PIX, Object-Groups & Port Range Forwarding

dmcintosh · ‎06-12-2007

Can anyone tell me why the following would not work through a pix 525? I have two remote offices trying to connect back with a VoIP phone system. We are forwarding all traffic on a ouside IP (xxx.xxx.xxx.152) address to an internal IP (xxx.xxx.xxx.12) and defined the following ACL's/Statics.

object-group network Some_NetGroup_1

description Some Remote Offices

network-object xxx.xxx.xxx.14 255.255.255.255

network-object xxx.xxx.xxx.22 255.255.255.255

object-group service Some_Group_TCP tcp

port-object eq xxxx

object-group service Some_Group_UDP udp

port-object eq xxxx

port-object range xxxx xxxx

access-list outside_in extended permit tcp object-group Some_NetGroup_1 host xxx.xxx.xxx.152 object-group Some_Group_TCP

access-list outside_in extended permit udp object-group Some_NetGroup_1 host xxx.xxx.xxx.152 object-group Some_Group_UDP

static (inside,outside) xxx.xxx.xxx.152 xxx.xxx.xxx.12 netmask 255.255.255.255

Thank you for any suggestions.

Drew

Jon Marshall · ‎06-12-2007

Hi

Well the config looks okay. Does the expanded access-list look right when you do a "sh access-list outside_in"

You don't include the statement but i'm assuming you have applied the access-list to your outside interface ie.

access-group outside_in in interface outside

If you have applied this then are you sure you have all the ports covered. What if you temporarily allow all IP from one of the remote addresses, does it then work ?

HTH

Jon