02-24-2008 09:48 PM - edited 03-11-2019 05:08 AM
Cisco PIX Firewall Version 6.3
I recently enabled PPPoE and now my ACLs no longer permit incoming traffic to my public hosts (Outgoing traffic is fine).
I tried disabling 'ip audit', changing my static statements from 'interface' to the IP address, I even tried 'permit ip any any' and traffic still can't get through. The ACLs still show 'hitcnt=0' even though I'm hammering it from proxify.com and ShieldsUp.
I get nothing from 'debug packet outside', but when I run a capture it shows a lot of incoming requests in hex. When I import it into Ethereal, it shows a whole lot of incoming traffic, so it doesn't appear to be filtered by my ISP or my CPE.
For troubleshooting purposes, the Public address to my web server is http://74.2.65.94/
My PPPoE config:
ip address outside pppoe setroute
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname [MYPPPOEUSERNAME]
vpdn group pppoex ppp authentication pap
vpdn username [MYPPPOEUSERNAME] password *********
Attachments:
sh_run_080224.txt sanitized config
cap1.txt incoming hex dump
02-24-2008 11:32 PM
Hi,
The access lists are not bound to the outside interface.
Hence you need to add:
access-list PUBLICHOSTS permit tcp any interface outside eq www
access-group PUBLICHOSTS in interface outside
Raj
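An added example, not part of the original thread: a small Python check for the condition diagnosed above, where an access-list is defined but never applied with access-group. The sample config is constructed, and the helper name `audit_acl_bindings` is hypothetical.

```python
import re

# Constructed PIX 6.3-style sample (not the poster's attached config).
SAMPLE_CONFIG = """\
ip address outside pppoe setroute
access-list PUBLICHOSTS permit tcp any interface outside eq www
access-list NONAT permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list INSIDE_OUT permit ip any any
nat (inside) 0 access-list NONAT
access-group INSIDE_OUT in interface inside
static (inside,outside) tcp interface www 192.168.1.10 www netmask 255.255.255.255 0 0
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(?:permit|deny)\b")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)")
# ACLs consumed by name elsewhere (NAT exemption, crypto map) are not filters
# that need an access-group, so they are excluded from the "unbound" report.
OTHER_REF_RE = re.compile(r"\b(?:access-list|match address)\s+(\S+)")


def audit_acl_bindings(config_text):
    """Hypothetical helper: report ACLs that are defined but never applied."""
    defined, bound, other_refs = set(), {}, set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("access-list "):
            m = ACL_RE.match(line)
            if m:
                defined.add(m.group(1))
            continue
        m = GROUP_RE.match(line)
        if m:
            bound[m.group(2)] = m.group(1)  # interface -> ACL name
            continue
        m = OTHER_REF_RE.search(line)
        if m:
            other_refs.add(m.group(1))
    applied = set(bound.values())
    return {
        "unbound": sorted(defined - applied - other_refs),  # hitcnt stays 0
        "dangling": sorted(applied - defined),  # access-group names no ACL
        "interfaces": bound,
    }


if __name__ == "__main__":
    report = audit_acl_bindings(SAMPLE_CONFIG)
    for name in report["unbound"]:
        print(f"access-list {name} is defined but has no access-group")
    for name in report["dangling"]:
        print(f"access-group references undefined access-list {name}")
```

Running it over a saved `show running-config` before and after a change such as enabling PPPoE shows whether the access-group line is still present.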
02-25-2008 12:04 AM
rajbhatt- You ROCK!
How could I have forgotten to apply the ACL..?
I didn't need the other line;
access-list PUBLICHOSTS permit tcp any interface outside eq www
I think because I already have;
access-list PUBLICHOSTS permit tcp any host
THANKS!!
02-25-2008 12:58 AM
Hi,
Thanks
Please apply the keyword 'interface outside' in the access list, as from PPPoE you may get a different IP address each time you connect.
Raj
02-25-2008 08:39 AM
Do you mean 'access-list PUBLICHOSTS permit tcp any interface outside eq www'?
I added it per your suggestion.
This is good for PPPoE?