Problem with Access-List on Pix 515E. Ver 7.0(4)

xe1zvo
Level 1

Hello.. I have 3 access lists configured. The first one is to allow internet access to web servers; it's applied on the outside interface and it's working fine.

The second one is to NAT only the contents of it.

The third one is to allow access from a host in the DMZ to Inside and looks like this:

access-list DMZ-INSIDE extended permit tcp host 10.50.198.1 eq 1433 host 10.50.100.3

When I try to apply it as: access-group DMZ-INSIDE out interface dmz

It does not work and the internet access stops.

What I need to do is to have access from the host in the DMZ to a server located on the Inside.

What am I doing wrong?

I'd appreciate any help.

3 Replies

mpalardy
Level 3

I think there is a misconfiguration in the ACL:

access-list DMZ-INSIDE extended permit tcp host 10.50.198.1 eq 1433 host 10.50.100.3

Try this instead:

access-list DMZ-INSIDE extended permit tcp host 10.50.198.1 host 10.50.100.3 eq 1433

Make sure source host-IP is placed first and dest host IP is second.

After doing this, initiate a "clear xlate" command to remove all IP translation for the host.

You may also want to add "nat control" for the DMZ.

HTH

Mike

mpalardy
Level 3

Forgot to say you'll also need a static statement to access your inside host from the dmz:

static (inside,dmz) ip-host-inside ip-host-inside netmask 255.255.255.255 0 0

+clear xlate local inside-ip-host

Thanks a lot, I just corrected the ACL and also added the static route you told me, however.. still not working. I added the statement: access-group DMZ-INSIDE out interface dmz

to permit outgoing packets from dmz according to the ACL. And it is not working.

Am I still wrong with this?
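As an added illustration (not part of any reply in this thread), here is a small Python model of how a PIX 7.0 evaluates an access-group per interface and direction, run against the ACL from this thread applied "out" on dmz (as posted) and "in" on dmz. The interface security levels, the web-server address, the client addresses and the outside ACL contents are assumptions; NAT/static translation is not modelled.

```python
from dataclasses import dataclass

# Assumed security levels (PIX defaults for outside/inside, 50 for the DMZ).
SECURITY = {"outside": 0, "dmz": 50, "inside": 100}

@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    in_ifc: str   # interface the first packet of the connection arrives on
    out_ifc: str  # interface it leaves through

# ACE tuples: (src, sport, dst, dport); None means "any port".
ORIGINAL_ACE = [("10.50.198.1", 1433, "10.50.100.3", None)]  # as first posted
DMZ_INSIDE = [("10.50.198.1", None, "10.50.100.3", 1433)]    # corrected in the reply
OUTSIDE_IN = [("any", None, "10.50.198.1", 80)]  # assumed: the thread's web ACL on outside

def acl_permits(acl, f):
    for src, sport, dst, dport in acl:
        if (src in ("any", f.src) and sport in (None, f.sport)
                and dst in ("any", f.dst) and dport in (None, f.dport)):
            return True
    return False  # implicit deny at the end of every ACL

def allowed(f, groups):
    """groups maps (interface, 'in'|'out') -> ACL, one entry per access-group line."""
    inbound = groups.get((f.in_ifc, "in"))
    if inbound is None:
        # No inbound ACL: only higher-to-lower security traffic passes by default.
        if SECURITY[f.in_ifc] <= SECURITY[f.out_ifc]:
            return False
    elif not acl_permits(inbound, f):
        return False
    outbound = groups.get((f.out_ifc, "out"))
    return outbound is None or acl_permits(outbound, f)

# Constructed flows: DMZ host -> inside SQL, internet client -> DMZ web, DMZ host -> internet.
SQL = Flow("10.50.198.1", 49152, "10.50.100.3", 1433, "dmz", "inside")
WEB = Flow("203.0.113.9", 51000, "10.50.198.1", 80, "outside", "dmz")
DMZ_OUT = Flow("10.50.198.1", 49153, "198.51.100.7", 443, "dmz", "outside")

POSTED = {("outside", "in"): OUTSIDE_IN, ("dmz", "out"): DMZ_INSIDE}  # out interface dmz
FIXED = {("outside", "in"): OUTSIDE_IN, ("dmz", "in"): DMZ_INSIDE}    # in interface dmz

def summary(groups):
    return {name: allowed(f, groups) for name, f in (("sql", SQL), ("web", WEB), ("dmz_out", DMZ_OUT))}
```

With the ACL applied "out" on dmz it never sees the DMZ host's own connections but does drop the internet-to-web-server connections (the "internet access stops" symptom); applied "in" on dmz it permits the SQL flow, and its implicit deny then also blocks the DMZ host's outbound connections unless further permit lines are added.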
