04-23-2003 09:02 PM - edited 02-20-2020 09:21 PM
I am confused why the same access-list/static command to allow access from high to low security works for only one PC, not other servers/PCs. Can you please advise? This is to allow access from tmd4 to the inside interface, such as terminal server access, network mapping, or printing from the low to the high security interface.
Config is like this
-------------------------------------------------------------
nat (inside) 1 0 0
global (tmd4) 1 interface
static (inside,tmd4) 203.1.108.22 203.1.108.22 255.255.255.255 0 0
access-list tmd4_access_prt permit tcp host 10.1.1.18 host 203.1.108.22
access-group tmd4_access_prt in interface tmd4
---------------------------------------------------------------------------------------
If I put 203.1.108.88 instead of 203.1.108.22 in the above access-list, I can access everything on 203.1.108.88, but not any other IP address. I have been trying different combinations; I am running out of ideas, please help.
From the syslog, the error captured is as below (when trying to access from a Win2k Terminal Services client; I know this server is working OK):
<166>Apr 24 2003 14:32:42: %PIX-6-302013: Built inbound TCP connection 574 for tmd4:10.1.1.18/1060 (10.1.1.18/1060) to inside:203.1.108.22/3389 (203.1.108.22/3389) <inside:255.255.255.255/netbios-dgm
<167>Apr 24 2003 14:32:55: %PIX-7-710005: UDP request discarded from 10.1.1.18/137 to tmd4:10.1.1.254/netbios-ns
<167>Apr 24 2003 14:32:56: %PIX-7-710005: UDP request discarded from 10.1.1.18/137 to tmd4:10.1.1.254/netbios-ns
<167>Apr 24 2003 14:32:58: %PIX-7-710005: UDP request discarded from 10.1.1.18/137 to tmd4:10.1.1.254/netbios-ns
<166>Apr 24 2003 14:33:40: %PIX-6-302014: Teardown TCP connection 572 for tmd4:10.1.1.18/1059 to inside:203.1.108.22/3389 duration 0:02:01 bytes 0 SYN Timeout
Many thanks in advance,
DJ
04-23-2003 09:04 PM
I am sorry, correction here: access from low to high interface. Thanks.
04-24-2003 07:32 AM
It's because that is all you allow: your access-list statement is from one host to one host. The host keyword signifies just one machine.
host 1.2.3.4
would mean that host
1.2.3.0 255.255.255.0
would mean the entire 1.2.3.0 subnet
04-25-2003 01:59 PM
I understand what you mean. If I add 203.1.108.88 as the host, I don't have any issue, but not with any other host.
04-24-2003 01:16 PM
Hi.
* You should check the TS configuration again: is the PIX the default gateway of the Terminal Server? (Or at least, the TS must have a routing entry for the 10.1.1.0 network.) Use the command "route print" on the TS server.
* You should also reboot or clear the ARP cache on routers that might have a dirty ARP entry for the failing IP address.
> access-list tmd4_access_prt permit tcp host 10.1.1.18 host 203.1.108.22
You had better be more specific in your ACL: TCP port 3389 alone is sufficient for MS RDP.
Yizhar
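Added here as an example (not part of the original thread) is a small triage script for the syslog lines posted above. The point it makes supports Yizhar's diagnosis: a %PIX-6-302013 "Built inbound TCP connection" means the access-list and static were both satisfied and the SYN was forwarded; the matching %PIX-6-302014 teardown with "bytes 0 SYN Timeout" means the inside host never sent a SYN/ACK back, which is a return-path (gateway, route, ARP) problem on the server, not an ACL problem. If the access-list were blocking the SYN you would see a %PIX-4-106023 deny instead, and the %PIX-7-710005 lines are NetBIOS queries addressed to the firewall's own tmd4 interface address, unrelated to RDP. The sample log is constructed from the lines in the thread; the 106023 line for 203.1.108.23 and the successful 203.1.108.88 session are hypothetical additions to show the other outcomes.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the syslog lines pasted in the thread.
# The 203.1.108.88 session and the 106023 deny for 203.1.108.23 are
# hypothetical lines added to show what the other outcomes look like.
SAMPLE_LOG = """\
<166>Apr 24 2003 14:32:42: %PIX-6-302013: Built inbound TCP connection 574 for tmd4:10.1.1.18/1060 (10.1.1.18/1060) to inside:203.1.108.22/3389 (203.1.108.22/3389)
<167>Apr 24 2003 14:32:55: %PIX-7-710005: UDP request discarded from 10.1.1.18/137 to tmd4:10.1.1.254/netbios-ns
<166>Apr 24 2003 14:33:40: %PIX-6-302014: Teardown TCP connection 572 for tmd4:10.1.1.18/1059 to inside:203.1.108.22/3389 duration 0:02:01 bytes 0 SYN Timeout
<166>Apr 24 2003 14:34:42: %PIX-6-302014: Teardown TCP connection 574 for tmd4:10.1.1.18/1060 to inside:203.1.108.22/3389 duration 0:02:00 bytes 0 SYN Timeout
<166>Apr 24 2003 14:35:01: %PIX-6-302013: Built inbound TCP connection 580 for tmd4:10.1.1.18/1061 (10.1.1.18/1061) to inside:203.1.108.88/3389 (203.1.108.88/3389)
<166>Apr 24 2003 14:40:11: %PIX-6-302014: Teardown TCP connection 580 for tmd4:10.1.1.18/1061 to inside:203.1.108.88/3389 duration 0:05:10 bytes 48211 TCP FINs
<164>Apr 24 2003 14:41:03: %PIX-4-106023: Deny tcp src tmd4:10.1.1.18/1062 dst inside:203.1.108.23/3389 by access-group "tmd4_access_prt"
"""

TEARDOWN = re.compile(
    r"%PIX-6-302014: Teardown TCP connection (?P<id>\d+) "
    r"for (?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"duration (?P<dur>\S+) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$")
DENY = re.compile(
    r'%PIX-4-106023: Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"')
DISCARD = re.compile(
    r"%PIX-7-710005: UDP request discarded from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<svc>\S+)")


@dataclass
class Finding:
    kind: str      # "no_reply", "ok", "acl_deny", "to_firewall" or "other"
    src: str
    dst: str
    detail: str


def classify(line):
    """Map one PIX syslog line to a finding, or None if it is not one we care about."""
    m = TEARDOWN.search(line)
    if m:
        d = m.groupdict()
        dst = f"{d['dst']}/{d['dport']}"
        if d["reason"] == "SYN Timeout" and d["bytes"] == "0":
            # The PIX only logs a teardown for a connection it built, so the
            # access-list and static were satisfied and the SYN went out the
            # inside interface. Zero bytes plus SYN timeout means the inside
            # host never answered: look at the server's default gateway or
            # route back to 10.1.1.0 and at stale ARP, not at the ACL.
            return Finding("no_reply", d["src"], dst, "SYN forwarded, no SYN/ACK from inside host")
        if int(d["bytes"]) > 0:
            return Finding("ok", d["src"], dst, f"{d['bytes']} bytes, {d['reason']}")
        return Finding("other", d["src"], dst, d["reason"])
    m = DENY.search(line)
    if m:
        d = m.groupdict()
        # This is what an access-list problem looks like: the SYN never leaves
        # the firewall, so there is no 302013 for it at all.
        return Finding("acl_deny", d["src"], f"{d['dst']}/{d['dport']}", f"denied by {d['acl']}")
    m = DISCARD.search(line)
    if m:
        d = m.groupdict()
        # 710005: a request addressed to the firewall's own interface address
        # for a service it does not run (NetBIOS name queries to the tmd4
        # interface here). Noise as far as the RDP failure is concerned.
        return Finding("to_firewall", d["src"], f"{d['dst']}/{d['svc']}", "request to PIX interface discarded")
    return None


def triage(log_text):
    """Group findings by kind; the keys tell you where to look next."""
    out = {}
    for line in log_text.splitlines():
        f = classify(line)
        if f:
            out.setdefault(f.kind, []).append(f)
    return out


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        print(kind)
        for f in items:
            print(f"  {f.src} -> {f.dst}: {f.detail}")
```

Run against the real log with `triage(open("pix.log").read())`; every destination that shows up only under "no_reply" is a host whose return path needs checking with "route print" and an ARP clear, while anything under "acl_deny" is where a missing access-list or static line would actually show.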
04-25-2003 02:05 PM
* The TS doesn't require 10.1.1.x as its gateway; the TS is on the inside network, which is higher security than 10.1.1.x. If I try to access the TS from the same network, there is no issue.
* Won't a reload clear the ARP table? Or do I have to manually clear ARP on the PIX?
* I already tried allowing only 3389; it didn't make any difference, which is why I gave access to all ports.
DJ