03-23-2004 07:21 AM - edited 03-09-2019 06:50 AM
I am assuming that in order to reach the site through the PIX I need to open a port or fixup. Any solutions?
03-23-2004 07:45 AM
Hi,
You'll need an ACL on the inside interface for your inside client to connect to the mentioned port, i.e.
access-list inside permit tcp host
access-group inside in interface inside
You'll need to save with write mem and also clear translations with clear xlate
If the connection is made back to you then you'll need a static and an ACL on your PIX to allow the connection to your inside network.
Hope this helps and let me know how you get on.
Jay
03-23-2004 08:31 AM
I tried it and found that I could no longer reach anything from the inside to the outside.
03-23-2004 08:44 AM
Hi,
Sorry, a little lost here: you say that when you applied that ACL you don't have access from inside to outside. Did you issue the command clear xlate? If possible, can you post your config here or direct to me if you like (please remember to change real IPs and passwords; e-mail: jmia@ohgroup.co.uk).
Jay
03-23-2004 08:49 AM
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
names
name 10.1.1.1 int-ns1
name 10.1.1.8 int-ns2
name a.b.c.225 knet-gw
name a.b.c.227 ext-ns1
name a.b.c.228 ext-ns2
name a.b.c.229 ext-mail
name a.b.c.230 ext-rem
name a.b.c.231 ext-rtr
name 10.1.1.15 int-mail
name 10.1.1.254 int-rtr
name 10.1.1.230 int-rem
name a.b.c.232 ext-rem-2
name 10.1.1.189 int-rem-2
name a.b.c.233 ext-rem-3
name 10.1.1.125 int-rem-3
name 10.168.0.2 webserver
access-list outside permit icmp any any
access-list outside permit tcp any host ext-mail eq smtp
access-list outside permit tcp any host ext-mail eq pop3
access-list outside permit tcp any host ext-mail eq www
access-list outside permit tcp any host ext-ns1 eq domain
access-list outside permit udp any host ext-ns1 eq domain
access-list outside permit tcp any host ext-ns2 eq domain
access-list outside permit udp any host ext-ns2 eq domain
access-list outside permit tcp host knet-gw host ext-rtr eq telnet
access-list outside permit tcp any host ext-ns1 eq 3389
access-list outside permit udp any host ext-ns1 eq 3389
access-list outside permit tcp any host ext-rem eq 6000
access-list outside permit tcp any host ext-rem eq 6001
access-list outside permit tcp any host ext-rem eq pcanywhere-data
access-list outside permit tcp any host ext-rem eq 5362
access-list outside permit tcp any host ext-rem eq 5632
access-list outside permit tcp any host ext-rem-2 eq 6000
access-list outside permit tcp any host ext-rem-2 eq 6001
access-list outside permit tcp any host ext-rem-2 eq pcanywhere-data
access-list outside permit tcp any host ext-rem-2 eq 5362
access-list outside permit tcp any host ext-rem-2 eq 5632
access-list outside permit tcp any host ext-rem-3 eq 6000
access-list outside permit tcp any host ext-rem-3 eq 6001
access-list outside permit tcp any host a.b.c.234 eq www
access-list outbound-nat deny ip any host a.b.c.7
access-list outbound-nat deny ip any host a.b.c.7
access-list outbound-nat deny ip any host a.b.c.7
access-list outbound-nat deny ip any host a.b.c.7
access-list outbound-nat permit ip any any
pager lines 24
logging on
logging timestamp
logging buffered debugging
logging trap debugging
logging history emergencies
logging facility 7
logging host inside 10.1.1.2
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside a.b.c.226 255.255.255.240
ip address inside 10.100.1.254 255.255.255.0
ip address dmz 10.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 10.1.2.1-10.1.2.254
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz
arp timeout 14400
global (outside) 1 a.b.c.236
global (outside) 1 a.b.c.237
global (outside) 1 a.b.c.238
global (dmz) 1 10.168.0.10-10.168.0.20
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 10.168.0.0 255.255.255.0 0 0
static (inside,outside) ext-mail int-mail netmask 255.255.255.255 0 0
static (inside,outside) ext-ns1 int-ns1 netmask 255.255.255.255 0 0
static (inside,outside) ext-ns2 int-ns2 netmask 255.255.255.255 0 0
static (inside,outside) ext-rtr int-rtr netmask 255.255.255.255 0 0
static (inside,outside) ext-rem int-rem netmask 255.255.255.255 0 0
static (inside,outside) ext-rem-2 int-rem-2 netmask 255.255.255.255 0 0
static (inside,outside) ext-rem-3 int-rem-3 netmask 255.255.255.255 0 0
static (dmz,outside) a.b.c.234 webserver netmask 255.255.255.255 0 0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 knet-gw 1
route inside 10.0.0.0 255.0.0.0 10.100.1.253 1
03-23-2004 09:20 AM
Hi,
I don't see any access-group applied for your inside ACLs (access-list outbound-nat)? I presume your ACL outbound-nat is for the inside interface?
Can you tell me if the above assumption is correct before we go any further. If you take out the previous ACL that stopped connectivity, does everything work ok?
Did you save with the command write memory and also issue the command clear xlate?
Let me know,
Jay
03-23-2004 09:40 AM
You are correct in all your assumptions
03-23-2004 09:55 AM
Hi,
The procedure for changing the inside access-list to permit additional users access is as follows.
Open up a notepad session and also telnet into the PIX.
Show the configuration on the PIX, copy all the inside access-list lines (which I presume is access-list outbound-nat) into notepad. At the start of the text in notepad add an additional line stating no access-list inside, in your case no access-list outbound-nat.
It should end up looking something like this
No access-list outbound-nat
access-list outbound-nat deny ip any host a.b.c.7
access-list outbound-nat deny ip any host a.b.c.7
access-list outbound-nat deny ip any host a.b.c.7
access-list outbound-nat deny ip any host a.b.c.7
access-list outbound-nat permit ip any any
access-group outbound-nat in interface inside
Add the additional ACL (access-list outbound-nat permit tcp host
Back to the telnet screen, make sure you're in configuration mode, paste the modified text back into the PIX, issue the write memory command and then issue the command clear xlate.
The way this works is when the no access-list outbound-nat command is issued the entire list and the interface (if any are applied) statements are removed. Modifying the text in notepad and pasting it back ensures that the list is in the correct order, as the list is parsed start to finish, BUT if a match is made access-list processing stops. Therefore if you simply stick new entries at the end of the list they will be ignored because of the catch all access-list outbound-nat permit ip any any at the end of the list.
Hope this helps, Jay.
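The ordering rule Jay describes (first match wins, so entries pasted after a catch-all are never consulted) and the symptom Gavin reported earlier (a single permit on the inside interface cut off all outbound access, because a PIX access-list ends with an implicit deny) can both be checked with a small first-match evaluator. The following is an added example, not code from the thread or from Cisco; the list names, the client address 10.1.1.50 and the documentation addresses 203.0.113.7 and 198.51.100.9 are constructed stand-ins for the anonymised values in the posted config.

```python
"""Added example (not from the thread): a minimal first-match evaluator for
PIX-style access-list lines. It shows that the first matching entry decides a
flow, that an entry appended after a broader entry is never consulted, and
that a list with a single permit denies everything else via the implicit deny.
All addresses and list names are constructed for the example."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Port keywords the PIX accepts in place of numbers (subset used by the demo).
SERVICE_PORTS = {"www": 80, "smtp": 25, "pop3": 110, "domain": 53, "telnet": 23}


@dataclass(frozen=True)
class Ace:
    name: str
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]         # destination port from "eq", or None


def _parse_addr(tokens, pos):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' starting at tokens[pos]."""
    tok = tokens[pos]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), pos + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[pos + 1] + "/32"), pos + 2
    return ipaddress.ip_network((tok, tokens[pos + 1]), strict=False), pos + 2


def parse_ace(line: str) -> Ace:
    """Parse one 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' line."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"not an access-list entry: {line!r}")
    name, action, proto = tokens[1], tokens[2], tokens[3]
    src, pos = _parse_addr(tokens, 4)
    dst, pos = _parse_addr(tokens, pos)
    port = None
    if pos < len(tokens) and tokens[pos] == "eq":
        port_tok = tokens[pos + 1]
        port = SERVICE_PORTS.get(port_tok) or int(port_tok)
    return Ace(name, action, proto, src, dst, port)


def parse_list(lines):
    return [parse_ace(line) for line in lines]


def evaluate(aces, proto, src_ip, dst_ip, dst_port=None):
    """Return (action, index) of the first entry matching the flow, or
    ("deny", None) for the implicit deny at the end of every PIX access-list."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for i, ace in enumerate(aces):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.port is not None and ace.port != dst_port:
            continue
        return ace.action, i
    return "deny", None


def shadowed_entries(aces):
    """Indexes of entries that can never match because an earlier entry
    already covers every flow they describe."""
    shadowed = []
    for i, later in enumerate(aces):
        for earlier in aces[:i]:
            if (earlier.proto in ("ip", later.proto)
                    and later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)
                    and earlier.port in (None, later.port)):
                shadowed.append(i)
                break
    return shadowed


# Constructed outbound list modelled on the thread's outbound-nat list.
OUTBOUND = [
    "access-list outbound-nat deny ip any host 203.0.113.7",
    "access-list outbound-nat permit ip any any",
]
# The new entry: let one inside client reach the blocked host on port 80.
NEW_ENTRY = "access-list outbound-nat permit tcp host 10.1.1.50 host 203.0.113.7 eq www"


def appended_result():
    """New entry pasted at the end: it is shadowed and the client stays denied."""
    aces = parse_list(OUTBOUND + [NEW_ENTRY])
    return evaluate(aces, "tcp", "10.1.1.50", "203.0.113.7", 80), shadowed_entries(aces)


def rebuilt_result():
    """List rebuilt with the new entry first, as the notepad procedure does."""
    aces = parse_list([NEW_ENTRY] + OUTBOUND)
    return evaluate(aces, "tcp", "10.1.1.50", "203.0.113.7", 80), shadowed_entries(aces)


def single_permit_result():
    """An inside list holding only one permit: any other outbound flow hits
    the implicit deny, the 'could no longer reach anything' symptom."""
    aces = parse_list(["access-list inside permit tcp host 10.1.1.50 host 203.0.113.7 eq www"])
    return evaluate(aces, "tcp", "10.1.1.20", "198.51.100.9", 443)


if __name__ == "__main__":
    print("appended:", appended_result())
    print("rebuilt:", rebuilt_result())
    print("single permit, other flow:", single_permit_result())
```

Running it shows the appended entry reported as shadowed and the client flow still denied by the earlier entry, the rebuilt list permitting the flow with nothing shadowed, and the single-permit inside list denying an unrelated outbound flow with no entry matched at all.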
03-23-2004 10:28 AM
I did what you said ..
nothing different is happening.
I tried using the inside client ip as (eg. 10.a.b.c)
I then tried using the inside client ip as the inside interface ip ..
still no luck
gavin
03-24-2004 12:18 AM
Gavin,
Can you enable syslog please and capture the output.
To enable syslog do:
logging on
logging buffer debug
sho log
Either post your results here or to me : jmia@ohgroup.co.uk
Thanks / Jay.