265 Views, 0 Helpful, 1 Reply

inside_access_in rule denying everything

mike.gilner
Level 1

PIX 506E

Everything is fine when the implicit outbound rule is in place, but I want to restrict outbound access to Common_Internet_Protocols (TCP/UDP) service group. When I do that, it appears nothing is allowed inbound because of the "inside_access_in" rule. According to the syslog, this rule is denying everything. My config is below. Any ideas? I've configured Watchguard and Checkpoint firewalls, but the PIX is kicking my butt. Note that I am using the PDM.

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.135.3.13 Mail_Server
object-group service Common_Internet_Protocols tcp-udp
description 1257-Shockwave2, 1626-Shockwave, 1935-Flash
port-object eq www
port-object eq domain
port-object eq 1257
port-object eq 1626
port-object eq 1935
port-object range 20 21
port-object eq 123
port-object eq 443
object-group service Mail_Protocols tcp-udp
description 995=POP3 over SSL
port-object eq 25
port-object eq 995
access-list outside_access_in permit tcp interface outside object-group Mail_Protocols host Mail_Server object-group Mail_Protocols
access-list inside_access_in permit tcp interface inside object-group Common_Internet_Protocols interface outside
pager lines 24
logging on
logging trap informational
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside 70.89.226.202 255.255.255.248
ip address inside 10.135.3.3 255.255.255.0
ip verify reverse-path interface outside
ip audit name Attack attack action alarm drop reset
ip audit name Info info action alarm
ip audit interface outside Info
ip audit interface outside Attack
ip audit info action alarm
ip audit attack action alarm
pdm location 10.135.3.0 255.255.255.0 inside
pdm location 10.135.4.128 255.255.255.192 inside
pdm location Mail_Server 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 30 interface
global (inside) 10 interface
nat (inside) 30 0.0.0.0 0.0.0.0 0 0
static (inside,outside) Mail_Server Mail_Server netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 70.89.226.206 1
route inside 10.135.4.128 255.255.255.192 10.135.3.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

1 Reply

valconix
Level 1

Try using an inside network address, because I wonder when you have (access-list inside_access_in permit tcp interface inside) it's only allowing your inside interface IP (10.135.3.3). Try allowing your 10.135.3.0 subnet, see if that works.
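Added example, not from the thread or from either poster. The PIX 6.3 ACE grammar is `access-list NAME permit PROTO SRC [SRC_PORT] DST [DST_PORT]`, and `interface inside` in an ACE means the PIX's own address on that interface, so the posted line `permit tcp interface inside object-group Common_Internet_Protocols interface outside` permits traffic from 10.135.3.3, with the service group restricting the source port, to the outside interface address only; no LAN host matches it, and the implicit deny logs everything. The check below parses the posted object-groups and access-list lines and flags that pattern (source or destination `interface X`, a port spec in the source-port slot, and a tcp-udp group used only on a tcp line, which leaves its UDP members such as domain and 123 unpermitted). `GROUPS` and `POSTED_ACL` are constructed from the config in the post; `FIXED_ACL` is this example's assumption about the intended policy (LAN subnet to anywhere on the listed services over TCP and UDP, Internet to the mail server only), not a line from the thread.

```python
"""Lint PIX 6.3-style access-list lines for the mistakes visible in the thread.
Added example, not part of the original post. FIXED_ACL is this example's
assumption about the intended policy; sample lines are constructed from the post."""
from __future__ import annotations
from dataclasses import dataclass

UDP_SERVICES = {"domain", "53", "ntp", "123", "tftp", "69", "snmp", "161"}

@dataclass
class Ace:
    acl: str
    proto: str
    src: tuple           # (kind, value); kind is any/host/network/interface/object-group
    sport: tuple | None  # (operator, value) or None
    dst: tuple
    dport: tuple | None

def _addr(tok, i):
    """Consume one address spec at tok[i]; return ((kind, value), next index)."""
    if tok[i] == "any":
        return ("any", "any"), i + 1
    if tok[i] in ("host", "interface", "object-group"):
        return (tok[i], tok[i + 1]), i + 2
    return ("network", f"{tok[i]} {tok[i + 1]}"), i + 2  # A.B.C.D MASK

def _ports(tok, i, groups):
    """Consume an optional port spec; 'object-group X' is one only if X is a service group."""
    kw = tok[i] if i < len(tok) else None
    if kw == "object-group" and tok[i + 1] in groups:
        return ("object-group", tok[i + 1]), i + 2
    if kw == "range":
        return ("range", f"{tok[i + 1]}-{tok[i + 2]}"), i + 3
    if kw in ("eq", "lt", "gt", "neq"):
        return (kw, tok[i + 1]), i + 2
    return None, i

def parse_config(text):
    """Return ({service group: (proto, [ports])}, [Ace]) from flat PIX config text."""
    groups, aces, current = {}, [], None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "object-group":  # only service groups are tracked
            current = groups.setdefault(tok[2], (tok[3], [])) if tok[1] == "service" else None
        elif tok[0] == "port-object" and current:
            current[1].append(tok[2] if tok[1] == "eq" else f"{tok[2]}-{tok[3]}")
        elif tok[0] == "access-list" and tok[2] in ("permit", "deny"):
            # access-list NAME {permit|deny} PROTO SRC [SRC_PORT] DST [DST_PORT]
            src, i = _addr(tok, 4)
            sport, i = _ports(tok, i, groups)
            dst, i = _addr(tok, i)
            dport, _ = _ports(tok, i, groups)
            aces.append(Ace(tok[1], tok[3], src, sport, dst, dport))
    return groups, aces

def lint(text):
    """Return one finding string per problem; an empty list means nothing was flagged."""
    groups, aces = parse_config(text)
    out = []
    for a in aces:
        if a.src[0] == "interface":
            out.append(f"{a.acl}: source 'interface {a.src[1]}' is only the PIX's own {a.src[1]} address, not the hosts behind it")
        if a.dst[0] == "interface":
            out.append(f"{a.acl}: destination 'interface {a.dst[1]}' is only the PIX's own {a.dst[1]} address, not the Internet")
        if a.sport is not None:
            out.append(f"{a.acl}: port spec '{a.sport[1]}' is in the source-port slot and restricts the client's ephemeral port")
        if a.proto == "tcp" and a.dport and a.dport[0] == "object-group":
            gproto, gports = groups[a.dport[1]]
            udp = sorted(UDP_SERVICES & set(gports))
            paired = any(b.acl == a.acl and b.proto == "udp" and b.dport == a.dport for b in aces)
            if gproto == "tcp-udp" and udp and not paired:
                out.append(f"{a.acl}: group {a.dport[1]} holds UDP services {udp} but only a tcp line uses it; add a udp line")
    return out

# Constructed from the post: the two service groups and the two ACEs as written.
GROUPS = """
object-group service Common_Internet_Protocols tcp-udp
port-object eq www
port-object eq domain
port-object range 20 21
port-object eq 123
port-object eq 443
object-group service Mail_Protocols tcp-udp
port-object eq 25
port-object eq 995
"""
POSTED_ACL = """
access-list outside_access_in permit tcp interface outside object-group Mail_Protocols host Mail_Server object-group Mail_Protocols
access-list inside_access_in permit tcp interface inside object-group Common_Internet_Protocols interface outside
"""
# Assumed intent (not stated in the thread): LAN subnet to anywhere on the listed
# services over TCP and UDP; Internet to the mail server on its services only.
FIXED_ACL = """
access-list outside_access_in permit tcp any host Mail_Server object-group Mail_Protocols
access-list inside_access_in permit tcp 10.135.3.0 255.255.255.0 any object-group Common_Internet_Protocols
access-list inside_access_in permit udp 10.135.3.0 255.255.255.0 any object-group Common_Internet_Protocols
"""

if __name__ == "__main__":
    for label, acl in (("posted", POSTED_ACL), ("fixed", FIXED_ACL)):
        print(label, *lint(GROUPS + acl), sep="\n  ")
```

Run as-is, the posted lines yield five findings (three on inside_access_in, two on outside_access_in) and the assumed fixed lines none. The check only knows what is in the text it is given: the 10.135.4.128/26 network reached through 10.135.3.1 would need its own pair of inside_access_in lines, and the lint will not infer that from the `route inside` statement.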