11-12-2003 07:04 AM - edited 02-20-2020 09:23 PM
Hi everybody,
I'm trying to open ports 25 smtp and 80 http so clients from the outside interface can access http mail and smtp of a server which is on the inside interface of the PIX.
What I've implemented is...
object-group service WATBC01 tcp
description // WATBC01 open ports
port-object eq www
port-object eq smtp
access-list outside_access_in permit tcp any host 10.0.0.5 object-group WATBC01
static (inside,outside) 10.0.0.5 192.168.190.10 netmask 255.255.255.255 0 0
What I get after setting this up is an smtp port open but http is not.
(I've used object-groups because I heard that it is not possible to set two access-lists to the same IP address.
Even though I checked it out and it didn't work either.)
Could you help me, guys?
Thanks in advance.
11-12-2003 03:43 PM
You can certainly add more than one ACL referencing the same IP address, so:
access-list outside_access_in permit tcp any host 10.0.0.5 eq www
access-list outside_access_in permit tcp any host 10.0.0.5 eq smtp
should work just as effectively. If you already tried this and it also didn't work, then the problem is probably something else. From a host on the inside of the PIX, can you web browse to 192.168.190.10? If not, then you have a server problem. If you can, check that you're not redirected to an https URL straight away or something like that. If this happens, then you'd need to add the following ACL as well:
access-list outside_access_in permit tcp any host 10.0.0.5 eq 443
What error do you get when you try and browse to this machine through the PIX?
11-12-2003 11:39 PM
I found out what the problem was. I tried to telnet to 10.0.0.5 on TCP port 80 from the outside router and I got the HTTP server response, so the access-list was working correctly.
The problem was on the outside router: although HTTP traffic had been redirected to IP 10.0.0.5, the router had an HTTP service active that was blocking traffic to the PIX.
What I've done is change the service's socket from port 80 to port 8080, and it worked! Now it passes traffic OK.
Thank you gfullage, anyway!
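
Added example (not part of the original thread and not Cisco code): a small Python check that expands the object-group ACL from the first post and compares it with the two explicit ACL lines from the reply, showing both permit the same ports to 10.0.0.5. The parser handles only the command forms quoted in this thread, and the port-name table is an assumption limited to www and smtp.

```python
# Added example: expands PIX "object-group service" references in access-list
# lines and compares the resulting per-port rules.
# Assumption: the port-name table covers only the names used in the thread.
PORT_NAMES = {"www": 80, "smtp": 25}

# Configuration lines as posted in the thread.
GROUPED = """\
object-group service WATBC01 tcp
description // WATBC01 open ports
port-object eq www
port-object eq smtp
access-list outside_access_in permit tcp any host 10.0.0.5 object-group WATBC01
"""
EXPLICIT = """\
access-list outside_access_in permit tcp any host 10.0.0.5 eq www
access-list outside_access_in permit tcp any host 10.0.0.5 eq smtp
"""

def port(tok):
    """Translate a port name or number token to an integer."""
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def expand(config):
    """Return the set of (acl, action, proto, src, dst, port) rules in config."""
    groups, current, rules = {}, None, set()
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:2] == ["object-group", "service"]:
            current = groups.setdefault(t[2], set())
        elif t[:2] == ["port-object", "eq"] and current is not None:
            current.add(port(t[2]))
        elif t[0] == "access-list":
            current = None
            # Only the form used in the thread:
            # access-list <acl> <action> <proto> any host <ip> eq|object-group <arg>
            acl, action, proto, src, _host, dst, kind, arg = t[1:9]
            ports = groups[arg] if kind == "object-group" else {port(arg)}
            rules |= {(acl, action, proto, src, dst, p) for p in ports}
    return rules

def permits(rules, dst, dport):
    """True if any permit rule covers the destination address and port."""
    return any(r[1] == "permit" and r[4] == dst and r[5] == dport for r in rules)

if __name__ == "__main__":
    print("equivalent:", expand(GROUPED) == expand(EXPLICIT))
    print("tcp/80 permitted:", permits(expand(GROUPED), "10.0.0.5", 80))
```

Because both forms expand to the same two rules, a port that answers on 25 but not on 80 points to something outside the ACL, which matches what the last post found on the outside router.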