01-23-2007 05:02 AM - edited 03-03-2019 03:27 PM
Hi There,
Please explain to me what the difference is between these two ACLs:
access-list acl_dmz line 1 permit tcp host 10.22.1.10 host 192.168.2.5 eq 5555 (hitcnt=0)
access-list acl_dmz line 2 permit tcp host 10.22.1.10 eq 5555 host 192.168.2.5 (hitcnt=0)
As I am troubleshooting an issue, it is very. I would be grateful if I get a reply at the earliest.
Thanks in advance
01-23-2007 05:08 AM
Hi
The first line says allow the host 10.22.1.10 with any source port to talk to the host 192.168.2.5 on port 5555.
The second line says allow the host 10.22.1.10 with a source port of 5555 to talk to the host 192.168.2.5 on any port.
HTH
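To make the two readings above concrete, here is a small matcher for the PIX access-list syntax quoted in the question. It is an added example, not code from the thread or from Cisco: it parses the two lines (only the `host ... [eq port]` subset of the syntax that appears above), then asks which line a given TCP connection would hit. The ephemeral source port 34567 used for the client is a constructed value; a real client picks one at random.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed copies of the two access-list lines quoted in the question.
ACL_TEXT = """
access-list acl_dmz line 1 permit tcp host 10.22.1.10 host 192.168.2.5 eq 5555 (hitcnt=0)
access-list acl_dmz line 2 permit tcp host 10.22.1.10 eq 5555 host 192.168.2.5 (hitcnt=0)
"""

# Only the subset of PIX syntax used in the thread: 'host <ip>' endpoints with
# an optional 'eq <port>' after either endpoint. Trailing '(hitcnt=N)' is ignored.
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+line\s+(?P<line>\d+)\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>tcp|udp)\s+host\s+(?P<src>\S+)(?:\s+eq\s+(?P<sport>\d+))?"
    r"\s+host\s+(?P<dst>\S+)(?:\s+eq\s+(?P<dport>\d+))?"
)


@dataclass
class Ace:
    """One access-control entry. A port of None means 'any port'."""
    name: str
    line: int
    action: str
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]

    def matches(self, proto: str, src: str, sport: int, dst: str, dport: int) -> bool:
        return (
            proto == self.proto
            and src == self.src
            and dst == self.dst
            and (self.sport is None or sport == self.sport)
            and (self.dport is None or dport == self.dport)
        )


def parse_acl(text: str) -> List[Ace]:
    """Parse 'show access-list' style output into Ace objects, in order."""
    aces = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = ACE_RE.match(raw)
        if m is None:
            raise ValueError(f"unsupported ACL syntax: {raw}")
        g = m.groupdict()
        aces.append(Ace(
            name=g["name"], line=int(g["line"]), action=g["action"], proto=g["proto"],
            src=g["src"], sport=int(g["sport"]) if g["sport"] else None,
            dst=g["dst"], dport=int(g["dport"]) if g["dport"] else None,
        ))
    return aces


def first_match(aces: List[Ace], proto: str, src: str, sport: int,
                dst: str, dport: int) -> Optional[int]:
    """Return the line number of the first matching entry (the PIX evaluates an
    ACL top-down and stops at the first hit), or None if nothing matches,
    which on a PIX means the implicit deny at the end of the list."""
    for ace in aces:
        if ace.matches(proto, src, sport, dst, dport):
            return ace.line
    return None


ACL = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    # A client picks an ephemeral source port (34567 is constructed) and
    # connects to port 5555: this is what 'telnet 192.168.2.5 5555' sends.
    print(first_match(ACL, "tcp", "10.22.1.10", 34567, "192.168.2.5", 5555))  # 1
    # Only a connection originating from source port 5555 hits line 2.
    print(first_match(ACL, "tcp", "10.22.1.10", 5555, "192.168.2.5", 23))      # 2
    # Plain telnet to port 23 from an ephemeral port hits neither line.
    print(first_match(ACL, "tcp", "10.22.1.10", 34567, "192.168.2.5", 23))     # None
```

The third check is the one worth keeping in mind when reading the rest of the thread: a telnet to port 23 from an ephemeral source port matches neither entry, so it falls through to the implicit deny, and neither line's hit counter moves.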
01-23-2007 05:16 AM
Thanks for your immediate reply.
My PIX has both ACLs, but I couldn't telnet to the IP from 10.22.1.10 to 192.168.2.5:
telnet 192.168.2.5 5555
Will it allow this direction? 192.168.2.5 is in the inside network and 10.22.1.10 is in the DMZ.
Please shed some light.
01-23-2007 06:00 AM
Have you got a static entry for the server inside,
i.e. "static (inside,DMZ) 192.168.2.5 192.168.2.5 netmask 255.255.255.255"
Where I have put DMZ in the static statement you need to put whatever your DMZ interface is called.
HTH
01-23-2007 06:01 AM
There is an ACL stating no NAT is required for this subnet.
01-23-2007 06:08 AM
Can you send a copy of the config you are working with, minus any sensitive info?
01-23-2007 06:12 AM
As it is an enterprise config, it has a huge amount of config detail, as well as being a security concern, so I couldn't.
Could you please guide me in troubleshooting this issue with the config details?
01-23-2007 06:19 AM
Okay, but it would be easier with the config. You need to do some debugging.
On the inside interface:
debug packet inside dst 192.168.2.5
When you telnet from the DMZ, do you see any packets in the debug? If you don't, then the traffic is not making it through the firewall.
Do you see any hits on the ACL applied to your DMZ interface?
Your ACL should read something like:
access-list DMZ_IN permit tcp host 10.22.1.10 host 192.168.2.5 eq 5555
Could you confirm what you mean by no NAT for this connection, i.e. could you show me that bit of the config?
Routing: is the 192.168.2.5 server on the same subnet as the PIX inside interface? If it isn't, does the PIX know how to route to that server? And does the server know how to route back to 10.22.1.10?
HTH
01-23-2007 06:27 AM
Hi, sorry Jon,
I am a newbie to PIX and am not aware of that much.
Could you please give me the command to see the routing... I tried sh ip route but in vain.
No NAT is configured like this:
access-list nonat permit ip any 192.168.2.0 255.255.255.0
01-23-2007 06:30 AM
I can telnet from the DMZ to the inside server. The thing is, I can't telnet from inside to the DMZ.
01-23-2007 06:37 AM
Do you have an ACL on the inside interface?
To view the routes you need "sh route"
Jon
01-23-2007 06:45 AM
No, there is no specific ACL for this subnet on the inside interface.
I can ping the server in the DMZ from the inside server, so it sounds like routing is there.
01-23-2007 07:23 AM
If you can ping the server in the DMZ from 192.168.2.5, then there should be nothing stopping telnet.
Are you telnetting on port 5555 or are you using telnet on port 23? Are you sure the service is up and running on the DMZ server?
If there are any other servers on the DMZ, try telnetting from there.
01-24-2007 02:32 AM
Hi Jon,
Thanks for your immediate reply. I haven't checked the service on the server; I will check it and come back to you if any help is required.