Posted by on March 19, 2006, 2:14 pm
Went to the dc to replace, still cannot access any of the internal
services. Outgoing works no problem, just cannot bring up any of the
websites. Here is the latest:
It was my understanding that when you nat 0 an access list that
automatically sets up all of the statics for the incoming traffic ie
web sites, dns etc...
Outbound ICMP wasn't working, any help with this would be greatly
appreciated.
Thanks
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet1 vlan35 physical
interface ethernet1 vlan20 logical
interface ethernet1 vlan21 logical
interface ethernet1 vlan22 logical
interface ethernet1 vlan23 logical
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif vlan20 priv security96
nameif vlan21 reggie security99
nameif vlan22 net3 security98
nameif vlan23 net4 security97
hostname dimepix1
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network REGGIE_STATIC_HOSTS
network-object host 72.29.91.82
network-object host 72.29.91.83
network-object host 72.29.91.84
network-object host 72.29.91.85
network-object host 72.29.91.86
network-object host 72.29.91.87
network-object host 72.29.91.88
network-object host 72.29.91.89
network-object host 72.29.91.90
object-group network priv_hosts
network-object host 72.29.91.66
network-object host 72.29.91.67
network-object host 72.29.91.68
network-object host 72.29.91.69
network-object host 72.29.91.70
network-object host 72.29.91.71
network-object host 72.29.91.72
network-object host 72.29.91.73
network-object host 72.29.91.74
network-object host 72.29.91.76
network-object host 72.29.91.75
network-object host 72.29.91.77
network-object host 72.29.91.78
object-group network net3_hosts
network-object host 72.29.91.98
network-object host 72.29.91.99
network-object host 72.29.91.100
network-object host 72.29.91.101
network-object host 72.29.91.102
network-object host 72.29.91.103
network-object host 72.29.91.104
network-object host 72.29.91.105
network-object host 72.29.91.106
network-object host 72.29.91.107
network-object host 72.29.91.108
network-object host 72.29.91.109
network-object host 72.29.91.110
object-group network net4_hosts
network-object host 72.29.91.114
network-object host 72.29.91.115
network-object host 72.29.91.116
network-object host 72.29.91.117
network-object host 72.29.91.118
object-group protocol webservices
protocol-object tcp
object-group service web_service tcp
port-object eq ftp
port-object eq www
port-object eq https
object-group service mail_service tcp
description Allows mail services inbound
port-object eq smtp
port-object eq imap4
port-object eq pop3
object-group network webhosts
network-object host 72.29.91.84
network-object host 72.29.91.82
network-object host 72.29.91.85
network-object host 72.29.91.83
network-object host 72.29.91.86
network-object host 72.29.91.87
network-object host 72.29.91.88
network-object host 72.29.91.89
network-object host 72.29.91.66
network-object host 72.29.91.67
network-object host 72.29.91.68
network-object host 72.29.91.69
network-object host 72.29.91.70
network-object host 72.29.91.71
network-object host 72.29.91.72
network-object host 72.29.91.73
network-object host 72.29.91.77
network-object host 72.29.91.78
network-object host 72.29.91.98
network-object host 72.29.91.99
network-object host 72.29.91.100
network-object host 72.29.91.101
network-object host 72.29.91.102
network-object host 72.29.91.103
network-object host 72.29.91.104
network-object host 72.29.91.105
network-object host 72.29.91.106
network-object host 72.29.91.107
network-object host 72.29.91.108
network-object host 72.29.91.109
network-object host 72.29.91.74
object-group network mailhosts
network-object host 72.29.91.83
network-object host 72.29.91.66
network-object host 72.29.91.99
network-object host 72.29.91.114
network-object host 72.29.91.115
object-group network rdp_hosts
network-object host 72.29.91.84
network-object host 72.29.91.82
network-object host 72.29.91.83
network-object host 72.29.91.85
network-object host 72.29.91.66
network-object host 72.29.91.69
network-object host 72.29.91.107
network-object host 72.29.91.108
network-object host 72.29.91.109
object-group network dnshosts
network-object host 72.29.91.82
network-object host 72.29.91.83
network-object host 72.29.91.73
network-object host 72.29.91.76
network-object host 72.29.91.98
network-object host 72.29.91.99
network-object host 72.29.91.114
network-object host 72.29.91.115
access-list reggie_out_acl permit ip object-group REGGIE_STATIC_HOSTS
any
access-list priv_out_acl permit ip object-group priv_hosts any
access-list net3_out_acl permit ip object-group net3_hosts any
access-list net4_out_acl permit ip object-group net4_hosts any
access-list acl_in permit tcp any object-group webhosts object-group
web_service
access-list acl_in permit tcp any object-group mailhosts object-group
mail_service
access-list acl_in permit tcp any object-group rdp_hosts eq 3389
access-list acl_in permit tcp any object-group dnshosts eq domain
access-list acl_in permit udp any object-group dnshosts eq domain
access-list acl_in permit tcp any host 72.29.91.83 eq 7099
access-list acl_in permit tcp any host 72.29.91.82 eq 8888
access-list acl_in permit icmp any any
access-list acl_in permit tcp any host 72.29.91.66 eq 81
access-list acl_in permit tcp any host 72.29.91.66 range 7000 7500
access-list acl_in permit tcp any host 72.29.91.107 range 7000 7500
access-list acl_in permit tcp any host 72.29.91.114 eq ssh
access-list acl_in permit tcp any host 72.29.91.114 eq 993
access-list acl_in permit tcp any host 72.29.91.114 eq 995
access-list acl_in permit tcp any host 72.29.91.76 eq 9080
access-list acl_in permit tcp host 64.3.246.250 host 72.29.91.76 eq
1090
access-list acl_in permit tcp host 24.73.161.202 any eq ssh
access-list acl_in permit tcp host 24.73.161.202 any eq 3389
access-list acl_in permit tcp host 24.73.161.202 any eq 9999
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 72.29.91.125 255.255.255.248
no ip address inside
ip address intf2 10.5.250.1 255.255.0.0
ip address priv 72.29.91.65 255.255.255.240
ip address reggie 72.29.91.81 255.255.255.240
ip address net3 72.29.91.97 255.255.255.240
ip address net4 72.29.91.113 255.255.255.248
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address priv
no failover ip address reggie
no failover ip address net3
no failover ip address net4
pdm history enable
arp timeout 14400
nat (priv) 0 access-list priv_out_acl
nat (reggie) 0 access-list reggie_out_acl
nat (net3) 0 access-list net3_out_acl
nat (net4) 0 access-list net4_out_acl
access-group priv_out_acl in interface priv
access-group reggie_out_acl in interface reggie
access-group net3_out_acl in interface net3
access-group net4_out_acl in interface net4
route outside 0.0.0.0 0.0.0.0 72.29.91.126 1
Posted by on March 19, 2006, 4:16 pm
I narrowed it down to a very minimal config, still can't get it to
work, I can ping from the firewall to the inside host, I can ping the
firewall, shows the access-list 115 receiving traffic.
dimepix1(config)# show access-list 115
access-list 115; 4 elements
access-list 115 line 1 permit icmp any any (hitcnt=66)
access-list 115 line 2 permit ip any host 72.29.91.84 (hitcnt=3)
access-list 115 line 3 permit tcp any host 72.29.91.84 (hitcnt=0)
access-list 115 line 4 permit udp any host 72.29.91.84 (hitcnt=0)
But my following config still will not work.
PIX Version 6.3(5)
interface ethernet0 auto shutdown
interface ethernet1 100full
interface ethernet1 vlan35 physical
interface ethernet1 vlan20 logical
interface ethernet1 vlan21 logical
interface ethernet1 vlan22 logical
interface ethernet1 vlan23 logical
interface ethernet2 100full
nameif ethernet0 goo security1
nameif ethernet1 inside security100
nameif ethernet2 outside security0
nameif vlan20 priv security96
nameif vlan21 reggie security99
nameif vlan22 net3 security98
nameif vlan23 net4 security97
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname dimepix1
domain-name host2max.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 109 permit ip 72.29.91.80 255.255.255.240 any
access-list 109 permit icmp any any
access-list 109 deny ip any any
access-list 110 permit ip 72.29.91.64 255.255.255.240 any
access-list 111 permit ip 72.29.91.96 255.255.255.240 any
access-list 112 permit ip 72.29.91.112 255.255.255.248 any
access-list 115 permit icmp any any
access-list 115 permit ip any host 72.29.91.84
access-list 115 permit tcp any host 72.29.91.84
access-list 115 permit udp any host 72.29.91.84
pager lines 24
mtu goo 1500
mtu inside 1500
mtu outside 1500
no ip address goo
no ip address inside
ip address outside 10.5.251.251 255.255.0.0
ip address priv 72.29.91.65 255.255.255.240
ip address reggie 72.29.91.81 255.255.255.240
ip address net3 72.29.91.97 255.255.255.240
ip address net4 72.29.91.113 255.255.255.248
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address goo
no failover ip address inside
no failover ip address outside
no failover ip address priv
no failover ip address reggie
no failover ip address net3
no failover ip address net4
pdm history enable
arp timeout 14400
nat (priv) 0 access-list 110
nat (reggie) 0 access-list 109
nat (net3) 0 access-list 111
nat (net4) 0 access-list 112
access-group 115 in interface outside
access-group 110 in interface priv
access-group 109 in interface reggie
access-group 111 in interface net3
access-group 112 in interface net4
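As an added example (not code from the thread or from Cisco), the following Python script performs the static check a reviewer would run on both configs above: which access-lists are defined, which are bound inbound with access-group, and which named interfaces have no inbound ACL at all. The two embedded excerpts are trimmed copies of the posted configs, constructed for the script (object-groups and unrelated lines omitted). On the first config it reports that acl_in is defined but never bound, and that the lowest-security interface, outside, carries no inbound ACL; on PIX 6.x, nat 0 with an access-list only exempts those hosts from translation, it does not by itself permit flows arriving on a lower-security interface, which still need an access-group on that interface. On the second config it shows access-list 115 bound to outside, matching the hit counts in the show output.

```python
"""Static checks for PIX 6.x-style configs (constructed example, not from
the thread). Parses nameif, access-list, access-group and nat 0 lines and
reports ACLs that filter nothing because they are never applied."""
import re
from collections import defaultdict

# Constructed, trimmed excerpt of the first config posted above.
FIRST_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif vlan20 priv security96
nameif vlan21 reggie security99
access-list reggie_out_acl permit ip object-group REGGIE_STATIC_HOSTS any
access-list priv_out_acl permit ip object-group priv_hosts any
access-list acl_in permit tcp any object-group webhosts object-group web_service
access-list acl_in permit icmp any any
nat (priv) 0 access-list priv_out_acl
nat (reggie) 0 access-list reggie_out_acl
access-group priv_out_acl in interface priv
access-group reggie_out_acl in interface reggie
"""

# Constructed, trimmed excerpt of the second (minimal) config posted above.
SECOND_CONFIG = """\
nameif ethernet0 goo security1
nameif ethernet1 inside security100
nameif ethernet2 outside security0
nameif vlan20 priv security96
nameif vlan21 reggie security99
access-list 109 permit ip 72.29.91.80 255.255.255.240 any
access-list 110 permit ip 72.29.91.64 255.255.255.240 any
access-list 115 permit icmp any any
access-list 115 permit ip any host 72.29.91.84
nat (priv) 0 access-list 110
nat (reggie) 0 access-list 109
access-group 115 in interface outside
access-group 110 in interface priv
access-group 109 in interface reggie
"""

NAMEIF_RE = re.compile(r"^nameif\s+\S+\s+(\S+)\s+security(\d+)\s*$")
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(.*)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)\s*$")
NAT0_RE = re.compile(r"^nat\s+\((\S+)\)\s+0\s+access-list\s+(\S+)\s*$")


def parse_config(text):
    """Collect interface security levels, ACL entries, inbound bindings
    (interface -> ACL name) and nat 0 exemptions (interface -> ACL name)."""
    cfg = {"interfaces": {}, "acls": defaultdict(list), "bound": {}, "nat0": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if (m := NAMEIF_RE.match(line)):
            cfg["interfaces"][m.group(1)] = int(m.group(2))
        elif (m := ACL_RE.match(line)):
            cfg["acls"][m.group(1)].append((m.group(2), m.group(3), m.group(4)))
        elif (m := GROUP_RE.match(line)):
            cfg["bound"][m.group(2)] = m.group(1)
        elif (m := NAT0_RE.match(line)):
            cfg["nat0"][m.group(1)] = m.group(2)
    return cfg


def unbound_acls(cfg):
    """ACLs that are defined but never applied with access-group; they have
    no effect on traffic, whatever their entries say."""
    return sorted(set(cfg["acls"]) - set(cfg["bound"].values()))


def interfaces_without_acl(cfg):
    """Named interfaces with no inbound access-group."""
    return sorted(i for i in cfg["interfaces"] if i not in cfg["bound"])


def lowest_security_interface(cfg):
    """The interface from which all other interfaces look 'higher security';
    new flows arriving here are dropped unless an ACL bound to it permits them."""
    return min(cfg["interfaces"], key=cfg["interfaces"].get)


def permitted_inbound(cfg):
    """Permit entries of the ACL bound to the lowest-security interface;
    empty when no ACL is bound there (nat 0 alone does not open anything)."""
    acl = cfg["bound"].get(lowest_security_interface(cfg))
    if acl is None:
        return []
    return [e for e in cfg["acls"][acl] if e[0] == "permit"]


def findings(cfg):
    """Human-readable summary of the checks above."""
    out = [f"unbound ACLs: {unbound_acls(cfg) or 'none'}",
           f"interfaces without inbound ACL: {interfaces_without_acl(cfg) or 'none'}",
           f"lowest-security interface: {lowest_security_interface(cfg)}",
           f"inbound permits on it: {len(permitted_inbound(cfg))}"]
    for iface, acl in cfg["nat0"].items():
        if acl not in cfg["acls"]:
            out.append(f"nat ({iface}) 0 references missing ACL {acl}")
    return out


if __name__ == "__main__":
    for label, text in (("first config", FIRST_CONFIG), ("second config", SECOND_CONFIG)):
        print(f"== {label} ==")
        for line in findings(parse_config(text)):
            print("  " + line)
```

The script only reads the four statement types it needs, so it can be pointed at a full `write terminal` dump; adding `static` or `icmp` statements to the parser is a matter of one more regex per statement type.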