02-24-2008 09:48 PM - edited 03-11-2019 05:08 AM
Cisco PIX Firewall Version 6.3
I recently enabled PPPoE and now my ACLs no longer permit incoming traffic to my public hosts (Outgoing traffic is fine).
I tried disabling 'ip audit', changing my static statements from 'interface' to the IP address, I even tried 'permit ip any any' and traffic still can't get through. The ACLs still show 'hitcnt=0' even though I'm hammering it from proxify.com and ShieldsUp.
I get nothing from 'debug packet outside', but when I run a capture it shows a lot of incoming requests in hex. When I import it into Ethereal, it shows a whole lot of incoming traffic, so it doesn't appear to be filtered by my ISP or my CPE.
For troubleshooting purposes, the Public address to my web server is http://74.2.65.94/
My PPPoE config:
ip address outside pppoe setroute
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname [MYPPPOEUSERNAME]
vpdn group pppoex ppp authentication pap
vpdn username [MYPPPOEUSERNAME] password *********
Attachments:
sh_run_080224.txt sanitized config
cap1.txt incoming hex dump
02-24-2008 11:32 PM
Hi,
The access lists are not bound to the outside interface.
Hence you need to add
access-list PUBLICHOSTS permit tcp any interface outside eq www
access-group PUBLICHOSTS in interface outside
Raj
02-25-2008 12:04 AM
rajbhatt- You ROCK!
How could I have forgotten to apply the ACL..?
I didn't need the other line:
access-list PUBLICHOSTS permit tcp any interface outside eq www
I think because I already have:
access-list PUBLICHOSTS permit tcp any host
THANKS!!
02-25-2008 12:58 AM
Hi,
Thanks
Please apply the keyword interface outside in the access list, as from PPPoE you may get a different IP address each time you connect.
Raj
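As an added check that is not part of this thread, a short Python script that scans a sanitised 'show run' for the two problems discussed above: an access-list that exists but has no access-group binding (so it sits at hitcnt=0), and an ACE that hard-codes a destination host while the outside interface is PPPoE. The sample config and the 203.0.113.5 address are constructed for the example, not taken from the poster's attachment.

```python
import re

# Constructed sample in the style of a sanitised PIX 6.3 'show run'.  It is
# not the poster's config: the outside interface is PPPoE, PUBLICHOSTS is
# defined but never bound, and one of its entries hard-codes a public IP.
SAMPLE_CONFIG = """\
ip address outside pppoe setroute
ip address inside 192.168.1.1 255.255.255.0
static (inside,outside) interface 192.168.1.10 netmask 255.255.255.255 0 0
access-list PUBLICHOSTS permit tcp any host 203.0.113.5 eq www
access-list PUBLICHOSTS permit tcp any interface outside eq https
access-list INSIDE_OUT permit ip any any
access-group INSIDE_OUT in interface inside
"""

ACE = re.compile(r"access-list (\S+) (?:permit|deny) (.+)")
BIND = re.compile(r"access-group (\S+) in interface (\S+)")
# protocol, then a source (any / host X / net mask), then a 'host <ip>' destination
DEST_HOST = re.compile(r"^\S+ (?:any|host \S+|\S+ \S+) host (\d+(?:\.\d+){3})")


def audit_pix_acls(config):
    """Return findings for ACLs that cannot work as intended.

    1. An access-list with no access-group binding is never evaluated by the
       PIX, so it stays at hitcnt=0 no matter how much traffic arrives.
    2. With 'ip address outside pppoe' the outside address can change on every
       reconnect, so ACEs that hard-code a destination host should use the
       'interface outside' keyword instead.
    """
    acls, bound, hardcoded, pppoe_outside = [], set(), [], False
    for line in config.splitlines():
        line = line.strip()
        if m := ACE.match(line):
            if m.group(1) not in acls:
                acls.append(m.group(1))
            if DEST_HOST.match(m.group(2)):
                hardcoded.append((m.group(1), line))
        elif m := BIND.match(line):
            bound.add(m.group(1))
        elif line.startswith("ip address outside pppoe"):
            pppoe_outside = True
    findings = [f"{n}: defined but not applied with access-group"
                for n in acls if n not in bound]
    if pppoe_outside:
        findings += [f"{n}: hard-coded destination host on PPPoE outside: {ace}"
                     for n, ace in hardcoded]
    return findings


if __name__ == "__main__":
    for finding in audit_pix_acls(SAMPLE_CONFIG):
        print(finding)
```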
02-25-2008 08:39 AM
Do you mean 'access-list PUBLICHOSTS permit tcp any interface outside eq www'?
I added it per your suggestion.
This is good for PPPoE?