After Upgrade, ACLs don't work

Answered Question
Apr 23rd, 2008

Hi,

PIX 515e, upgraded from 6.3(5) to 7.2(3).

Upon rebooting, ACLs do not work to allow SMTP, RDP, etc.

Not sure if I am missing a command, etc. Please see config below:


PIX Version 7.2(3)
!
hostname PIX
domain-name Something.com
enable password xxx
names
dns-guard
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address x.x.x.66 255.255.255.248
!
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.7.0.1 255.255.240.0
!
interface Ethernet2
 speed 100
 duplex full
 nameif Pix_DVC
 security-level 60
 ip address 192.168.4.1 255.255.255.0
!
passwd xxx
boot system flash:/image.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name Something.com

access-list 101 extended permit ip 10.7.0.0 255.255.240.0 172.16.1.0 255.255.255.0
access-list 100 extended permit ip 10.7.0.0 255.255.240.0 172.16.1.0 255.255.255.0

access-list Outside_acl extended permit tcp host x.x.x.68 any eq www
access-list Outside_acl extended permit tcp host x.x.x.68 any eq 3389
access-list Outside_acl extended permit tcp host x.x.x.67 any eq smtp
access-list Outside_acl extended permit tcp host x.x.x.67 any eq domain
access-list Outside_acl extended permit tcp host x.x.x.67 any eq 3389

access-list DVC_acl extended permit tcp host x.x.x.70 any eq h323

pager lines 24
mtu outside 1500
mtu inside 1500
mtu NamPix_DVC 1500
ip local pool insidepool 172.16.1.1-172.16.1.255
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
nat-control

global (outside) 1 x.x.x.69
nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) x.x.x.68 10.7.0.50 netmask 255.255.255.255 tcp
static (inside,outside) x.x.x.67 10.7.0.70 netmask 255.255.255.255 tcp
static (NamPix_DVC,outside) x.x.x.70 192.168.4.5 netmask 255.255.255.255

access-group Outside_acl in interface outside
access-group inside_acl in interface inside
access-group DVC_acl in interface Pix_DVC

route outside 0.0.0.0 0.0.0.0 x.x.x.65 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set strong esp-des esp-md5-hmac
crypto dynamic-map dynmap 9 set transform-set strong
crypto map tovpn 40 ipsec-isakmp dynamic dynmap
crypto map tovpn interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
ssh version 1
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp

Correct Answer by acomiskey about 8 years 10 months ago

Source and destination in ACLs are backwards. Should be...

access-list Outside_acl extended permit tcp any host x.x.x.68 eq www
access-list Outside_acl extended permit tcp any host x.x.x.68 eq 3389
access-list Outside_acl extended permit tcp any host x.x.x.67 eq smtp
access-list Outside_acl extended permit tcp any host x.x.x.67 eq domain
access-list Outside_acl extended permit tcp any host x.x.x.67 eq 3389
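As an added illustration of why the question's Outside_acl entries silently drop inbound SMTP and RDP while acomiskey's rewritten entries pass them (this is example code written for this page, not from the thread or from Cisco): a small Python model of PIX extended-ACL first-match evaluation, plus a lint that flags the "backwards" pattern. The redacted x.x.x. prefix is replaced by the documentation range 203.0.113.0/24 and the Internet client by 198.51.100.10; both are constructed placeholders, and the port-name table and the `reversed_entries` check are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample data: the five Outside_acl entries as posted in the question
# (source and destination reversed) and as corrected in the answer. The redacted
# "x.x.x." prefix is stood in for by the documentation range 203.0.113.0/24.
ORIGINAL_ACL = """
access-list Outside_acl extended permit tcp host 203.0.113.68 any eq www
access-list Outside_acl extended permit tcp host 203.0.113.68 any eq 3389
access-list Outside_acl extended permit tcp host 203.0.113.67 any eq smtp
access-list Outside_acl extended permit tcp host 203.0.113.67 any eq domain
access-list Outside_acl extended permit tcp host 203.0.113.67 any eq 3389
"""

CORRECTED_ACL = """
access-list Outside_acl extended permit tcp any host 203.0.113.68 eq www
access-list Outside_acl extended permit tcp any host 203.0.113.68 eq 3389
access-list Outside_acl extended permit tcp any host 203.0.113.67 eq smtp
access-list Outside_acl extended permit tcp any host 203.0.113.67 eq domain
access-list Outside_acl extended permit tcp any host 203.0.113.67 eq 3389
"""

# Public (static-NAT) addresses the firewall itself answers for on the outside.
LOCAL_PUBLIC_HOSTS = ["203.0.113.67", "203.0.113.68"]

# Service keywords used on this page, mapped to port numbers (assumed table).
PORT_NAMES = {"www": 80, "smtp": 25, "domain": 53, "h323": 1720}


@dataclass
class Ace:
    name: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]  # None means "any destination port"


def _parse_addr(tokens: List[str], i: int):
    """Parse one PIX address spec at tokens[i]: 'any', 'host A', or 'A MASK'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]'."""
    t = line.split()
    if len(t) < 8 or t[0] != "access-list" or t[2] != "extended":
        raise ValueError(f"not an extended ACE: {line!r}")
    src, i = _parse_addr(t, 5)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return Ace(name=t[1], action=t[3], proto=t[4], src=src, dst=dst, dport=dport)


def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(ln) for ln in text.strip().splitlines() if ln.strip()]


def first_match(aces, proto, src_ip, dst_ip, dport) -> Optional[Ace]:
    """First-match evaluation; None stands for the implicit deny at the end."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace.proto not in (proto, "ip"):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace
    return None


def permits(aces, proto, src_ip, dst_ip, dport) -> bool:
    m = first_match(aces, proto, src_ip, dst_ip, dport)
    return m is not None and m.action == "permit"


def reversed_entries(aces, local_public_hosts) -> List[Ace]:
    """Flag entries of an ACL applied inbound on the outside interface whose
    *source* is one of the firewall's own public addresses. A packet arriving
    from the Internet never carries that address as its source, so such an
    entry matches nothing and the traffic falls through to the implicit deny."""
    locals_ = {ipaddress.ip_network(h + "/32") for h in local_public_hosts}
    return [a for a in aces if a.src in locals_]


if __name__ == "__main__":
    # Inbound SMTP from an arbitrary Internet host (constructed) to the mail server's public address.
    pkt = ("tcp", "198.51.100.10", "203.0.113.67", 25)
    for label, text in (("original", ORIGINAL_ACL), ("corrected", CORRECTED_ACL)):
        acl = parse_acl(text)
        print(f"{label}: SMTP to x.x.x.67 permitted -> {permits(acl, *pkt)}; "
              f"reversed entries -> {len(reversed_entries(acl, LOCAL_PUBLIC_HOSTS))}")
```

Running it shows the original ACL denying the inbound SMTP connection (all five entries are flagged as reversed) and the corrected ACL permitting it. Note that the corrected entries name the mapped public address (x.x.x.67, x.x.x.68) rather than the inside host: on PIX 7.2, an ACL applied inbound on the outside interface is checked against the pre-translation (public) destination of a `static`, which is exactly what the answer writes.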
