04-23-2008 10:20 AM - edited 03-11-2019 05:35 AM
Hi,
PIX 515e, upgraded from 6.3(5) to 7.2(3)
Upon rebooting, ACLs do not work to allow SMTP, RDP, etc.
Not sure if I am missing a command, etc. Please see config below:
PIX Version 7.2(3)
!
hostname PIX
domain-name Something.com
enable password xxx
names
dns-guard
!
interface Ethernet0
nameif outside
security-level 0
ip address x.x.x.66 255.255.255.248
!
interface Ethernet1
speed 100
duplex full
nameif inside
security-level 100
ip address 10.7.0.1 255.255.240.0
!
interface Ethernet2
speed 100
duplex full
nameif Pix_DVC
security-level 60
ip address 192.168.4.1 255.255.255.0
!
passwd xxx
boot system flash:/image.bin
ftp mode passive
dns server-group DefaultDNS
domain-name Something.com
access-list 101 extended permit ip 10.7.0.0 255.255.240.0 172.16.1.0 255.255.255.0
access-list 100 extended permit ip 10.7.0.0 255.255.240.0 172.16.1.0 255.255.255.0
access-list Outside_acl extended permit tcp host x.x.x.68 any eq www
access-list Outside_acl extended permit tcp host x.x.x.68 any eq 3389
access-list Outside_acl extended permit tcp host x.x.x.67 any eq smtp
access-list Outside_acl extended permit tcp host x.x.x.67 any eq domain
access-list Outside_acl extended permit tcp host x.x.x.67 any eq 3389
access-list DVC_acl extended permit tcp host x.x.x.70 any eq h323
pager lines 24
mtu outside 1500
mtu inside 1500
mtu NamPix_DVC 1500
ip local pool insidepool 172.16.1.1-172.16.1.255
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 x.x.x.69
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) x.x.x.68 10.7.0.50 netmask 255.255.255.255 tcp
static (inside,outside) x.x.x.67 10.7.0.70 netmask 255.255.255.255 tcp
static (NamPix_DVC,outside) x.x.x.70 192.168.4.5 netmask 255.255.255.255
access-group Outside_acl in interface outside
access-group inside_acl in interface inside
access-group DVC_acl in interface Pix_DVC
route outside 0.0.0.0 0.0.0.0 x.x.x.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set strong esp-des esp-md5-hmac
crypto dynamic-map dynmap 9 set transform-set strong
crypto map tovpn 40 ipsec-isakmp dynamic dynmap
crypto map tovpn interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
ssh version 1
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect http
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
04-23-2008 11:29 AM
Source and destination in the ACLs are backwards. Should be:
access-list Outside_acl extended permit tcp any host x.x.x.68 eq www
access-list Outside_acl extended permit tcp any host x.x.x.68 eq 3389
access-list Outside_acl extended permit tcp any host x.x.x.67 eq smtp
access-list Outside_acl extended permit tcp any host x.x.x.67 eq domain
access-list Outside_acl extended permit tcp any host x.x.x.67 eq 3389
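To make the fix above checkable, here is an added Python script (not from the post or from Cisco) that reads the post's static NAT and access-list lines, treats the addresses published by `static (...,outside)` as the expected destinations of an ACL applied inbound on outside, and rewrites any entry that has one of those addresses as the source with an `any` destination. The sample lines are constructed from the posted config, with the masked x.x.x.N addresses kept exactly as posted.

```python
import re
# Constructed sample taken from the post's config (public addresses left masked as x.x.x.N).
SAMPLE_CONFIG = """
static (inside,outside) x.x.x.68 10.7.0.50 netmask 255.255.255.255 tcp
static (inside,outside) x.x.x.67 10.7.0.70 netmask 255.255.255.255 tcp
access-list Outside_acl extended permit tcp host x.x.x.68 any eq www
access-list Outside_acl extended permit tcp host x.x.x.67 any eq smtp
access-list Outside_acl extended permit tcp any host x.x.x.67 eq 3389
""".strip().splitlines()

STATIC_RE = re.compile(r"^static \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) (?P<mapped>\S+) (?P<real>\S+)")
ACE_RE = re.compile(
    r"^access-list (?P<name>\S+) extended (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>host \S+|any) (?P<dst>host \S+|any)(?: eq (?P<port>\S+))?$"
)

def published_hosts(lines, mapped_if="outside"):
    """Addresses the firewall publishes on `mapped_if` through static NAT."""
    hosts = set()
    for line in lines:
        m = STATIC_RE.match(line.strip())
        if m and m.group("mapped_if") == mapped_if:
            hosts.add(m.group("mapped"))
    return hosts

def parse_ace(line):
    m = ACE_RE.match(line.strip())
    return m.groupdict() if m else None

def render_ace(ace):
    text = f"access-list {ace['name']} extended {ace['action']} {ace['proto']} {ace['src']} {ace['dst']}"
    return text + (f" eq {ace['port']}" if ace["port"] else "")

def is_reversed(ace, hosts):
    """In a PIX/ASA ACE the first address is the SOURCE, the second the DESTINATION.
    Inbound on outside, a published static address belongs in the destination; seeing
    it as the source with an 'any' destination means the fields were swapped."""
    src, dst = ace["src"], ace["dst"]
    return src.startswith("host ") and src.split()[1] in hosts and dst == "any"

def fix_ace(ace):
    """Return the ACE text with source and destination swapped back."""
    return render_ace(dict(ace, src=ace["dst"], dst=ace["src"]))

def audit(lines):
    """Return (original, corrected) pairs for ACEs that look reversed."""
    hosts = published_hosts(lines)
    aces = [(l.strip(), parse_ace(l)) for l in lines if l.strip().startswith("access-list ")]
    return [(text, fix_ace(ace)) for text, ace in aces if ace and is_reversed(ace, hosts)]
```

Running `audit(SAMPLE_CONFIG)` flags the two www and smtp entries and leaves the already-correct 3389 entry alone.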
04-24-2008 03:48 AM
Excellent. Thank you, I will correct that today.