We are having an issue allowing traffic to pass through our PIX 515e running 7.2(2). It seems like no matter what the ACL states, the traffic is always dropped by the implicit deny. I have even gone as far as to temporarily permit ALL IP traffic, and it still drops the packets with the implicit deny.
Firstly, we tried duplicating the rules we used on the 501 we had before, but it still didn't allow traffic through. I've tried using both the internal and external IPs of the device for the destination IP with no luck. I've tried scrapping the web browser entirely and just attempting to connect with telnet to the device with no success.
Here are the relevant parts of the config:
object-group service webserver tcp
 port-object eq www
 port-object eq https
access-list outside_access_in extended permit tcp any host 192.168.1.230 object-group webserver
Please let me know what I can do to get this config working again... it worked fine with the 501, but our office is getting too big for us to use that device any more. I'll be glad to provide more information if needed.
I have modified the ACL with your suggested changes, and connections still time out to the device behind the firewall. Also, our ASDM console is no longer accessible on the outside interface. I think that may be caused by permitting port 443 to another device, but I am not sure.
I have checked that no firewalls are running on that device, and also tested using the interface IP of the PIX outside interface, and still no joy.
I just can't figure out why this isn't working - it should pass through now with no problem, but the Packet Tracer in the ASDM still shows it matching the rules and passing through, then being dropped by the implicit deny. Why would it be checked twice - if it already passed the traffic, that should be it.
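A complete PIX 7.2 inbound web-access policy for the scenario in this thread, added here as a reference and not taken from the poster's configuration. It shows every piece that must be present for an inbound ACL on a 7.x PIX to take effect, plus the CLI checks that confirm which one is missing; 203.0.113.10 and 198.51.100.7 are placeholder documentation addresses, and only 192.168.1.230 and the object-group come from the post.

```cisco
! Added reference configuration, not the poster's own config.
! 203.0.113.10 = placeholder public (mapped) address for the web server
! 192.168.1.230 = inside web server from the post
!
! 1. Services permitted inbound: only 80/443 (same object-group as the post)
object-group service webserver tcp
 port-object eq www
 port-object eq https
!
! 2. Static translation. On 7.x an inbound connection to an inside host
!    must hit a static (or matching nat/global) entry; without a translation
!    the packet is dropped even if an ACL would otherwise permit it.
static (inside,outside) 203.0.113.10 192.168.1.230 netmask 255.255.255.255
!
! 3. Inbound ACL. On PIX/ASA before 8.3 the ACL applied to the outside
!    interface matches the MAPPED (public) address, not the real inside IP.
access-list outside_access_in extended permit tcp any host 203.0.113.10 object-group webserver
!
! 4. An ACL does nothing until bound to an interface. With no access-group
!    on "outside", traffic from the lower-security interface is denied by
!    default, which is what the implicit deny in Packet Tracer reports.
access-group outside_access_in in interface outside
!
! 5. Verify from the CLI instead of guessing (packet-tracer exists from 7.2):
!    packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.10 80
!    show access-list outside_access_in      ! hitcnt increments on a match
!    show running-config access-group        ! confirms the ACL is bound
!    show running-config static              ! confirms the translation exists
```

If packet-tracer reports the drop in the NAT phase rather than the ACL phase, the missing piece is the static, not the access-list.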