Can't understand why the same static/access-list works for only 1 PC, not others?

djkim
Level 1

I am confused about why the same access-list/static command to allow access from high to lower security works for only 1 PC, not other servers/PCs. Can you please advise? This is to allow access from tmd4 to the inside interface, such as terminal server access, any network mapping, or printing from the low to the high security interface.

The config is like this:

-------------------------------------------------------------

nat (inside) 1 0 0

global (tmd4) 1 interface

static (inside,tmd4) 203.1.108.22 203.1.108.22 255.255.255.255 0 0

access-list tmd4_access_prt permit tcp host 10.1.1.18 host 203.1.108.22

access-group tmd4_access_prt in interface tmd4

---------------------------------------------------------------------------------------

If I use 203.1.108.88 instead of 203.1.108.22 in the above access-list, I can access everything on 203.1.108.88, but not with any other IP addresses. I have been trying different combinations; I am running out of ideas, please help.

From the syslog, the errors captured are as below (when trying to access from a Win2K terminal services client; I know this server is working OK):

<166>Apr 24 2003 14:32:42: %PIX-6-302013: Built inbound TCP connection 574 for tmd4:10.1.1.18/1060 (10.1.1.18/1060) to inside:203.1.108.22/3389 (203.1.108.22/3389) <inside:255.255.255.255/netbios-dgm

<167>Apr 24 2003 14:32:55: %PIX-7-710005: UDP request discarded from 10.1.1.18/137 to tmd4:10.1.1.254/netbios-ns

<167>Apr 24 2003 14:32:56: %PIX-7-710005: UDP request discarded from 10.1.1.18/137 to tmd4:10.1.1.254/netbios-ns

<167>Apr 24 2003 14:32:58: %PIX-7-710005: UDP request discarded from 10.1.1.18/137 to tmd4:10.1.1.254/netbios-ns

<166>Apr 24 2003 14:33:40: %PIX-6-302014: Teardown TCP connection 572 for tmd4:10.1.1.18/1059 to inside:203.1.108.22/3389 duration 0:02:01 bytes 0 SYN Timeout

Many Thanks in advance,

DJ
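The syslog excerpt above already separates the two questions a troubleshooter has to ask: did the ACL/static let the SYN through, and did the inside host ever answer? A 302013 "Built inbound TCP connection" line means the PIX accepted the packet; a 302014 teardown with "bytes 0 SYN Timeout" means nothing came back from the inside host within the timeout. The following script is an added example (not part of the original post or of any Cisco tool) that parses lines in the format shown in the thread and separates those cases from the unrelated NetBIOS noise. The sample lines are constructed to mirror the post; the final teardown for connection 574 is an assumed line, added so that a built/teardown pair exists in the sample.

```python
import re

# Message formats are taken from the lines quoted in the post.
BUILT_RE = re.compile(
    r"%PIX-6-302013: Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) "
    r"for (?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) \S+ "
    r"to (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+)"
)
TEARDOWN_RE = re.compile(
    r"%PIX-6-302014: Teardown TCP connection (?P<id>\d+) "
    r"for (?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+) "
    r"duration (?P<dur>\S+) bytes (?P<bytes>\d+)(?: (?P<reason>.+))?$"
)
DISCARD_RE = re.compile(
    r"%PIX-7-710005: UDP request discarded from (?P<src>\S+) to (?P<dst>\S+)"
)

# Constructed sample modelled on the post; the last line (teardown of 574) is assumed.
SAMPLE_LOG = """\
<166>Apr 24 2003 14:32:42: %PIX-6-302013: Built inbound TCP connection 574 for tmd4:10.1.1.18/1060 (10.1.1.18/1060) to inside:203.1.108.22/3389 (203.1.108.22/3389)
<167>Apr 24 2003 14:32:55: %PIX-7-710005: UDP request discarded from 10.1.1.18/137 to tmd4:10.1.1.254/netbios-ns
<166>Apr 24 2003 14:33:40: %PIX-6-302014: Teardown TCP connection 572 for tmd4:10.1.1.18/1059 to inside:203.1.108.22/3389 duration 0:02:01 bytes 0 SYN Timeout
<166>Apr 24 2003 14:34:43: %PIX-6-302014: Teardown TCP connection 574 for tmd4:10.1.1.18/1060 to inside:203.1.108.22/3389 duration 0:02:01 bytes 0 SYN Timeout
"""


def classify(log_text):
    """Split PIX syslog text into built connections, half-open teardowns and noise.

    A teardown with 'SYN Timeout' and zero bytes is flagged as half-open: the
    firewall forwarded the SYN but never saw a SYN/ACK from the destination.
    """
    built = {}
    half_open = []
    noise = []
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            built[m["id"]] = m.groupdict()
            continue
        m = TEARDOWN_RE.search(line)
        if m:
            d = m.groupdict()
            if d["reason"] == "SYN Timeout" and int(d["bytes"]) == 0:
                half_open.append({
                    "conn_id": d["id"],
                    "src": f'{d["sif"]}:{d["sip"]}/{d["sport"]}',
                    "dst": f'{d["dif"]}:{d["dip"]}/{d["dport"]}',
                    # True when the matching "Built" line is in the same capture
                    "acl_permitted": d["id"] in built,
                })
            continue
        m = DISCARD_RE.search(line)
        if m:
            # NetBIOS name-service broadcasts hitting the interface address are
            # unrelated to the RDP problem and can be ignored.
            noise.append((m["src"], m["dst"]))
    return {"built": built, "half_open": half_open, "noise": noise}


def verdict(result):
    """One-line reading of the classification for the person doing the troubleshooting."""
    if not result["half_open"]:
        return "no half-open TCP connections seen; the ACL or static is the first thing to check"
    dsts = sorted({h["dst"] for h in result["half_open"]})
    return ("SYN forwarded to " + ", ".join(dsts)
            + " but no SYN/ACK returned: the ACL and static already permit the flow;"
            " check the destination host's route and ARP back toward the source")


if __name__ == "__main__":
    res = classify(SAMPLE_LOG)
    for h in res["half_open"]:
        print(h)
    print(verdict(res))
```

Run it against a larger syslog capture by replacing SAMPLE_LOG with the file contents; the useful signal is the combination of a Built line and a zero-byte SYN Timeout for the same connection id, which points away from the ACL and toward the return path.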

5 Replies

djkim
Level 1

I am sorry, a correction here: access from the low to the high interface. Thanks.

It's because that is all you allow: your access-list statement is from one host to one host. The host keyword signifies just one machine.

host 1.2.3.4

would mean that host

1.2.3.0 255.255.255.0

would mean the entire 1.2.3.0 subnet

I understand what you mean; if I add 203.1.108.88 as a host, I don't have any issue, but not with any other host....

yizhar
Level 1

Hi.

* You should check the TS configuration again: is the PIX the default gateway of the Terminal Server (or, at least, the TS must have a routing entry for the 10.1.1.0 network)? Use the command "route print" on the TS server.

* You should also reboot or clear the ARP cache on routers that might have a stale ARP entry for the failing IP address.

> access-list tmd4_access_prt permit tcp host 10.1.1.18 host 203.1.108.22

You had better be more specific in your ACL: only TCP port 3389 is sufficient for MS RDP.

Yizhar
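Two of the replies above are about what the access-list line itself matches: the earlier one points out that "host" means a single /32 while "1.2.3.0 255.255.255.0" means the whole subnet, and Yizhar's adds that the entry should be narrowed to TCP 3389. The following is an added example (not from the thread or from Cisco) of a small evaluator for PIX 6.x style ACL lines, so the effect of those two changes can be checked offline before touching the firewall. It assumes the PIX form of the address spec (a real subnet mask, not an IOS wildcard) and numeric ports only; it does not model the accompanying static.

```python
import ipaddress


def _parse_endpoint(tokens, i):
    """Consume one PIX address spec at tokens[i]: 'any', 'host A', or 'A MASK'."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        # 'host' is shorthand for a single address, i.e. a /32
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    # PIX takes a normal subnet mask here (255.255.255.0), not a wildcard
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text):
    """Return ordered ACEs from 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' lines."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue  # skip blank lines, comments and non-ACL commands
        name, action, proto = t[1], t[2], t[3]
        src, i = _parse_endpoint(t, 4)
        dst, i = _parse_endpoint(t, i)
        dport = None
        if i + 1 < len(t) and t[i] == "eq":
            dport = int(t[i + 1])  # numeric ports only in this example
        aces.append({"name": name, "action": action, "proto": proto,
                     "src": src, "dst": dst, "dport": dport})
    return aces


def evaluate(aces, proto, src_ip, dst_ip, dport):
    """First matching entry wins; anything unmatched falls to the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace["proto"] not in (proto, "ip"):
            continue
        if s in ace["src"] and d in ace["dst"] and ace["dport"] in (None, dport):
            return ace["action"] == "permit"
    return False


# The entry quoted in the thread, and a constructed alternative that covers the
# whole 203.1.108.0/24 inside subnet but only for RDP.
POSTED_ACL = "access-list tmd4_access_prt permit tcp host 10.1.1.18 host 203.1.108.22"
SUBNET_ACL = ("access-list tmd4_access_prt permit tcp host 10.1.1.18 "
              "203.1.108.0 255.255.255.0 eq 3389")


if __name__ == "__main__":
    for label, text in (("posted", POSTED_ACL), ("subnet", SUBNET_ACL)):
        aces = parse_acl(text)
        for dst in ("203.1.108.22", "203.1.108.88"):
            print(label, "10.1.1.18 ->", dst, "tcp/3389:",
                  "permit" if evaluate(aces, "tcp", "10.1.1.18", dst, 3389) else "deny")
```

The posted entry permits 10.1.1.18 to 203.1.108.22 and nothing else, which is why substituting .88 simply moves the one permitted host; the subnet form with "eq 3389" permits RDP to every host on 203.1.108.0/24 from that one source while still denying other ports. Whether the permitted SYN then gets an answer is a separate question for the static and the server's return route.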

*The TS doesn't require 10.1.1.x as its gateway; the TS is on the inside network, which is higher security than 10.1.1.x. If I try to access the TS from the same network, there is no issue.

*Won't a reload clear the ARP table? Or do I have to manually clear ARP on the PIX?

*I already tried allowing only 3389; it didn't make any difference, which is why I gave access to all ports.

DJ
