
DMZ Access List To Inside Network Problem

Running PIX 525

Cisco PIX Firewall Version 6.2(2)

Cisco PIX Device Manager Version 2.0(2)

I'm having some strange access problems from the DMZ to the internal network. This problem started about a week ago. I have several ports opened from my DMZ to my inside network (SMTP, FTP).

Some access lists are working, while some ports that were working have stopped. Listed below is the DMZ access list. Any help would be appreciated!!!

access-list DMZ permit icmp any host 172.16.2.22 echo-reply (hitcnt=4)
access-list DMZ permit icmp any host 172.16.2.34 echo-reply (hitcnt=8)
access-list DMZ permit icmp any host 172.16.2.24 echo-reply
access-list DMZ permit udp any host 172.16.2.1 eq domain
access-list DMZ permit icmp any host 172.16.2.15 echo-reply
access-list DMZ permit icmp any host 172.16.2.27 echo-reply
access-list DMZ permit tcp any host 172.16.2.27 eq smtp
access-list DMZ permit tcp host 192.168.1.7 any eq www
access-list DMZ permit tcp host 192.168.1.7 any eq ftp
access-list DMZ permit tcp any host 172.16.2.34 eq smtp
access-list DMZ permit tcp any host 172.16.2.29 eq ftp

1 REPLY
dro
New Member

Re: DMZ Access List To Inside Network Problem

Perhaps you should take a look at your system logs for any errors that are causing you problems. If you don't have system logs enabled, use these commands:

logging on
logging buffered warnings

If you have packets that are being blocked by your access lists, they will show up in the log as follows:

106023: Deny tcp src dmz:a.a.a.a/port dst inside:b.b.b.b/port by access-group "DMZ"

If the problem isn't related to the access lists, you should see some other type of error messages describing why the connection was blocked.

Regards,

-Joshua
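As an added example (not code from the thread), the script below parses the DMZ access list posted in the question and checks each 106023 deny message of the form shown in the reply against it, so a denied flow can be classified as expected (no entry covers it) or as contradicting the list as pasted. The log lines are constructed; only the `any` and `host` address forms used in the posted ACL and the tcp/udp form of the message are handled.

```python
import re
# Constructed from the DMZ access list posted in the question (hitcnt text dropped).
DMZ_ACL_TEXT = """\
access-list DMZ permit icmp any host 172.16.2.22 echo-reply
access-list DMZ permit udp any host 172.16.2.1 eq domain
access-list DMZ permit tcp any host 172.16.2.27 eq smtp
access-list DMZ permit tcp host 192.168.1.7 any eq www
access-list DMZ permit tcp host 192.168.1.7 any eq ftp
access-list DMZ permit tcp any host 172.16.2.34 eq smtp
access-list DMZ permit tcp any host 172.16.2.29 eq ftp
"""
PORT_NAMES = {"domain": 53, "smtp": 25, "www": 80, "ftp": 21}
# 106023 in the tcp/udp form shown in the reply (the icmp form carries no ports).
DENY_RE = re.compile(r'106023: Deny (\w+) src \w+:([\d.]+)/\d+ '
                     r'dst \w+:([\d.]+)/(\d+) by access-group "([^"]+)"')

def _addr(toks, i):
    """Return (matcher, next index) for the 'any' or 'host a.b.c.d' address forms."""
    if toks[i] == "host":
        want = toks[i + 1]
        return (lambda ip: ip == want), i + 2
    assert toks[i] == "any", "unsupported address form: " + toks[i]
    return (lambda ip: True), i + 1

def parse_acl(text):
    """Parse PIX 6.x access-list lines into (name, action, proto, src, dst, dport)."""
    aces = []
    for line in text.splitlines():
        toks = line.split()
        if len(toks) < 6 or toks[0] != "access-list":
            continue
        name, action, proto = toks[1], toks[2], toks[3]
        src, i = _addr(toks, 4)
        dst, i = _addr(toks, i)
        dport = None  # icmp entries end in a type name, not 'eq port'
        if i < len(toks) and toks[i] == "eq":
            dport = PORT_NAMES.get(toks[i + 1]) or int(toks[i + 1])
        aces.append((name, action, proto, src, dst, dport))
    return aces

def match_deny(log_line, aces):
    """Index of the first ACE that should have permitted the denied flow, else None."""
    if not (m := DENY_RE.search(log_line)):
        return None
    proto, sip, dip, dport, acl = m.group(1), m.group(2), m.group(3), int(m.group(4)), m.group(5)
    for idx, (name, action, aproto, src, dst, aport) in enumerate(aces):
        if name == acl and action == "permit" and aproto == proto and src(sip) and dst(dip):
            if aport is None or aport == dport:
                return idx
    return None
```

An index means the pasted list does cover the flow, so the running configuration or its access-group binding differs from what was pasted; None means the deny is exactly what the list predicts.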
