04-21-2003 03:11 PM - edited 03-09-2019 02:58 AM
Hi,
Allowing inbound traffic from lower security to high security doesn't seem to work properly. Does anyone have the same experience? I have a PIX 515 v6.2(2) with 6 interfaces. As per the docs, static/access-list/access-group commands are required. Is there anything that I missed from below? There is no problem with inbound traffic to lower security to high security.
- Inside: 203.1.108.x network (security 100)
- tmd4: 10.1.1.x network (security 20)
- Inside is NATed via the tmd4 interface
-------------------------------------------------------------------------------
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

global (outside) 1 interface
global (tmd4) 1 interface

static (inside,tmd4) 10.1.1.9 203.1.108.22 netmask 255.255.255.255
access-list acl_tmd4 permit tcp any host 10.1.1.9
access-group acl_tmd4 in interface tmd4
-------------------------------------------------------------------------------
I really appreciate your reply.
Regards,
DJ
04-21-2003 05:46 PM
What does the syslog show when you're trying to get to this host? Are you trying to connect to it via its name? You may find your host is doing a DNS lookup first, and that isn't allowed through to your DNS server if that's on the inside network.
Syslogs are always the best way to see what's being denied when you're having strange issues like this.
04-21-2003 06:10 PM
Thanks for your reply. I can see the hit count increasing in the "sh access-list" output whenever I try to access the server. Does NAT and PAT on the lower interface matter for this issue? I haven't set up syslog yet. Can you please give me a link for setting up syslog? PIX is new to me as yet. Regards,
04-22-2003 01:17 AM
Hello,
You can use the debug statements on the PIX:
debug packet tmd4 dst 10.1.1.9
and then
debug packet inside
Capture the debug output on the PIX and see if all the packets are TCP or if you have any other types of protocols.
Hope this can help.
04-22-2003 12:55 AM
If you want to access the hosts on the high security side from the low security side, you must use the "conduit" command; "conduit" is used to establish a channel that bypasses the PIX ASA.
scorpions
04-22-2003 07:39 AM
No, you do not want to mix conduits and ACLs. Try changing the ACL to
access-list acl_tmd4 permit ip any host 10.1.1.9
I'm assuming that there are no problems on the inside_access_in ACL preventing access to the servers on this interface. You could add
access-list inside_access_in permit ip 203.1.108.x y.y.y.y 10.1.1.x z.z.z.z
where y.y.y.y and z.z.z.z are your subnet masks.
To set up the syslog server, download the Cisco syslog server from the software download section on the main Cisco site. Install it on one of your servers, then add these lines:
logging on
logging timestamp
logging trap debugging
logging host inside machinename
You should see the logs getting generated.
Hopefully I haven't missed anything ;)
04-22-2003 03:10 PM
Thanks all, I didn't need conduit. I have verified that the statements below worked for me:
"static (inside,tmd4) 203.1.108.0 203.1.108.0 netmask 255.255.255.0
access-list acl_tmd4 permit tcp host 10.1.1.9 host 203.1.108.x
access-group acl_tmd4 in interface tmd4"
This is to allow any traffic from 10.1.1.9 to 203.1.108.x. I still need to apply a more restrictive access-list though.
Scorpion, thanks for the syslog info... will try.
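Added example, not part of the thread: a complete PIX 6.x configuration in the thread's own addressing that tightens the working rule from the last post to one inside host and one port, and adds the logging lines suggested earlier so that denies become visible. It helps to read the first post's static in light of the PIX syntax static (real_ifc,mapped_ifc) mapped_ip real_ip: that line mapped the inside host 203.1.108.22 to the address 10.1.1.9 on tmd4, but 10.1.1.9 is the host on the tmd4 side that is doing the connecting, and the ACL then permitted "any" to that mapped address. The working config instead uses an identity static for the whole inside subnet on tmd4 (the static overrides the nat/global pair for those addresses, so inside hosts keep their real addresses towards tmd4) and filters on the tmd4-side source. Assumptions: TCP port 80 as the service and 203.1.108.50 as the syslog server are placeholders chosen here; replace them with the real values. Lines beginning with ":" are comments.

```cisco
: Identity static: inside hosts appear on tmd4 with their real
: addresses. Needed because nat (inside) 1 / global (tmd4) 1 would
: otherwise PAT the inside subnet, so nothing on tmd4 could reach it.
static (inside,tmd4) 203.1.108.0 203.1.108.0 netmask 255.255.255.0

: Inbound (lower to higher) ACL on tmd4. Only the tmd4-side host
: 10.1.1.9 may open TCP/80 to the inside server 203.1.108.22.
: Everything else is dropped by the implicit deny at the end.
: Port 80 is a placeholder for the real service.
access-list acl_tmd4 permit tcp host 10.1.1.9 host 203.1.108.22 eq 80
access-group acl_tmd4 in interface tmd4

: Syslog to a server on the inside. "informational" is enough to see
: ACL denies (level 4) and connection built/teardown messages (level 6)
: without the flood that "debugging" (level 7) produces.
: 203.1.108.50 is a placeholder for the real syslog server.
logging on
logging timestamp
logging trap informational
logging host inside 203.1.108.50

: Verification from the PIX console while the tmd4 host connects:
: show access-list acl_tmd4   -> hitcnt on the permit line should rise
: show xlate                  -> identity translation 203.1.108.22
: show conn                   -> the TCP connection 10.1.1.9 -> 203.1.108.22
: show logging                -> deny messages name the blocking ACL
```

If you later replace the subnet-wide identity static with a single static (inside,tmd4) 203.1.108.22 203.1.108.22 netmask 255.255.255.255, keep the mapped and real address the same; a static whose mapped address collides with a live host on the lower-security segment, as in the first post, will never build the translation you expect. Note that PIX 6.2 has no per-entry "log" keyword on access-list (that arrived in 6.3), so the syslog trap level is what controls whether denies are reported.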