Inbound traffic from lower security to high security interface

djkim
Level 1

Hi,

Allowing inbound traffic from lower security to high security doesn't seem to work properly. Does anyone have the same experience? I have a PIX 515 v6.2(2) with 6 interfaces. As per the docs, the static/access-list/access-group commands are required. Is there anything that I missed from below? There is no problem with inbound traffic to lower security to high security.

- Inside: 203.1.108.x network (security 100)
- tmd4: 10.1.1.x network (security 20)
- Inside is NATed via the tmd4 interface

-------------------------------------------------------------------------------

nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

global (outside) 1 interface
global (tmd4) 1 interface

static (inside,tmd4) 10.1.1.9 203.1.108.22 netmask 255.255.255.255
access-list acl_tmd4 permit tcp any host 10.1.1.9
access-group acl_tmd4 in interface tmd4

-------------------------------------------------------------------------------

I really appreciate your reply.

Regards,

DJ

6 Replies

gfullage
Cisco Employee

What does the syslog show when you're trying to get to this host? Are you trying to connect to it via its name? Because you may find your host is doing a DNS lookup first, and that isn't allowed through to your DNS server if that's on the inside network.

Syslogs are always the best way to see what's being denied when you're having strange issues like this.

Thanks for your reply. I can see the hit count increasing through the "sh access-list" command whenever I try to access the server. Does it matter with NAT and PAT on the lower interface for this issue? I haven't set up syslog yet. Can you please give a link for setting up syslog? PIX is new to me as yet.

Regards,

Hello

You can use the debug statements on the PIX:

debug packet tmd4 dst 10.1.1.9

and then

debug packet inside

Capture the debug on the PIX and see if all the packets are TCP or if you have any other type of protocol.

Hope this can help.

scorpions
Level 1

If you want to access the hosts on the high security side from the low security side, you must use the "conduit" command; "conduit" is used to establish a channel bypassing the PIX ASA.

scorpions

No, you do not want to mix conduits and ACLs. Try changing the ACL to

access-list acl_tmd4 permit ip any host 10.1.1.9

I'm assuming that there are no problems on the inside_access_in ACL preventing access to the servers on this interface. You could add

access-list inside_access_in permit ip 203.1.108.x y.y.y.y 10.1.1.x z.z.z.z

where y.y.y.y and z.z.z.z are your subnet masks.

To set up the syslog server, download the Cisco syslog server from the software download section on the main Cisco site. Install it on one of your servers, then add these lines:

logging on
logging timestamp
logging trap debugging
logging host inside machinename

You should see the logs getting generated.

Hopefully I haven't missed anything ;)
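Once logging is on, the deny messages themselves tell you which half of the static/access-list pair is failing. The following is an added example (not from any poster or from Cisco) that classifies PIX deny lines from a captured syslog and maps each to the usual fix. The sample lines are constructed, and the message formats (305005, 106023, 106001) are assumed from the public PIX message reference; exact output can vary between software versions.

```python
import re
from collections import Counter

# Constructed sample lines in PIX 6.x syslog style; the formats are an assumption
# taken from the public PIX message reference and may differ slightly by version.
SAMPLE_LOG = """\
Jan 10 2003 10:01:02 pix %PIX-3-305005: No translation group found for tcp src tmd4:10.1.1.9/33000 dst inside:203.1.108.22/80
Jan 10 2003 10:01:05 pix %PIX-4-106023: Deny udp src tmd4:10.1.1.9/33001 dst inside:203.1.108.22/53 by access-group "acl_tmd4"
Jan 10 2003 10:01:07 pix %PIX-4-106023: Deny tcp src tmd4:10.1.1.9/33002 dst inside:203.1.108.22/80 by access-group "acl_tmd4"
Jan 10 2003 10:01:09 pix %PIX-2-106001: Inbound TCP connection denied from 10.1.1.9/33003 to 203.1.108.22/80 flags SYN on interface tmd4
"""

ADDR = r"(?P<{n}>[\d.]+)/(?P<{n}_port>\d+)"
PATTERNS = {
    # 305005: the packet reached the low-security interface but no static/nat covered it
    "no-translation": re.compile(
        r"%PIX-3-305005: No translation group found for (?P<proto>\w+) "
        r"src (?P<src_if>\w+):" + ADDR.format(n="src") + r" dst (?P<dst_if>\w+):" + ADDR.format(n="dst")),
    # 106023: an access-list bound with access-group matched a deny (or its implicit deny)
    "acl-deny": re.compile(
        r"%PIX-4-106023: Deny (?P<proto>\w+) src (?P<src_if>\w+):" + ADDR.format(n="src")
        + r" dst (?P<dst_if>\w+):" + ADDR.format(n="dst") + r' by access-group "(?P<acl>[^"]+)"'),
    # 106001: inbound TCP on an interface with no static/access-list pair allowing it at all
    "no-inbound-permit": re.compile(
        r"%PIX-2-106001: Inbound TCP connection denied from " + ADDR.format(n="src")
        + r" to " + ADDR.format(n="dst") + r" flags .+? on interface (?P<src_if>\w+)"),
}
HINTS = {
    "no-translation": "add or verify the static (high,low) entry for this destination",
    "acl-deny": "the named access-list denied it; check protocol/port in its permit lines",
    "no-inbound-permit": "no access-group on this interface permits the flow",
}

def classify(line):
    """Return (cause, fields) for a recognised PIX deny line, else None."""
    for cause, pat in PATTERNS.items():
        m = pat.search(line)
        if m:
            return cause, m.groupdict()
    return None

def summarize(log_text):
    """Count denied flows by (cause, ingress interface, destination, dst port), with a hint each."""
    counts = Counter()
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            cause, f = hit
            counts[(cause, f["src_if"], f["dst"], f["dst_port"])] += 1
    return [(key, n, HINTS[key[0]]) for key, n in counts.most_common()]
```

In the constructed sample the udp/53 deny is exactly the DNS case raised above: the ACL permits only tcp, so a name lookup from the tmd4 host to an inside DNS server is dropped before the TCP connection is even attempted.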

Thanks All, I didn't need conduit. I have verified the statements below worked for me:

"static (inside,tmd4) 203.1.108.0 203.1.108.0 netmask 255.255.255.0

access-list acl_tmd4 permit tcp host 10.1.1.9 host 203.1.108.x

access-group acl_tmd4 in interface tmd4"

This is to allow any traffic from 10.1.1.9 to 203.1.108.x. I still need to apply more restrictive access-list though.

Scorpion, thanks for the syslog info... will try.