
New Member

My pix has a hole !!!


I have a small problem with the PIX firewall, and it is a small one; I just want to see if I can get your grey cells to work along with mine to resolve this small issue.

I have a Windows 2000 server which is also an Oracle server for one of our clients. The live IP address of the server is mapped to a static internal . This is for SQL access from the outside.

What happens is, if I am using the internet connection from, say, my home or anywhere else outside, and I click on Start > Run and then type // in the Open box and click on OK, after some time it comes back with "No Network Connection found". This is the same with Windows 95, Windows 98 or Windows NT Workstation.

If I try the same from another Windows 2000 Professional or Windows 2000 Server which has an internet connection, then surprisingly the shared folders of the server open up!!!! Amazingly, the server is just open.

Could you please let me know of any such issues with Windows 2000, what is to be done on the server side, what ports are to be blocked, or anything that will resolve this issue with my client, or he will have me for lunch this weekend :).



config:

nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 auto
interface ethernet1 auto
ip address outside
ip address inside
arp timeout 14400
mtu outside 1500
mtu inside 1500
nat (inside) 1
global (outside) 1
global (outside) 1
logging on
logging timestamp
no logging standby
logging console debugging
logging monitor debugging
logging buffered debugging
logging trap debugging
no logging history
logging facility 23
logging queue 512
access-list acl_in permit icmp any any
access-list acl_in permit tcp any any eq www
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host eq smtp
access-list acl_out permit tcp any host eq pop3
access-list acl_out permit tcp any host eq domain
access-list acl_out permit tcp any host eq sqlnet
route outside 0 0 1
static (inside, outside) netmask 0 0
static (inside, outside) netmask 0 0
access-group acl_in interface inside
access-group acl_out in interface outside
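The question above boils down to "which inbound ports does acl_out actually let through to the statically mapped hosts?" The following is an added example, not code from the original post or from Cisco: a small offline evaluator for PIX-style access-list lines that applies first-match-wins with the implicit deny at the end and reports whether the Windows file-sharing ports (TCP 139 for NetBIOS session service, TCP 445 for the direct-hosted SMB that Windows 2000 introduced) are reachable. The host addresses were stripped from the posted config, so the sample below uses constructed documentation-range placeholders; `LOOSE_ACL` is a constructed variant showing what the list looks like when a line permits a host without an `eq` port. The same parser can be pointed at acl_in to check what the inside hosts are allowed to initiate.

```python
"""Offline check of which inbound ports a PIX-style access-list permits.

Added example for the thread; not part of the original post or of Cisco's
software. It models only 'permit/deny <proto> <src> <dst> [eq <port>]' lines,
evaluated first-match-wins with an implicit deny, as an access-group applied
'in' on the outside interface would do.
"""
import ipaddress

# Constructed sample: the thread's acl_out with placeholder addresses
# (203.0.113.0/24 is documentation space); the real addresses were stripped.
SAMPLE_ACL = """\
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host 203.0.113.10 eq smtp
access-list acl_out permit tcp any host 203.0.113.10 eq pop3
access-list acl_out permit tcp any host 203.0.113.10 eq domain
access-list acl_out permit tcp any host 203.0.113.20 eq sqlnet
"""

# Constructed variant: one line without 'eq', which opens every TCP port on that host.
LOOSE_ACL = """\
access-list acl_out permit tcp any host 203.0.113.20
"""

# PIX port keywords (subset) mapped to numbers.
PORT_NAMES = {"www": 80, "smtp": 25, "pop3": 110, "domain": 53, "sqlnet": 1521,
              "netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139,
              "microsoft-ds": 445}

# TCP ports Windows file sharing listens on: 139 (NetBIOS session, Win9x/NT)
# and 445 (direct-hosted SMB, Windows 2000 and later).
SMB_PORTS = (139, 445)


def _take_addr(tokens):
    """Consume one address spec ('any', 'host A', or 'A MASK'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def _port(token):
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def parse_acl(text, name=None):
    """Parse access-list lines into rule dicts; optionally keep only one list name."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "access-list":
            continue
        if name is not None and parts[1] != name:
            continue
        action, proto = parts[2], parts[3]
        src, rest = _take_addr(parts[4:])
        dst, rest = _take_addr(rest)
        dport = _port(rest[1]) if rest[:1] == ["eq"] else None  # None = any port
        rules.append({"action": action, "proto": proto, "src": src,
                      "dst": dst, "dport": dport})
    return rules


def evaluate(rules, proto, dst_ip, dport=None, src_ip="198.51.100.7"):
    """First matching rule decides; no match means the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r["proto"] not in ("ip", proto):
            continue
        if src not in r["src"] or dst not in r["dst"]:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["action"]
    return "deny"


def smb_exposure(rules, hosts):
    """Return {(host, port): decision} for the SMB ports on each mapped host."""
    return {(h, p): evaluate(rules, "tcp", h, p) for h in hosts for p in SMB_PORTS}


if __name__ == "__main__":
    for label, text in (("posted acl_out", SAMPLE_ACL), ("loose variant", LOOSE_ACL)):
        rules = parse_acl(text, "acl_out")
        print(label)
        for (host, port), decision in sorted(smb_exposure(rules, ["203.0.113.20"]).items()):
            print(f"  {host}:{port} -> {decision}")
```

Run as-is, the posted list yields "deny" for both 139 and 445 on the sqlnet host, while the loose variant yields "permit" for both; that difference is exactly what to look for when a static mapping unexpectedly exposes shares, and the check is cheap enough to run against every `static` host before the change goes live.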

New Member

Re: My pix has a hole !!!

I don't know a lot about how Win2k tries to access shared drives; Win95 etc. use UDP ports, e.g. 138, 139, NetBIOS etc. Try taking out the

access-list acl_in permit tcp any any eq www

command. That should only allow an outside host to ping the inside host. Nothing else should be allowed in.

Also, I don't know if it is grammatical or just an error, but your access-group statement is wrong: it should have an "in" statement. Otherwise it won't be applied to the interface. (I think)

Hope it helps.

New Member

Re: My pix has a hole !!!

Thanks candy,

but the "in" was just missing in the config I put up; it is implemented in the real scenario. Well, the access-list acl_in permit tcp any any eq www was essential to allow the internal LAN computers to browse any web site outside using only port 80; well, that is essential for the LAN computers to be able to browse the internet, right....

Well, I'm still on the run for this solution, but I am sure I will get it and will post it when I get the right fix. Till then take care, and have a nice time.



New Member

Re: My pix has a hole !!!

You shouldn't allow your internal servers to initiate a www session with anything on the outside. Change your access-list to only allow clients to initiate http traffic.