
Pb access list pix 515 E V7.0

Hi

I have a little problem with my PIX.

When I open all ports between my DMZ and the outside (DMZ --> outside), the computers in the DMZ can access the Internet, but when I configure the access list it's not OK.

Please help me!!!!

My configuration is:

PIX Version 7.0(4)
!
hostname pixfirewall
domain-name default.domain.invalid
enable password xxx
names
name 192.168.38.201 SRV-DC1
name 192.168.38.205 SRV-ANTIVIRUS
name 192.168.38.203 SRV-MAIL
name 192.168.38.202 SRV-DC2
name 192.168.40.10 ISVW
!
interface Ethernet0
nameif Outside
security-level 0
ip address 192.168.2.50 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.39.251 255.255.255.0
!
interface Ethernet2
nameif DMZ
security-level 30
ip address 192.168.40.254 255.255.255.0
!
passwd HNMNAKnXWPPjlMLC encrypted
ftp mode passive
access-list Outside_access_in extended deny ip any any
access-list DMZ_access_in extended permit tcp any eq domain any eq domain
access-list DMZ_access_in extended permit udp any eq domain any eq domain
access-list DMZ_access_in extended permit tcp any eq 8080 any eq 8080
access-list DMZ_access_in extended permit tcp any eq www any eq www
access-list DMZ_access_in extended permit icmp any any
access-list DMZ_access_in extended deny ip any any
access-list inside_access_in extended permit icmp 192.168.38.0 255.255.255.0 any inactive
access-list inside_access_in extended permit ip 192.168.38.0 255.255.255.0 any inactive
access-list inside_access_in extended permit icmp any any inactive
access-list inside_access_in extended deny ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu Outside 1500
mtu DMZ 1500
failover
monitor-interface inside
monitor-interface Outside
monitor-interface DMZ
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
global (Outside) 1 192.168.2.32-192.168.2.39 netmask 255.255.255.0
global (DMZ) 1 192.168.40.20-192.168.40.50 netmask 255.255.255.0
nat (inside) 1 192.168.38.0 255.255.255.0
nat (DMZ) 1 192.168.40.0 255.255.255.0
access-group inside_access_in in interface inside
access-group Outside_access_in in interface Outside
access-group DMZ_access_in in interface DMZ
route inside 192.168.38.0 255.255.255.0 192.168.39.254 1
route Outside 0.0.0.0 0.0.0.0 192.168.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username admin password wq5THO2pQ8Zphhhk encrypted privilege 15
http server enable
http 192.168.38.0 255.255.255.0 inside
http 192.168.40.0 255.255.255.0 DMZ
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.39.252-192.168.39.254 inside
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable inside
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:xxx
: end

3 REPLIES

Re: Pb access list pix 515 E V7.0

Hi,

There is a problem in your access list DMZ_access_in.

Just correct the two lines which allow access to TCP ports 80 and 8080 as follows:

access-list DMZ_access_in extended permit tcp any any eq 8080
access-list DMZ_access_in extended permit tcp any any eq www

In your configuration you are matching both the source and destination ports to be 8080 and www. That's the mistake.

HTH

-VJ
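The mistake VJ points out is easy to repeat and easy to check for mechanically. The following Python lint is an added example (it is not part of this thread and not Cisco code): it parses PIX/ASA extended access-list lines and flags any tcp/udp entry that constrains the source port, since clients pick an ephemeral source port and such an entry will almost never match. It goes one step beyond VJ's reply: run over the poster's DMZ_access_in it reports the www and 8080 lines, and also the two domain lines, which have the same source-port pattern. The parser only understands the address forms (any, host, network mask) and port operators (eq, neq, lt, gt, range) used on this page; it is a review aid, not a complete ASA ACL grammar.

```python
"""Lint PIX/ASA extended access-list entries that match a source port."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_OPS = {"eq", "neq", "lt", "gt", "range"}


@dataclass
class AclEntry:
    name: str
    action: str
    proto: str
    src: str
    src_port: Optional[str]
    dst: str
    dst_port: Optional[str]
    inactive: bool
    raw: str


def _take_addr(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume one address spec (any | host A | A MASK); return (text, next index)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return f"host {tokens[i + 1]}", i + 2
    return f"{tokens[i]} {tokens[i + 1]}", i + 2


def _take_port(tokens: List[str], i: int) -> Tuple[Optional[str], int]:
    """Consume an optional port operator; return (text or None, next index)."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        if tokens[i] == "range":
            return f"range {tokens[i + 1]} {tokens[i + 2]}", i + 3
        return f"{tokens[i]} {tokens[i + 1]}", i + 2
    return None, i


def parse_acl_line(line: str) -> Optional[AclEntry]:
    """Parse one 'access-list NAME extended ACTION PROTO SRC [op PORT] DST [op PORT]' line."""
    tokens = line.split()
    if len(tokens) < 7 or tokens[0] != "access-list" or tokens[2] != "extended":
        return None
    name, action, proto = tokens[1], tokens[3], tokens[4]
    i = 5
    src, i = _take_addr(tokens, i)
    src_port, i = _take_port(tokens, i)
    dst, i = _take_addr(tokens, i)
    dst_port, i = _take_port(tokens, i)
    # Anything left (icmp type, 'inactive', 'log') is trailing; we only care about 'inactive'.
    inactive = "inactive" in tokens[i:]
    return AclEntry(name, action, proto, src, src_port, dst, dst_port, inactive, line.strip())


def lint_acl(config_text: str) -> List[str]:
    """Return one finding per tcp/udp entry that restricts the source port."""
    findings = []
    for line in config_text.splitlines():
        entry = parse_acl_line(line)
        if entry is None or entry.proto not in ("tcp", "udp"):
            continue
        if entry.src_port is not None:
            findings.append(
                f"{entry.name}: '{entry.raw}' matches source port '{entry.src_port}'; "
                f"clients use ephemeral source ports, so this line will rarely match. "
                f"Move the port condition to the destination only."
            )
    return findings


# The DMZ_access_in lines as posted in this thread (copied from the configuration above).
SAMPLE_DMZ_ACL = """\
access-list DMZ_access_in extended permit tcp any eq domain any eq domain
access-list DMZ_access_in extended permit udp any eq domain any eq domain
access-list DMZ_access_in extended permit tcp any eq 8080 any eq 8080
access-list DMZ_access_in extended permit tcp any eq www any eq www
access-list DMZ_access_in extended permit icmp any any
access-list DMZ_access_in extended deny ip any any
"""

# The two lines as corrected in VJ's reply.
CORRECTED_DMZ_ACL = """\
access-list DMZ_access_in extended permit tcp any any eq 8080
access-list DMZ_access_in extended permit tcp any any eq www
"""

if __name__ == "__main__":
    for finding in lint_acl(SAMPLE_DMZ_ACL):
        print(finding)
    print(f"corrected lines: {len(lint_acl(CORRECTED_DMZ_ACL))} findings")
```

Running it against the posted configuration produces four findings (the two domain lines plus the 8080 and www lines) and none against VJ's corrected lines. The same check can be run over a whole `show running-config` dump, since lines that are not extended access-list entries are skipped.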

Re: Pb access list pix 515 E V7.0

THANK YOU VERY VERY MUCH!!!!!!!!!!!

Re: Pb access list pix 515 E V7.0

Hi,

Please rate the post if it has helped you in any way.

-VJ
