Servers on the DMZ used to be able to download Windows Update from the Microsoft site. However, when the administrator tried to download the Windows Update recently, it failed. I monitored the PIX as he was doing it but no ports were being denied. I added the following:
access-list acl_dmz permit tcp 172.16.16.0 255.255.255.0 any
It started working. Can someone explain why? Your input is much appreciated.
That was exactly what I needed. I did a sh log and saw that the port 443 was being denied. What I am a bit confused about is that when I monitored it (term mon) as the user tried to access the site, I did not see any ports being denied. We have the following logging set on the firewall.
logging console notifications
logging monitor notifications
logging buffered notifications
Shouldn't a term mon have shown the ports blocked with logging console notifications (5)? As expected, the ports blocked were shown in sh log. It should have shown with term mon as well, true?