problems adding http and smtp on one access-list

pression2
Level 1

Hi everybody,

I'm trying to open ports 25 (smtp) and 80 (http) so clients on the outside interface can access the http mail and smtp of a server which is on the inside interface of the PIX.

What I've implemented is...

object-group service WATBC01 tcp
 description // WATBC01 open ports
 port-object eq www
 port-object eq smtp
access-list outside_access_in permit tcp any host 10.0.0.5 object-group WATBC01
static (inside,outside) 10.0.0.5 192.168.190.10 netmask 255.255.255.255 0 0

What I get after setting this up is the smtp port open, but http is not.

(I've used object-groups because I heard that it is not possible to set two access-lists for the same IP address. Even though I checked it out and it didn't work either.)

Could you help me, guys?

Thanks in advance.

2 Replies

gfullage
Cisco Employee

You can certainly add more than one ACL referencing the same IP address, so:

access-list outside_access_in permit tcp any host 10.0.0.5 eq www
access-list outside_access_in permit tcp any host 10.0.0.5 eq smtp

should work just as effectively. If you already tried this and it didn't work either, then the problem is probably something else. From a host on the inside of the PIX, can you web browse to 192.168.190.10? If not, then you have a server problem. If you can, check that you're not redirected to an https URL straight away or something like that. If this happens, then you'd need to add the following ACL as well:

access-list outside_access_in permit tcp any host 10.0.0.5 eq 443

What error do you get when you try and browse to this machine through the PIX?

I found out what the problem was. I tried to telnet to 10.0.0.5 on TCP port 80 from the outside router and I got the HTTP server response; the access-list was working correctly.

The problem was on the outside router: although http traffic had been redirected to IP 10.0.0.5, the router had an http service active that was blocking traffic to the PIX.

What I've done is change the service's socket from port 80 to port 8080 and it worked! Now it passes traffic OK.

Thank you gfullage, anyway!
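As an added example (not part of this thread or of any Cisco tool), a small Python checker that expands a service object-group into the ports it lists and evaluates the access-list the way the PIX does, first match wins, so you can confirm that the group form from the question and gfullage's two explicit entries permit the same ports (25 and 80) for 10.0.0.5. It understands only the command forms seen in this thread; the configuration strings are constructed from the posts above.

```python
import re
# Port names the PIX accepts in place of numbers (only those used in this thread).
PORT_NAMES = {"www": 80, "http": 80, "smtp": 25, "https": 443}
def port_number(token): return PORT_NAMES.get(token) or int(token)
ACE_RE = re.compile(r"access-list (\S+) (permit|deny) tcp any host (\S+) "
                    r"(?:eq (\S+)|object-group (\S+))$")

def parse_config(text):
    """ACL entries as (acl, action, dst_host, [ports]), service groups expanded."""
    groups, aces, current = {}, [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("description"):
            continue                               # blank line or group description
        if m := re.match(r"object-group service (\S+) tcp$", line):
            current = groups.setdefault(m.group(1), [])
        elif (m := re.match(r"port-object eq (\S+)$", line)) and current is not None:
            current.append(port_number(m.group(1)))
        else:
            current = None                         # any other command ends the group
            if m := ACE_RE.match(line):
                acl, action, host, port, grp = m.groups()
                ports = [port_number(port)] if port else list(groups[grp])
                aces.append((acl, action, host, ports))
    return aces

def permitted_ports(text, acl, host):
    """TCP ports of `host` that `acl` permits; first matching entry wins, as on the PIX."""
    decided, allowed = set(), set()
    for name, action, dst, ports in parse_config(text):
        if name == acl and dst == host:
            new = set(ports) - decided             # ports no earlier entry decided
            decided |= new
            if action == "permit":
                allowed |= new
    return allowed

# Constructed from the configuration posted in the question ...
GROUP_FORM = """
object-group service WATBC01 tcp
 description // WATBC01 open ports
 port-object eq www
 port-object eq smtp
access-list outside_access_in permit tcp any host 10.0.0.5 object-group WATBC01
static (inside,outside) 10.0.0.5 192.168.190.10 netmask 255.255.255.255 0 0
"""
# ... and the two explicit entries from gfullage's reply; both permit {25, 80}.
EXPLICIT_FORM = """
access-list outside_access_in permit tcp any host 10.0.0.5 eq www
access-list outside_access_in permit tcp any host 10.0.0.5 eq smtp
"""
```

Prepending a `deny ... eq www` entry to either configuration removes port 80 from the result, which is the first-match behaviour the checker models.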