Cisco Support Community
Problems with access-lists

Hey all.

Currently having problems with my access lists. I'm trying to forward (allow) port 35000 from outside to an internal host. However when I do this it knocks out my incoming mail rule (port 25) to the dmz.

It seems I cannot have

access-group outside_mail in interface outside

at the same time as

access-group torrent in interface outside

Outside: 212.x.x.93 (all internal PAT'ed to this)

DMZ: 172.16.1.0/24

Internal: 10.0.1.0/24

212.x.x.92 mail server NATed to 172.16.1.1

config:

PIX Version 7.1(1)

!

hostname XXXXXXXX

domain-name XXXXXXXXXXXXXX

enable password XXXXXXXXXXXXXX encrypted

names

name 10.0.10.0 VM_Management

!

interface Ethernet0

nameif outside

security-level 0

ip address XXXXXXXXXXXXX 255.255.255.240

!

interface Ethernet1

nameif inside

security-level 100

ip address 10.0.1.251 255.255.255.0

!

interface Ethernet2

shutdown

no nameif

security-level 99

no ip address


interface Ethernet3

shutdown

no nameif

security-level 90

no ip address

!

interface Ethernet4

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet5

nameif dmz

security-level 50

ip address 172.16.1.251 255.255.255.0

!

passwd XXXXXXXXXX encrypted

ftp mode passive

clock timezone GMT/BST 0

clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00

dns server-group DefaultDNS

domain-name XXXXXXXXXXXXXXXXX

access-list outside_mail extended permit tcp any host 212.x.x.92 eq smtp

access-list mail_outside extended permit tcp host 172.16.1.1 any eq smtp

access-list dmz_dns_outside extended permit tcp host 172.16.1.1 any eq domain

access-list dmz_dns_outside extended permit udp host 172.16.1.1 any eq domain

access-list dmz_mail_outside extended permit tcp host 172.16.1.1 any eq smtp

access-list dmz_www_outside extended permit tcp host 172.16.1.1 any eq www

access-list torrent extended permit udp any any eq 35000

access-list torrent extended permit tcp any any eq 35000

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu dmz 1500

no failover

asdm image flash:/asdm-511.bin

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

nat (dmz) 1 0.0.0.0 0.0.0.0

static (inside,outside) udp interface 35000 10.0.1.40 35000 netmask 255.255.255.255

static (inside,outside) tcp interface 35000 10.0.1.40 35000 netmask 255.255.255.255

static (inside,dmz) 10.0.1.0 10.0.1.0 netmask 255.255.255.0

static (dmz,inside) 10.0.2.0 10.0.2.0 netmask 255.255.255.0

static (dmz,outside) 212.33.100.92 172.16.1.1 netmask 255.255.255.255

static (inside,outside) 212.33.100.91 10.0.1.15 netmask 255.255.255.255

access-group torrent in interface outside

route outside 0.0.0.0 0.0.0.0 212.33.100.94 1

route inside VM_Management 255.255.255.0 10.0.1.251 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect pptp

inspect dns maximum-length 1000

!

service-policy global_policy global

Cryptochecksum:xxx

: end

3 REPLIES

Re: Problems with access-lists

You are right. For one direction (in or out), only one access-group per interface.

access-list outside_mail_torrent extended permit tcp any host 212.33.100.92 eq smtp

access-list outside_mail_torrent extended permit udp any any eq 35000

access-list outside_mail_torrent extended permit tcp any any eq 35000

access-group outside_mail_torrent in interface outside


Re: Problems with access-lists

Thanks rico.

So anything coming in from outside I have to define and encompass all in one access-group?

e.g.

port 45000 into inside

port 25 into dmz

port 80 into dmz

all have to be put in say outside_coming_in and applied via access-group outside_coming_in interface outside?

Seems a bit limited :)


Re: Problems with access-lists

Yes. After the incoming traffic has passed the ACL, the PIX routing table will send the traffic to the right interface (inside or dmz).
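The consolidation the two replies above describe, carried through for the posted config as an added example (it is not from anyone in this thread). The single inbound list merges the SMTP and port-35000 entries from the posted config with the "port 80 into dmz" case raised above, and the dmz_* lists that the posted config defines but never applies with an access-group are bound to the dmz interface, since without a bound list the DMZ host can reach any lower-security interface unrestricted. The list names outside_in and dmz_in are chosen here; every address, port and static comes from the posted config.

```cisco
! Added example, not from the thread or the posted config.
! Rule being applied: one access-group per interface per direction;
! binding a new list to the same interface/direction replaces the old one.
!
! --- Inbound on outside: one list, bound once ---
! SMTP to the DMZ mail server, reached through
!   static (dmz,outside) 212.33.100.92 172.16.1.1
access-list outside_in extended permit tcp any host 212.33.100.92 eq smtp
! HTTP to the same DMZ host (the "port 80 into dmz" case from the reply above)
access-list outside_in extended permit tcp any host 212.33.100.92 eq www
! Port 35000 forwarded to 10.0.1.40 through the two
!   static (inside,outside) {tcp|udp} interface 35000 10.0.1.40 35000
! entries; "any" as destination can be narrowed to the outside address once known
access-list outside_in extended permit tcp any any eq 35000
access-list outside_in extended permit udp any any eq 35000
! Explicit logged deny: same effect as the implicit deny, but hits are logged
access-list outside_in extended deny ip any any log
!
! This replaces the list currently bound here (torrent in the posted config)
access-group outside_in in interface outside
!
! --- Egress from the DMZ: the posted dmz_*/mail_outside lists are unbound ---
access-list dmz_in extended permit tcp host 172.16.1.1 any eq smtp
access-list dmz_in extended permit tcp host 172.16.1.1 any eq domain
access-list dmz_in extended permit udp host 172.16.1.1 any eq domain
access-list dmz_in extended permit tcp host 172.16.1.1 any eq www
access-list dmz_in extended deny ip any any log
access-group dmz_in in interface dmz
!
! --- Verify: exactly one "in" binding per interface, and per-line hit counts ---
show running-config access-group
show access-list outside_in
show access-list dmz_in
```

Once the new lists are bound, the superseded ones (outside_mail, torrent, mail_outside and the three dmz_* lists) serve no purpose and should be removed so the running config shows only what is enforced. Binding dmz_in means anything the DMZ host initiates that is not listed, including traffic toward the 10.0.1.0 and 10.0.2.0 identity statics, is now denied and logged; replies to connections opened from inside are stateful and unaffected.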
