TCC_2

Core issue

This configuration previously used conduit statements. If the configuration contains conduits that allow inbound traffic to the internal servers and an access list is then applied to the outside interface, the access list overrides all of the conduit statements. Use either access lists or conduits to permit inbound traffic into the internal (DMZ) networks, but not both.

Resolution

At the end of every access list is an implicit deny ip any any statement. Therefore, if the access list does not explicitly permit inbound traffic, the traffic will be denied by default.

To fix the problem, migrate all of the conduit statements to the access list in the form of permit statements. Then remove the old conduit statements.
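
A sketch of that migration as an added example (not from the original document or from Cisco): it rewrites each conduit as an access-list entry, swapping the argument order because conduit lists the destination (global) address first while access-list lists the source first. The ACL name acl_outside, the addresses and the helper names are constructed for illustration, and the ACL is assumed to be the one already applied to the outside interface.

```python
# Added example: convert PIX conduit statements to access-list entries.
# conduit:     conduit ACTION PROTO <global/dst> [port] <foreign/src> [port] [icmp-type]
# access-list: access-list ID ACTION PROTO <src> [port] <dst> [port] [icmp-type]
PORT_OPS = {"eq": 1, "lt": 1, "gt": 1, "neq": 1, "range": 2}  # operator -> operand count

def _take(tok, n, what):
    # Remove and return the first n tokens, failing on a truncated statement.
    if len(tok) < n:
        raise ValueError(f"truncated {what}")
    head = tok[:n]
    del tok[:n]
    return head

def _addr(tok):
    # 'any' is one token; 'host A.B.C.D' and 'A.B.C.D MASK' are two.
    return _take(tok, 1 if tok[:1] == ["any"] else 2, "address")

def _port(tok):
    # Optional port qualifier following an address.
    return _take(tok, 1 + PORT_OPS[tok[0]], "port") if tok and tok[0] in PORT_OPS else []

def conduit_to_acl(line, acl_id):
    tok = line.split()
    if len(tok) < 5 or tok[0] != "conduit" or tok[1] not in ("permit", "deny"):
        raise ValueError(f"not a conduit statement: {line!r}")
    action, proto, rest = tok[1], tok[2], tok[3:]
    dst, dst_port = _addr(rest), _port(rest)   # conduit lists the destination first
    src, src_port = _addr(rest), _port(rest)
    # Anything left over (for example an ICMP type) stays at the end.
    return " ".join(["access-list", acl_id, action, proto,
                     *src, *src_port, *dst, *dst_port, *rest])

def migrate(config_lines, acl_id):
    conduits = [l.strip() for l in config_lines if l.strip().startswith("conduit ")]
    # Add the access-list entries first, then remove the old conduits.
    return ([conduit_to_acl(c, acl_id) for c in conduits] +
            ["no " + c for c in conduits])

# Constructed sample configuration (documentation address ranges).
SAMPLE = """\
conduit permit tcp host 192.0.2.10 eq www any
conduit permit tcp host 192.0.2.25 eq smtp 198.51.100.0 255.255.255.0
conduit permit udp host 192.0.2.53 eq domain any gt 1023
conduit permit icmp any any echo-reply
""".splitlines()

if __name__ == "__main__":
    print("\n".join(migrate(SAMPLE, "acl_outside")))
```

New entries are appended to the end of the named list, so any explicit deny already in that list still matches first; review the resulting order before removing the conduits.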

 

For more help with access lists on the PIX, see Using nat, global, static, conduit, and access-list Commands and Port Redirection on PIX.

PIX Syslogs

PIX-4-106023: Deny protocol src [inbound-interface]:[src_address/src_port] dst outbound-interface:dst_address/dst_port [type {type}, code {code}] by access_group access-list-name
