Please explain to me what the difference is between these two ACLs:
access-list acl_dmz line 1 permit tcp host 10.22.1.10 host 192.168.2.5 eq
access-list acl_dmz line 2 permit tcp host 10.22.1.10 eq 5555 host 192.168
As I am troubleshooting an issue, it is very. I would be grateful to get a reply at the earliest.
Thanks in advance
The first line says allow the host 10.22.1.10 with any source port to talk to the host 192.168.2.5 on port 5555.
The second line says allow the host 10.22.1.10 with a source port of 5555 to talk to the host 192.168.2.5 on any port.
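To make the distinction in the reply above concrete, here is a small model of how a PIX extended ACE is matched against a flow, with first-match evaluation and the implicit deny. This is an added example, not code from the thread or from Cisco; the two ACL lines are written out the way the reply reads them (line 1 ending in `eq 5555`, line 2 ending in `host 192.168.2.5`), and the client source port 40000 is a constructed stand-in for whatever ephemeral port the telnet client picks.

```python
"""
Toy model of PIX/ASA extended ACE matching (added example, not from the thread).
Hosts and ports are the ones quoted in the thread; source port 40000 is a
constructed sample value standing in for any ephemeral client port.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: IPv4Address
    src_port: int
    dst_ip: IPv4Address
    dst_port: int


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp" or "ip" ("ip" matches any protocol)
    src: IPv4Network
    src_port: Optional[int]     # None means "any source port"
    dst: IPv4Network
    dst_port: Optional[int]     # None means "any destination port"

    def matches(self, f: Flow) -> bool:
        if self.proto != "ip" and self.proto != f.proto:
            return False
        if f.src_ip not in self.src or f.dst_ip not in self.dst:
            return False
        if self.src_port is not None and f.src_port != self.src_port:
            return False
        if self.dst_port is not None and f.dst_port != self.dst_port:
            return False
        return True


def _addr(toks: List[str], i: int) -> Tuple[IPv4Network, int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D MASK' starting at toks[i]."""
    if toks[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ip_network(toks[i + 1] + "/32"), i + 2
    return ip_network(f"{toks[i]}/{toks[i + 1]}"), i + 2


def _port(toks: List[str], i: int) -> Tuple[Optional[int], int]:
    """Parse an optional 'eq N' at toks[i]; only the 'eq' operator is modelled."""
    if i < len(toks) and toks[i] == "eq":
        return int(toks[i + 1]), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME [line N] permit|deny PROTO SRC [eq P] DST [eq P]'."""
    toks = line.split()
    if toks[0] != "access-list":
        raise ValueError("not an access-list line")
    i = 2                                   # skip 'access-list NAME'
    if toks[i] == "line":
        i += 2                              # skip 'line N'
    action, proto = toks[i], toks[i + 1]
    i += 2
    src, i = _addr(toks, i)
    src_port, i = _port(toks, i)            # 'eq' right after the source = source port
    dst, i = _addr(toks, i)
    dst_port, i = _port(toks, i)            # 'eq' after the destination = destination port
    return Ace(action, proto, src, src_port, dst, dst_port)


def evaluate(acl: List[Ace], flow: Flow) -> str:
    """First-match evaluation with the implicit deny at the end of every ACL."""
    for ace in acl:
        if ace.matches(flow):
            return ace.action
    return "deny"


def telnet_flow(src_port: int = 40000) -> Flow:
    """The flow that 'telnet 192.168.2.5 5555' from 10.22.1.10 generates."""
    return Flow("tcp", ip_address("10.22.1.10"), src_port,
                ip_address("192.168.2.5"), 5555)


if __name__ == "__main__":
    line1 = "access-list acl_dmz line 1 permit tcp host 10.22.1.10 host 192.168.2.5 eq 5555"
    line2 = "access-list acl_dmz line 2 permit tcp host 10.22.1.10 eq 5555 host 192.168.2.5"
    for label, text in (("line 1", line1), ("line 2", line2)):
        print(label, "->", evaluate([parse_ace(text)], telnet_flow()))
```

Only line 1 permits the telnet flow; line 2 would only match if the client happened to bind its source port to 5555, which a telnet client does not do. Because the PIX is stateful, the server's replies (5555 back to the ephemeral port) ride the connection entry created by line 1 and need no ACE of their own, so line 2 buys nothing for this direction.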
Thanks for your immediate reply.
My PIX has both ACLs, but I couldn't telnet from 10.22.1.10 to 192.168.2.5:
telnet 192.168.2.5 5555
Will it allow this direction? 192.168.2.5 is in the inside network and 10.22.1.10 is in the DMZ.
Please shed some light on this.
Have you got a static entry for the server inside?
i.e. "static (inside,DMZ) 192.168.2.5 192.168.2.5 netmask 255.255.255.255"
Where I have put DMZ in the static statement, you need to put whatever your DMZ interface is called.
As it is an enterprise config, it has a huge amount of config detail, as well as security concerns, so I couldn't.
Could you please guide me in troubleshooting this issue with config details?
Okay, but it would be easier with the config. You need to do some debugging.
On the inside interface
debug packet inside dst 192.168.2.5
When you telnet from the DMZ, do you see any packets in the debug output? If you don't, then the traffic is not making it through the firewall.
Do you see any hits on the ACL applied to your DMZ interface?
Your ACL should read something like:
access-list DMZ_IN permit tcp host 10.22.1.10 host 192.168.2.5 eq 5555
Could you confirm what you mean by no NAT for this connection, i.e. could you show me that bit of the config?
Routing: is the 192.168.2.5 server on the same subnet as the PIX inside interface? If it isn't, does the PIX know how to route to that server? And does the server know how to route back to 10.22.1.10?
Hi, sorry Jon,
I am a newbie to PIX and am not aware of that much.
Could you please give me the command to see the routing... I tried sh ip route but it was in vain.
No NAT is configured, like this:
access-list nonat permit ip any 192.168.2.0 255.255.255.0
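Pulling Jon's checklist together, this is what the relevant fragment of a PIX 6.x configuration looks like for the DMZ-to-inside flow under discussion, with the verification commands alongside. It is an added example, not configuration from the thread or from the poster's firewall: the interface name DMZ and the ACL name DMZ_IN are taken from Jon's replies, `<inside-next-hop>` is a placeholder, and the `nat 0` statement that would reference the poster's `nonat` ACL is deliberately left out because the thread never shows it.

```cisco
! Added example (not from the thread): PIX 6.x fragment for 10.22.1.10 (DMZ) -> 192.168.2.5 (inside).
! Assumed names: DMZ interface "DMZ", ACL "DMZ_IN". <inside-next-hop> is a placeholder.
!
! 1. Identity static so the inside server is reachable from the DMZ (Jon's first check)
static (inside,DMZ) 192.168.2.5 192.168.2.5 netmask 255.255.255.255
!
! 2. The poster's NAT-exemption ACL. The "nat ... 0 access-list nonat" line that binds it
!    to an interface is not shown in the thread, so it is not reproduced here.
access-list nonat permit ip any 192.168.2.0 255.255.255.0
!
! 3. Permit only the flow that is actually initiated: client, any source port -> server port 5555.
!    A second ACE keyed on source port 5555 would never match a telnet client.
access-list DMZ_IN permit tcp host 10.22.1.10 host 192.168.2.5 eq 5555
access-group DMZ_IN in interface DMZ
!
! 4. Only needed if 192.168.2.5 is not on the subnet directly attached to the inside interface
route inside 192.168.2.0 255.255.255.0 <inside-next-hop>
!
! Verification, following the order of Jon's questions:
!   show access-list DMZ_IN          -> hitcnt on the ACE should climb with each telnet attempt
!   show route                       -> the PIX routing table ("sh ip route" is IOS syntax, not PIX)
!   debug packet inside dst 192.168.2.5   -> packets egressing the inside interface toward the server
```

If the ACE hit count climbs but the debug on the inside interface stays silent, the problem sits between the ACL and the inside interface (translation or routing on the PIX); if the debug shows packets leaving but no SYN/ACK returning, the server or its default gateway does not know the way back to 10.22.1.10.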