Cisco Support Community

New Member

ACL on PIX

Hi There,

Please explain to me what the difference is between these two ACLs:

access-list acl_dmz line 1 permit tcp host 10.22.1.10 host 192.168.2.5 eq 5555 (hitcnt=0)

access-list acl_dmz line 2 permit tcp host 10.22.1.10 eq 5555 host 192.168.2.5 (hitcnt=0)

As I am troubleshooting an issue, it is very. I would be grateful to get a reply at the earliest.

Thanks in advance

  • WAN Routing and Switching
13 REPLIES
Hall of Fame Super Blue

Re: ACL on PIX

Hi

The first line says allow the host 10.22.1.10 with any source port to talk to the host 192.168.2.5 on port 5555.

The second line says allow the host 10.22.1.10 with a source port of 5555 to talk to the host 192.168.2.5 on any port.

HTH
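
To make the source-port versus destination-port distinction concrete, here is a small PIX-style ACL matcher (added example, not code from the thread or from Cisco). It parses the two entries exactly as printed by "show access-list" above, applies PIX first-match semantics with the implicit deny at the end, and reports which entry a given packet hits. The port 41234 used as the telnet client's ephemeral source port is an assumed value.

```python
import ipaddress
import re

# Constructed sample: the two ACEs from the question, as printed by
# "show access-list" (the trailing hit counter is stripped before parsing).
ACL_DMZ_TEXT = [
    "access-list acl_dmz line 1 permit tcp host 10.22.1.10 host 192.168.2.5 eq 5555 (hitcnt=0)",
    "access-list acl_dmz line 2 permit tcp host 10.22.1.10 eq 5555 host 192.168.2.5 (hitcnt=0)",
]

def _addr(tokens):
    """Consume one PIX address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)

def _port(tokens):
    """Consume an optional 'eq N' qualifier; None means any port."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return int(tokens.pop(0))
    return None

def parse_ace(line):
    """Parse one access-list entry (only the syntax subset used in this thread)."""
    tokens = re.sub(r"\s*\(hitcnt=\d+\)", "", line).split()[2:]  # drop 'access-list <name>'
    if tokens[0] == "line":
        tokens = tokens[2:]  # drop the 'line N' label
    action, proto, tokens = tokens[0], tokens[1], tokens[2:]
    src, sport = _addr(tokens), _port(tokens)  # source spec, then optional source port
    dst, dport = _addr(tokens), _port(tokens)  # destination spec, then optional dest port
    return {"action": action, "proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}

def evaluate(acl_text, proto, src, sport, dst, dport):
    """Return (decision, 1-based ACE number); unmatched traffic hits the implicit deny (None)."""
    for n, ace in enumerate(map(parse_ace, acl_text), start=1):
        if ace["proto"] not in (proto, "ip"):
            continue
        if ipaddress.ip_address(src) not in ace["src"] or ipaddress.ip_address(dst) not in ace["dst"]:
            continue
        if ace["sport"] is not None and ace["sport"] != sport:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], n
    return "deny", None
```

Running `evaluate(ACL_DMZ_TEXT, "tcp", "10.22.1.10", 41234, "192.168.2.5", 5555)` returns `('permit', 1)`: a telnet to port 5555 is matched by line 1 only, while line 2 would only ever match traffic that leaves 10.22.1.10 from source port 5555.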

New Member

Re: ACL on PIX

Thanks for your immediate reply.

My PIX has both ACLs, but I couldn't telnet from 10.22.1.10 to 192.168.2.5:

telnet 192.168.2.5 5555

Will it allow this direction? 192.168.2.5 is in the inside network and 10.22.1.10 is in the DMZ.

Please shed some light on this.

Hall of Fame Super Blue

Re: ACL on PIX

Have you got a static entry for the server inside?

i.e. "static (inside,DMZ) 192.168.2.5 192.168.2.5 netmask 255.255.255.255"

Where I have put DMZ in the static statement, you need to put whatever your DMZ interface is called.

HTH

New Member

Re: ACL on PIX

There is an ACL stating no NAT is required for this subnet.

Hall of Fame Super Blue

Re: ACL on PIX

Can you send a copy of the config you are working with, minus any sensitive info?

New Member

Re: ACL on PIX

As it is an enterprise config, it has a huge amount of config details as well as security concerns, so I couldn't.

Could you please guide me to troubleshoot this issue with the config details?

Hall of Fame Super Blue

Re: ACL on PIX

Okay, but it would be easier with the config. You need to do some debugging.

On the inside interface:

debug packet inside dst 192.168.2.5

When you telnet from the DMZ, do you see any packets in the debug? If you don't, then the traffic is not making it through the firewall.

Do you see any hits on the ACL applied to your DMZ interface?

Your ACL should read something like:

access-list DMZ_IN permit tcp host 10.22.1.10 host 192.168.2.5 eq 5555

Could you confirm what you mean by no NAT for this connection, i.e. could you show me that bit of the config?

Routing: is the 192.168.2.5 server on the same subnet as the PIX inside interface? If it isn't, does the PIX know how to route to that server? And does the server know how to route back to 10.22.1.10?

HTH

New Member

Re: ACL on PIX

Hi, sorry Jon,

I am a newbie to PIX, so I am not aware of that much.

Could you please give me the command to see the routing... I tried sh ip route but in vain.

No NAT is configured like this:

access-list nonat permit ip any 192.168.2.0 255.255.255.0

New Member

Re: ACL on PIX

I can telnet from the DMZ to the inside server. The thing is, I can't telnet from inside to the DMZ.
