From: rg on
Hello,

I am not sure where I am going wrong here, but when I add the following 4
lines to my configuration, I lose the outbound access and gain web and smtp
server publishing. Could somebody tell me why and how to fix it?

access-list inbound permit tcp any host 67.81.19.32 eq https
access-list inbound permit tcp any host 67.81.19.32 eq smtp
access-group inbound in interface outside
static (inside,outside) 67.81.19.32 192.168.3.9 netmask 255.255.255.255 0 0

The full configuration is here:

PIX Version 6.3(5)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.3.0 LAN
object-group service Bittorrent_Azureus tcp-udp
description Bittorrent_Azureus
port-object range 24611 24611
access-list inbound permit tcp any host 67.81.19.32 eq https
access-list inbound permit tcp any host 67.81.19.32 eq smtp
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.3.3 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm drop
pdm location 192.168.0.0 255.255.0.0 inside
pdm location 10.0.0.0 255.0.0.0 inside
pdm location 192.168.3.9 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 67.81.19.32 192.168.3.9 netmask 255.255.255.255 0 0
access-group inbound in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.0.0 inside
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.3.22 /
floodguard enable
sysopt connection tcpmss 0
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
isakmp enable outside
telnet 192.168.0.0 255.255.0.0 inside
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 25
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain VISI

From: Walter Roberson on
In article <47fb8107$0$15186$607ed4bc(a)cv.net>, rg <nobody(a)nowher.net> wrote:

>I am not sure where I am going wrong here, but when I add the following 4
>lines to my configuration, I lose the outbound access and gain web and smtp
>server publishing. Could somebody tell me why and how to fix it?

>access-list inbound permit tcp any host 67.81.19.32 eq https
>access-list inbound permit tcp any host 67.81.19.32 eq smtp
>access-group inbound in interface outside
>static (inside,outside) 67.81.19.32 192.168.3.9 netmask 255.255.255.255 0 0

>PIX Version 6.3(5)

>ip address outside dhcp setroute

Where does that IP address 67.81.19.32 come from? Your outside
IP address is dhcp, so it could be anything and change at any
time. Is your provider *routing* 67.81.19.32 to your DHCP'd address?

Or is 67.81.19.32 what DHCP happens to be giving you for your
interface IP these days? If so, then your problem is that in PIX 6
you cannot refer to the outside interface by its IP address
and you cannot static the entire outside interface IP.

access-list inbound permit tcp any interface outside eq https
access-list inbound permit tcp any interface outside eq smtp
access-group inbound in interface outside
static (inside,outside) tcp interface https 192.168.3.9 https netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.3.9 smtp netmask 255.255.255.255
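As an added example (not part of the thread, and not code from either poster or from Cisco), a small Python lint that finds the pattern Walter describes, a one-to-one static pinning a literal global address to a DHCP-addressed outside interface, and emits the per-port "interface" form he recommends. The config excerpt is constructed from the lines quoted in this thread.

```python
import re
from typing import List, Tuple

# Constructed excerpt modelled on the thread's PIX 6.3(5) config (not the full post).
SAMPLE_CFG = """\
ip address outside dhcp setroute
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-list inbound permit tcp any host 67.81.19.32 eq https
access-list inbound permit tcp any host 67.81.19.32 eq smtp
static (inside,outside) 67.81.19.32 192.168.3.9 netmask 255.255.255.255 0 0
access-group inbound in interface outside
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# One-to-one static with a literal global address: static (real,mapped) GLOBAL LOCAL netmask ...
ONE_TO_ONE = re.compile(rf"^static \((\w+),(\w+)\) ({IPV4}) ({IPV4}) netmask", re.M)
# Inbound ACL entry that permits one port to a literal global host address.
ACL_HOST = re.compile(rf"^access-list (\S+) permit (tcp|udp) any host ({IPV4}) eq (\S+)", re.M)


def dhcp_interfaces(cfg: str) -> List[str]:
    """Interfaces whose address is learned via DHCP and can change on any renewal."""
    return re.findall(r"^ip address (\w+) dhcp", cfg, re.M)


def flag_statics(cfg: str) -> List[Tuple[str, str, str, str]]:
    """(global_ip, local_ip, real_if, mapped_if) for every one-to-one static that pins a
    literal global address to a DHCP-addressed interface. If that literal is the interface's
    own lease, PIX 6 cannot static the whole interface IP; if not, it goes stale on renewal."""
    dhcp = set(dhcp_interfaces(cfg))
    return [(g, l, real, mapped) for real, mapped, g, l in ONE_TO_ONE.findall(cfg)
            if mapped in dhcp]


def port_static_fix(cfg: str) -> List[str]:
    """Rewrite each flagged static and its ACL entries as per-port statics on the
    'interface' keyword, the form PIX 6 accepts for a DHCP-addressed outside interface."""
    acls, statics = [], []
    for glob, local, real, mapped in flag_statics(cfg):
        for acl, proto, ip, port in ACL_HOST.findall(cfg):
            if ip != glob:
                continue  # ACL entry is for some other address; leave it alone
            acls.append(f"access-list {acl} permit {proto} any interface {mapped} eq {port}")
            statics.append(f"static ({real},{mapped}) {proto} interface {port} {local} {port} "
                           "netmask 255.255.255.255")
    return acls + statics
```

Running it over the constructed excerpt reproduces the four replacement lines given above; a config whose outside address is static is left untouched.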
From: rg on
Thanks a lot. This is exactly what I was looking for. I didn't know how
to specify the interface.