access-list addition blocking access to web server !?!

Some problems. Below is a production PIX. Needed to get an outside IP into 192.168.0.122 in a range of ports. Added a series of statics, as in

static (inside,outside) tcp interface 3060 192.168.0.122 3060 netmask 255.255.255.0

and an access list addition as in

access-list outside_access_in permit tcp any host 192.168.0.122 range 3060 3064
access-list outside_access_in permit udp any host 192.168.0.122 range 3060 3064

which are now not in the config you see below, because when they are there, no one can get into the web server at 192.168.2.121. That's the major issue.

I also noted that logging just seemed not to work at all, and that nothing was going to the Kiwi server either. I played with setting logging on to the console and for the telnet session; nothing. Also, my attempt to use the debug command got nowhere. As in debug packet interface src 206.186.59.97 dst 192.168.0.122 didn't take at all.

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password xxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxx encrypted
hostname xxxxxxxxxxxxxxxxx
domain-name xxxxxxxxxxxxxxxxxxx
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.0.101 xxxxxxxx1
name 192.168.0.102 xxxxxxxx2
name 192.168.0.112 xxxxxxxxf2
name 192.168.0.111 xxxxxxxxf1
name 192.168.2.121 xxxxxxxxweb
object-group service xxxxxxxx tcp
  port-object range 6990 6992
object-group network xxxxxxxxServers
  network-object xxxxxxxx1 255.255.255.255
  network-object xxxxxxxx2 255.255.255.255
object-group network xxxxxxxxServers_ref
  network-object 192.168.2.10 255.255.255.255
  network-object 192.168.2.11 255.255.255.255
object-group service PCAnywhere tcp-udp
  description PCAnywhere Standard Ports
  port-object range 5631 5632
object-group service PCAnyWeb tcp-udp
  description PCAnywhere and Web Services
  port-object range 5631 5632
  port-object range 80 80
access-list inside_outbound_nat0_acl permit ip any 192.168.0.192 255.255.255.
access-list outside_access_in permit tcp any interface outside object-group PCAnyWeb
access-list outside_access_in permit icmp any any echo
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit tcp any host 192.168.0.42 range 10000 10001
access-list dmz_access_in permit tcp host xxxxxxxxweb object-group xxxxxxxxServers_ref object-group xxxxxxxx
pager lines 24
logging on
logging timestamp
logging monitor debugging
logging host inside 192.168.0.244
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside xxxxxxxxxxxxxxx 255.255.255.252
ip address inside 192.168.0.2 255.255.255.0
ip address dmz 192.168.2.1 255.255.255.0
ip verify reverse-path interface outside
ip audit name checkit attack action alarm reset
ip audit interface outside checkit
ip audit info action alarm
ip audit attack action alarm
ip local pool boldsupport 192.168.0.200-192.168.0.230
pdm location 192.168.0.31 255.255.255.255 inside
pdm location xxxxxxxxf1 255.255.255.255 inside
pdm location 192.168.2.33 255.255.255.255 inside
pdm location xxxxxxxxweb 255.255.255.255 dmz
pdm location xxxxxxxx1 255.255.255.255 inside
pdm location xxxxxxxx2 255.255.255.255 inside
pdm location xxxxxxxxf2 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.255 inside
pdm location 192.168.2.10 255.255.255.255 dmz
pdm location 192.168.2.11 255.255.255.255 dmz
pdm group xxxxxxxxServers inside
pdm group xxxxxxxxServers_ref dmz reference xxxxxxxxServers
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) tcp interface www xxxxxxxxweb www netmask 255.255.255.255 0 0
static (dmz,outside) tcp interface pcanywhere-data xxxxxxxxweb pcanywhere-data netmask 255.255.255.255 0 0
static (dmz,outside) tcp interface 5632 xxxxxxxxweb 5632 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 10000 192.168.0.42 10000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 10001 192.168.0.42 10001 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 10002 192.168.0.42 10002 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 10003 192.168.0.42 10003 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3060 192.168.0.122 3060 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3061 192.168.0.122 3061 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3062 192.168.0.122 3062 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3063 192.168.0.122 3063 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3064 192.168.0.122 3064 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 3061 192.168.0.122 3061 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 3060 192.168.0.122 3060 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 3062 192.168.0.122 3062 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 3063 192.168.0.122 3063 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 3064 192.168.0.122 3064 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.2.10 xxxxxxxx1 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.2.11 xxxxxxxx2 netmask 255.255.255.255 0 0
static (dmz,inside) 192.168.0.121 xxxxxxxxweb netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 155.212.99.141 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.0.31 255.255.255.255 inside
http xxxxxxxxf1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
Barret Bonden
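As an added example, not part of the original post: the same port-forward for 192.168.0.122 written the way PIX 6.3 expects it, together with the logging lines needed to actually see what the firewall is dropping. Two points of 6.x behaviour matter. First, an ACL applied to the outside interface is evaluated against the translated destination, so for a "static ... interface" PAT the entry has to name "interface outside" (as the posted PCAnyWeb rule already does), not the real inside host. Second, "logging host" sends nothing to a syslog server until a "logging trap" level is set, "logging monitor" output only appears in a telnet session after "terminal monitor", and "debug packet" takes an interface name such as "outside" rather than the keyword "interface". The ports, hosts and the 206.186.59.97 test source come from the post; the trap level and the <outside-ip> placeholder are assumptions of this example.

```cisco
! Added example (not from the original post): PIX 6.3 static PAT for
! 192.168.0.122 tcp/udp 3060-3064 with the matching outside ACL and logging.
!
! Real-address form, as described in the post. On PIX 6.x the outside ACL is
! matched against the translated destination, which for "static ... interface"
! is the outside interface address, so this entry never matches the forwarded
! traffic:
!   access-list outside_access_in permit tcp any host 192.168.0.122 range 3060 3064
!
! Mapped-address form. PIX 6.3 static PAT takes one port per line, so one
! static per port and protocol; the ACL can cover the range in one entry.
static (inside,outside) tcp interface 3060 192.168.0.122 3060 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3061 192.168.0.122 3061 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3062 192.168.0.122 3062 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3063 192.168.0.122 3063 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3064 192.168.0.122 3064 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 3060 192.168.0.122 3060 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 3061 192.168.0.122 3061 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 3062 192.168.0.122 3062 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 3063 192.168.0.122 3063 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 3064 192.168.0.122 3064 netmask 255.255.255.255 0 0
access-list outside_access_in permit tcp any interface outside range 3060 3064
access-list outside_access_in permit udp any interface outside range 3060 3064
! Already bound in the posted config; repeating the binding is harmless.
access-group outside_access_in in interface outside
!
! Logging. The posted config has "logging host" but no "logging trap" level,
! so nothing is sent to the Kiwi server. "informational" is an assumed choice;
! "debugging" is noisier but shows ACL denies and translation messages too.
logging on
logging timestamp
logging trap informational
logging host inside 192.168.0.244
logging monitor debugging
!
! Checks, from exec mode in the telnet session. <outside-ip> is the masked
! outside interface address from the posted config.
!   terminal monitor
!   show xlate
!   show access-list outside_access_in
!   show logging
!   debug packet outside src 206.186.59.97 dst <outside-ip> proto tcp dport 3060 both
```

The hit counts in "show access-list outside_access_in" are the first thing to look at: if the new 3060-3064 entries never count up while the PCAnyWeb entry does, inbound packets are not matching them, and the web server problem should be chased separately with the same counters on the www static rather than by removing lines.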

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.