In article , Corbin O'Reilly wrote:
:What command line do I need to add to my PIX to open
:Protocol ESP inbound? Thanks for the help.

show access-group

and look for the one marked as being against the 'outside' interface. The name there is the name of an access-list. show access-list that name:

pix> en
Password: ******
pix# show access-group
access-group CSM-acl-Goutside in interface outside
access-group CSM-acl-Ginside in interface inside
pix# show access-list CSM-acl-Ginside
access-list CSM-acl-Ginside line 1 permit ip host mrtserver ibdCX0 255.255.255.0 (hitcnt=0)
access-list CSM-acl-Ginside line 2 deny ip host 123.45.67.2 any (hitcnt=0)
access-list CSM-acl-Ginside line 3 permit tcp host netadmin host kazoo eq domain (hitcnt=0)
Look through the list and find the first 'deny' statement that would block ip access to the target host. [If there isn't any such statement, then the current deny is being handled by the implicit deny of everything at the end of the list.] You will have to add a 'permit' statement somewhere above that point.
If line numbers show up in the access-list display, as shown above, then you can insert -before- a given line by configuring a new statement for that line. For example,
pix# config t
pix(config)# access-list CSM-acl-Ginside line 2 permit esp host 88.77.66.55 host 123.45.67.2

This would result in the following ACL:

pix# show access-list CSM-acl-Ginside
access-list CSM-acl-Ginside line 1 permit ip host mrtserver ibdCX0 255.255.255.0 (hitcnt=0)
access-list CSM-acl-Ginside line 2 permit esp host 88.77.66.55 host 123.45.67.2 (hitcnt=0)
access-list CSM-acl-Ginside line 3 deny ip host 123.45.67.2 any (hitcnt=0)
access-list CSM-acl-Ginside line 4 permit tcp host netadmin host kazoo eq domain (hitcnt=0)
You would then test to see if it worked, and if it did you would
pix# write memory
to save the result as the new configuration.
If the line numbers do not show up for you when you show the access-list, then you are running an older PIX version that does not allow inline editing, and unless you go in via the graphical PDM, in order to insert something into the middle, you would effectively have to remove the existing ACL and put the revised version in its place. If you do that, then afterwards be sure to

pix(config)# access-group CSM-acl-Ginside in interface outside

(or as appropriate for whatever ACL you are using). This is essential!! When you remove an ACL, any access-group or crypto map or nat statements that refer to it are automatically removed as well, so you have to put the statements back again.
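The "find the first deny, insert a permit above it" procedure described above, as an added example that is not part of the original post: a small parser for the "show access-list" output format quoted in the reply that reports the ACL name and the line number before which the permit must go (None meaning only the implicit deny at the end applies), and builds the corresponding "access-list ... line N permit" statement. The sample output and the hostnames/addresses in it are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the format of the "show access-list" output quoted above.
SAMPLE = """\
access-list CSM-acl-Ginside line 1 permit ip host mrtserver ibdCX0 255.255.255.0 (hitcnt=0)
access-list CSM-acl-Ginside line 2 deny ip host 123.45.67.2 any (hitcnt=0)
access-list CSM-acl-Ginside line 3 permit tcp host netadmin host kazoo eq domain (hitcnt=0)
"""

ACE_RE = re.compile(r"^access-list (\S+) line (\d+) (permit|deny) (\S+) (.*?)(?: \(hitcnt=\d+\))?$")

def take_addr(tokens):
    """Consume one address spec: 'any', 'host X', or 'NET MASK'."""
    if tokens[0] == "any":
        return ("any",), tokens[1:]
    if tokens[0] == "host":
        return ("host", tokens[1]), tokens[2:]
    return ("net", tokens[0], tokens[1]), tokens[2:]

def parse_acl(text):
    """Yield (name, line, action, proto, src, dst) for each ACE line."""
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue  # prompts, banners, anything that is not an ACE
        name, line, action, proto, rest = m.groups()
        src, rest = take_addr(rest.split())
        dst, _ = take_addr(rest)  # trailing port qualifiers (eq domain) are ignored
        yield name, int(line), action, proto, src, dst

def covers(spec, host):
    """Does an address spec include host? Unresolvable names count as no match."""
    if spec[0] == "any":
        return True
    if spec[0] == "host":
        return spec[1] == host
    try:  # NET MASK form: check membership with a dotted-decimal mask
        return ipaddress.ip_address(host) in ipaddress.ip_network(f"{spec[1]}/{spec[2]}", strict=False)
    except ValueError:
        return False

def insertion_point(text, host, proto):
    """(acl_name, line) of the first deny that would drop proto traffic to or from
    host; line is None when only the implicit deny at the end of the list applies."""
    name = None
    for name, line, action, aceproto, src, dst in parse_acl(text):
        if action == "deny" and aceproto in ("ip", proto) and (covers(src, host) or covers(dst, host)):
            return name, line
    return name, None

def permit_command(name, line, proto, peer, host):
    """Build the permit statement to insert before the given line (appended if None)."""
    pos = f" line {line}" if line else ""
    return f"access-list {name}{pos} permit {proto} host {peer} host {host}"
```

Run against the sample it reports line 2 of CSM-acl-Ginside, which is exactly where the reply inserts the esp permit.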