pix 515E - acl

I had the following configuration, but for example a web connection was impossible. When I removed "access-group acl_outside in interface outside" and "access-group acl_inside in interface inside", everything started working. What is wrong?

regards Mika

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
clock timezone GMT 0
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol icmp error
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list compiled
access-list acl_inside permit tcp 10.0.0.0 255.255.255.0 any eq www
access-list acl_inside permit tcp 10.0.0.0 255.255.255.0 any eq ftp
access-list acl_inside permit tcp host 10.0.0.3 any eq pop3
access-list acl_inside permit tcp 10.0.0.0 255.255.255.0 any eq smtp
access-list acl_inside permit icmp 10.0.0.0 255.255.255.0 any
access-list acl_inside permit tcp 10.0.0.0 255.255.255.0 any eq https
access-list acl_inside permit tcp host 10.0.0.12 any eq 3389
access-list acl_inside deny tcp any any
access-list acl_inside deny udp any any
access-list acl_outside permit icmp any any
access-list acl_outside permit tcp any host 22.205.22.21 eq pop3
pager lines 24
logging on
logging timestamp
logging buffered errors
logging trap warnings
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 22.205.22.21 255.255.255.252
ip address inside 10.0.0.1 255.255.255.0
no ip address intf2
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.255.255.0 0 0
static (inside,outside) tcp 22.205.22.21 pop3 10.0.0.3 pop3 netmask 255.255.255.255 0 0
access-group acl_outside in interface outside
access-group acl_inside in interface inside
route outside 0.0.0.0 0.0.0.0 22.205.22.20 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
snmp-server host inside 10.0.0.1
no snmp-server location
no snmp-server contact
snmp-server community RO
snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
Reply to
Mika Hanner

Maybe because you didn't allow DNS requests out from the LAN.

Chris.

Reply to
Chris

If you don't remove the outside access-list and only remove the inside access-list, does it still cause the problem?

Reply to
sarabjit.herr

I did it, but the situation is the same.

Reply to
Mika Hanner

yes

Reply to
Mika Hanner

So, when you look at the syslog information when it's not working, what do you see? If it works with no access list but not with the access list, then the security rules are blocking 'something'. If that is the case, then you will see an entry in syslog telling you what is blocked, to where, and on what port. Can you ping out via IP address? Can you resolve DNS? Can you send a DNS query to a DNS server using nslookup?

Chris.

Reply to
Chris

Now I know what the problem was. I created a rule for DNS based on the TCP protocol. I changed it to UDP and the problem has been resolved.

Reply to
Mika Hanner
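The thread's diagnosis, as an added example that is not part of the original posts: a small first-match evaluator for the acl_inside lines posted above. It walks the ACL the way the PIX does (first matching entry wins, and anything that matches nothing is denied by the implicit deny at the end), and runs a constructed web session from a LAN host through both the posted ACL and a copy with a UDP/53 permit inserted ahead of the deny lines. A browser has to resolve the server name over UDP/53 before it ever opens TCP/80, and the only UDP entry in the posted ACL is "deny udp any any", so the lookup fails and the page never loads, while a connection straight to an IP address on port 80 is permitted. The fixed permit line, the port-name table and the sample flows are mine, not from the original post.

```python
"""Added example: first-match evaluation of the posted PIX acl_inside ACL.

Not code from the thread. The 'fixed' ACL line, the PORT_NAMES table and the
sample flows below are assumptions constructed for this demonstration.
"""
import ipaddress

# Subset of PIX named ports used in the thread (assumption; the PIX knows more).
PORT_NAMES = {"www": 80, "ftp": 21, "pop3": 110, "smtp": 25,
              "https": 443, "domain": 53}

# The acl_inside entries exactly as posted.
ACL_INSIDE_POSTED = """
access-list acl_inside permit tcp 10.0.0.0 255.255.255.0 any eq www
access-list acl_inside permit tcp 10.0.0.0 255.255.255.0 any eq ftp
access-list acl_inside permit tcp host 10.0.0.3 any eq pop3
access-list acl_inside permit tcp 10.0.0.0 255.255.255.0 any eq smtp
access-list acl_inside permit icmp 10.0.0.0 255.255.255.0 any
access-list acl_inside permit tcp 10.0.0.0 255.255.255.0 any eq https
access-list acl_inside permit tcp host 10.0.0.12 any eq 3389
access-list acl_inside deny tcp any any
access-list acl_inside deny udp any any
"""

# Same ACL with a UDP DNS permit inserted before the deny lines (my addition).
ACL_INSIDE_FIXED = ACL_INSIDE_POSTED.replace(
    "access-list acl_inside deny tcp any any",
    "access-list acl_inside permit udp 10.0.0.0 255.255.255.0 any eq domain\n"
    "access-list acl_inside deny tcp any any")


def _parse_addr(tokens, i):
    """Consume one PIX address spec at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # 'network netmask' form; ip_network accepts a dotted netmask after '/'
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text, name):
    """Return the ACL's entries, in order, as (action, proto, src, dst, dst_port)."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[:2] != ["access-list", name]:
            continue
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        port = None
        if i < len(t) and t[i] == "eq":
            p = t[i + 1]
            if p in PORT_NAMES:
                port = PORT_NAMES[p]
            elif p.isdigit():
                port = int(p)
            else:
                raise ValueError(f"unknown port name {p!r} in: {line}")
        aces.append((action, proto, src, dst, port))
    return aces


def evaluate(aces, proto, src_ip, dst_ip, dst_port=None):
    """First match wins; return (action, 1-based ACE number) or ('deny', None)
    for the implicit deny that ends every PIX ACL."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, (action, p, src, dst, port) in enumerate(aces, 1):
        if p not in ("ip", proto):
            continue
        if s not in src or d not in dst:
            continue
        if port is not None and port != dst_port:
            continue
        return action, n
    return "deny", None


# Constructed flows for one web session from a LAN host (not from the thread).
FLOWS = [
    ("udp", "10.0.0.5", "192.0.2.53", 53),      # name lookup, what the browser does first
    ("tcp", "10.0.0.5", "192.0.2.53", 53),      # DNS over TCP, what a TCP-only rule covers
    ("tcp", "10.0.0.5", "198.51.100.10", 80),   # HTTP to the resolved address
    ("icmp", "10.0.0.5", "198.51.100.10", None),
]


def check(acl_text):
    """Map (proto, dst_port) of each sample flow to the ACL's verdict."""
    aces = parse_acl(acl_text, "acl_inside")
    return {(proto, port): evaluate(aces, proto, s, d, port)[0]
            for proto, s, d, port in FLOWS}


if __name__ == "__main__":
    for label, text in (("posted", ACL_INSIDE_POSTED), ("fixed", ACL_INSIDE_FIXED)):
        print(label)
        for flow, verdict in check(text).items():
            print("   ", flow, verdict)
```

Running it shows the posted ACL permitting TCP/80 and ICMP but denying UDP/53 on entry 9, and the fixed ACL permitting UDP/53 on the inserted entry 8 while still denying DNS over TCP; a protocol the ACL never names (GRE, say) falls through to the implicit deny in both. Two practitioner notes on Chris's advice to read the syslog: the posted config has no "logging host", so "logging trap warnings" sends nothing anywhere, and "logging buffered errors" keeps only severity 3 and below in the buffer, while the PIX ACL deny message (%PIX-4-106023) is severity 4, so "show logging" on this box would not have shown the denied DNS packets; raising the buffer to "logging buffered warnings" while troubleshooting would. That explanation is my reading of the posted config, not something the thread states.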

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.