PIX 6.3 - capture command

255.255.255.128 eq 5222
255.255.255.128
255.255.255.128 eq 5222
255.255.255.128

Actually, the third line doesn't make sense... "eq" is not a valid keyword with ICMP, and there's no such thing as an ICMP type 5222 packet.

Francois Labreque

Hello group members,

I have two PIX

PIX-A: 195.238.10.19 PIX-B: 212.217.89.23

Behind, private LAN

PIX-A: 192.168.10.0/25 PIX-B: 192.168.20.0/25

I need a VPN between those, so I've defined a no-nat access-list

access-list no-nat-pix-a permit ip 192.168.10.0 255.255.255.128 192.168.20.0 255.255.255.128
access-list no-nat-pix-a permit ip 192.168.20.0 255.255.255.128 192.168.10.0 255.255.255.128

and an access-list bound to what to encrypt to get to pix-b

access-list to-pix-b permit tcp 192.168.10.0 255.255.255.128 192.168.20.0 255.255.255.128 eq 5222
access-list to-pix-b permit tcp 192.168.20.0 255.255.255.128 192.168.10.0 255.255.255.128
access-list to-pix-b permit icmp 192.168.10.0 255.255.255.128 192.168.20.0 255.255.255.128 eq 5222
access-list to-pix-b permit icmp 192.168.20.0 255.255.255.128 192.168.10.0 255.255.255.128

It works OK.

I use the "capture" command to check if the VPN is going ok. Like

pix-a(config)# capture snoopy interface inside buffer 10000 circular

Using PDM, I redirect the flow to my browser.

In my web browser, using this capture command, I need to filter only what is going between the host 192.168.10.10 and the remote host 192.168.20.15.

How do I achieve it? It looks like I need to create a third access-list and apply it against the capture command.

I've tried, but I can't get it.

Can anybody shed some light on it?

Thank you very much,

Amaury

Amaury Ronflard

In article , Amaury Ronflard wrote:
:I have two PIX

255.255.255.128 eq 5222
255.255.255.128 eq 5222
255.255.255.128

The third and fourth lines duplicate the first and second.

You should only write the ACL in one direction, as if the data is going out of the local machine towards the remote machine. The ACL will automatically be matched in reverse for the remote traffic.

If you were to reverse the second line, the result would be a superset of the first, leaving the first unnecessary. I suspect you are trying to account for dynamic source ports and that the second line is actually a to-pix-a entry. If so, then if you are going to include a specific port number in that first to-pix-b line, you should exactly mirror it on b:

access-list to-pix-a permit tcp 192.168.20.0 255.255.255.128 eq 5222 192.168.10.0 255.255.255.128

Using a specific port number on a crypto map ACL will get you a warning about loss of efficiency. Earlier PIX versions prohibited using port numbers entirely.

:I use the "capture" command to check if the VPN is going ok. Like

:I need to filter only what
:is going between the host 192.168.10.10 and remote host 192.168.20.15

:How do I achieve it? It looks I need to create a third access-list and
:apply it against the capture command.

Right.

I have evidence that the capture ACL is -not- automatically read in reverse, so try

access-list capture_10_15_acl permit ip host 192.168.10.10 host 192.168.20.15
access-list capture_10_15_acl permit ip host 192.168.20.15 host 192.168.10.10
capture c10_15 access-list capture_10_15_acl

Walter Roberson
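A small checker for the two points made in this reply (a crypto-map ACL on one PIX should be the exact mirror of the other's, and a capture ACL needs both directions written out because it is not read in reverse). This is an added example, not code from the thread or from Cisco; it only understands the host/mask/eq access-list forms used above, and the sample entries are constructed from the thread's addresses and port.

```python
import re

# One PIX ACE of the shapes used in the thread: "host A" or "NET MASK" endpoints,
# with an optional "eq PORT" after the source and/or destination.
ACE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+permit\s+(?P<proto>\S+)\s+"
    r"(?P<src>host\s+\S+|\S+\s+\S+)(?:\s+eq\s+(?P<sport>\S+))?\s+"
    r"(?P<dst>host\s+\S+|\S+\s+\S+)(?:\s+eq\s+(?P<dport>\S+))?\s*$"
)

def parse_ace(line):
    """Return (proto, src, sport, dst, dport) for one access-list line."""
    m = ACE.match(line.strip())
    if not m:
        raise ValueError(f"cannot parse ACE: {line!r}")
    proto = m["proto"].lower()
    if proto in ("ip", "icmp") and (m["sport"] or m["dport"]):
        raise ValueError(f"'eq' is only meaningful for tcp/udp: {line!r}")
    src, dst = " ".join(m["src"].split()), " ".join(m["dst"].split())
    return (proto, src, m["sport"], dst, m["dport"])

def mirror(ace):
    """The same flow as seen from the other side: endpoints and ports swapped."""
    proto, src, sport, dst, dport = ace
    return (proto, dst, dport, src, sport)

def render(name, ace):
    proto, src, sport, dst, dport = ace
    out = f"access-list {name} permit {proto} {src}"
    out += f" eq {sport}" if sport else ""
    out += f" {dst}" + (f" eq {dport}" if dport else "")
    return out

def missing_mirrors(local_lines, remote_lines, remote_name):
    """Local crypto-map ACEs whose exact mirror is absent from the remote ACL."""
    remote = {parse_ace(l) for l in remote_lines}
    missing = []
    for line in local_lines:
        want = mirror(parse_ace(line))
        if want not in remote:
            missing.append(render(remote_name, want))
    return missing

def capture_covers_both_ways(lines):
    """True if every entry of a capture ACL has its reverse entry as well."""
    aces = {parse_ace(l) for l in lines}
    return all(mirror(a) in aces for a in aces)

# Constructed sample input built from the thread's addresses and port.
TO_PIX_B = ["access-list to-pix-b permit tcp 192.168.10.0 255.255.255.128 192.168.20.0 255.255.255.128 eq 5222"]
TO_PIX_A = ["access-list to-pix-a permit tcp 192.168.20.0 255.255.255.128 192.168.10.0 255.255.255.128"]
CAPTURE = ["access-list capture_10_15_acl permit ip host 192.168.10.10 host 192.168.20.15"]
```

Running `missing_mirrors(TO_PIX_B, TO_PIX_A, "to-pix-a")` prints the one entry PIX-B's list lacks (the `eq 5222` on the source side), and `capture_covers_both_ways(CAPTURE)` is False until the reverse host line is added.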

In article , Walter Roberson wrote:
:capture c10_15 access-list capture_10_15_acl

Sorry, you'll probably need to add the 'interface' specification to that.

Walter Roberson
