Question : access-lists are not working
I cannot figure out why my access-lists are not working. I think it may be a NAT or routing issue but do not know enough about routing to determine.
cisco-pix(config)# sho route
outside 0.0.0.0 0.0.0.0 71.39.227.222 1 OTHER static   // What is this line doing? Is this the address that internal comps use for an IP on the internet?
outside 71.39.227.216 255.255.255.248 71.39.227.217 1 CONNECT static   // 71.39.227.217 is the outside IP address of the PIX
inside 192.168.4.0 255.255.255.0 192.168.4.1 1 CONNECT static

Is this line translating everything from the outside to a 192.168.4.xxx address?
cisco-pix(config)# sho nat
nat (inside) 1 192.168.4.0 255.255.255.0 0 0

If everything above is correct, shouldn't the following opened ports work?
cisco-pix(config)# show static
static (inside,outside) 71.39.227.218 192.168.4.137 netmask 255.255.255.255 0 0
static (inside,outside) 71.39.227.219 192.168.4.135 netmask 255.255.255.255 0 0
static (inside,outside) 71.39.227.220 192.168.4.132 netmask 255.255.255.255 0 0

cisco-pix(config)# sho access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)
            alert-interval 300
access-list inbound; 1 elements
access-list inbound line 1 permit icmp any any (hitcnt=0)
access-list outside; 12 elements
access-list outside line 1 permit icmp any any echo-reply (hitcnt=0)
access-list outside line 2 permit tcp any host 71.39.227.218 eq ssh (hitcnt=0)
access-list outside line 3 permit tcp any host 71.39.227.218 eq domain (hitcnt=0)
access-list outside line 4 permit tcp any host 71.39.227.218 eq www (hitcnt=0)
access-list outside line 5 permit icmp any host 71.39.227.218 echo-reply (hitcnt=0)
access-list outside line 6 permit tcp any host 71.39.227.219 eq ssh (hitcnt=0)
access-list outside line 7 permit tcp any host 71.39.227.219 eq domain (hitcnt=0)
access-list outside line 8 permit tcp any host 71.39.227.219 eq www (hitcnt=0)
access-list outside line 9 permit icmp any host 71.39.227.219 echo-reply (hitcnt=0)
access-list outside line 10 permit tcp any host 71.39.227.220 eq 3389 (hitcnt=0)
access-list outside line 11 permit tcp any host 71.39.227.220 eq www (hitcnt=0)
access-list outside line 12 permit icmp any host 71.39.227.220 echo-reply (hitcnt=0)
Answer : access-lists are not working
Add the following command:
access-group outside in interface outside
That will bind the access-list named outside to the PIX outside interface. After you add that command, run the following commands on the PIX as well:
clear xlate
clear arp
These refresh the PIX session table. Now to test this, be sure that the server 192.168.4.137 is able to browse the internet from BEHIND the PIX (don't bypass the PIX). If it is not able to go out to the internet, then check if you can reach the internet from the PIX itself. To check this, just do the following:
ping 71.39.227.222
ping 4.2.2.2
The first one is the default gateway, the 2nd one is an internet IP.
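As an added example (not part of the thread), a small Python lint that catches the two things the answer checks for on a PIX: an access-list that was defined but never applied with access-group, and an ACL destination host that has no static translation, which would be dropped before the ACL is ever consulted. The config is a constructed sample modelled on the poster's output, and the parser only handles the plain access-list / access-group / static syntax shown here.

```python
import re

# Constructed sample modelled on the poster's output (not their full config).
SAMPLE_CONFIG = """\
static (inside,outside) 71.39.227.218 192.168.4.137 netmask 255.255.255.255 0 0
static (inside,outside) 71.39.227.219 192.168.4.135 netmask 255.255.255.255 0 0
static (inside,outside) 71.39.227.220 192.168.4.132 netmask 255.255.255.255 0 0
access-list inbound permit icmp any any
access-list outside permit tcp any host 71.39.227.218 eq ssh
access-list outside permit tcp any host 71.39.227.219 eq www
access-list outside permit tcp any host 71.39.227.220 eq 3389
access-list outside permit tcp any host 71.39.227.221 eq www
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(?:permit|deny)\s+(.*)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")
# static (real_ifc,mapped_ifc) mapped_ip real_ip netmask ...  -> capture mapped_ip
STATIC_RE = re.compile(r"^static\s+\(\S+,\S+\)\s+(\S+)\s+\S+\s+netmask")

def destination_host(entry):
    """Destination IP of an ACE when written as `host A.B.C.D`, else None."""
    tok = entry.split()                 # protocol, source, destination, [eq port]
    i = 2 if tok[1] == "any" else 3     # `any` is one token; `host X` / `net mask` are two
    return tok[i + 1] if len(tok) > i + 1 and tok[i] == "host" else None

def audit(config):
    """Report ACLs never bound with access-group and ACL hosts lacking a static."""
    acls, bound, statics = {}, {}, set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append(m.group(2))
        elif m := GROUP_RE.match(line):
            bound[m.group(1)] = m.group(2)   # ACL name -> interface it is applied to
        elif m := STATIC_RE.match(line):
            statics.add(m.group(1))          # mapped (outside) addresses with a static
    unbound = sorted(name for name in acls if name not in bound)
    missing = sorted({h for aces in acls.values() for e in aces
                      for h in [destination_host(e)] if h and h not in statics})
    return {"unbound_acls": unbound, "hosts_without_static": missing}

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

On the sample it flags both ACLs as unbound and 71.39.227.221 as having no static; appending the access-group line from the answer clears the outside ACL from the report.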