Question : access-lists are not working

I cannot figure out why my access-lists are not working.
I think it may be a NAT or routing issue, but I do not know enough about routing to determine that.

cisco-pix(config)# sho route
        outside 0.0.0.0 0.0.0.0 71.39.227.222 1 OTHER static                                    // What is this line doing? Is this the address that internal comps use for an IP on the internet?
        outside 71.39.227.216 255.255.255.248 71.39.227.217 1 CONNECT static       // 71.39.227.217 is the outside IP address of the PIX
        inside 192.168.4.0 255.255.255.0 192.168.4.1 1 CONNECT static



Is this line translating everything from the outside to a 192.168.4.xxx address?
cisco-pix(config)# sho nat
nat (inside) 1 192.168.4.0 255.255.255.0 0 0



If everything above is correct, shouldn't the following opened ports work?
cisco-pix(config)# show static
static (inside,outside) 71.39.227.218 192.168.4.137 netmask 255.255.255.255 0 0
static (inside,outside) 71.39.227.219 192.168.4.135 netmask 255.255.255.255 0 0
static (inside,outside) 71.39.227.220 192.168.4.132 netmask 255.255.255.255 0 0

cisco-pix(config)# sho access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)
            alert-interval 300
access-list inbound; 1 elements
access-list inbound line 1 permit icmp any any (hitcnt=0)
access-list outside; 12 elements
access-list outside line 1 permit icmp any any echo-reply (hitcnt=0)
access-list outside line 2 permit tcp any host 71.39.227.218 eq ssh (hitcnt=0)
access-list outside line 3 permit tcp any host 71.39.227.218 eq domain (hitcnt=0)
access-list outside line 4 permit tcp any host 71.39.227.218 eq www (hitcnt=0)
access-list outside line 5 permit icmp any host 71.39.227.218 echo-reply (hitcnt=0)
access-list outside line 6 permit tcp any host 71.39.227.219 eq ssh (hitcnt=0)
access-list outside line 7 permit tcp any host 71.39.227.219 eq domain (hitcnt=0)
access-list outside line 8 permit tcp any host 71.39.227.219 eq www (hitcnt=0)
access-list outside line 9 permit icmp any host 71.39.227.219 echo-reply (hitcnt=0)
access-list outside line 10 permit tcp any host 71.39.227.220 eq 3389 (hitcnt=0)
access-list outside line 11 permit tcp any host 71.39.227.220 eq www (hitcnt=0)
access-list outside line 12 permit icmp any host 71.39.227.220 echo-reply (hitcnt=0)

Answer : access-lists are not working

Add the following command:

access-group outside in interface outside

That will bind the access-list named outside to the PIX outside interface.
After you add that command, run the following commands on the PIX as well.

clear xlate
clear arp

This refreshes the PIX session table. Now, to test this, be sure that the server 192.168.4.137 is able to browse
the internet from BEHIND the PIX (don't bypass the PIX). If it is not able to go out to the internet, then check if
you can reach the internet from the PIX itself. To check this, just do the following:

ping 71.39.227.222
ping 4.2.2.2

The first one is the default gateway; the second one is an internet IP.
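A way to check mechanically for the problem the answer identifies, as an added example that is not part of the original post or of any Cisco tooling: a small Python audit of the PIX show output quoted in the question. It reports access-lists that exist but are bound to no interface, and permit entries whose public destination has no static translation. It assumes the binding prints as `access-group <acl> in interface <if>` (the `show access-group` format), and it uses one constructed snippet with the address 71.39.227.221, which is not on the page, only to exercise the static check.

```python
"""Audit PIX 'show' output for an access-list that is never bound with
access-group, plus permit entries whose destination has no static.
Added example, not Cisco's tooling; the access-group line format is assumed."""
import re

ACL_LINE = re.compile(r"^access-list (\S+) line (\d+) (permit|deny) (\S+) (.+?) \(hitcnt=(\d+)\)$")
ACL_GROUP = re.compile(r"^access-group (\S+) (in|out) interface (\S+)$")
STATIC = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")


def _addr(tokens, i):
    """Consume one PIX address spec: 'any', 'host A', or 'A MASK'."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    return tokens[i] + "/" + tokens[i + 1], i + 2


def parse_entry(rest):
    """Split '<src> [eq P] <dst> [eq P | icmp-type]' into src, dst, remainder."""
    tokens = rest.split()
    src, i = _addr(tokens, 0)
    if i < len(tokens) and tokens[i] == "eq":  # optional source-port operator
        i += 2
    dst, i = _addr(tokens, i)
    return src, dst, " ".join(tokens[i:])


def parse_pix(text):
    """Collect ACL entries, access-group bindings and static NAT mappings."""
    acls, bindings, statics = {}, {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_LINE.match(line)
        if m:
            name, num, action, proto, rest, hits = m.groups()
            src, dst, tail = parse_entry(rest)
            acls.setdefault(name, []).append(
                {"line": int(num), "action": action, "proto": proto,
                 "src": src, "dst": dst, "tail": tail, "hitcnt": int(hits)})
            continue
        m = ACL_GROUP.match(line)
        if m:
            bindings[m.group(1)] = (m.group(2), m.group(3))
            continue
        m = STATIC.match(line)
        if m:
            statics[m.group(3)] = m.group(4)  # global (outside) -> local (inside)
    return acls, bindings, statics


def audit(acls, bindings, statics):
    """Return (kind, acl_name, detail) findings; kind is 'unbound' or 'no-static'."""
    findings = []
    for name, entries in acls.items():
        if name not in bindings:
            hits = sum(e["hitcnt"] for e in entries)
            findings.append(("unbound", name,
                             f"{len(entries)} entries, total hitcnt {hits}; no access-group binds it"))
        for e in entries:
            dst = e["dst"]
            if e["action"] == "permit" and dst != "any" and "/" not in dst and dst not in statics:
                findings.append(("no-static", name,
                                 f"line {e['line']} permits to {dst} but no static maps it inward"))
    return findings


# Sample input taken from the show output quoted in the question.
SHOW_BEFORE = """
static (inside,outside) 71.39.227.218 192.168.4.137 netmask 255.255.255.255 0 0
static (inside,outside) 71.39.227.219 192.168.4.135 netmask 255.255.255.255 0 0
static (inside,outside) 71.39.227.220 192.168.4.132 netmask 255.255.255.255 0 0
access-list inbound; 1 elements
access-list inbound line 1 permit icmp any any (hitcnt=0)
access-list outside; 12 elements
access-list outside line 1 permit icmp any any echo-reply (hitcnt=0)
access-list outside line 2 permit tcp any host 71.39.227.218 eq ssh (hitcnt=0)
access-list outside line 3 permit tcp any host 71.39.227.218 eq domain (hitcnt=0)
access-list outside line 4 permit tcp any host 71.39.227.218 eq www (hitcnt=0)
access-list outside line 5 permit icmp any host 71.39.227.218 echo-reply (hitcnt=0)
access-list outside line 6 permit tcp any host 71.39.227.219 eq ssh (hitcnt=0)
access-list outside line 7 permit tcp any host 71.39.227.219 eq domain (hitcnt=0)
access-list outside line 8 permit tcp any host 71.39.227.219 eq www (hitcnt=0)
access-list outside line 9 permit icmp any host 71.39.227.219 echo-reply (hitcnt=0)
access-list outside line 10 permit tcp any host 71.39.227.220 eq 3389 (hitcnt=0)
access-list outside line 11 permit tcp any host 71.39.227.220 eq www (hitcnt=0)
access-list outside line 12 permit icmp any host 71.39.227.220 echo-reply (hitcnt=0)
"""
# Same output after the answer's fix (access-group line format assumed).
SHOW_AFTER = SHOW_BEFORE + "access-group outside in interface outside\n"
# Constructed snippet: a permit to a public address that has no static.
SHOW_NO_STATIC = """
access-list outside line 1 permit tcp any host 71.39.227.221 eq www (hitcnt=0)
access-group outside in interface outside
"""

if __name__ == "__main__":
    for label, text in (("before fix", SHOW_BEFORE), ("after fix", SHOW_AFTER)):
        print(label)
        for kind, name, detail in audit(*parse_pix(text)):
            print(f"  [{kind}] {name}: {detail}")
```

Run against the thread's output, it flags both `inbound` and `outside` as unbound with every hitcnt at zero, which is exactly the symptom in the question; after the `access-group` line is added only the unused `inbound` list is still reported.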





