Velocity Reviews - Computer Hardware Reviews

access-list addition blocking access to web server !?!

Barret Bonden (Guest)
06-24-2005

Some problems.

Below is a production PIX. Needed to get an outside IP into 192.168.0.122 in a range of ports. Added a series of statics, as in

static (inside,outside) tcp interface 3060 192.168.0.122 3060 netmask 255.255.255.0

and an access list addition as in

access-list outside_access_in permit tcp any host 192.168.0.122 range 3060 3064
access-list outside_access_in permit udp any host 192.168.0.122 range 3060 3064

which are now not in the config you see below, because when they are there, no one can get into the web server at 192.168.2.121. That's the major issue.

I also noted that logging just seemed not to work at all, and that nothing was going to the Kiwi server either. I played with setting logging on to the console and for the telnet session; nothing. Also, my attempt to use the debug command got nowhere. As in

debug packet interface src 206.186.59.97 dst 192.168.0.122

didn't take at all.

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password xxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxx encrypted
hostname xxxxxxxxxxxxxxxxx
domain-name xxxxxxxxxxxxxxxxxxx
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.0.101 xxxxxxxx1
name 192.168.0.102 xxxxxxxx2
name 192.168.0.112 xxxxxxxxf2
name 192.168.0.111 xxxxxxxxf1
name 192.168.2.121 xxxxxxxxweb
object-group service xxxxxxxx tcp
port-object range 6990 6992
object-group network xxxxxxxxServers
network-object xxxxxxxx1 255.255.255.255
network-object xxxxxxxx2 255.255.255.255
object-group network xxxxxxxxServers_ref
network-object 192.168.2.10 255.255.255.255
network-object 192.168.2.11 255.255.255.255
object-group service PCAnywhere tcp-udp
description PCAnywhere Standard Ports
port-object range 5631 5632
object-group service PCAnyWeb tcp-udp
description PCAnywhere and Web Services
port-object range 5631 5632
port-object range 80 80
access-list inside_outbound_nat0_acl permit ip any 192.168.0.192 255.255.255.
access-list outside_access_in permit tcp any interface outside object-group PCAnyWeb
access-list outside_access_in permit icmp any any echo
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit tcp any host 192.168.0.42 range 10000 10001
access-list dmz_access_in permit tcp host xxxxxxxxweb object-group xxxxxxxxServers_ref object-group xxxxxxxx
pager lines 24
logging on
logging timestamp
logging monitor debugging
logging host inside 192.168.0.244
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside xxxxxxxxxxxxxxx 255.255.255.252
ip address inside 192.168.0.2 255.255.255.0
ip address dmz 192.168.2.1 255.255.255.0
ip verify reverse-path interface outside
ip audit name checkit attack action alarm reset
ip audit interface outside checkit
ip audit info action alarm
ip audit attack action alarm
ip local pool boldsupport 192.168.0.200-192.168.0.230
pdm location 192.168.0.31 255.255.255.255 inside
pdm location xxxxxxxxf1 255.255.255.255 inside
pdm location 192.168.2.33 255.255.255.255 inside
pdm location xxxxxxxxweb 255.255.255.255 dmz
pdm location xxxxxxxx1 255.255.255.255 inside
pdm location xxxxxxxx2 255.255.255.255 inside
pdm location xxxxxxxxf2 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.255 inside
pdm location 192.168.2.10 255.255.255.255 dmz
pdm location 192.168.2.11 255.255.255.255 dmz
pdm group xxxxxxxxServers inside
pdm group xxxxxxxxServers_ref dmz reference xxxxxxxxServers
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) tcp interface www xxxxxxxxweb www netmask 255.255.255.255 0 0
static (dmz,outside) tcp interface pcanywhere-data xxxxxxxxweb pcanywhere-data netmask 255.255.255.255 0 0
static (dmz,outside) tcp interface 5632 xxxxxxxxweb 5632 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 10000 192.168.0.42 10000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 10001 192.168.0.42 10001 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 10002 192.168.0.42 10002 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 10003 192.168.0.42 10003 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3060 192.168.0.122 3060 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3061 192.168.0.122 3061 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3062 192.168.0.122 3062 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3063 192.168.0.122 3063 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3064 192.168.0.122 3064 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 3061 192.168.0.122 3061 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 3060 192.168.0.122 3060 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 3062 192.168.0.122 3062 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 3063 192.168.0.122 3063 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 3064 192.168.0.122 3064 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.2.10 xxxxxxxx1 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.2.11 xxxxxxxx2 netmask 255.255.255.255 0 0
static (dmz,inside) 192.168.0.121 xxxxxxxxweb netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 155.212.99.141 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.0.31 255.255.255.255 inside
http xxxxxxxxf1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
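As an added example (not part of the post above, and not Cisco code), here is a small Python review helper that reads a PIX 6.3-style config like the one posted and cross-checks the port statics against the access-list bound inbound on the outside interface, then looks at the logging lines. It assumes two PIX 6.x behaviours: an access-list applied inbound on the outside interface is evaluated against the mapped (outside-side) address of a static, so a service forwarded via `interface` has to be permitted as `interface outside` rather than as the real inside host address; and `logging host` sends nothing to a syslog server until a `logging trap <level>` line is present. The sample config is a constructed, trimmed version of the poster's lines, and `review_outside_acl`, `review_logging` and the other names are this example's own.

```python
import re

# Constructed sample, shaped like the config in the post above (addresses trimmed,
# wrapped lines rejoined); it is not the poster's full running config.
SAMPLE_CONFIG = """\
access-list outside_access_in permit tcp any interface outside object-group PCAnyWeb
access-list outside_access_in permit icmp any any echo
access-list outside_access_in permit tcp any host 192.168.0.42 range 10000 10001
access-list outside_access_in permit tcp any host 192.168.0.122 range 3060 3064
access-list outside_access_in permit udp any host 192.168.0.122 range 3060 3064
logging on
logging timestamp
logging monitor debugging
logging host inside 192.168.0.244
static (dmz,outside) tcp interface www 192.168.2.121 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 10000 192.168.0.42 10000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3060 192.168.0.122 3060 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 3060 192.168.0.122 3060 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
"""

# static (real_ifc,mapped_ifc) tcp|udp <mapped> <mapped_port> <real> <real_port> ...
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped>\S+) (?P<mapped_port>\S+) (?P<real>\S+) (?P<real_port>\S+)"
)
# access-list <name> permit <proto> <src> <dst> [port spec ...]
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) permit (?P<proto>\w+) (?P<src>any|host \S+) "
    r"(?P<dst>any|interface \w+|host \S+)(?P<rest>.*)$"
)
ACCESS_GROUP_RE = re.compile(r"^access-group (?P<name>\S+) in interface (?P<ifc>\w+)$")


def lines_of(config):
    return [l.strip() for l in config.splitlines() if l.strip()]


def port_statics(config, mapped_if):
    """Port statics whose mapped side is `mapped_if`, keyed by real (inside) address."""
    result = {}
    for line in lines_of(config):
        m = STATIC_RE.match(line)
        if m and m.group("mapped_if") == mapped_if:
            result.setdefault(m.group("real"), []).append(m.groupdict())
    return result


def acl_bound_inbound(config, ifc):
    """Name of the access-list applied with 'access-group ... in interface <ifc>'."""
    for line in lines_of(config):
        m = ACCESS_GROUP_RE.match(line)
        if m and m.group("ifc") == ifc:
            return m.group("name")
    return None


def mapped_form(static):
    """Destination form an outside ACL must use for this static's mapped side."""
    if static["mapped"] == "interface":
        return "interface %s" % static["mapped_if"]
    return "host %s" % static["mapped"]


def review_outside_acl(config, ifc="outside"):
    """Return (original_line, real_host, suggested_line) for every entry of the ACL
    bound inbound on `ifc` whose destination is the *real* address behind a port
    static. Under the assumed PIX 6.x behaviour the inbound ACL is matched against
    the mapped address, so such an entry never matches the forwarded traffic."""
    statics = port_statics(config, ifc)
    acl_name = acl_bound_inbound(config, ifc)
    findings = []
    for line in lines_of(config):
        m = ACL_RE.match(line)
        if not m or m.group("name") != acl_name or not m.group("dst").startswith("host "):
            continue
        real = m.group("dst").split()[1]
        if real in statics:
            fixed = line.replace(m.group("dst"), mapped_form(statics[real][0]), 1)
            findings.append((line, real, fixed))
    return findings


def review_logging(config):
    """Syslog configuration pitfalls (assumed PIX 6.x behaviour, see the lead-in)."""
    ls = lines_of(config)
    findings = []
    has_host = any(l.startswith("logging host ") for l in ls)
    has_trap = any(l.startswith("logging trap ") for l in ls)
    if has_host and not has_trap:
        findings.append("logging host is set but 'logging trap <level>' is missing: "
                        "no messages go to the syslog server")
    if any(l.startswith("logging monitor ") for l in ls):
        findings.append("logging monitor output is shown in a telnet/ssh session "
                        "only after 'terminal monitor' is entered in that session")
    return findings


if __name__ == "__main__":
    for orig, real, fixed in review_outside_acl(SAMPLE_CONFIG):
        print("real address %s in outside ACL:\n  - %s\n  + %s" % (real, orig, fixed))
    for f in review_logging(SAMPLE_CONFIG):
        print("logging:", f)
```

Run against the sample, the checker flags the three `host 192.168.0.x` entries of `outside_access_in` and prints the `interface outside` form for each; a config whose ACL already uses `interface outside` produces no ACL findings. The suggested lines are only a starting point for review, since the real fix also depends on which statics and object-groups the live config carries.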