access-list addition blocking access to web server !?!

Discussion in 'Cisco' started by Barret Bonden, Jun 24, 2005.

    Some problems.
    Below is a production PIX. Needed to get an outside IP into 192.168.0.122 in
    a range of ports.
    I added a series of statics, as in
    static (inside,outside) tcp interface 3060 192.168.0.122 3060 netmask 255.255.255.0
    and an access list addition as in

    access-list outside_access_in permit tcp any host 192.168.0.122 range 3060 3064
    access-list outside_access_in permit udp any host 192.168.0.122 range 3060 3064

    which are now not in the config you see below, because when they are there,
    no one can get into the web server at 192.168.2.121. That's the major issue.

    I also noted that logging just seemed not to work at all, and that nothing
    was going to the Kiwi server either. I played with setting logging on to the
    console and for the telnet session; nothing. Also, my attempt to use the
    debug command got nowhere. As in
    debug packet interface src 206.186.59.97 dst 192.168.0.122
    which didn't take at all.

    PIX Version 6.3(1)
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 dmz security50
    enable password xxxxxxxxxxx encrypted
    passwd xxxxxxxxxxxxxxxxx encrypted
    hostname xxxxxxxxxxxxxxxxx
    domain-name xxxxxxxxxxxxxxxxxxx
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    names
    name 192.168.0.101 xxxxxxxx1
    name 192.168.0.102 xxxxxxxx2
    name 192.168.0.112 xxxxxxxxf2
    name 192.168.0.111 xxxxxxxxf1
    name 192.168.2.121 xxxxxxxxweb
    object-group service xxxxxxxx tcp
    port-object range 6990 6992
    object-group network xxxxxxxxServers
    network-object xxxxxxxx1 255.255.255.255
    network-object xxxxxxxx2 255.255.255.255
    object-group network xxxxxxxxServers_ref
    network-object 192.168.2.10 255.255.255.255
    network-object 192.168.2.11 255.255.255.255
    object-group service PCAnywhere tcp-udp
    description PCAnywhere Standard Ports
    port-object range 5631 5632
    object-group service PCAnyWeb tcp-udp
    description PCAnywhere and Web Services
    port-object range 5631 5632
    port-object range 80 80
    access-list inside_outbound_nat0_acl permit ip any 192.168.0.192 255.255.255.
    access-list outside_access_in permit tcp any interface outside object-group PCAnyWeb
    access-list outside_access_in permit icmp any any echo
    access-list outside_access_in permit icmp any any echo-reply
    access-list outside_access_in permit tcp any host 192.168.0.42 range 10000 10001
    access-list dmz_access_in permit tcp host xxxxxxxxweb object-group xxxxxxxxServers_ref object-group xxxxxxxx
    pager lines 24
    logging on
    logging timestamp
    logging monitor debugging
    logging host inside 192.168.0.244
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    ip address outside xxxxxxxxxxxxxxx 255.255.255.252
    ip address inside 192.168.0.2 255.255.255.0
    ip address dmz 192.168.2.1 255.255.255.0
    ip verify reverse-path interface outside
    ip audit name checkit attack action alarm reset
    ip audit interface outside checkit
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool boldsupport 192.168.0.200-192.168.0.230
    pdm location 192.168.0.31 255.255.255.255 inside
    pdm location xxxxxxxxf1 255.255.255.255 inside
    pdm location 192.168.2.33 255.255.255.255 inside
    pdm location xxxxxxxxweb 255.255.255.255 dmz
    pdm location xxxxxxxx1 255.255.255.255 inside
    pdm location xxxxxxxx2 255.255.255.255 inside
    pdm location xxxxxxxxf2 255.255.255.255 inside
    pdm location 0.0.0.0 255.255.255.255 inside
    pdm location 192.168.2.10 255.255.255.255 dmz
    pdm location 192.168.2.11 255.255.255.255 dmz
    pdm group xxxxxxxxServers inside
    pdm group xxxxxxxxServers_ref dmz reference xxxxxxxxServers
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    global (dmz) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (dmz,outside) tcp interface www xxxxxxxxweb www netmask 255.255.255.255 0 0
    static (dmz,outside) tcp interface pcanywhere-data xxxxxxxxweb pcanywhere-data netmask 255.255.255.255 0 0
    static (dmz,outside) tcp interface 5632 xxxxxxxxweb 5632 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 10000 192.168.0.42 10000 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 10001 192.168.0.42 10001 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 10002 192.168.0.42 10002 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 10003 192.168.0.42 10003 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 3060 192.168.0.122 3060 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 3061 192.168.0.122 3061 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 3062 192.168.0.122 3062 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 3063 192.168.0.122 3063 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 3064 192.168.0.122 3064 netmask 255.255.255.255 0 0
    static (inside,outside) udp interface 3061 192.168.0.122 3061 netmask 255.255.255.255 0 0
    static (inside,outside) udp interface 3060 192.168.0.122 3060 netmask 255.255.255.255 0 0
    static (inside,outside) udp interface 3062 192.168.0.122 3062 netmask 255.255.255.255 0 0
    static (inside,outside) udp interface 3063 192.168.0.122 3063 netmask 255.255.255.255 0 0
    static (inside,outside) udp interface 3064 192.168.0.122 3064 netmask 255.255.255.255 0 0
    static (inside,dmz) 192.168.2.10 xxxxxxxx1 netmask 255.255.255.255 0 0
    static (inside,dmz) 192.168.2.11 xxxxxxxx2 netmask 255.255.255.255 0 0
    static (dmz,inside) 192.168.0.121 xxxxxxxxweb netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    access-group dmz_access_in in interface dmz
    route outside 0.0.0.0 0.0.0.0 155.212.99.141 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
    1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.0.31 255.255.255.255 inside
    http xxxxxxxxf1 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-pptp
    Barret Bonden, Jun 24, 2005
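Two things in the post can be checked mechanically, and the following lint is an added example for this thread, not the poster's own tooling. On PIX 6.x an access-list applied `in` on an interface is matched against addresses as they appear on that interface, i.e. the mapped (global) side of a `static`; with static PAT on the interface address the outside ACL has to permit traffic to `interface outside`, as the existing web-server entry does, not to the 192.168.x.x real address that the newly added 3060-3064 entries name. Separately, `logging host` only sends messages once `logging trap <level>` is set, and `logging monitor` only shows anything in a telnet session that has run `terminal monitor`. The script parses `name`, `object-group`, `static`, `access-list` and `access-group` lines, reports permit entries whose `host` destination is the real address of a static whose mapped side sits on the ACL's interface, suggests the mapped form, and flags the missing trap level. The sample configuration is constructed from lines quoted in the post; the subset of PIX 6.x syntax handled is an assumption of this example.

```python
"""PIX 6.x config lint: inbound ACL entries that name a real (pre-NAT) address
instead of the mapped one on the ACL's interface, plus a syslog host with no
trap level.  Added example for this thread, not the poster's tooling."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Static:
    real_if: str          # interface the real address lives on
    mapped_if: str        # interface the mapped address is seen on
    proto: Optional[str]  # "tcp"/"udp" for static PAT, None for one-to-one
    mapped: str           # mapped address, or "interface" for PAT on the interface IP
    real: str             # real (pre-NAT) address


@dataclass
class AclEntry:
    name: str
    action: str
    proto: str
    dst: tuple
    line: str


def _addr(tok, i):
    """Consume one address spec: any | host X | interface IF | object-group G | X MASK."""
    t = tok[i]
    if t == "any":
        return ("any",), i + 1
    if t in ("host", "interface", "object-group"):
        return (t, tok[i + 1]), i + 2
    return ("net", t, tok[i + 1]), i + 2


def _skip_port(tok, i, group_types):
    """Skip an optional source-port spec that may sit between source and destination."""
    if i < len(tok):
        if tok[i] in ("eq", "gt", "lt", "neq"):
            return i + 2
        if tok[i] == "range":
            return i + 3
        if tok[i] == "object-group" and group_types.get(tok[i + 1]) == "service":
            return i + 2
    return i


def parse_config(text):
    names, statics, acls, bindings, group_types = {}, [], {}, [], {}
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "name" and len(tok) >= 3:            # name <ip> <alias>
            names[tok[2]] = tok[1]
        elif tok[0] == "object-group" and len(tok) >= 3:  # object-group <type> <name>
            group_types[tok[2]] = tok[1]
        elif tok[0] == "static":
            real_if, mapped_if = re.match(r"\((\w+),(\w+)\)", tok[1]).groups()
            if tok[2] in ("tcp", "udp"):   # static (r,m) tcp <mapped> <port> <real> <port>
                proto, mapped, real = tok[2], tok[3], tok[5]
            else:                          # static (r,m) <mapped> <real>
                proto, mapped, real = None, tok[2], tok[3]
            statics.append(Static(real_if, mapped_if, proto,
                                  names.get(mapped, mapped), names.get(real, real)))
        elif tok[0] == "access-list" and len(tok) > 4 and tok[2] in ("permit", "deny"):
            _, i = _addr(tok, 4)                      # source address
            i = _skip_port(tok, i, group_types)       # optional source port
            dst, _ = _addr(tok, i)                    # destination address
            acls.setdefault(tok[1], []).append(AclEntry(tok[1], tok[2], tok[3], dst, raw.strip()))
        elif tok[0] == "access-group":                # access-group <name> in interface <if>
            bindings.append((tok[1], tok[4]))
    return names, statics, acls, bindings


def find_real_address_entries(text):
    """Return (acl line, real address, destination spec to use instead) per offending entry."""
    names, statics, acls, bindings = parse_config(text)
    findings = []
    for acl_name, iface in bindings:
        for e in acls.get(acl_name, []):
            if e.action != "permit" or e.dst[0] != "host":
                continue
            real = names.get(e.dst[1], e.dst[1])
            for s in statics:
                if s.mapped_if == iface and s.real == real:
                    fix = f"interface {iface}" if s.mapped == "interface" else f"host {s.mapped}"
                    findings.append((e.line, real, fix))
                    break
    return findings


def rewrite_entry(line, real, fix):
    """Rewrite one offending ACL line to its mapped-address form."""
    return line.replace(f"host {real}", fix, 1)


def logging_gaps(text):
    """Flag a syslog host configured without 'logging trap <level>' (nothing is sent)."""
    lines = [" ".join(l.split()) for l in text.splitlines()]
    gaps = []
    if any(l.startswith("logging host") for l in lines) and not any(l.startswith("logging trap") for l in lines):
        gaps.append("logging host set but no 'logging trap <level>': no messages go to the syslog host")
    return gaps


# Constructed sample, assembled from lines quoted in the post.
SAMPLE_CONFIG = """
name 192.168.2.121 xxxxxxxxweb
object-group service PCAnyWeb tcp-udp
port-object range 5631 5632
access-list outside_access_in permit tcp any interface outside object-group PCAnyWeb
access-list outside_access_in permit icmp any any echo
access-list outside_access_in permit tcp any host 192.168.0.42 range 10000 10001
access-list outside_access_in permit tcp any host 192.168.0.122 range 3060 3064
access-list outside_access_in permit udp any host 192.168.0.122 range 3060 3064
logging on
logging monitor debugging
logging host inside 192.168.0.244
static (dmz,outside) tcp interface www xxxxxxxxweb www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 10000 192.168.0.42 10000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3060 192.168.0.122 3060 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 3060 192.168.0.122 3060 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.2.10 xxxxxxxx1 netmask 255.255.255.255 0 0
static (dmz,inside) 192.168.0.121 xxxxxxxxweb netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
"""

if __name__ == "__main__":
    for line, real, fix in find_real_address_entries(SAMPLE_CONFIG):
        print(f"{line}\n  -> {rewrite_entry(line, real, fix)}")
    for gap in logging_gaps(SAMPLE_CONFIG):
        print(gap)
```

Run against the sample it reports the two 3060-3064 entries and the existing 192.168.0.42 entry, each with `interface outside` as the destination to use, and the missing `logging trap`. The `debug packet` command from the post is outside what a config lint can check; the script deliberately stays with what the posted configuration shows.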
