PIX 515e: access-list rule not working after reboot

Discussion in 'Cisco' started by leuzz, Jan 3, 2008.

  1. leuzz

    leuzz Guest

    Hi All

    this is my configuration

    static (inside,outside) tcp interface 10001 192.168.0.202 22 netmask 255.255.255.255
    access-list OutsideToInside extended permit tcp any interface outside eq 10001
    access-group OutsideToInside in interface outside

    It works, I can reach my ssh server from outside (port 10001) to
    inside.

    After saving and rebooting, the PIX says this:

    Deny tcp src outside:x.x.x.x/35689 dst inside:192.168.1.6/10001 by access-group "OutsideToInside"

    (192.168.1.6 is the IP Address of the PIX outside interface.)

    and I can't delete the rule:
    # no access-list OutsideToInside extended permit tcp any interface outside eq 10001
    specified access-list does not exist

    but it's in show running-config..

    Help me!
    leuzz, Jan 3, 2008
    #1

  2. leuzz

    Guest

    Hi ???

    Why do you also give the interface name in the access-list?

    Try this:
    access-list OutsideToInside extended permit tcp any interface eq 10001

    cu ivo

    , Jan 6, 2008
    #2

  3. leuzz

    leuzz Guest

    On Jan 6, 11:32 am, "" <> wrote:
    > Salü ???


    Thanks for your reply

    >
    > Try this:
    > access-list OutsideToInside extended permit tcp any interface eq
    > 10001
    >


    access-list OutsideToInside extended permit tcp any interface eq 10001

    ^
    ERROR: % Invalid Hostname

    After the interface statement it expects the interface name.

    This form seems to be working correctly:

    access-list OutsideToInside line 1 extended permit tcp any any eq 10001
    access-group OutsideToInside in interface outside
    leuzz, Jan 7, 2008
    #3
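The two access-list forms in this thread are not equivalent: `permit tcp any interface outside eq 10001` ties the permit to the firewall's own outside address, while `permit tcp any any eq 10001` permits port 10001 to any destination arriving on the outside interface. The following is an added example, not code from the thread or from Cisco: a small Python linter that parses a PIX-style `static` / `access-list` / `access-group` excerpt, checks that each static PAT has an inbound ACL bound on its mapped interface with a permit for the mapped port, reports which destination form that permit uses, and correlates a `Deny ... by access-group` syslog line with the static and ACEs for that port. The config excerpts and the syslog line are constructed to mirror the thread (the source address is a documentation address standing in for x.x.x.x); the function names are this example's own.

```python
import re

# Constructed: the poster's original config (worked until the reboot).
CONFIG_BEFORE = """\
static (inside,outside) tcp interface 10001 192.168.0.202 22 netmask 255.255.255.255
access-list OutsideToInside extended permit tcp any interface outside eq 10001
access-group OutsideToInside in interface outside
"""

# Constructed: the form the poster reported as working after the reboot.
CONFIG_AFTER = """\
static (inside,outside) tcp interface 10001 192.168.0.202 22 netmask 255.255.255.255
access-list OutsideToInside line 1 extended permit tcp any any eq 10001
access-group OutsideToInside in interface outside
"""

# Constructed copy of the syslog line quoted in the thread (x.x.x.x -> 203.0.113.5).
DENY_LINE = ('Deny tcp src outside:203.0.113.5/35689 dst inside:192.168.1.6/10001 '
             'by access-group "OutsideToInside"')

# Minimal grammars for the three config statement types used in the thread.
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped>\S+) (?P<mapped_port>\d+) (?P<real>\S+) (?P<real_port>\d+)")
ACE_RE = re.compile(
    r"^access-list (?P<name>\S+)(?: line \d+)? extended (?P<action>permit|deny) "
    r"(?P<proto>\S+) (?P<src>any|host \S+|\S+ \S+) "
    r"(?P<dst>any|interface \S+|host \S+|\S+ \S+)(?: eq (?P<port>\d+))?")
GROUP_RE = re.compile(r"^access-group (?P<name>\S+) in interface (?P<iface>\w+)")
DENY_RE = re.compile(
    r'Deny (?P<proto>\w+) src (?P<src_if>\w+):(?P<src>[\w.]+)/(?P<sport>\d+) '
    r'dst (?P<dst_if>\w+):(?P<dst>[\w.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"')


def parse_config(text):
    """Split a config excerpt into static entries, ACEs and interface->ACL bindings."""
    statics, aces, groups = [], [], {}
    for line in text.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            statics.append(m.groupdict())
        elif m := ACE_RE.match(line):
            aces.append(m.groupdict())
        elif m := GROUP_RE.match(line):
            groups[m["iface"]] = m["name"]
    return statics, aces, groups


def dst_form(dst):
    """Classify the destination of an ACE by how it was written."""
    if dst == "any":
        return "any"
    if dst.startswith("interface "):
        return "interface keyword"
    return "address"


def ace_covers_static(ace, st):
    """True if the ACE permits the mapped port of this static on its mapped interface."""
    if ace["action"] != "permit" or ace["proto"] not in (st["proto"], "ip"):
        return False
    if ace["port"] is not None and ace["port"] != st["mapped_port"]:
        return False
    mapped = ("interface " + st["mapped_if"] if st["mapped"] == "interface"
              else "host " + st["mapped"])
    return ace["dst"] in ("any", mapped)


def lint(text):
    """One finding per static: unreachable (no ACL bound), unpermitted, or how it is permitted."""
    statics, aces, groups = parse_config(text)
    findings = []
    for st in statics:
        fwd = f"{st['proto']}/{st['mapped_port']} -> {st['real']}:{st['real_port']}"
        acl = groups.get(st["mapped_if"])
        if acl is None:
            findings.append(f"{st['mapped_if']}: no inbound access-group bound; static {fwd} is unreachable")
            continue
        covering = [a for a in aces if a["name"] == acl and ace_covers_static(a, st)]
        if not covering:
            findings.append(f"{acl}: no permit for static {fwd}")
            continue
        for a in covering:
            findings.append(f"{acl}: static {fwd} permitted from '{a['src']}' "
                            f"to '{a['dst']}' ({dst_form(a['dst'])})")
    return findings


def explain_deny(line, config_text):
    """Correlate a 'Deny ... by access-group' syslog line with the static and ACEs for that port."""
    m = DENY_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    statics, aces, _ = parse_config(config_text)
    return {
        "acl": d["acl"],
        "dport": d["dport"],
        "static": next((s for s in statics
                        if s["proto"] == d["proto"] and s["mapped_port"] == d["dport"]), None),
        "permit_forms": [a["dst"] for a in aces
                         if a["name"] == d["acl"] and a["action"] == "permit" and a["port"] == d["dport"]],
    }


if __name__ == "__main__":
    for label, cfg in (("before reboot", CONFIG_BEFORE), ("after reboot", CONFIG_AFTER)):
        print(label)
        for f in lint(cfg):
            print("  " + f)
    print(explain_deny(DENY_LINE, CONFIG_BEFORE))
```

Run against `CONFIG_BEFORE` the linter reports the permit as using the `interface outside` keyword, and `explain_deny` shows that the denied port 10001 does have a matching static and a permit ACE in the named ACL, which is what makes the post-reboot deny surprising; run against `CONFIG_AFTER` it reports the permit as `any`, flagging that the reviewer has widened the destination match rather than only changing syntax.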
  4. leuzz

    Noah Guest

    You're using a PIX 515e? Mind showing us the output of a 'sh nameif' or
    a 'sh access-group'? That way we could narrow down which access lists are
    associated with your PIX interfaces, or see their various security levels.

    --N

    Noah, Feb 2, 2008
    #4
