Search results for query: *

  1. rudeboy

    Trying to set up a configuration for a pix firewall

    This line below is doing nothing. access-list outside_access_in I am not sure if that was the line you were trying to apply the access-list with, but try this: access-group outside_access_in in interface outside.
  2. rudeboy

    VPN Routing Question

    Yes you can. Make sure you have a route inside command telling the PIX how to get to that subnet. Also, make sure you are marking traffic from this subnet as interesting traffic.
  3. rudeboy

    Pix + Router routing Question

    If your ISP is DSL, then you should have an ethernet handoff from the DSL modem. You don't have to use the router as the PIX takes an ethernet handoff. If your mail server is on your lan, you just need to duplicate the same rules (NAT/PAT & access-list) as your current firewall.
  4. rudeboy

    Configuring My Router

    If you are accessing the PIX remotely, you are going to have a problem. Once you change the IP address or gateway, you will be kicked out. You will not then be able to change the other parameter. Is it possible to open telnet up to the internal LAN? That way you can have a user telnet in and...
  5. rudeboy

    Routing to multiple IPs

    You can set up static PAT. This will set up static translations on a port level. This is one example http://www.cisco.com/en/US/tech/tk175/tk15/technologies_configuration_example09186a0080093e51.shtml
  6. rudeboy

    Routing issue between interfaces

    You don't have any NAT rules set up. Without setting up NAT, your private network won't be able to surf the web as 10.0.0.0 is a non-routable subnet on the internet. However, if both interfaces are up, I am not sure why you can't ping your FastEthernet0/0 IP from your LAN.
  7. rudeboy

    Access-list differences

    I think standard access-lists are based on source while extended access-lists are based on source and destination. Standard access list allowing 192.168.0.0 into my lan access-list 1 permit 192.168.0.0 0.0.0.254 extended access list allowing 192.168.0.0 into my lan of 10.0.0.0. access-list 100...
  8. rudeboy

    BGP vs RIP vs Static on LAN

    Since you are using all cisco routers, why not use EIGRP?
  9. rudeboy

    Named instance of SQL Server - can't connect

    If they are both in the same DMZ, then they should be on the same subnet. If they are on the same subnet, then any communication between the two (including telnetting on port 1333) would not involve the PIX.
  10. rudeboy

    HTTP traffic unable to go through PIX

    ip address inside 192.168.253.254 255.255.255.252 This subnet mask tells the PIX that you only have one PC on your LAN. Do you have a route inside command to another subnet? Can you post your entire config, so we can see where access-lists are applied?
  11. rudeboy

    Named instance of SQL Server - can't connect

    Are you saying the Web server and both SQL servers are in the same DMZ?
  12. rudeboy

    PIX 501

    1) After you made your changes, did you do a clear xlate? 2) Do a show access-list to see if your access-lists are taking hits. 3) Do the applications also use udp ports? I ask this because you are only permitting tcp ports out from your lan.
  13. rudeboy

    PIX inside to DMZ unable to communicate - Stumped!

    You have a rule permitting IP any any on your inside. There is no need to have an access-list at all since your inside interface has a higher security than any other interface. This gives it access to all other interfaces by default. The problem is more than likely your access-list that is...
  14. rudeboy

    PIX Behind Sonic Firewall

    pix----sonic----LAN Is the set-up like the above? Can the LAN ping the inside of the sonic? Can the LAN ping the outside of the sonic? What do the subnets and routes look like?
  15. rudeboy

    PIX inside to DMZ unable to communicate - Stumped!

    access-list inside_out permit ip 10.10.10.0 255.0.0.0 10.10.11.0 255.255.255.0 ^^You are permitting 10.x.x.x to 10.10.x.x with the above statement on the inside access-list. ___________________________________________________________ access-list dmz1_out permit tcp any host 10.10.11.224 eq...
  16. rudeboy

    WIC-1DSU-T1 Back to Back

    I meant to illustrate "cross pins 1,2 with pins 4,5" on both sides. SYNQUEST is correct with his diagram.
  17. rudeboy

    Block outbound smtp traffic

    I misread your post originally. I thought your machines were connecting to external mail servers on port 25. Your original access-list should work. Are you sure the source port is 25?
  18. rudeboy

    Block outbound smtp traffic

    Remember that the source machine is leaving on a random port but requesting the destination machine to answer on port 25(smtp). Below is how it should look. access-list 101 permit tcp host 10.1.0.12 any eq smtp access-list 101 deny tcp any any eq smtp access-list 101 permit ip any any...
  19. rudeboy

    Cannot access our website from the LAN

    You need to use the alias command. This allows users from the inside to access website by name when name points to a public IP address. If you have an internal DNS server, you could just create a record that points to the internal address. Try the commands below. confg t alias (inside)...
  20. rudeboy

    Possible Routing Problem

    Your 877 DSL router must have a route back to the 10.1.1.0/24 network. I didn't see you mention that route anywhere. Without it, it will know how to ping the 2621 simply because it is directly connected. However, it will not be able to ping the 10.1.1.x interface of the 2621.
