Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Chriss Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

506e access group conflict? in interface outside, HELP!!!

Status
Not open for further replies.
Dublin73

Dublin73

IS-IT--Management
Apr 26, 2005
236
US
Hi,

We have an external software vendor who wants to support their software, without coming onsite each time there's a problem with it. I've been asked to grant them access into our network. It's a 506e PIX. I'm trying to do this with the following commands at the PIX....

(note, I've substituted IP addresses for fake ones! )

access-list acl-out permit gre host 209.165.201.25 host 209.165.201.5
access-list acl-out permit tcp host 209.165.201.25 host 209.165.201.5 eq 1723
static (inside,outside) 209.165.201.5 10.48.66.106 netmask 255.255.255.255 0 0
access-group acl-out in interface outside


the external PPTP client is at 209.165.201.25 <Their Public IP Address

the public address of our Windows Server is 209.165.201.5

the internal address of our Windows Server is 10.48.66.106

============================================================
My problem is this. When I enter this line at the PIX...

access-group acl-out in interface outside

The following line gets removed from the PIX, hence knocking out all of our incoming e-mail ( SMTP traffic )...

access-group mail in interface outside


============================================================

My PIX configuration is as follows....

Result of firewall command: "sho runn"

: Saved
:
PIX Version 6.3(4)
interface ethernet0 10full
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxx encrypted
passwd xxxx encrypted
hostname PIXFIREWALL
domain-name domain.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list mail permit tcp any host xx.yy.zzz.10 eq https
access-list mail permit tcp mmm.nnn.ppp.0 255.255.255.0 host xx.yy.zzz.10 eq smtp
access-list mail permit tcp qqq.rr.sss.0 255.255.255.0 host xx.yy.zzz.10 eq smtp
access-list 101 permit ip aaa.bbb.cc.0 255.255.255.0 ggg.h.i.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside jj.kk.lll.9 255.255.255.255 pppoe setroute
ip address inside aaa.bbb.cc.97 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location aaa.bbb.cc.8 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) xx.yy.zzz.10 aaa.bbb.cc.91 netmask 255.255.255.255 0 0
static (inside,outside) xx.yy.zzz.11 aaa.bbb.cc.92 netmask 255.255.255.255 0 0
access-group mail in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http aaa.bbb.cc.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set viper esp-des esp-md5-hmac
crypto map corvette 1 ipsec-isakmp
crypto map corvette 1 match address 101
crypto map corvette 1 set peer dd.ee.ff.124
crypto map corvette 1 set transform-set viper
crypto map corvette interface outside
isakmp enable outside
isakmp key ******** address dd.ee.ff.124 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname eircom
vpdn group pppoe_group ppp authentication chap
vpdn username eircom password *********
terminal width 80
Cryptochecksum:e25aa77285b2cd72c55d04748bf3325a
: end
============================================================

How do I work around this? Thanks a million in advance for anyone who may be kind enough to help!

Dublin73


 
Sort by date Sort by votes
You could make this a lot easier on yourself and just setup a dynamic map to allow VPN clients to connect individually.
 
Upvote 0 Downvote
Thanks for the reply mynus. How do I do that? The incoming client is coming in over broadband and has one public I.P. address.

I've only started using the PIX this year, so you'll have to excuse my lack of knowledge.

cheers, Dublin73
 
Upvote 0 Downvote
When you say client, is this just one person that will be working with your system?
 
Upvote 0 Downvote
The remote client(s) are on a LAN that use a broadband connection for internet access. To the rest of the world out on the internet, they have one public IP address provided by their ISP. What I'm attempting to do, is allow all pptp traffic originating from their I.P. address through our PIX to a Windows VPN Server on our LAN ( I have not set up the Windows VPN Server yet )

I've got a posting on another site regarding the issue of allowing the pptp traffic through from the remote software vendor onto our LAN and I think I have a resolution for that now. It wasn't registering with me, that you can only assign one access group to the external interface on the PIX ( for all inbound traffic ).

Having said that, something tells me there's a better way of doing this, instead of getting involved with a Windows VPN Server and Windows VPN client. The software vendor doesn't have a PIX firewall. I believe it’s a simple broadband router with some form of built in firewall on it. Here’s a few ideas that I’m throwing around in my head….

1. Cisco VPN software client, I’m not clear on what this entails, but will see what I can find on Cisco’s site

2. Some form of Citrix client in the remote office, inhouse we have two Citrix servers. I’m not sure if this would work, but maybe I can get the PIX to allow all ICA traffic originating from the public IP address of the software vendor, through to one of our Citrix Servers? I haven't tried this before, but will also look on the net to see if I can find anything on this.

Any suggestions or opinions on these ideas would be much appreciated.

thanks again, Dublin73



 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
1K
Sameer258
Sameer258
intel233
  • Locked
  • Question
Cisco ASA 5510 -Static NAT Help
Replies
8
Views
921
intel233
intel233
tklamb
  • Locked
  • Question
ACL help
Replies
0
Views
202
tklamb
tklamb
Shmid
  • Locked
  • Question
Restricting Sonicwall SSL-VPN users for WAN access
Replies
7
Views
953
Shmid
Shmid
PauS0n
  • Locked
  • Question
Need Help On Cisco ASA 5512 Running Version 9
Replies
0
Views
288
PauS0n
PauS0n

Part and Inventory Search

Sponsor

Back
Top