
enable server access with 515E


amrqura

Technical User
Dec 5, 2007
37
EG
Dears,

I want to secure my network using cisco pix 515E by putting the pix between my internet router and my switch.

I want to enable some servers to be accessed from outside. I uploaded this configuration to my PIX:

access-list acl_out permit tcp any host 196.219.50.164 eq www
access-list acl_out permit tcp any host 196.219.50.165 eq www
access-list acl_out permit tcp any host 196.219.50.166 eq www
access-list acl_out permit tcp any host 196.219.50.166 eq 7000
access-list acl_out permit tcp any host 196.219.50.166 eq 8000
access-list acl_out permit tcp any host 196.219.50.166 eq 44444
access-list acl_out permit tcp any host 196.219.50.166 eq 7200
access-list acl_out permit icmp any any

ip address outside 196.219.50.162 255.255.255.248
static (inside,outside) 196.219.50.164 192.168.1.236 netmask 255.255.255.255 0 0
static (inside,outside) 196.219.50.165 192.168.1.17 netmask 255.255.255.255 0 0
static (inside,outside) 196.219.50.166 192.168.1.4 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 196.219.50.161 1


I didn't make any natting command at the router, but the servers are not seen from outside... why?
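Added example (not part of the thread, and not Cisco's tooling): a small Python audit that reads the PIX 6.x fragment quoted in the post above and checks the three things that have to line up before a static is reachable from outside: every host-specific permit in the outside ACL points at an address some `static` translates, every static's global address sits inside the outside interface's subnet (the PIX proxy-ARPs for statics only there, and the address must not collide with the interface, network or broadcast address), and every static is covered by at least one permit in the list bound to `outside`, since everything else hits the implicit deny. The config text is embedded as the sample input; the two variants in the usage note are constructed to show what a finding looks like.

```python
import ipaddress

# Sample input: the PIX 6.x fragment posted in the first message of this thread.
PIX_CONFIG = """\
access-list acl_out permit tcp any host 196.219.50.164 eq www
access-list acl_out permit tcp any host 196.219.50.165 eq www
access-list acl_out permit tcp any host 196.219.50.166 eq www
access-list acl_out permit tcp any host 196.219.50.166 eq 7000
access-list acl_out permit tcp any host 196.219.50.166 eq 8000
access-list acl_out permit tcp any host 196.219.50.166 eq 44444
access-list acl_out permit tcp any host 196.219.50.166 eq 7200
access-list acl_out permit icmp any any
ip address outside 196.219.50.162 255.255.255.248
static (inside,outside) 196.219.50.164 192.168.1.236 netmask 255.255.255.255 0 0
static (inside,outside) 196.219.50.165 192.168.1.17 netmask 255.255.255.255 0 0
static (inside,outside) 196.219.50.166 192.168.1.4 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 196.219.50.161 1
"""


def _addr(tokens):
    """Consume one PIX address spec ('any', 'host A' or 'A MASK'); return (network or 'any', rest)."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_pix(text):
    """Pull the four statement types the audit needs out of a PIX 6.x config."""
    acls, statics, bindings, outside = [], {}, {}, None
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list":
            src, rest = _addr(t[4:])
            dst, rest = _addr(rest)
            port = rest[1] if len(rest) >= 2 and rest[0] == "eq" else None
            acls.append({"name": t[1], "action": t[2], "proto": t[3],
                         "src": src, "dst": dst, "port": port})
        elif t[0] == "static":
            # static (inside,outside) GLOBAL LOCAL netmask MASK ...
            statics[ipaddress.ip_address(t[2])] = ipaddress.ip_address(t[3])
        elif t[:3] == ["ip", "address", "outside"]:
            outside = ipaddress.ip_interface(f"{t[3]}/{t[4]}")
        elif t[0] == "access-group":
            # access-group NAME in interface IFACE
            bindings[t[4]] = t[1]
    return acls, statics, outside, bindings


def audit(text):
    """Return a list of findings; an empty list means statics and outside ACL are consistent."""
    acls, statics, outside, bindings = parse_pix(text)
    findings = []
    acl_name = bindings.get("outside")
    if acl_name is None:
        findings.append("no access-group bound to the outside interface: inbound traffic hits the implicit deny")
    inbound = [a for a in acls if a["name"] == acl_name and a["action"] == "permit"]
    # 1. A permit towards a specific public address does nothing unless a static translates it.
    for a in inbound:
        if a["dst"] != "any" and a["dst"].prefixlen == 32 and a["dst"].network_address not in statics:
            findings.append(f"{a['name']} permits {a['proto']}/{a['port']} to {a['dst'].network_address} "
                            f"but no static translates that address")
    for glob, local in statics.items():
        # 2. The PIX answers ARP for a static only on the outside subnet, so the global address
        #    must lie inside it and must not reuse the interface, network or broadcast address.
        if outside is not None:
            if glob not in outside.network:
                findings.append(f"static {glob}->{local}: global address is not in {outside.network}, "
                                f"the upstream router will not find it on this segment")
            elif glob in (outside.ip, outside.network.network_address, outside.network.broadcast_address):
                findings.append(f"static {glob}->{local}: global address collides with the interface, "
                                f"network or broadcast address")
        # 3. A static that no permit covers is unreachable from outside (implicit deny).
        if not any(a["dst"] == "any" or glob in a["dst"] for a in inbound):
            findings.append(f"static {glob}->{local} is not permitted by {acl_name}: unreachable from outside")
    return findings


if __name__ == "__main__":
    for finding in audit(PIX_CONFIG) or ["no inconsistencies found"]:
        print(finding)
```

Run against the posted fragment the audit reports nothing: all three statics fall in 196.219.50.160/29, each ACL host has a static, and `permit icmp any any` covers every global address. Appending a constructed line such as `access-list acl_out permit tcp any host 196.219.50.163 eq www` (no static for .163) or `static (inside,outside) 196.219.50.170 192.168.1.50 netmask 255.255.255.255 0 0` (.170 is outside the /29) produces one finding each, which is the kind of mismatch worth ruling out before looking at the router.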

 
Not sure how up to date this is but:

access-list acl_outside deny ip 0.0.0.0 0.255.255.255 any
access-list acl_outside deny ip 1.0.0.0 0.255.255.255 any
access-list acl_outside deny ip 2.0.0.0 0.255.255.255 any
access-list acl_outside deny ip 5.0.0.0 0.255.255.255 any
access-list acl_outside deny ip 10.0.0.0 0.255.255.255 any
access-list acl_outside deny ip 14.0.0.0 0.255.255.255 any
access-list acl_outside deny ip 23.0.0.0 0.255.255.255 any
access-list acl_outside deny ip 27.0.0.0 0.255.255.255 any
access-list acl_outside deny ip 31.0.0.0 0.255.255.255 any
access-list acl_outside deny ip 36.0.0.0 0.255.255.255 any
access-list acl_outside deny ip 37.0.0.0 0.255.255.255 any
access-list acl_outside deny ip 39.0.0.0 0.255.255.255 any
access-list acl_outside deny ip 42.0.0.0 0.255.255.255 any
access-list acl_outside deny ip 46.0.0.0 0.255.255.255 any
access-list acl_outside deny ip 49.0.0.0 0.255.255.255 any
access-list acl_outside deny ip 50.0.0.0 0.255.255.255 any
access-list acl_outside deny ip 100.0.0.0 0.255.255.255 any
access-list acl_outside deny ip 101.0.0.0 0.255.255.255 any
access-list acl_outside deny ip 102.0.0.0 0.255.255.255 any
access-list acl_outside deny ip 103.0.0.0 0.255.255.255 any
access-list acl_outside deny ip 104.0.0.0 0.255.255.255 any
access-list acl_outside deny ip 105.0.0.0 0.255.255.255 any
access-list acl_outside deny ip 106.0.0.0 0.255.255.255 any
access-list acl_outside deny ip 107.0.0.0 0.255.255.255 any
access-list acl_outside deny ip 108.0.0.0 0.255.255.255 any
access-list acl_outside deny ip 109.0.0.0 0.255.255.255 any
access-list acl_outside deny ip 110.0.0.0 0.255.255.255 any
access-list acl_outside deny ip 111.0.0.0 0.255.255.255 any
access-list acl_outside deny ip 127.0.0.0 0.255.255.255 any
access-list acl_outside deny ip 169.254.0.0 0.0.255.255 any
access-list acl_outside deny ip 172.16.0.0 0.15.255.255 any
access-list acl_outside deny ip 175.0.0.0 0.255.255.255 any
access-list acl_outside deny ip 176.0.0.0 0.255.255.255 any
access-list acl_outside deny ip 177.0.0.0 0.255.255.255 any
access-list acl_outside deny ip 178.0.0.0 0.255.255.255 any
access-list acl_outside deny ip 179.0.0.0 0.255.255.255 any
access-list acl_outside deny ip 180.0.0.0 0.255.255.255 any
access-list acl_outside deny ip 181.0.0.0 0.255.255.255 any
access-list acl_outside deny ip 182.0.0.0 0.255.255.255 any
access-list acl_outside deny ip 183.0.0.0 0.255.255.255 any
access-list acl_outside deny ip 184.0.0.0 0.255.255.255 any
access-list acl_outside deny ip 185.0.0.0 0.255.255.255 any
access-list acl_outside deny ip 192.0.2.0 0.0.0.255 any
access-list acl_outside deny ip 192.168.0.0 0.0.255.255 any
access-list acl_outside deny ip 197.0.0.0 0.255.255.255 any
access-list acl_outside deny ip 223.0.0.0 0.255.255.255 any
access-list acl_outside deny ip 224.0.0.0 31.255.255.255 any


access-group acl_outside in interface outside

 
Make sure the subnet mask for the outside interface matches the router's connecting interface. Can you ping from one of the translated internal servers to the router?

On the router do a "show arp". Any arp entries for the translated IPs?

 
Thanks for your reply.

I can reach the router successfully and I can browse the internet, which means that the natting in the router and PIX is successfully done.

But when I'm trying to ping a public IP that is natting to a private server, it doesn't work.

I wonder why, although I make the following commands in the access-list:
access-list acl_out permit tcp any host 196.219.50.164 eq www
access-list acl_out permit tcp any host 196.219.50.166 eq www
access-list acl_out permit tcp any host 196.219.50.166 eq 7000
access-list acl_out permit tcp any host 196.219.50.166 eq 8000
access-list acl_out permit tcp any host 196.219.50.166 eq 44444
access-list acl_out permit tcp any host 196.219.50.166 eq 7200
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host 196.219.50.163 eq www

and apply the access-list on the inside interface:

access-group acl_out in interface outside
 
There is no access-list at all.

But I want to add that when I write "debug icmp trace" in the PIX firewall, the following reply appears:
**********************************************************
4034: ICMP echo-request: translating inside:192.168.1.4 to outside:196.219.50.166

4035: ICMP echo-request from inside:192.168.1.4 to 87.206.150.226 ID=512 seq=35649 length=40

4036: ICMP echo-request: translating inside:192.168.1.4 to outside:196.219.50.166

4037: ICMP echo-reply from outside:87.206.150.226 to 196.219.50.166 ID=512 seq=23105 length=40

4038: ICMP echo-reply: untranslating outside:196.219.50.166 to inside:192.168.1.4
********************************************************

I wonder what it means?
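Added example (my own code, not from the thread or from Cisco): a Python reader for the `debug icmp trace` format quoted above. The five quoted lines are embedded verbatim as the first sample; the second sample is constructed by me in the same format and assumes (not shown on the page) that a request arriving from the internet would be logged as `from outside:` followed by an `untranslating outside:... to inside:...` entry. The parser keys on the interface in `from <iface>:` to tell which side a packet entered on, and the verdict distinguishes "an inside host pinged out and the reply came back" from "someone outside reached the static", since only the second case tests the static and outside ACL.

```python
import re

# Sample 1: the "debug icmp trace" lines quoted in the post above (verbatim).
TRACE_FROM_POST = """\
4034: ICMP echo-request: translating inside:192.168.1.4 to outside:196.219.50.166
4035: ICMP echo-request from inside:192.168.1.4 to 87.206.150.226 ID=512 seq=35649 length=40
4036: ICMP echo-request: translating inside:192.168.1.4 to outside:196.219.50.166
4037: ICMP echo-reply from outside:87.206.150.226 to 196.219.50.166 ID=512 seq=23105 length=40
4038: ICMP echo-reply: untranslating outside:196.219.50.166 to inside:192.168.1.4
"""

# Sample 2: constructed (not from the thread), assumed format for an echo-request that arrives
# from the internet, is untranslated to the inside server, and is answered.
CONSTRUCTED_INBOUND = """\
5001: ICMP echo-request from outside:203.0.113.9 to 196.219.50.166 ID=1 seq=1 length=40
5002: ICMP echo-request: untranslating outside:196.219.50.166 to inside:192.168.1.4
5003: ICMP echo-reply from inside:192.168.1.4 to 203.0.113.9 ID=1 seq=1 length=40
5004: ICMP echo-reply: translating inside:192.168.1.4 to outside:196.219.50.166
"""

PACKET_RE = re.compile(
    r"^(?P<seqno>\d+): ICMP (?P<type>echo-request|echo-reply) from "
    r"(?P<iface>\w+):(?P<src>[\d.]+) to (?P<dst>[\d.]+) ID=(?P<id>\d+) seq=(?P<seq>\d+) length=(?P<len>\d+)$")
XLATE_RE = re.compile(
    r"^(?P<seqno>\d+): ICMP (?P<type>echo-request|echo-reply): (?P<op>translating|untranslating) "
    r"(?P<from_if>\w+):(?P<from>[\d.]+) to (?P<to_if>\w+):(?P<to>[\d.]+)$")


def parse_trace(text):
    """Turn trace lines into dicts; lines matching neither pattern are kept as 'unparsed'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = PACKET_RE.match(line)
        if m:
            events.append({"kind": "packet", **m.groupdict()})
            continue
        m = XLATE_RE.match(line)
        if m:
            events.append({"kind": "xlate", **m.groupdict()})
            continue
        events.append({"kind": "unparsed", "line": line})
    return events


def summarize(text):
    """Count packets by the interface they entered on and record the translations performed."""
    s = {"outbound_requests": 0, "inbound_requests": 0,
         "replies_from_outside": 0, "replies_from_inside": 0,
         "untranslated_requests": 0, "translations": set(), "unparsed": 0}
    for e in parse_trace(text):
        if e["kind"] == "packet":
            # 'from inside:' means the packet entered on the inside interface, i.e. an inside host sent it.
            if e["type"] == "echo-request":
                key = "outbound_requests" if e["iface"] == "inside" else "inbound_requests"
            else:
                key = "replies_from_inside" if e["iface"] == "inside" else "replies_from_outside"
            s[key] += 1
        elif e["kind"] == "xlate":
            s["translations"].add((e["op"], f"{e['from_if']}:{e['from']}", f"{e['to_if']}:{e['to']}"))
            # An echo-request being untranslated (global -> local) only happens for inbound traffic.
            if e["op"] == "untranslating" and e["type"] == "echo-request":
                s["untranslated_requests"] += 1
        else:
            s["unparsed"] += 1
    return s


def verdict(s):
    """One-line reading of the trace for whoever is debugging a static."""
    if s["inbound_requests"] == 0:
        return ("only inside-originated echo traffic seen: outbound NAT works, "
                "but nothing here tests the static from the internet")
    if s["untranslated_requests"] == 0:
        return ("inbound echo-request reached the outside interface but was never untranslated: "
                "check the static and the access-list bound to outside")
    return "inbound echo-request was untranslated to the inside host: the static and the outside ACL pass ICMP"


if __name__ == "__main__":
    for name, sample in (("post", TRACE_FROM_POST), ("constructed inbound", CONSTRUCTED_INBOUND)):
        print(name, "->", verdict(summarize(sample)))
```

For the quoted trace the summary is one echo-request entering on inside (192.168.1.4, translated to its static 196.219.50.166), one echo-reply entering on outside from 87.206.150.226, and the matching untranslate back to 192.168.1.4: an inside host pinging out. A test of the static itself would have to show an echo-request entering on outside, as in the constructed second sample.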
 