Need to access Exchange server on different subnet

sevendcruz

Oct 1, 2002
topology

PIX > internet2
|
10.10.0.0
|
router > pix > internet
|
192.168.0.0


The Exchange server is on the 10.10 subnet and the only way I've been able to get access to it from the 192.168.0.0 is to use a wildcard.
access-list 101 permit ip host 192.168.1.5 any
access-list 101 permit ip host 192.168.1.6 any

Am I missing something like eq domain?

Thanks


ip subnet-zero
ip host gatekeeper 192.168.1.1
ip host Switch2 192.168.1.21
ip host Switch1 192.168.1.20
!
!
!
!
interface Ethernet0/0
description Ethernet interface supporting LHHRP Network
ip address 192.168.1.10 255.255.255.0
no ip directed-broadcast
full-duplex
!
interface Ethernet0/1
ip address 10.10.1.3 255.255.0.0
ip access-group 101 out
no ip directed-broadcast
ip accounting access-violations
full-duplex
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
no ip http server
!
access-list 101 permit ip host 192.168.1.5 any
access-list 101 permit ip host 192.168.1.6 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 host 10.10.5.21
access-list 101 permit ip 192.168.1.0 0.0.0.255 host 10.10.5.41
access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 10.10.5.6 eq www
access-list 101 permit tcp any any established
access-list 101 permit ip 192.168.1.0 0.0.0.255 host 10.10.5.5
access-list 101 permit ip 192.168.1.0 0.0.0.255 host 10.10.5.2

line con 0
transport input none
line aux 0
line vty 0 4
password
login
!
no scheduler allocate
end

 
I would recommend you apply the access-list on the interface closest to the traffic that you want to deny/permit. In your case, you want to deny/permit traffic from 192.168.1.0 to go to 10.10.0.0. Hence you should redefine your access-list 100 and apply it to e0/0 (instead of e0/1) and inbound (instead of outbound).

Hence in theory, any traffic coming into e0/0 will have access-list 100 applied to it.

JimmyZ
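
Added example, not part of the thread or either poster's code: a small first-match evaluator for the access-list 101 posted above, which shows which entry a given packet hits and when it falls through to the implicit deny. The function names are made up for this sketch, it ignores interface direction, and it models `established` (ACK or RST set on IOS) as a single `ack` flag.

```python
import ipaddress

# access-list 101 exactly as posted in the thread
ACL_101 = """\
access-list 101 permit ip host 192.168.1.5 any
access-list 101 permit ip host 192.168.1.6 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 host 10.10.5.21
access-list 101 permit ip 192.168.1.0 0.0.0.255 host 10.10.5.41
access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 10.10.5.6 eq www
access-list 101 permit tcp any any established
access-list 101 permit ip 192.168.1.0 0.0.0.255 host 10.10.5.5
access-list 101 permit ip 192.168.1.0 0.0.0.255 host 10.10.5.2
"""
PORTS = {"www": 80}  # the only port keyword this ACL uses

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(tok):
    """Consume 'any', 'host A' or 'A WILDCARD'; return ((base, wildcard), rest)."""
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    if tok[0] == "host":
        return (_ip(tok[1]), 0), tok[2:]
    return (_ip(tok[0]), _ip(tok[1])), tok[2:]

def parse(text):
    rules = []
    for line in text.splitlines():
        tok = line.split()
        src, rest = _addr(tok[4:])
        dst, rest = _addr(rest)
        port = PORTS[rest[1]] if rest[:1] == ["eq"] else None
        rules.append((tok[2], tok[3], src, dst, port, "established" in rest, line))
    return rules

def _hit(spec, ip):
    base, wild = spec  # wildcard bits set to 1 are "don't care"
    return (_ip(ip) | wild) == (base | wild)

def evaluate(rules, proto, src, dst, dport=None, ack=False):
    """First match wins, else implicit deny; 'established' is modelled as ack=True."""
    for action, rproto, rsrc, rdst, port, est, line in rules:
        if (rproto in ("ip", proto) and _hit(rsrc, src) and _hit(rdst, dst)
                and port in (None, dport) and (ack or not est)):
            return action, line
    return "deny", "implicit deny"

RULES = parse(ACL_101)
```

For example, `evaluate(RULES, "tcp", "192.168.1.50", "10.10.5.10", 25)` returns the implicit deny, while the same packet from 192.168.1.5 matches the first `any` entry. Here 10.10.5.10 is a constructed stand-in for the Exchange server, whose address the thread never gives.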
