
static / access list

Status
Not open for further replies.

jdl508

Technical User
Apr 30, 2001
242
US
Hello, I have a PIX 515 and have set a static. My config is as follows:
write term
Building configuration...
: Saved
:
PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz2 security50
enable password frVQqQcSSQM/PbhJ encrypted
passwd frVQqQcSSQM/PbhJ encrypted
hostname fw2
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list in-dmz2 permit icmp any any echo
access-list outside permit icmp any any echo
pager lines 24
interface ethernet0 10baset
interface ethernet1 10baset
interface ethernet2 10baset
mtu outside 1500
mtu inside 1500
mtu dmz2 1500
ip address outside xxx.xxx.xxx.186 255.255.255.248
ip address inside xxx.1.1.49 255.255.255.0
ip address dmz2 10.2.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 xxx.xxx.xxx.188
nat (dmz2) 1 0.0.0.0 0.0.0.0 0 0
static (dmz2,outside) xxx.xxx.xxx.187 10.2.2.2 netmask 255.255.255.255 0 0
access-group outside in interface outside
access-group in-dmz2 in interface dmz2
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.185 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:fa61381a0c7b6d80e3657e0034a05ad2
: end
[OK]

My problem is that I can't ping this server from the Internet or from another router attached directly. The idea is to be able to pass traffic from another subnet to this server, but it obviously isn't working. Any ideas? Thanks,
jdl
 
For ping tests I usually just use:
access-list in-dmz2 permit icmp any any

Also, keep in mind all traffic can normally go from the DMZ to the outside. Once you apply that access-list to the DMZ, everything changes because of the implicit 'deny any any' at the end. Most often you would block traffic destined for the inside, then 'permit any any' at the end.

Try using a syslog server with "logging trap warnings" to see where traffic is getting denied.

-gbiello
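The reply's point about the implicit deny at the end of the dmz2 list, worked through as an added example that is not part of the thread and not Cisco code: a small Python first-match evaluator for access-list lines of the shape the poster and gbiello use (permit/deny, protocol, source, destination, optional ICMP type). It runs three versions of in-dmz2 against the same constructed packets: the poster's echo-only list, the "permit icmp any any" ping-test list from the reply, and the block-inside-then-permit-any pattern the reply describes. 192.168.1.0/24 and 198.51.100.1 are constructed stand-ins for the masked inside subnet and an Internet host; treating each ICMP packet on its own (no state tracking) is a simplifying assumption of the model, chosen so the echo-reply the DMZ server sends back is checked against the dmz2 list like any other packet.

```python
"""Toy first-match evaluator for PIX-style access-list lines.

Constructed illustration, not Cisco code and not the poster's device. It
models only `access-list NAME permit|deny PROTO SRC DST [ICMP-TYPE]`, where
SRC/DST are `any`, `host A.B.C.D` or `NET MASK`. Every packet is checked on
its own (no state tracking, an assumption of this model), and a packet that
matches nothing falls through to the implicit `deny any any`.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str            # "icmp", "tcp" or "udp"
    src: str
    dst: str
    icmp_type: str = ""   # "echo" / "echo-reply" for ICMP, else ""


def _parse_addr(tokens, i):
    """Read one address spec starting at tokens[i]; return (network, next i)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # "NET MASK" form, e.g. 192.168.1.0 255.255.255.0
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text, name):
    """Return the entries of access-list NAME in configuration order."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[1] != name:
            continue
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        icmp_type = t[i] if i < len(t) else ""   # optional trailing ICMP type
        entries.append((action, proto, src, dst, icmp_type))
    return entries


def evaluate(entries, pkt):
    """First matching entry decides; no match means the implicit deny."""
    for action, proto, src, dst, icmp_type in entries:
        if proto != "ip" and proto != pkt.proto:
            continue
        if ipaddress.ip_address(pkt.src) not in src:
            continue
        if ipaddress.ip_address(pkt.dst) not in dst:
            continue
        if proto == "icmp" and icmp_type and icmp_type != pkt.icmp_type:
            continue
        return action
    return "deny"   # implicit deny any any at the end of every PIX list


# The poster's dmz2 list: only echo requests leaving the DMZ are permitted.
POSTED = "access-list in-dmz2 permit icmp any any echo"

# The reply's ping-test list: all ICMP, so the echo-reply gets through too.
PING_TEST = "access-list in-dmz2 permit icmp any any"

# The reply's usual pattern: drop DMZ -> inside first, then permit the rest.
# 192.168.1.0/24 is a constructed stand-in for the masked inside subnet.
BLOCK_INSIDE = """
access-list in-dmz2 deny ip any 192.168.1.0 255.255.255.0
access-list in-dmz2 permit ip any any
"""

# Constructed flows arriving on the dmz2 interface from the server 10.2.2.2.
# 198.51.100.1 is a constructed stand-in for a host on the Internet.
ECHO_OUT = Packet("icmp", "10.2.2.2", "198.51.100.1", "echo")
ECHO_REPLY_OUT = Packet("icmp", "10.2.2.2", "198.51.100.1", "echo-reply")
TCP_TO_INSIDE = Packet("tcp", "10.2.2.2", "192.168.1.10")
TCP_TO_INTERNET = Packet("tcp", "10.2.2.2", "198.51.100.1")


def decide(acl_text, pkt):
    """Verdict ("permit"/"deny") of the in-dmz2 list in acl_text for pkt."""
    return evaluate(parse_acl(acl_text, "in-dmz2"), pkt)


if __name__ == "__main__":
    lists = (("posted", POSTED), ("ping-test", PING_TEST), ("block-inside", BLOCK_INSIDE))
    flows = (ECHO_OUT, ECHO_REPLY_OUT, TCP_TO_INSIDE, TCP_TO_INTERNET)
    for label, acl in lists:
        for pkt in flows:
            kind = pkt.icmp_type or pkt.proto
            print(f"{label:13} {kind:10} {pkt.src} -> {pkt.dst:14} {decide(acl, pkt)}")
```

Running it prints one verdict per list and flow. With the posted list only the outbound echo request is permitted; the echo-reply and every TCP flow from the server fall through to the implicit deny, which is the behaviour gbiello's "permit icmp any any" and the deny-inside-then-permit-any pattern are meant to change. The model also shows what the block-inside pattern still rejects (DMZ to inside), so the DMZ host can reach the Internet without gaining a path to the inside network.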
 