[c-nsp] Pix config help
Gary Smith
lists at l33t-d00d.co.uk
Sat Apr 14 11:22:56 EDT 2012
Hi there,
I'm struggling with a Pix configuration issue which has really got me
scratching my head.
It seems quite basic, but I've so far got to the end of my troubleshooting.
The Inside interface of the Pix has the network 192.168.70.0/24. The
outside interface has the network 192.168.70.0/24. The next hop from the
Pix on the outside is 192.168.71.1 (the Pix is at 192.168.71.2). The
next hop is a 2811.
On the 2811, I have ACLs set up to allow connection to a machine on the
inside interface of the Pix (192.168.71.5). If I attempt to connect from
a machine allowed through on the ACL, this works.
I've also allowed some machines from another internal network (but
beyond the outside interface on the Pix) (for instance, 192.168.50.3)
via an ACL to connect to 192.168.71.5. To the best of my problem solving
skills, these are being allowed but aren't actually connecting. And this
is the bit I'm struggling with. If, for instance, I attempt to RDP
through, then it's logged at both the 2811 and the Pix as being allowed
(so far as I can see):
From the Pix:
302013: Built inbound TCP connection 7972 for outside:192.168.50.3/4992 (192.168.50.3/4992) to inside:192.168.70.5/3389 (192.168.71.5/3389)
From the 2811:
Apr 14 15:16:58 62.49.229.217 568: 000564: Apr 14 15:16:57: %SEC-6-IPACCESSLOGP: list 122 permitted tcp 192.168.50.3(4995) -> 192.168.71.5(3389), 1 packet
For what it's worth, though, the Pix, immediately after logging the
connection being built doesn't show it in the show conn output. With the
static output listed in the config below, it's always got the relevant
info in the xlate.
So, to my understanding, this should work. I think I've ruled out the
machine as I can connect in from beyond the outside interface of the
2811. Similarly, the config rules which allow that connection exactly
mirror that which I'm attempting to use for 192.168.50.3. So what am I
doing wrong? I've put the relevant bits of the config here:
Pix bits:
access-list serverout permit tcp host [machine beyond the outside interface of 2811] host 192.168.71.5
access-list serverout permit tcp host 192.168.50.3 host 192.168.71.5
ip address outside 192.168.71.1 255.255.255.0
ip address inside 192.168.70.1 255.255.255.0
static (inside,outside) 192.168.71.5 192.168.70.5 netmask 255.255.255.255 0 0
access-group serverout in interface outside
Bits from the 2811:
Extended IP access list 122
25 permit ip host 192.168.50.3 host 192.168.71.5 log (6 matches)
30 permit ip host [machine beyond outside interface of the 2811] host 192.168.71.5 log (1029 matches)
310 deny ip any any log (69 matches)
So - any thoughts anyone?
Gary
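An added example, not code from Gary's post or from Cisco: the two syslog lines quoted above are the raw material for checking whether the 2811 and the Pix actually saw the same TCP attempt. Note that they do not agree on the client's source port (4992 on the Pix, 4995 on the 2811), so they are two different attempts rather than one attempt observed at both hops. The script below parses the PIX 302013 "Built ... connection" format and the IOS %SEC-6-IPACCESSLOGP format, groups events by (source, global destination, destination port), and reports, per flow, which device saw it and whether any source port appears on both. The sample lines are the two from the post, re-joined onto single lines; everything else (function names, the report layout) is this example's own choice.

```python
"""Correlate PIX 302013 connection-built lines with IOS ACL-log lines by flow.

Added example for the thread above, not code from the original post. The
sample lines are the two quoted in the post; the parsing logic and the
report structure are this example's own.
"""
import re
from collections import defaultdict

# PIX/ASA 302013: Built <dir> TCP connection <id> for
#   <if>:<real>/<port> (<mapped>/<port>) to <if>:<real>/<port> (<mapped>/<port>)
PIX_BUILT_RE = re.compile(
    r"302013: Built (?P<direction>inbound|outbound) TCP connection (?P<conn_id>\d+) for "
    r"(?P<src_if>\w+):(?P<src_real>[\d.]+)/(?P<src_port>\d+) "
    r"\((?P<src_mapped>[\d.]+)/(?P<src_mapped_port>\d+)\) to "
    r"(?P<dst_if>\w+):(?P<dst_real>[\d.]+)/(?P<dst_port>\d+) "
    r"\((?P<dst_mapped>[\d.]+)/(?P<dst_mapped_port>\d+)\)"
)

# IOS: %SEC-6-IPACCESSLOGP: list <acl> permitted|denied <proto>
#   <src>(<sport>) -> <dst>(<dport>), <n> packet(s)
IOS_ACL_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<packets>\d+) packets?"
)


def parse_pix_built(line):
    """Return a flow dict for a 302013 line, keyed on the mapped (outside-visible)
    addresses so it can be compared with what an upstream router sees."""
    m = PIX_BUILT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "device": "pix",
        "conn_id": int(d["conn_id"]),
        "direction": d["direction"],
        "src": d["src_mapped"],
        "sport": int(d["src_mapped_port"]),
        "dst": d["dst_mapped"],            # global address from the static
        "dport": int(d["dst_mapped_port"]),
        "dst_real": d["dst_real"],         # inside address behind the static
    }


def parse_ios_acl(line):
    """Return a flow dict for an IOS ACL-log line (timestamp prefix is ignored)."""
    m = IOS_ACL_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "device": "ios",
        "acl": d["acl"],
        "action": d["action"],
        "proto": d["proto"],
        "src": d["src"],
        "sport": int(d["sport"]),
        "dst": d["dst"],
        "dport": int(d["dport"]),
        "packets": int(d["packets"]),
    }


def parse_line(line):
    return parse_pix_built(line) or parse_ios_acl(line)


def correlate(lines):
    """Group events by (src, dst, dport). For each flow report which devices
    logged it and whether any client source port was seen on both, i.e.
    whether the two devices logged the same TCP attempt."""
    flows = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            flows[(ev["src"], ev["dst"], ev["dport"])].append(ev)
    report = {}
    for key, events in flows.items():
        pix_ports = {e["sport"] for e in events if e["device"] == "pix"}
        ios_ports = {e["sport"] for e in events if e["device"] == "ios"}
        report[key] = {
            "seen_on_pix": bool(pix_ports),
            "seen_on_2811": bool(ios_ports),
            "same_attempt": bool(pix_ports & ios_ports),
            "pix_sports": sorted(pix_ports),
            "ios_sports": sorted(ios_ports),
        }
    return report


# The two lines quoted in the post, each re-joined onto a single line.
SAMPLE_LINES = [
    "302013: Built inbound TCP connection 7972 for outside:192.168.50.3/4992 "
    "(192.168.50.3/4992) to inside:192.168.70.5/3389 (192.168.71.5/3389)",
    "Apr 14 15:16:58 62.49.229.217 568: 000564: Apr 14 15:16:57: "
    "%SEC-6-IPACCESSLOGP: list 122 permitted tcp 192.168.50.3(4995) -> "
    "192.168.71.5(3389), 1 packet",
]

if __name__ == "__main__":
    for flow, info in correlate(SAMPLE_LINES).items():
        print(flow, info)
```

Keying on the global address (192.168.71.5) rather than the real inside address is deliberate: the router's ACL only ever sees the static's global side, so that is the address the two logs share. A flow with `same_attempt` False but both devices reporting it is exactly the case in the post, and the next thing to look for is a 302014 teardown (or its absence) for the Pix connection ID.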