Cisco PIX Inbound Policy

I've tried searching on EE for this answer but because I'm not that much of a PIX expert -I only understand IOS syntax and basic firewall rules- I couldn't really solve my problem.  So, if the answer is blatantly already available try not to flame me too much...

I've got a client with a PIX that has a bunch of web servers in the DMZ with existing policies to allow smtp and web traffic to those servers.  However, they have a box on the LAN they'd like to open full access to for a very short period of time and I can't seem to figure out how to write it into the config.  Based on all the configs that were already on the system, I tried to do the following:

static (inside, outside) netmask

Then for the actual policy:

access-list outside_access_in permit tcp host [ip of origin client] host eq telnet

We had the remote user try telnet and it didn't work; I also found out they needed access for a few hours to a million other ports so I tried changing the policy to:

access-list outside_access_in permit tcp any (in case they weren't originating from the IP they thought they were) host

And this still didn't work so here I am.  Anyone see what I'm doing wrong?


hi there

First of all
Is the access-list "outside_access_in" the same name as all the other servers on the DMZ are accessed under?
It needs to be as only 1 access-list name is referenced per interface - so if you already have an access list that is allowing access to servers in the DMZ from outside, you need to use the exact same access-list name.

Is there definitely a free available address in your ip range?  It cannot be already used or be the ip address of your pix outside interface - (If you don't have a free address there are workarounds)

Access-lists work top-down until they find a match.  If there is a deny access-list that appears above your access-list - then your one will not be read.  At the pix type
sh access-list
And look at the line numbers of the access-lists.
You may need to remove yours and reinsert it with a line number so that it comes in before a deny statement:
access-list outside_access_in line 15 permit tcp host [ip of origin client] host eq telnet

hope this helps

AM6_Networks_AdamLAuthor Commented:
First: the access lists are different for the DMZ, it's something like outside_access_dmz; which I'm not dealing with since this unit is inside the LAN (..i know, security risks..).

Second: Yes, it is a free address; it's not your typical soho deployment, the customer has a wide range of IPs.

Third: I'll try running that sh access-list and see if there is any sort of a deny policy.  I'll update asap.

Thanks a lot.
<<First: the access lists are different for the DMZ, its something like outside_access_dmz; which I'm not dealing with since this unit in inside the LAN>>

I know what you mean but the fact is that the traffic is still originating from the outside so if there is an access-list allowing www access to servers in your DMZ - it will be applied to your outside interface.  
Your access-list and static above are fine - but the problem is that they are not applied to anything.

Look for the line in the config:
access-group [access-list name] in interface outside

The access-list applied here is the one you need to name your access-list for allowing access inside.  Even if the access-list is named outside_access_dmz - that is only the name of it - it can be called whatever - if you get my drift

hope this helps
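The two answers above make three separate points: an access-list that no access-group references filters nothing, the bound access-list is walked top-down so a permit placed after a broad deny is never reached, and the static's global address must be free. The following checker, an added example that is not code from the thread or from Cisco, models those three checks over a constructed PIX 6.x-style config fragment (all names and addresses are invented for the demo; it also honours the `line N` insertion form the first answer suggests, so the same block serves both answers):

```python
"""Checker for the PIX inbound-policy pitfalls discussed above.
Constructed sample config; addresses are documentation ranges, not the poster's."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"www": 80, "http": 80, "smtp": 25, "telnet": 23, "https": 443}

@dataclass
class Ace:
    line: int           # position inside its access-list (1-based, evaluated top-down)
    action: str         # "permit" or "deny"
    proto: str          # "tcp", "udp", "ip", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]  # None = any destination port

def _addr(tokens):
    """Consume one PIX address spec: 'any' | 'host A' | 'A MASK'. Returns (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_config(text):
    """Collect access-list entries, statics and access-group bindings from config text."""
    acls, statics, groups = {}, [], {}
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "access-list":
            name, rest, pos = t[1], t[2:], None
            if rest[0] == "line":             # 'access-list NAME line N ...' inserts at N
                pos, rest = int(rest[1]), rest[2:]
            if rest[0] not in ("permit", "deny"):
                continue                      # remarks and other forms are ignored
            action, proto = rest[0], rest[1]
            src, rest = _addr(rest[2:])
            dst, rest = _addr(rest)
            dport = PORT_NAMES.get(rest[1], None) if rest[:1] == ["eq"] else None
            if rest[:1] == ["eq"] and dport is None:
                dport = int(rest[1])
            acl = acls.setdefault(name, [])
            acl.insert(len(acl) if pos is None else pos - 1,
                       Ace(0, action, proto, src, dst, dport))
            for i, ace in enumerate(acl, 1):  # renumber after insertion
                ace.line = i
        elif t[0] == "static":
            statics.append((t[1].strip("()"), t[2], t[3]))   # (ifaces, global, local)
        elif t[0] == "access-group":
            groups[t[4]] = t[1]                              # interface -> ACL name
    return {"acls": acls, "statics": statics, "groups": groups}

def bound_acl(cfg, iface):
    """Name of the access-list that an access-group applies on iface, or None."""
    return cfg["groups"].get(iface)

def unbound_acls(cfg):
    """Access-lists defined but never referenced by access-group: they filter nothing."""
    return sorted(set(cfg["acls"]) - set(cfg["groups"].values()))

def evaluate(cfg, iface, proto, src, dst, dport):
    """Walk the ACL bound to iface top-down; first match wins, implicit deny at the end."""
    name = bound_acl(cfg, iface)
    if name is None:
        return ("deny", None)   # inbound on a lower-security interface with no ACL: nothing enters
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in cfg["acls"][name]:
        if (ace.proto in (proto, "ip") and s in ace.src and d in ace.dst
                and ace.dport in (None, dport)):
            return (ace.action, ace.line)
    return ("deny", None)

def static_conflicts(cfg, outside_if_ip):
    """Global addresses reused across statics or equal to the outside interface address."""
    seen, bad = set(), []
    for _, glob, _ in cfg["statics"]:
        if glob in seen or glob == outside_if_ip:
            bad.append(glob)
        seen.add(glob)
    return bad

# Constructed config: the DMZ ACL is the one bound to 'outside'; the poster's new
# ACL exists but is unbound, and the bound ACL ends in an explicit deny.
SAMPLE_CONFIG = """\
access-list outside_access_dmz permit tcp any host 203.0.113.20 eq www
access-list outside_access_dmz permit tcp any host 203.0.113.20 eq smtp
access-list outside_access_dmz deny ip any any
access-list outside_access_in permit tcp host 198.51.100.7 host 203.0.113.30 eq telnet
static (dmz,outside) 203.0.113.20 192.168.10.20 netmask 255.255.255.255
static (inside,outside) 203.0.113.30 10.0.0.30 netmask 255.255.255.255
access-group outside_access_dmz in interface outside
"""
# Remedy from the thread: put the permit in the bound ACL, above the deny, via 'line N'.
FIXED_CONFIG = SAMPLE_CONFIG + (
    "access-list outside_access_dmz line 3 permit tcp host 198.51.100.7 "
    "host 203.0.113.30 eq telnet\n")

def audit(text=SAMPLE_CONFIG, src="198.51.100.7", dst="203.0.113.30", dport=23):
    """Summarise the three checks for one hypothetical inbound telnet flow."""
    cfg = parse_config(text)
    return {"bound": bound_acl(cfg, "outside"),
            "unbound": unbound_acls(cfg),
            "verdict": evaluate(cfg, "outside", "tcp", src, dst, dport),
            "static_conflicts": static_conflicts(cfg, "203.0.113.1")}

if __name__ == "__main__":
    print(audit())              # verdict ('deny', 3): shadowed by the deny on line 3
    print(audit(FIXED_CONFIG))  # verdict ('permit', 3): inserted above the deny
```

On the sample config the flow is denied at line 3 of the bound ACL even though a matching permit exists in `outside_access_in`, because that list is never applied; the fixed config inserts the permit into the bound list ahead of the deny and the same flow is permitted. Feed it the output of `sh run` and `sh access-list` and the `unbound` and `verdict` fields answer the two questions the thread asks.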


You need two access lists

1. Allow traffic from outside to LAN
2. Allow the same from LAN to outside to make it work


<<2. Allow the same from LAN to outside to make it work>>

You don't need an access-list to permit traffic from inside to out on a pix.  The PIX ASA algorithm dictates that all traffic from a more secure interface can flow to a less secure one by default.  The static below is giving 1-1 nat translation for the LAN server to outside.  

static (inside, outside) netmask

AM6_Networks_AdamLAuthor Commented:
I'm still waiting for field techs to report with sh access-list and possibly a sh run just so we can all be on the same page here.  Sorry for the delays, this is definitely important to us and I'll post as quickly as possible.

Take your time!