exiscapital
asked on
Pix 515E and ICMP
What is the proper way to allow icmp messages from my network through a Cisco Pix 515e, without allowing it from the outside in. I have looked at https://www.experts-exchange.com/questions/21679742/cisco-pix-allow-icmp-ping-to-outside-only-and-prevent-all-inbound-icmp-pings.html and https://www.experts-exchange.com/questions/21790685/Cannot-ping-websites-by-I-P-or-by-name-from-PIX-firewall-or-PC's.html?qid=21790685 but that does not seem to do it.
Thanks
Thanks
Just bear in mind this lets it through from the PIX outwards.
if you apply this access-list it will only let this traffic go through so make sure you add it to your existing acl....
If you do not have an outgoing acl, then all traffic will be allowed out.
if you apply this access-list it will only let this traffic go through so make sure you add it to your existing acl....
If you do not have an outgoing acl, then all traffic will be allowed out.
ASKER
By default, shouldn't all traffic from high security interface flow out the low security interface without restriction. SHould the access list be used just to allow the traffic back in.
To your first point, yes. Having NO acl, would allow higher to lower but as soon as you put an ACL in, then ONLY that traffic is allowed. When traffic passes out, it makes a session so that responses can come back in again.
ASKER
I have entered the following code below, and now i am able to ping from the fire wall in either direction, however, I am still not able to ping from workstation on network to an external ip. Is there something else that I need to add.
icmp permit any echo-reply outside
access-list acl_ins permit icmp any any echo
access-list acl_ins permit icmp any any
access-list acl_ins permit ip any any
access-list acl_out permit icmp any any echo-reply
icmp permit any echo-reply outside
access-list acl_ins permit icmp any any echo
access-list acl_ins permit icmp any any
access-list acl_ins permit ip any any
access-list acl_out permit icmp any any echo-reply
Can you just post a sanitised copy of the config?
ASKER
PIX Version 6.3(1)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password SK/lhDTtaj.76ERQ encrypted
passwd SK/lhDTtaj.76ERQ encrypted
hostname xxxxxxx
domain-name xxxxxx
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 10.XX.XX.XX InternalNet
name 66.XX.XX.XX Instaquote4
name 63.XX.XX.XX Instaquote1
name 63.XX.XX.XX Instaquote3
name 63.XX.XX.XX Instaquote2
name 216.XX.XX.XX evault
name 218.XX.XX.XX tracker2
name 192.XX.XX.XX Hamptons
name 63.XX.XX.XX Software
object-group service FTP tcp
port-object eq ftp-data
port-object eq ftp
object-group service Bridge tcp-udp
port-object range 14000 14000
port-object range 6107 6107
port-object range 4301 4301
port-object range 4303 4303
object-group service Sobig_Block udp
port-object range 995 999
object-group service XXXX_Internet tcp
port-object range 16443 16443
port-object range 15443 15443
port-object range 18443 18443
port-object range 17443 17443
object-group service Sasser_Virus tcp
port-object range 445 445
port-object range 9996 9996
port-object range 5554 5554
object-group service CTS tcp
port-object range 23242 23242
port-object range 23502 23502
port-object range 23602 23602
object-group service instaquote tcp
port-object range 3200 3210
port-object range 3500 3510
port-object range 3550 3560
object-group service BitTorrent tcp-udp
port-object range 6881 6999
object-group service BitTorrentTracker tcp-udp
port-object range 6969 6969
object-group service BitComet tcp-udp
port-object range 19973 19973
object-group service P2Papps tcp-udp
description Bunch of peer to peer apps
port-object range 4762 4762
port-object range 8888 8889
port-object range 28864 28865
port-object range 7668 7668
port-object range 8311 8311
port-object range 41170 41170
port-object range 1214 1214
object-group service NAPSTER tcp
port-object range 6600 6699
port-object eq 4444
port-object eq 8888
port-object eq 5555
port-object eq 6666
port-object eq 8875
port-object eq 7777
object-group service SIP tcp-udp
port-object eq 3478
port-object range 8000 8001
port-object range 5060 5061
object-group service citifutures tcp-udp
port-object range 7001 7002
port-object range 5555 5556
access-list outside_access_in permit tcp any object-group CTS any object-group C
TS
access-list outside_access_in permit tcp any object-group SIP any object-group S
IP log 1
access-list outside_access_in deny tcp any object-group NAPSTER any
access-list outside_access_in deny tcp any object-group BitTorrent any
access-list outside_access_in deny tcp any object-group BitTorrentTracker any
access-list outside_access_in deny tcp any object-group BitComet any
access-list outside_access_in deny tcp any any eq smtp log 1
access-list outside_access_in deny tcp any any eq 3127
access-list outside_access_in deny tcp any any eq 1214
access-list outside_access_in deny udp any object-group Sobig_Block any object-g
roup Sobig_Block
access-list outside_access_in deny udp any eq ntp any eq ntp
access-list outside_access_in remark Beagle.b Virus Back door Block
access-list outside_access_in deny tcp any any eq 8866
access-list outside_access_in deny tcp any object-group Sasser_Virus any object-
group Sasser_Virus
access-list outside_access_in deny ip any any
access-list outside_access_in permit tcp any object-group citifutures any object
-group citifutures
access-list inside_access_in permit tcp any object-group SIP any object-group SI
P log 1 interval 20
access-list inside_access_in permit ip any host evault log 5
access-list inside_access_in permit tcp any any object-group REDI_Internet
access-list inside_access_in permit tcp any any eq https
access-list inside_access_in deny tcp any object-group NAPSTER any
access-list inside_access_in deny udp any any eq 8998
access-list inside_access_in deny tcp any object-group Sasser_Virus any object-g
roup Sasser_Virus
access-list inside_access_in deny tcp ExisInternalNet 255.255.0.0 any eq smtp lo
g 1
access-list inside_access_in deny tcp any any eq 1214
access-list inside_access_in deny tcp any any object-group BitComet
access-list inside_access_in deny tcp any any object-group BitTorrent
access-list inside_access_in deny tcp any any object-group BitTorrentTracker
access-list inside_access_in deny tcp any any object-group P2Papps
access-list inside_access_in permit ip any any
access-list acl_ins permit icmp any any echo
access-list acl_ins permit icmp any any
access-list acl_ins permit ip any any
access-list acl_out permit icmp any any echo-reply
pager lines 24
logging on
icmp permit any information-reply outside
icmp permit any mask-reply outside
icmp permit any parameter-problem outside
icmp permit any source-quench outside
icmp permit any time-exceeded outside
icmp permit any timestamp-reply outside
icmp permit any unreachable outside
icmp permit any echo-reply outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 66.XX.XX.XX 255.255.255.240
ip address inside 10.XX.XX.XX 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm location 10.XX.XX.XX 255.255.255.255 inside
pdm location Software 255.255.255.0 outside
pdm location 68.XX.XX.XX 255.255.255.255 outside
pdm location 64.XX.XX.XX 255.255.255.255 outside
pdm location 64.XX.XX.XX 255.255.255.255 inside
pdm location Instaquote1 255.255.255.0 outside
pdm location Instaquote3 255.255.255.0 outside
pdm location Instaquote2 255.255.255.0 outside
pdm location Instaquote4 255.255.255.0 outside
pdm location evault 255.255.255.255 outside
pdm location tracker2 255.255.255.255 outside
pdm location Hamptons 255.255.255.0 inside
pdm logging notifications 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 InternalNet 255.255.0.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 66.XX.XX.XX 1
route inside Hamptons 255.255.255.0 10.XX.XX.XX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http InternalNet 255.255.0.0 inside
http Hamptons 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community eXis
no snmp-server enable traps
no floodguard enable
sysopt connection permit-ipsec
service resetinbound
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
isakmp enable outside
isakmp key ******** address 208.XX.XX.XX netmask 255.255.255.255 no-xauth no-
config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet InternalNet 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
username admin password g8rxkBgz2s/xqqU1 encrypted privilege 1
terminal width 80
Cryptochecksum:a50fd5e39a1
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password SK/lhDTtaj.76ERQ encrypted
passwd SK/lhDTtaj.76ERQ encrypted
hostname xxxxxxx
domain-name xxxxxx
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 10.XX.XX.XX InternalNet
name 66.XX.XX.XX Instaquote4
name 63.XX.XX.XX Instaquote1
name 63.XX.XX.XX Instaquote3
name 63.XX.XX.XX Instaquote2
name 216.XX.XX.XX evault
name 218.XX.XX.XX tracker2
name 192.XX.XX.XX Hamptons
name 63.XX.XX.XX Software
object-group service FTP tcp
port-object eq ftp-data
port-object eq ftp
object-group service Bridge tcp-udp
port-object range 14000 14000
port-object range 6107 6107
port-object range 4301 4301
port-object range 4303 4303
object-group service Sobig_Block udp
port-object range 995 999
object-group service XXXX_Internet tcp
port-object range 16443 16443
port-object range 15443 15443
port-object range 18443 18443
port-object range 17443 17443
object-group service Sasser_Virus tcp
port-object range 445 445
port-object range 9996 9996
port-object range 5554 5554
object-group service CTS tcp
port-object range 23242 23242
port-object range 23502 23502
port-object range 23602 23602
object-group service instaquote tcp
port-object range 3200 3210
port-object range 3500 3510
port-object range 3550 3560
object-group service BitTorrent tcp-udp
port-object range 6881 6999
object-group service BitTorrentTracker tcp-udp
port-object range 6969 6969
object-group service BitComet tcp-udp
port-object range 19973 19973
object-group service P2Papps tcp-udp
description Bunch of peer to peer apps
port-object range 4762 4762
port-object range 8888 8889
port-object range 28864 28865
port-object range 7668 7668
port-object range 8311 8311
port-object range 41170 41170
port-object range 1214 1214
object-group service NAPSTER tcp
port-object range 6600 6699
port-object eq 4444
port-object eq 8888
port-object eq 5555
port-object eq 6666
port-object eq 8875
port-object eq 7777
object-group service SIP tcp-udp
port-object eq 3478
port-object range 8000 8001
port-object range 5060 5061
object-group service citifutures tcp-udp
port-object range 7001 7002
port-object range 5555 5556
access-list outside_access_in permit tcp any object-group CTS any object-group C
TS
access-list outside_access_in permit tcp any object-group SIP any object-group S
IP log 1
access-list outside_access_in deny tcp any object-group NAPSTER any
access-list outside_access_in deny tcp any object-group BitTorrent any
access-list outside_access_in deny tcp any object-group BitTorrentTracker any
access-list outside_access_in deny tcp any object-group BitComet any
access-list outside_access_in deny tcp any any eq smtp log 1
access-list outside_access_in deny tcp any any eq 3127
access-list outside_access_in deny tcp any any eq 1214
access-list outside_access_in deny udp any object-group Sobig_Block any object-g
roup Sobig_Block
access-list outside_access_in deny udp any eq ntp any eq ntp
access-list outside_access_in remark Beagle.b Virus Back door Block
access-list outside_access_in deny tcp any any eq 8866
access-list outside_access_in deny tcp any object-group Sasser_Virus any object-
group Sasser_Virus
access-list outside_access_in deny ip any any
access-list outside_access_in permit tcp any object-group citifutures any object
-group citifutures
access-list inside_access_in permit tcp any object-group SIP any object-group SI
P log 1 interval 20
access-list inside_access_in permit ip any host evault log 5
access-list inside_access_in permit tcp any any object-group REDI_Internet
access-list inside_access_in permit tcp any any eq https
access-list inside_access_in deny tcp any object-group NAPSTER any
access-list inside_access_in deny udp any any eq 8998
access-list inside_access_in deny tcp any object-group Sasser_Virus any object-g
roup Sasser_Virus
access-list inside_access_in deny tcp ExisInternalNet 255.255.0.0 any eq smtp lo
g 1
access-list inside_access_in deny tcp any any eq 1214
access-list inside_access_in deny tcp any any object-group BitComet
access-list inside_access_in deny tcp any any object-group BitTorrent
access-list inside_access_in deny tcp any any object-group BitTorrentTracker
access-list inside_access_in deny tcp any any object-group P2Papps
access-list inside_access_in permit ip any any
access-list acl_ins permit icmp any any echo
access-list acl_ins permit icmp any any
access-list acl_ins permit ip any any
access-list acl_out permit icmp any any echo-reply
pager lines 24
logging on
icmp permit any information-reply outside
icmp permit any mask-reply outside
icmp permit any parameter-problem outside
icmp permit any source-quench outside
icmp permit any time-exceeded outside
icmp permit any timestamp-reply outside
icmp permit any unreachable outside
icmp permit any echo-reply outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 66.XX.XX.XX 255.255.255.240
ip address inside 10.XX.XX.XX 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm location 10.XX.XX.XX 255.255.255.255 inside
pdm location Software 255.255.255.0 outside
pdm location 68.XX.XX.XX 255.255.255.255 outside
pdm location 64.XX.XX.XX 255.255.255.255 outside
pdm location 64.XX.XX.XX 255.255.255.255 inside
pdm location Instaquote1 255.255.255.0 outside
pdm location Instaquote3 255.255.255.0 outside
pdm location Instaquote2 255.255.255.0 outside
pdm location Instaquote4 255.255.255.0 outside
pdm location evault 255.255.255.255 outside
pdm location tracker2 255.255.255.255 outside
pdm location Hamptons 255.255.255.0 inside
pdm logging notifications 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 InternalNet 255.255.0.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 66.XX.XX.XX 1
route inside Hamptons 255.255.255.0 10.XX.XX.XX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http InternalNet 255.255.0.0 inside
http Hamptons 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community eXis
no snmp-server enable traps
no floodguard enable
sysopt connection permit-ipsec
service resetinbound
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
isakmp enable outside
isakmp key ******** address 208.XX.XX.XX netmask 255.255.255.255 no-xauth no-
config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet InternalNet 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
username admin password g8rxkBgz2s/xqqU1 encrypted privilege 1
terminal width 80
Cryptochecksum:a50fd5e39a1
access-list inside_access_in permit icmp any any
Just bear with me and try it please.....
Just bear with me and try it please.....
ASKER
request timed out.
ASKER
request timed out when I tried to ping external address from pc on network.
God I hate networking sometimes....
can you do a sh access-list inside_access_in
can you do a sh access-list inside_access_in
ASKER
sh access-list inside_access_in
access-list inside_access_in; 46 elements
access-list inside_access_in line 1 permit tcp any object-group SIP any object-g
roup SIP log 1 interval 20
access-list inside_access_in line 1 permit tcp any eq 3478 any eq 3478 log 1 int
erval 20 (hitcnt=0)
access-list inside_access_in line 1 permit tcp any eq 3478 any range 8000 8001 l
og 1 interval 20 (hitcnt=0)
access-list inside_access_in line 1 permit tcp any eq 3478 any range 5060 5061 l
og 1 interval 20 (hitcnt=0)
access-list inside_access_in line 1 permit tcp any range 8000 8001 any eq 3478 l
og 1 interval 20 (hitcnt=0)
access-list inside_access_in line 1 permit tcp any range 8000 8001 any range 800
0 8001 log 1 interval 20 (hitcnt=0)
access-list inside_access_in line 1 permit tcp any range 8000 8001 any range 506
0 5061 log 1 interval 20 (hitcnt=0)
access-list inside_access_in line 1 permit tcp any range 5060 5061 any eq 3478 l
og 1 interval 20 (hitcnt=0)
access-list inside_access_in line 1 permit tcp any range 5060 5061 any range 800
0 8001 log 1 interval 20 (hitcnt=0)
access-list inside_access_in line 1 permit tcp any range 5060 5061 any range 506
0 5061 log 1 interval 20 (hitcnt=0)
access-list inside_access_in line 2 permit ip any host evault log 5 interval 300
(hitcnt=72)
access-list inside_access_in line 3 permit tcp any any object-group XXXX_Interne
t
access-list inside_access_in line 3 permit tcp any any range 16443 16443 (hitcnt
=0)
access-list inside_access_in line 3 permit tcp any any range 15443 15443 (hitcnt
=0)
access-list inside_access_in line 3 permit tcp any any range 18443 18443 (hitcnt
=0)
access-list inside_access_in line 3 permit tcp any any range 17443 17443 (hitcnt
=0)
access-list inside_access_in line 4 permit tcp any any eq https (hitcnt=5988)
access-list inside_access_in line 5 deny tcp any object-group NAPSTER any
access-list inside_access_in line 5 deny tcp any range 6600 6699 any (hitcnt=0)
access-list inside_access_in line 5 deny tcp any eq 4444 any (hitcnt=43)
access-list inside_access_in line 5 deny tcp any eq 8888 any (hitcnt=0)
access-list inside_access_in line 5 deny tcp any eq 5555 any (hitcnt=0)
access-list inside_access_in line 5 deny tcp any eq 6666 any (hitcnt=0)
access-list inside_access_in line 5 deny tcp any eq 8875 any (hitcnt=0)
access-list inside_access_in line 5 deny tcp any eq 7777 any (hitcnt=0)
access-list inside_access_in line 6 deny udp any any eq 8998 (hitcnt=0)
access-list inside_access_in line 7 deny tcp any object-group Sasser_Virus any o
bject-group Sasser_Virus
access-list inside_access_in line 7 deny tcp any range 445 445 any range 445 445
(hitcnt=0)
access-list inside_access_in line 7 deny tcp any range 445 445 any range 9996 99
96 (hitcnt=0)
access-list inside_access_in line 7 deny tcp any range 445 445 any range 5554 55
54 (hitcnt=0)
access-list inside_access_in line 7 deny tcp any range 9996 9996 any range 445 4
45 (hitcnt=0)
access-list inside_access_in line 7 deny tcp any range 9996 9996 any range 9996
9996 (hitcnt=0)
access-list inside_access_in line 7 deny tcp any range 9996 9996 any range 5554
5554 (hitcnt=0)
access-list inside_access_in line 7 deny tcp any range 5554 5554 any range 445 4
45 (hitcnt=0)
access-list inside_access_in line 7 deny tcp any range 5554 5554 any range 9996
9996 (hitcnt=0)
access-list inside_access_in line 7 deny tcp any range 5554 5554 any range 5554
5554 (hitcnt=0)
access-list inside_access_in line 8 deny tcp InternalNet 255.255.0.0 any eq
smtp log 1 interval 300 (hitcnt=15)
access-list inside_access_in line 9 deny tcp any any eq 1214 (hitcnt=0)
access-list inside_access_in line 10 deny tcp any any object-group BitComet
access-list inside_access_in line 10 deny tcp any any range 19973 19973 (hitcnt=
0)
access-list inside_access_in line 11 deny tcp any any object-group BitTorrent
access-list inside_access_in line 11 deny tcp any any range 6881 6999 (hitcnt=0)
access-list inside_access_in line 12 deny tcp any any object-group BitTorrentTra
cker
access-list inside_access_in line 12 deny tcp any any range 6969 6969 (hitcnt=0)
access-list inside_access_in line 13 deny tcp any any object-group P2Papps
access-list inside_access_in line 13 deny tcp any any range 4762 4762 (hitcnt=0)
access-list inside_access_in line 13 deny tcp any any range 8888 8889 (hitcnt=0)
access-list inside_access_in line 13 deny tcp any any range 28864 28865 (hitcnt=
0)
access-list inside_access_in line 13 deny tcp any any range 7668 7668 (hitcnt=0)
access-list inside_access_in line 13 deny tcp any any range 8311 8311 (hitcnt=0)
access-list inside_access_in line 13 deny tcp any any range 41170 41170 (hitcnt=
0)
access-list inside_access_in line 13 deny tcp any any range 1214 1214 (hitcnt=0)
access-list inside_access_in line 14 permit ip any any (hitcnt=128632)
access-list inside_access_in line 15 permit icmp any any (hitcnt=0)
access-list inside_access_in; 46 elements
access-list inside_access_in line 1 permit tcp any object-group SIP any object-g
roup SIP log 1 interval 20
access-list inside_access_in line 1 permit tcp any eq 3478 any eq 3478 log 1 int
erval 20 (hitcnt=0)
access-list inside_access_in line 1 permit tcp any eq 3478 any range 8000 8001 l
og 1 interval 20 (hitcnt=0)
access-list inside_access_in line 1 permit tcp any eq 3478 any range 5060 5061 l
og 1 interval 20 (hitcnt=0)
access-list inside_access_in line 1 permit tcp any range 8000 8001 any eq 3478 l
og 1 interval 20 (hitcnt=0)
access-list inside_access_in line 1 permit tcp any range 8000 8001 any range 800
0 8001 log 1 interval 20 (hitcnt=0)
access-list inside_access_in line 1 permit tcp any range 8000 8001 any range 506
0 5061 log 1 interval 20 (hitcnt=0)
access-list inside_access_in line 1 permit tcp any range 5060 5061 any eq 3478 l
og 1 interval 20 (hitcnt=0)
access-list inside_access_in line 1 permit tcp any range 5060 5061 any range 800
0 8001 log 1 interval 20 (hitcnt=0)
access-list inside_access_in line 1 permit tcp any range 5060 5061 any range 506
0 5061 log 1 interval 20 (hitcnt=0)
access-list inside_access_in line 2 permit ip any host evault log 5 interval 300
(hitcnt=72)
access-list inside_access_in line 3 permit tcp any any object-group XXXX_Interne
t
access-list inside_access_in line 3 permit tcp any any range 16443 16443 (hitcnt
=0)
access-list inside_access_in line 3 permit tcp any any range 15443 15443 (hitcnt
=0)
access-list inside_access_in line 3 permit tcp any any range 18443 18443 (hitcnt
=0)
access-list inside_access_in line 3 permit tcp any any range 17443 17443 (hitcnt
=0)
access-list inside_access_in line 4 permit tcp any any eq https (hitcnt=5988)
access-list inside_access_in line 5 deny tcp any object-group NAPSTER any
access-list inside_access_in line 5 deny tcp any range 6600 6699 any (hitcnt=0)
access-list inside_access_in line 5 deny tcp any eq 4444 any (hitcnt=43)
access-list inside_access_in line 5 deny tcp any eq 8888 any (hitcnt=0)
access-list inside_access_in line 5 deny tcp any eq 5555 any (hitcnt=0)
access-list inside_access_in line 5 deny tcp any eq 6666 any (hitcnt=0)
access-list inside_access_in line 5 deny tcp any eq 8875 any (hitcnt=0)
access-list inside_access_in line 5 deny tcp any eq 7777 any (hitcnt=0)
access-list inside_access_in line 6 deny udp any any eq 8998 (hitcnt=0)
access-list inside_access_in line 7 deny tcp any object-group Sasser_Virus any o
bject-group Sasser_Virus
access-list inside_access_in line 7 deny tcp any range 445 445 any range 445 445
(hitcnt=0)
access-list inside_access_in line 7 deny tcp any range 445 445 any range 9996 99
96 (hitcnt=0)
access-list inside_access_in line 7 deny tcp any range 445 445 any range 5554 55
54 (hitcnt=0)
access-list inside_access_in line 7 deny tcp any range 9996 9996 any range 445 4
45 (hitcnt=0)
access-list inside_access_in line 7 deny tcp any range 9996 9996 any range 9996
9996 (hitcnt=0)
access-list inside_access_in line 7 deny tcp any range 9996 9996 any range 5554
5554 (hitcnt=0)
access-list inside_access_in line 7 deny tcp any range 5554 5554 any range 445 4
45 (hitcnt=0)
access-list inside_access_in line 7 deny tcp any range 5554 5554 any range 9996
9996 (hitcnt=0)
access-list inside_access_in line 7 deny tcp any range 5554 5554 any range 5554
5554 (hitcnt=0)
access-list inside_access_in line 8 deny tcp InternalNet 255.255.0.0 any eq
smtp log 1 interval 300 (hitcnt=15)
access-list inside_access_in line 9 deny tcp any any eq 1214 (hitcnt=0)
access-list inside_access_in line 10 deny tcp any any object-group BitComet
access-list inside_access_in line 10 deny tcp any any range 19973 19973 (hitcnt=
0)
access-list inside_access_in line 11 deny tcp any any object-group BitTorrent
access-list inside_access_in line 11 deny tcp any any range 6881 6999 (hitcnt=0)
access-list inside_access_in line 12 deny tcp any any object-group BitTorrentTra
cker
access-list inside_access_in line 12 deny tcp any any range 6969 6969 (hitcnt=0)
access-list inside_access_in line 13 deny tcp any any object-group P2Papps
access-list inside_access_in line 13 deny tcp any any range 4762 4762 (hitcnt=0)
access-list inside_access_in line 13 deny tcp any any range 8888 8889 (hitcnt=0)
access-list inside_access_in line 13 deny tcp any any range 28864 28865 (hitcnt=
0)
access-list inside_access_in line 13 deny tcp any any range 7668 7668 (hitcnt=0)
access-list inside_access_in line 13 deny tcp any any range 8311 8311 (hitcnt=0)
access-list inside_access_in line 13 deny tcp any any range 41170 41170 (hitcnt=
0)
access-list inside_access_in line 13 deny tcp any any range 1214 1214 (hitcnt=0)
access-list inside_access_in line 14 permit ip any any (hitcnt=128632)
access-list inside_access_in line 15 permit icmp any any (hitcnt=0)
>keith: God I hate networking sometimes....
lol, I said the same thing late night the other week when dealing with some $%^# buggy Dell switches!
Here's what's killing it:
>access-list outside_access_in deny ip any any <- about the 15th line in ACL
>access-group outside_access_in in interface outside
You've still got the wrong ACL applied to the outside interface, & the line "deny ip any any" is blocking *all* IP traffic inbound: icmp echo-replies, tcp traffic, udp traffic, etc!!
Run this:
no access-group outside_access_in in interface outside
access-group acl_ins in interface outside
cheers
lol, I said the same thing late night the other week when dealing with some $%^# buggy Dell switches!
Here's what's killing it:
>access-list outside_access_in deny ip any any <- about the 15th line in ACL
>access-group outside_access_in in interface outside
You've still got the wrong ACL applied to the outside interface, & the line "deny ip any any" is blocking *all* IP traffic inbound: icmp echo-replies, tcp traffic, udp traffic, etc!!
Run this:
no access-group outside_access_in in interface outside
access-group acl_ins in interface outside
cheers
Or, you can simply do this:
no access-list outside_access_in deny ip any any
access-group outside_access_in in interface outside
That way you won't have to reconfigure the "acl_ins" ACL to match your outside_access_in ACL.
cheers
no access-list outside_access_in deny ip any any
access-group outside_access_in in interface outside
That way you won't have to reconfigure the "acl_ins" ACL to match your outside_access_in ACL.
cheers
lol, This is why I stick to ISA most of the time :)
ISA? No thanks, that's all yours Keith! ;)
cheers all
cheers all
ASKER
I put the following in my config, however, I still time out:
no access-list outside_access_in deny ip any any
access-group outside_access_in in interface outside
no access-list outside_access_in deny ip any any
access-group outside_access_in in interface outside
access-list outside_access_in line 1 permit icmp any any echo <- allow inbound pings
access-list outside_access_in line 2 permit icmp any any echo-reply <- so outbound pings work
access-group outside_access_in in interface outside
cheers
access-list outside_access_in line 2 permit icmp any any echo-reply <- so outbound pings work
access-group outside_access_in in interface outside
cheers
ASKER
I only added:
access-list outside_access_in line 2 permit icmp any any echo-reply
do not want to be able to ping from outside.
but I am now able to ping from inside out. Thanks
access-list outside_access_in line 2 permit icmp any any echo-reply
do not want to be able to ping from outside.
but I am now able to ping from inside out. Thanks
ASKER
tracert from inside out is not working, is there anything else I need to add for that.
Thanks for the help.
Thanks for the help.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks
access-list acl_out permit icmp any any echo-request
access-group acl_out out interface outside