alkhaleej
asked on
Allow access for the inside PC from the PIX firewall
Dear Experts
I have a PIX 525 with 7.01 with 3 zones: outside, DMZ and inside.
I have configured a NAT for an NMS server; I am collecting all the logs and NetFlow statistics on the server. Now I am trying to configure NetFlow export from the internet router with IP 212.x.x.145 to an inside NMS server with IP 10.0.0.6. I do have a NAT for 10.0.0.6 to 212.x.x.153 in my firewall. Once I create the access list, NATing stops working and I am not receiving any NetFlow packets from my router. Just let me know where I am wrong. I need to send NetFlow details to my NMS server in the inside network, and I have also created a management portal on my NMS server which I need to access from anywhere over the internet.
static (inside,outside) 212.x.x.153 10.0.0.6 netmask 255.255.255.255
access-list OutsidetoInside extended permit tcp any host 212.x.x.153 eq 9996
access-list OutsidetoInside extended permit tcp any host 212.x.x.153 eq www
access-group OutsidetoInside in interface inside
ASKER
OK
Well, the IP address above is the NATing IP for 10.0.0.6. My router IP is 212.x.x.145, my firewall IP is 212.x.x.146, and the IP where I need to send the NetFlow from my router 212.x.x.145 is 212.x.x.153. Also, I need to access my web portal at 10.0.0.6.
Here is my configuration:
xyz# sho run
: Saved
:
PIX Version 7.0(6)
!
hostname xyz
domain-name xyz.med.s
enable password
names
dns-guard
!
interface Ethernet0
description Connected to Outside
speed 100
duplex full
nameif outside
security-level 0
ip address 212.x.x.146 255.255.255.240
!
interface Ethernet1
description Connected to Inside
speed 100
duplex full
nameif inside
security-level 100
ip address 10.0.0.3 255.255.248.0
!
interface GigabitEthernet0
description Connected to DMZ
nameif dmz
security-level 10
ip address 172.16.31.1 255.255.255.0
!
interface GigabitEthernet1
shutdown
no nameif
no security-level
no ip address
!
x
ftp mode passive
access-list OutsidetoDMZ extended permit tcp any host 212.x.x.157 eq www
access-list OutsidetoDMZ extended permit tcp any host 212.x.x.157 eq ftp
access-list OutsidetoInside extended permit tcp any host 212.x.x.153 eq 9996
access-list OutsidetoInside extended permit tcp any host 212.x.x.153 eq www
access-list 101 extended permit ip 10.0.0.0 255.255.248.0 192.168.10.0 255.255.255.0
access-list 101 extended permit ip 10.70.0.0 255.255.255.0 192.178.10.0 255.255.255.0
pager lines 24
logging enable
logging host inside 10.0.0.6
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool KFSHVPN 192.168.10.1-192.168.10.25
no failover
asdm image flash:/asdm-506.bin
no asdm history enable
arp timeout 14400
global (outside) 2 212.x.x.152 netmask 255.255.255.240
nat (outside) 1 192.168.10.0 255.255.255.0
nat (inside) 0 access-list 101
nat (inside) 2 10.0.0.0 255.255.255.252
nat (inside) 2 50.0.0.0 255.255.255.250
nat (inside) 2 10.0.0.0 255.255.255.248
nat (inside) 2 10.46.0.0 255.255.255.240
nat (inside) 1 0.0.0.0 0.0.0.0
static (dmz,outside) 212.x.x.157 172.16.31.10 netmask 255.255.255.255
static (inside,outside) 212.x.x.153 10.0.0.6 netmask 255.255.255.255
access-group OutsidetoInside in interface inside
static (dmz,outside) 212.x.x.158 172.16.31.20 netmask 255.255.255.255
access-group OutsidetoDMZ in interface outside
route outside 0.0.0.0 0.0.0.0 212.x.x.145 1
route inside 10.0.0.0 255.0.0.0 10.0.0.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy KFSHBIO internal
group-policy KFSHBIO attributes
dns-server value 10.0.1.100 10.0.1.101
vpn-idle-timeout 20
split-tunnel-policy tunnelall
group-policy KFSHVPN internal
group-policy KFSHVPN attributes
dns-server value 10.0.1.100 10.0.1.101
vpn-idle-timeout 20
split-tunnel-policy tunnelall
username xyz password xyz encrypted privilege 15
http server enable
http 10.0.0.6 255.255.255.255 inside
snmp-server host inside 10.0.0.2 community xyz
snmp-server location xyz
snmp-server contact xyz
snmp-server community xyz
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map rtpdynmap 20 set transform-set myset
crypto map mymap 20 ipsec-isakmp dynamic rtpdynmap
crypto map mymap interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
tunnel-group KFSHVPN type ipsec-ra
tunnel-group KFSHVPN general-attributes
address-pool KFSHVPN
authentication-server-group none
authorization-server-group LOCAL
default-group-policy KFSHVPN
tunnel-group KFSHVPN ipsec-attributes
pre-shared-key *
tunnel-group KFSHBIO type ipsec-ra
tunnel-group KFSHBIO general-attributes
authentication-server-group none
authorization-server-group LOCAL
default-group-policy KFSHBIO
tunnel-group KFSHBIO ipsec-attributes
pre-shared-key *
telnet 10.0.0.6 255.255.255.255 inside
telnet 10.0.0.1 255.255.255.255 inside
telnet 10.0.0.2 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:2ff53f5e31c7b14585f2a110c3590e48
: end
xyz#
ASKER CERTIFIED SOLUTION
ASKER
Hi Rajesh
Sorry, it's not working and I am not receiving any NetFlows, and even the web portal is not working.
Can you post the config now?
Cheers,
Rajesh
Regarding the web portal, have you changed the port to work with www on the NetFlow?
Cheers,
Rajesh
ASKER
Well, I did change the web portal to work with www. First I must receive the NetFlow on my NMS server 10.0.0.6, which I am not yet receiving. Here is the current config:
sho run
: Saved
:
PIX Version 7.0(6)
!
hostname xyz
domain-name xyz
enable password xyz
names
dns-guard
!
interface Ethernet0
description Connected to Outside
speed 100
duplex full
nameif outside
security-level 0
ip address 212.x.x.146 255.255.255.240
!
interface Ethernet1
description Connected to Inside
speed 100
duplex full
nameif inside
security-level 100
ip address 10.0.0.3 255.255.248.0
!
interface GigabitEthernet0
description Connected to DMZ
nameif dmz
security-level 10
ip address 172.16.31.1 255.255.255.0
!
interface GigabitEthernet1
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list OutsidetoDMZ extended permit tcp any host 212.x.x.157 eq www
access-list OutsidetoDMZ extended permit tcp any host 212.x.x.157 eq ftp
access-list OutsidetoDMZ extended permit tcp any host 212.x.x.156 eq www
access-list OutsidetoDMZ extended permit tcp any host 212.x.x.156 eq ftp
access-list OutsidetoDMZ extended permit tcp any host 212.x.x.156 eq 8082
access-list 101 extended permit ip 10.0.0.0 255.255.248.0 192.168.10.0 255.255.255.0
access-list 101 extended permit ip 10.70.0.0 255.255.255.0 192.178.10.0 255.255.255.0
access-list ISA extended permit tcp any host 212.x.x.158 eq pptp
access-list ISA extended permit gre any host 212.x.x.158
access-list OUT2IN extended permit tcp any host 212.x.x.153
access-list NO_INSIDE_OUTSIDE extended permit tcp any any
access-list YAAS extended permit tcp any host 212.x.x.153 eq 9996
access-list YAAS extended permit tcp any host 212.x.x.153 eq www
pager lines 24
logging enable
logging trap alerts
logging asdm errors
logging from-address yasirirfan@kfsh.med.sa
logging recipient-address yasirirfan@kfsh.med.sa level errors
logging device-id ipaddress inside
logging host inside 10.0.0.6
logging permit-hostdown
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool KFSHVPN 192.168.10.1-192.168.10.25
no failover
asdm image flash:/asdm-506.bin
no asdm history enable
arp timeout 14400
global (outside) 2 212.x.x.152 netmask 255.255.255.240
nat (outside) 1 192.168.10.0 255.255.255.0
nat (inside) 0 access-list 101
nat (inside) 2 10.0.0.0 255.255.255.248
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 212.x.x.153 10.0.0.6 netmask 255.255.255.255
static (dmz,outside) 212.x.x.156 172.16.31.10 netmask 255.255.255.255
access-group YAAS in interface outside
access-group OutsidetoDMZ in interface dmz
route outside 0.0.0.0 0.0.0.0 212.12.181.145 1
route inside 10.0.0.0 255.0.0.0 10.0.0.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy KFSHBIO internal
group-policy KFSHBIO attributes
dns-server value 10.0.1.100 10.0.1.101
vpn-idle-timeout 20
split-tunnel-policy tunnelall
group-policy KFSHVPN internal
group-policy KFSHVPN attributes
dns-server value 10.0.1.100 10.0.1.101
vpn-idle-timeout 20
split-tunnel-policy tunnelall
username yasir password B4Rq6X4WOBR20dAi encrypted privilege 15
http server enable
http 10.0.0.6 255.255.255.255 inside
snmp-server host inside 10.0.0.1 community
snmp-server host inside 10.0.0.2 community
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map rtpdynmap 20 set transform-set myset
crypto map mymap 20 ipsec-isakmp dynamic rtpdynmap
crypto map mymap interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
tunnel-group KFSHVPN type ipsec-ra
tunnel-group KFSHVPN general-attributes
address-pool KFSHVPN
authentication-server-group none
authorization-server-group LOCAL
default-group-policy KFSHVPN
tunnel-group KFSHVPN ipsec-attributes
pre-shared-key *
tunnel-group KFSHBIO type ipsec-ra
tunnel-group KFSHBIO general-attributes
authentication-server-group none
authorization-server-group LOCAL
default-group-policy KFSHBIO
tunnel-group KFSHBIO ipsec-attributes
pre-shared-key *
telnet 10.0.0.6 255.255.255.255 inside
telnet 10.0.0.1 255.255.255.255 inside
telnet 10.0.0.2 255.255.255.255 inside
telnet 172.16.31.8 255.255.255.25 dmz
telnet 172.16.31.10 255.255.255.255 dmz
telnet timeout 5
ssh 10.0.0.6 255.255.255.255 inside
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:88846dc5db0b4339d73da538f3bdda1d
: end
xyz#
The config looks okay to me.
Can you also enable ICMP traffic in the YAAS ACL and then check whether a 'ping' from the router works?
Cheers,
Rajesh
ASKER
Sure, I will do that.
SOLUTION
ASKER
So far no luck, it's not working, but I can ping.
ASKER
Thanks a lot Rajesh and Yasir, it's working now. Yasir, you are right: the problem was with TCP, it should be UDP, and 8080 for web access.
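The fix the thread arrives at (NetFlow is UDP, not TCP, and the inbound ACL belongs on the outside interface rather than inside) can be checked mechanically against the three stages of the asker's config. The Python below is an added example, not code from the thread or from Cisco: it models only `static`, `access-list ... permit <proto> any host <ip> [eq <port>]` and `access-group ... in interface` with pre-8.3 PIX semantics (the outside ACL matches the mapped address, then the static supplies the real one); the INTERMEDIATE and CORRECTED configs are constructed from the posts, and the TCP 8080 entry is my assumption about the final web-access rule.

```python
import re
from dataclasses import dataclass, field

PORT_NAMES = {"www": 80, "ftp": 21, "pptp": 1723}   # the named ports this thread uses

@dataclass
class Pix:
    acls: dict = field(default_factory=dict)     # name -> [(proto, dst_ip, dst_port or None)]
    groups: dict = field(default_factory=dict)   # interface -> ACL applied inbound on it
    statics: dict = field(default_factory=dict)  # mapped (outside) ip -> real (inside) ip

def parse(config: str) -> Pix:
    """Parse only the three statement types that decide this thread's problem."""
    pix = Pix()
    for raw in config.strip().splitlines():
        line = raw.strip()
        m = re.fullmatch(r"access-list (\S+) extended permit (\w+) any host (\S+)(?: eq (\S+))?", line)
        if m:
            name, proto, dst, port = m.groups()
            port_num = None if port is None else PORT_NAMES.get(port) or int(port)
            pix.acls.setdefault(name, []).append((proto, dst, port_num))
        elif (m := re.fullmatch(r"access-group (\S+) in interface (\S+)", line)):
            pix.groups[m.group(2)] = m.group(1)
        elif (m := re.fullmatch(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask 255\.255\.255\.255", line)):
            pix.statics[m.group(3)] = m.group(4)
    return pix

def inbound(pix: Pix, iface: str, proto: str, dst_ip: str, dst_port: int):
    """Would a packet arriving on low-security `iface` for mapped address
    dst_ip:dst_port reach the real host?  Pre-8.3 PIX order: the inbound ACL on
    that interface matches the *mapped* address, then the static gives the real one."""
    acl = pix.groups.get(iface)
    if acl is None:   # no access-group: low-to-high traffic is denied by security level
        return False, f"no access-group on {iface}: denied by default"
    for ace_proto, ace_dst, ace_port in pix.acls.get(acl, []):
        if ace_proto not in ("ip", proto) or ace_dst != dst_ip:
            continue
        if ace_port is not None and ace_port != dst_port:
            continue
        real = pix.statics.get(dst_ip)
        if real is None:
            return False, f"ACL {acl} permits but no static for {dst_ip}"
        return True, f"ACL {acl} permits, translated to {real}"
    return False, f"ACL {acl} has no matching entry: implicit deny"

# Constructed inputs.  ORIGINAL is the asker's first post; INTERMEDIATE is the YAAS
# list from the later config; CORRECTED applies the thread's fix (UDP 9996, plus an
# assumed TCP 8080 entry for the portal).
STATIC = "static (inside,outside) 212.x.x.153 10.0.0.6 netmask 255.255.255.255\n"
ORIGINAL = STATIC + """access-list OutsidetoInside extended permit tcp any host 212.x.x.153 eq 9996
access-list OutsidetoInside extended permit tcp any host 212.x.x.153 eq www
access-group OutsidetoInside in interface inside"""
INTERMEDIATE = STATIC + """access-list YAAS extended permit tcp any host 212.x.x.153 eq 9996
access-list YAAS extended permit tcp any host 212.x.x.153 eq www
access-group YAAS in interface outside"""
CORRECTED = STATIC + """access-list YAAS extended permit udp any host 212.x.x.153 eq 9996
access-list YAAS extended permit tcp any host 212.x.x.153 eq 8080
access-group YAAS in interface outside"""

def netflow_from_router(config: str):
    """The router at 212.x.x.145 exports NetFlow as UDP to the mapped address."""
    return inbound(parse(config), "outside", "udp", "212.x.x.153", 9996)

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("intermediate", INTERMEDIATE), ("corrected", CORRECTED)):
        print(f"{label:12s} {netflow_from_router(cfg)}")
```

The same check applied to the later config's `access-group OutsidetoDMZ in interface dmz` shows the identical mistake for the DMZ hosts: the list is evaluated on the wrong interface, so outside traffic never hits it.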
Cool.
Cheers,
Rajesh
Let me know, and also post the complete configuration of the PIX for better understanding.
Cheers,
Rajesh