
randy_94108 at yahoo
Apr 14, 2012, 3:08 PM
Post #2 of 2
--- On Sat, 4/14/12, Gary Smith <lists [at] l33t-d00d> wrote:

> From: Gary Smith <lists [at] l33t-d00d>
> Subject: [c-nsp] Pix config help
> To: cisco-nsp [at] puck
> Date: Saturday, April 14, 2012, 8:22 AM
>
> Hi there,
>
> I'm struggling with a Pix configuration issue which has really got me scratching my head.
>
> It seems quite basic, but I've so far got to the end of my troubleshooting.
>
> The Inside interface of the Pix has the network 192.168.70.0/24. The outside interface has the network 192.168.70.0/24. The next hop from the Pix on the outside is 192.168.71.1 (the Pix is at 192.168.71.2). The next hop is a 2811.
> On the 2811, I have ACLs set up to allow connection to a machine on the inside interface of the Pix (192.168.71.5). If I attempt to connect from a machine allowed through on the ACL, this works.
>
> I've also allowed some machines from another internal network (but beyond the outside interface on the Pix) (for instance, 192.168.50.3) via an ACL to connect to 192.168.71.5. To the best of my problem-solving skills, these are being allowed but aren't actually connecting. And this is the bit I'm struggling with. If, for instance, I attempt to RDP through, then it's logged at both the 2811 and the Pix as being allowed (so far as I can see):
>
> From the Pix:
> 302013: Built inbound TCP connection 7972 for outside:192.168.50.3/4992 (192.168.50.3/4992) to inside:192.168.70.5/3389 (192.168.71.5/3389)
>
> From the 2811:
> Apr 14 15:16:58 62.49.229.217 568: 000564: Apr 14 15:16:57: %SEC-6-IPACCESSLOGP: list 122 permitted tcp 192.168.50.3(4995) -> 192.168.71.5(3389), 1 packet
>
> For what it's worth, though, the Pix, immediately after logging the connection being built, doesn't show it in the show conn output. With the static output listed in the config below, it's always got the relevant info in the xlate.
>
> So, to my understanding, this should work. I think I've ruled out the machine as I can connect in from beyond the outside interface of the 2811. Similarly, the config rules which allow that connection exactly mirror that which I'm attempting to use for 192.168.50.3. So what am I doing wrong? I've put the relevant bits of the config here:
>
> Pix bits:
> access-list serverout permit tcp host [machine beyond the outside interface of 2811] host 192.168.71.5
> access-list serverout permit tcp host 192.168.50.3 host 192.168.71.5
> ip address outside 192.168.71.1 255.255.255.0
> ip address inside 192.168.70.1 255.255.255.0
> static (inside,outside) 192.168.71.5 192.168.70.5 netmask 255.255.255.255 0 0
> access-group serverout in interface outside
>
> Bits from the 2811:
> Extended IP access list 122
>     25 permit ip host 192.168.50.3 host 192.168.71.5 log (6 matches)
>     30 permit ip host [machine beyond outside interface of the 2811] host 192.168.71.5 log (1029 matches)
>     310 deny ip any any log (69 matches)
>
> So - any thoughts anyone?
>
> Gary

Why am I thinking application inspection is the issue here? Have you tried "fixup protocol rdp 3389"?

./Randy
_______________________________________________
cisco-nsp mailing list cisco-nsp [at] puck
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
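Added example, not part of the thread and not Cisco's code: a small Python script that does the next diagnostic step the post is missing. A 302013 "Built inbound TCP connection" line followed by nothing in `show conn` normally means the connection was torn down almost immediately, and the matching 302014 "Teardown" line carries the duration, byte count and reason. The script pairs Built and Teardown lines by connection id, checks the mapped/real destination in the log against the `static (inside,outside) 192.168.71.5 192.168.70.5` from the post, and explains the teardown reason. Assumptions: the 302014 line layout is the PIX 6.x one (real addresses, `duration hh:mm:ss bytes N reason`); the first sample line is the 302013 quoted above, the other sample lines are constructed, and 198.51.100.7 is a placeholder for the working machine beyond the 2811.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# 302013 as quoted in the thread (syslog body only, host/PRI prefix stripped).
BUILT_RE = re.compile(
    r"302013: Built (?P<direction>inbound|outbound) TCP connection (?P<cid>\d+) for "
    r"(?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) \([\d.]+/\d+\) to "
    r"(?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) \((?P<dst_map>[\d.]+)/\d+\)"
)
# 302014 teardown in the PIX 6.x layout (assumed): real addresses, duration, bytes, reason.
TEARDOWN_RE = re.compile(
    r"302014: Teardown TCP connection (?P<cid>\d+) for \w+:[\d.]+/\d+ to \w+:[\d.]+/\d+ "
    r"duration (?P<duration>\d+:\d\d:\d\d) bytes (?P<nbytes>\d+)(?: (?P<reason>.*))?$"
)

# Teardown reasons as documented for the PIX, and what each one tells you.
REASON_HINTS = {
    "SYN Timeout": "handshake never completed: the SYN went in, no SYN/ACK came back through the Pix",
    "TCP Reset-O": "the outside host reset the connection",
    "TCP Reset-I": "the inside host reset the connection",
    "TCP FINs": "normal close by both sides",
}


@dataclass
class Conn:
    cid: str
    direction: str
    src_if: str
    src: str
    sport: int
    dst_if: str
    dst: str                        # real (inside) destination address
    dport: int
    dst_map: str                    # mapped address the outside talks to
    duration: Optional[str] = None  # filled in once a 302014 line is seen
    nbytes: Optional[int] = None
    reason: Optional[str] = None


def parse_pix_log(lines) -> Dict[str, Conn]:
    """Pair every 302013 Built line with its 302014 Teardown line by connection id."""
    conns: Dict[str, Conn] = {}
    for line in lines:
        m = BUILT_RE.search(line)
        if m:
            g = m.groupdict()
            g["sport"], g["dport"] = int(g["sport"]), int(g["dport"])
            conns[g["cid"]] = Conn(**g)
            continue
        m = TEARDOWN_RE.search(line)
        if m and m["cid"] in conns:  # skip teardowns of conns built before the capture began
            c = conns[m["cid"]]
            c.duration = m["duration"]
            c.nbytes = int(m["nbytes"])
            c.reason = (m["reason"] or "").strip() or None
    return conns


def diagnose(c: Conn, static_global: str, static_local: str) -> List[str]:
    """Explain one connection against the static that is supposed to translate it."""
    findings = []
    if (c.dst_map, c.dst) != (static_global, static_local):
        findings.append(f"translation mismatch: log shows {c.dst_map} -> {c.dst}, "
                        f"static says {static_global} -> {static_local}")
    if c.duration is None:
        findings.append("still open: should be visible in 'show conn'")
        return findings
    hint = REASON_HINTS.get(c.reason, "reason not in the table above")
    findings.append(f"torn down after {c.duration}, {c.nbytes} bytes: {c.reason or 'no reason'} ({hint})")
    if c.reason == "SYN Timeout" and c.nbytes == 0:
        findings.append("the Pix permitted and translated the SYN, so the ACL is not what blocks "
                        "this; no SYN/ACK from the inside host came back through the Pix")
    return findings


def report(lines, static_global="192.168.71.5", static_local="192.168.70.5") -> Dict[str, List[str]]:
    return {cid: diagnose(c, static_global, static_local) for cid, c in parse_pix_log(lines).items()}


# Constructed sample: line 1 is the 302013 quoted in the thread; the rest are assumed
# follow-ups (a SYN Timeout for 192.168.50.3, and a healthy session from the placeholder
# host 198.51.100.7 standing in for the machine beyond the 2811).
SAMPLE_LOG = [
    "302013: Built inbound TCP connection 7972 for outside:192.168.50.3/4992 (192.168.50.3/4992) "
    "to inside:192.168.70.5/3389 (192.168.71.5/3389)",
    "302014: Teardown TCP connection 7972 for outside:192.168.50.3/4992 to inside:192.168.70.5/3389 "
    "duration 0:00:30 bytes 0 SYN Timeout",
    "302013: Built inbound TCP connection 7980 for outside:198.51.100.7/51002 (198.51.100.7/51002) "
    "to inside:192.168.70.5/3389 (192.168.71.5/3389)",
    "302014: Teardown TCP connection 7980 for outside:198.51.100.7/51002 to inside:192.168.70.5/3389 "
    "duration 0:12:41 bytes 814233 TCP FINs",
]

if __name__ == "__main__":
    for cid, findings in report(SAMPLE_LOG).items():
        print(cid, *("  - " + f for f in findings), sep="\n")
```

Feed it `logging trap informational` output captured off the Pix (or the `logging buffered` contents from `show logging`) with the syslog prefix stripped. A SYN Timeout with zero bytes on the 192.168.50.3 connection would confirm that the ACL and the static are doing their job and move the search to the return path from 192.168.70.5; a connection that stays open in the log but is absent from `show conn` would instead point at the `show conn` view itself.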