inbound PIX Traffic



Went to the dc to replace, still cannot access any of the internal
services. Outgoing works no problem, just cannot bring up any of the
websites. Here is the latest:

It was my understanding that when you nat 0 an access list, that
automatically sets up all of the statics for the incoming traffic, i.e.
web sites, DNS, etc.


Outbound ICMP wasn't working, any help with this would be greatly
appreciated.


Thanks


PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet1 vlan35 physical
interface ethernet1 vlan20 logical
interface ethernet1 vlan21 logical
interface ethernet1 vlan22 logical
interface ethernet1 vlan23 logical
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif vlan20 priv security96
nameif vlan21 reggie security99
nameif vlan22 net3 security98
nameif vlan23 net4 security97
hostname dimepix1
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network REGGIE_STATIC_HOSTS
network-object host 72.29.91.82
network-object host 72.29.91.83
network-object host 72.29.91.84
network-object host 72.29.91.85
network-object host 72.29.91.86
network-object host 72.29.91.87
network-object host 72.29.91.88
network-object host 72.29.91.89
network-object host 72.29.91.90
object-group network priv_hosts
network-object host 72.29.91.66
network-object host 72.29.91.67
network-object host 72.29.91.68
network-object host 72.29.91.69
network-object host 72.29.91.70
network-object host 72.29.91.71
network-object host 72.29.91.72
network-object host 72.29.91.73
network-object host 72.29.91.74
network-object host 72.29.91.76
network-object host 72.29.91.75
network-object host 72.29.91.77
network-object host 72.29.91.78
object-group network net3_hosts
network-object host 72.29.91.98
network-object host 72.29.91.99
network-object host 72.29.91.100
network-object host 72.29.91.101
network-object host 72.29.91.102
network-object host 72.29.91.103
network-object host 72.29.91.104
network-object host 72.29.91.105
network-object host 72.29.91.106
network-object host 72.29.91.107
network-object host 72.29.91.108
network-object host 72.29.91.109
network-object host 72.29.91.110
object-group network net4_hosts
network-object host 72.29.91.114
network-object host 72.29.91.115
network-object host 72.29.91.116
network-object host 72.29.91.117
network-object host 72.29.91.118
object-group protocol webservices
protocol-object tcp
object-group service web_service tcp
port-object eq ftp
port-object eq www
port-object eq https
object-group service mail_service tcp
description Allows mail services inbound
port-object eq smtp
port-object eq imap4
port-object eq pop3
object-group network webhosts
network-object host 72.29.91.84
network-object host 72.29.91.82
network-object host 72.29.91.85
network-object host 72.29.91.83
network-object host 72.29.91.86
network-object host 72.29.91.87
network-object host 72.29.91.88
network-object host 72.29.91.89
network-object host 72.29.91.66
network-object host 72.29.91.67
network-object host 72.29.91.68
network-object host 72.29.91.69
network-object host 72.29.91.70
network-object host 72.29.91.71
network-object host 72.29.91.72
network-object host 72.29.91.73
network-object host 72.29.91.77
network-object host 72.29.91.78
network-object host 72.29.91.98
network-object host 72.29.91.99
network-object host 72.29.91.100
network-object host 72.29.91.101
network-object host 72.29.91.102
network-object host 72.29.91.103
network-object host 72.29.91.104
network-object host 72.29.91.105
network-object host 72.29.91.106
network-object host 72.29.91.107
network-object host 72.29.91.108
network-object host 72.29.91.109
network-object host 72.29.91.74
object-group network mailhosts
network-object host 72.29.91.83
network-object host 72.29.91.66
network-object host 72.29.91.99
network-object host 72.29.91.114
network-object host 72.29.91.115
object-group network rdp_hosts
network-object host 72.29.91.84
network-object host 72.29.91.82
network-object host 72.29.91.83
network-object host 72.29.91.85
network-object host 72.29.91.66
network-object host 72.29.91.69
network-object host 72.29.91.107
network-object host 72.29.91.108
network-object host 72.29.91.109
object-group network dnshosts
network-object host 72.29.91.82
network-object host 72.29.91.83
network-object host 72.29.91.73
network-object host 72.29.91.76
network-object host 72.29.91.98
network-object host 72.29.91.99
network-object host 72.29.91.114
network-object host 72.29.91.115
access-list reggie_out_acl permit ip object-group REGGIE_STATIC_HOSTS any
access-list priv_out_acl permit ip object-group priv_hosts any
access-list net3_out_acl permit ip object-group net3_hosts any
access-list net4_out_acl permit ip object-group net4_hosts any
access-list acl_in permit tcp any object-group webhosts object-group web_service
access-list acl_in permit tcp any object-group mailhosts object-group mail_service
access-list acl_in permit tcp any object-group rdp_hosts eq 3389
access-list acl_in permit tcp any object-group dnshosts eq domain
access-list acl_in permit udp any object-group dnshosts eq domain
access-list acl_in permit tcp any host 72.29.91.83 eq 7099
access-list acl_in permit tcp any host 72.29.91.82 eq 8888
access-list acl_in permit icmp any any
access-list acl_in permit tcp any host 72.29.91.66 eq 81
access-list acl_in permit tcp any host 72.29.91.66 range 7000 7500
access-list acl_in permit tcp any host 72.29.91.107 range 7000 7500
access-list acl_in permit tcp any host 72.29.91.114 eq ssh
access-list acl_in permit tcp any host 72.29.91.114 eq 993
access-list acl_in permit tcp any host 72.29.91.114 eq 995
access-list acl_in permit tcp any host 72.29.91.76 eq 9080
access-list acl_in permit tcp host 64.3.246.250 host 72.29.91.76 eq 1090
access-list acl_in permit tcp host 24.73.161.202 any eq ssh
access-list acl_in permit tcp host 24.73.161.202 any eq 3389
access-list acl_in permit tcp host 24.73.161.202 any eq 9999
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 72.29.91.125 255.255.255.248
no ip address inside
ip address intf2 10.5.250.1 255.255.0.0
ip address priv 72.29.91.65 255.255.255.240
ip address reggie 72.29.91.81 255.255.255.240
ip address net3 72.29.91.97 255.255.255.240
ip address net4 72.29.91.113 255.255.255.248
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address priv
no failover ip address reggie
no failover ip address net3
no failover ip address net4
pdm history enable
arp timeout 14400
nat (priv) 0 access-list priv_out_acl
nat (reggie) 0 access-list reggie_out_acl
nat (net3) 0 access-list net3_out_acl
nat (net4) 0 access-list net4_out_acl
access-group priv_out_acl in interface priv
access-group reggie_out_acl in interface reggie
access-group net3_out_acl in interface net3
access-group net4_out_acl in interface net4
route outside 0.0.0.0 0.0.0.0 72.29.91.126 1
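As an added example (not code from the original post, and not a Cisco tool), here is a short Python audit of a PIX 6.x-style configuration. It parses the `nameif`, `access-list`, `access-group` and `nat ... 0 access-list` lines and reports access-lists that are defined but never applied with `access-group`, plus interfaces that carry no inbound ACL. The point it checks is the one behind the post: a `nat 0 access-list` line only exempts matching traffic from translation, while connections arriving on a lower-security interface (such as `outside`) are denied unless an ACL applied to that interface permits them. `SAMPLE_CONFIG` is a constructed excerpt in the style of the posted config, and the parser only understands those line shapes.

```python
"""Audit a PIX 6.x-style configuration for access-lists that are defined but
never applied with access-group, and for interfaces that carry no inbound ACL.
Added example, not from the original post; the parser only understands the
line shapes that appear in the posted configuration."""
import re
from collections import defaultdict

# Constructed excerpt in the style of the posted config (not the full config).
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan21 reggie security99
object-group network webhosts
network-object host 72.29.91.82
access-list reggie_out_acl permit ip object-group REGGIE_STATIC_HOSTS any
access-list acl_in permit tcp any object-group webhosts eq www
access-list acl_in permit icmp any any
nat (reggie) 0 access-list reggie_out_acl
access-group reggie_out_acl in interface reggie
"""


def parse_config(text):
    """Extract the pieces the audit needs from PIX config text.

    Returns (interfaces, acls, bound, nat0):
      interfaces: {interface name: security level}
      acls:       {ACL name: [rule text, ...]}
      bound:      {interface name: ACL applied inbound via access-group}
      nat0:       {interface name: ACL referenced by 'nat (if) 0 access-list'}
    """
    interfaces, acls, bound, nat0 = {}, defaultdict(list), {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"nameif \S+ (\S+) security(\d+)$", line):
            interfaces[m.group(1)] = int(m.group(2))
        elif m := re.match(r"access-list (\S+) (.+)$", line):
            acls[m.group(1)].append(m.group(2))
        elif m := re.match(r"access-group (\S+) in interface (\S+)$", line):
            bound[m.group(2)] = m.group(1)
        elif m := re.match(r"nat \((\S+)\) 0 access-list (\S+)$", line):
            nat0[m.group(1)] = m.group(2)
    return interfaces, dict(acls), bound, nat0


def audit(text):
    """Report ACLs that filter nothing and interfaces with no inbound filter.

    On PIX, a 'nat 0 access-list' line only exempts matching traffic from
    translation; it does not permit anything.  Connections arriving on a
    lower-security interface bound for a higher-security one are denied
    unless an ACL applied to the lower-security interface permits them.
    """
    interfaces, acls, bound, nat0 = parse_config(text)
    applied = set(bound.values())
    unbound = sorted(name for name in acls if name not in applied)
    unprotected = sorted(name for name in interfaces if name not in bound)
    # ACLs that appear only in nat 0: they exempt from NAT but permit nothing.
    nat0_only = sorted(name for name in unbound if name in nat0.values())
    lowest = min(interfaces, key=interfaces.get) if interfaces else None
    return {
        "unbound_acls": unbound,
        "nat0_only_acls": nat0_only,
        "unprotected_interfaces": unprotected,
        # The lowest-security interface without an ACL is the one that drops
        # every inbound session by default, whatever nat 0 says.
        "lowest_interface_without_acl": lowest if lowest in unprotected else None,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run as a script it prints the findings for the sample; to check a real box, save the output of `show run` to a file and pass its text to `audit()`. On the sample, `acl_in` is reported as unbound and `outside` as the lowest-security interface with no inbound ACL, which is exactly the condition under which inbound web, mail and DNS sessions never reach the higher-security VLANs regardless of the `nat 0` exemptions.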