
syntax for acl on PIX 515E allowing a range of ports open


hellboy101

Programmer
Aug 31, 2005
247
US
Hello to all-


Does anyone know the syntax to open a range of ports via an access-list on a PIX 515E?

access-list acl_dmz permit tcp any hostname eq (range of 7937-9938)

The range is not working, and I don't know if it is even possible to define a port range in an access list.

Essentially I need to have the Legato NetWorker server communicate with Legato clients that are positioned in my DMZ. Legato documentation states that a range of ports needs to be opened for TCP/UDP traffic on my PIX. I'm not sure of the syntax.

Thank you for any attempts made in correcting this matter.

hb101
 
I use

access-list acl_dmz permit tcp any hostname range 7937 9938

 
hi kmills-

That's what I thought too, but when I try that command the PIX returns "invalid IP address range". Is there a syntax issue here or an additional word needed?

thx so much
hb101
 
hellboy101,
Actually, I do all of my work using the PDM, much easier. So, at command line, I also had to create service object groups. Object groups make it easier to modify things later.

syntax: object-group service <group-id> tcp|udp
example: object-group service legato tcp

syntax: port-object range <begin-port> <end-port>
example: port-object range 7937 9938

then --
example: access-list acl_dmz permit tcp any hostname object-group legato
kmills
 
Hi kmills-

We're almost there. I was able to create the service groups without a problem from the command line. One thing I can't do is assign it in the access-list; it errors out at the object-group (says invalid IP address object-group).

There has to be a syntax issue. When I type in sho object-group, I receive good values set from the legato object-group, but my ACL doesn't compile. The syntax I'm using is
access-list acl_dmz permit tcp any hostname object-group legato

any ideas?
thanks again
hb101
 
hb101,
I think you have to include the word "host".

example: access-list acl_dmz permit tcp any host hostname object-group legato

kmills
 
hb101,
I think you need the word "host" in there.

example:
access-list acl_dmz permit tcp any host hostname object-group legato
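
The two errors reported above ("invalid IP address range" and "invalid IP address object-group") are what you get when the token after a bare name is read as a netmask. The Python model below is an added example, not part of the thread and not Cisco's parser: it applies that rule to the any / host <name> / <addr> <mask> forms, expands object-group service ranges, and evaluates a flow first-match with an implicit deny. The config lines are copied from the configuration posted later in the thread; the test source address and default source port are constructed.

```python
import ipaddress

PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "domain": 53, "www": 80, "https": 443}
ALL_PORTS = [(0, 65535)]

class AclSyntaxError(Exception):
    """Raised where this model rejects an access-list line."""

def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)

def _addr(tok, i, names):
    """Consume 'any', 'host <addr>' or '<addr> <mask>' starting at tok[i]."""
    tok = tok + ["", ""]                       # padding so lookahead never overruns
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        addr, mask, nxt = tok[i + 1], "255.255.255.255", i + 2
    else:                                      # no keyword: next token is read as the mask
        addr, mask, nxt = tok[i], tok[i + 1], i + 2
    addr = names.get(addr, addr)               # resolve a 'name' alias if there is one
    try:
        ipaddress.ip_address(addr)
    except ValueError:
        raise AclSyntaxError(f"invalid IP address {addr}") from None
    try:
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False), nxt
    except ValueError:
        raise AclSyntaxError(f"invalid IP address {mask}") from None

def _ports(tok, i, groups):
    """Consume an optional eq/range/object-group operator; none means every port."""
    op = tok[i] if i < len(tok) else ""
    try:
        if op == "eq":
            p = _port(tok[i + 1])
            return [(p, p)], i + 2
        if op == "range":
            return [(_port(tok[i + 1]), _port(tok[i + 2]))], i + 3
        if op == "object-group":
            return groups[tok[i + 1]]["ranges"], i + 2
    except (IndexError, KeyError, ValueError):
        raise AclSyntaxError(f"bad port specification after {op}") from None
    return ALL_PORTS, i

def parse_rule(line, names, groups):
    tok = line.split()
    if len(tok) < 5:
        raise AclSyntaxError("incomplete command")
    src, i = _addr(tok, 4, names)
    sports, i = _ports(tok, i, groups)
    dst, i = _addr(tok, i, names)
    dports, i = _ports(tok, i, groups)
    if i != len(tok):
        raise AclSyntaxError(f"unexpected token {tok[i]}")
    return {"acl": tok[1], "action": tok[2], "proto": tok[3], "src": src,
            "sports": sports, "dst": dst, "dports": dports, "text": line.strip()}

def parse(config):
    """Return (names, service groups, rules) from name/object-group/access-list lines."""
    names, groups, rules, grp = {}, {}, [], None
    for line in config.strip().splitlines():
        tok = line.split()
        if tok[:1] == ["name"]:
            names[tok[2]] = tok[1]
        elif tok[:2] == ["object-group", "service"]:
            grp = groups.setdefault(tok[2], {"proto": tok[3], "ranges": []})
        elif tok[:2] == ["port-object", "range"] and grp is not None:
            grp["ranges"].append((int(tok[2]), int(tok[3])))
        elif tok[:1] == ["access-list"]:
            rules.append(parse_rule(line, names, groups))
    return names, groups, rules

def evaluate(rules, acl, proto, src, dst, dport, sport=40000):
    """First matching rule wins; anything unmatched hits the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hit = lambda ranges, p: any(lo <= p <= hi for lo, hi in ranges)
    for r in rules:
        if (r["acl"] == acl and r["proto"] in ("ip", proto)
                and src in r["src"] and dst in r["dst"]
                and hit(r["sports"], sport) and hit(r["dports"], dport)):
            return r["action"], r["text"]
    return "deny", "implicit deny at end of ACL"

def syntax_error(line, names, groups):
    """Return the model's error text for a line, or None if it parses."""
    try:
        parse_rule(line, names, groups)
        return None
    except AclSyntaxError as exc:
        return str(exc)

# Lines copied from the configuration posted in this thread.
SAMPLE = """
name 172.17.80.102 spny01pcon001
object-group service legato3 tcp
port-object range 7937 9938
object-group service legato4 udp
port-object range 7937 9938
access-list acl_dmz permit tcp any host spny01pcon001 eq www
access-list acl_dmz permit tcp any host spny01pcon001 object-group legato3
access-list acl_dmz permit udp any host spny01pcon001 object-group legato4
"""

if __name__ == "__main__":
    names, groups, rules = parse(SAMPLE)
    bad = "access-list acl_dmz permit tcp any spny01pcon001 range 7937 9938"
    print(syntax_error(bad, names, groups))
    for proto, port in [("tcp", 7937), ("tcp", 9939), ("udp", 8000)]:
        # 172.17.79.50 is a constructed test source address
        print(proto, port, evaluate(rules, "acl_dmz", proto, "172.17.79.50", "172.17.80.102", port))
```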
 
Hello kmills-

Hoping your holiday was a safe one depending on where you are on this globe?

Well, I've tried multiple measures to make this Legato solution work (backing up servers with the Legato client in the DMZ via a PIX 515E) but nothing is working. netstat -a shows proper listening ports for server but not connection which is 10001-30000 I believe. It just doesn't work, and I was wondering if there was anything else you could add to this scenario that might have me achieve a successful backup.

The service groups based on objects and ports looked rather promising, but I still get nothing. Are there any other ports that might need to be opened?

Thx for any additional support
hb101

 
Probably your NAT config is not done correctly. You need to decide if you want to do no-nat or NAT in a PIX; it won't forward the packets no matter how many ACLs you create if your NAT is not configured. I am guessing that your Legato client needs access to the server and not the other way around? You could do a static NAT like this: "static (inside,dmz) <ip of the server> <ip of the server> netmask 255.255.255.255". This will NAT the server to its own address on the DMZ, and you should be able to reach it from the client, given that your ACLs are correct. Also, an easy way to check is to do "logging console debug" or "logging monitor debug" for a while, while trying to connect. The output will say something like "no translation found for x.x.x.x" if your NAT is wrong, and "denied tcp/udp connection for x.x.x.x" if it's your ACLs.

Network Systems Engineer
CCNA/CQS/CCSP/Infosec
Check the danish Cisco CSA Forum here :
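
The log check described in the post above can be automated once debug logging has been captured to a file. The Python below is an added example, not part of the thread: it separates NAT failures from ACL denies and collapses the blocked destination ports of each flow into ranges, so you can see which part of the Legato port range is actually reaching the firewall. The message layouts are an assumption modelled on PIX syslog messages 305005 and 106023 (the post only paraphrases them), and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Assumed layout of the flow part shared by both messages.
FLOW = (r"(?P<proto>tcp|udp) src (?P<sif>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
        r"dst (?P<dif>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+)")
PATTERNS = {
    "nat": re.compile(r"No translation group found for " + FLOW),
    "acl": re.compile(r"Deny " + FLOW + r' by access-group "(?P<acl>[^"]+)"'),
}
NEXT_STEP = {
    "nat": "check nat/global/static between these two interfaces",
    "acl": "check the access-list bound to the source interface",
}

def collapse(ports):
    """Turn a list of ports into sorted inclusive ranges of consecutive values."""
    out = []
    for p in sorted(set(ports)):
        if out and p == out[-1][1] + 1:
            out[-1] = (out[-1][0], p)          # extend the current run
        else:
            out.append((p, p))                 # start a new run
    return out

def triage(lines):
    """Map (cause, proto, src, dst) to the blocked destination port ranges."""
    seen = defaultdict(list)
    for line in lines:
        for cause, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                key = (cause, m["proto"],
                       f'{m["sif"]}:{m["src"]}', f'{m["dif"]}:{m["dst"]}')
                seen[key].append(int(m["dport"]))
                break                          # one cause per log line
    return {key: collapse(ports) for key, ports in seen.items()}

def report(lines):
    """One readable line per blocked flow, with the next thing to look at."""
    rows = []
    for (cause, proto, src, dst), ranges in triage(lines).items():
        ports = ",".join(str(lo) if lo == hi else f"{lo}-{hi}" for lo, hi in ranges)
        rows.append(f"{cause.upper()} {proto} {src} -> {dst} ports {ports}: {NEXT_STEP[cause]}")
    return rows

# Constructed sample lines (addresses reuse hosts named in the thread).
SAMPLE_LOG = [
    "%PIX-3-305005: No translation group found for tcp src dmz:172.17.80.102/1045 dst inside:172.16.80.87/7937",
    "%PIX-3-305005: No translation group found for tcp src dmz:172.17.80.102/1046 dst inside:172.16.80.87/7938",
    '%PIX-4-106023: Deny udp src dmz:172.17.80.103/1050 dst inside:172.16.80.87/10001 by access-group "acl_dmz"',
    '%PIX-4-106023: Deny udp src dmz:172.17.80.103/1051 dst inside:172.16.80.87/10003 by access-group "acl_dmz"',
    "%PIX-5-111008: User 'enable_15' executed the 'logging console debug' command.",
]

if __name__ == "__main__":
    for row in report(SAMPLE_LOG):
        print(row)
```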
 
Hi dopehead,

Is it possible I could cut n paste a copy of my watered-down config? Maybe it will allow you to better direct me towards a solution?

thx again
hb101
 
Thanks, I appreciate it DH-

The top got a little cut off in HyperTerminal, but I'm sure it will give you what is needed in order to troubleshoot.

name 172.17.79.6 sales_track
name 172.17.79.15 dmz_as400
name 172.17.79.16 dmz_dns_server
name 172.16.80.1 inside_as400
name 172.17.79.99 sales_track_dns
name 172.16.80.59 inside_dns_server
name 172.16.80.54 mib2
name 206.204.52.98 gateways.dis.symantec.com
name 172.17.80.102 spny01pcon001
name 172.17.80.103 spny01spt002
name 172.17.80.7 spny01sql002
object-group service legato tcp
port-object range 10001 30000
object-group service legato1 udp
port-object range 10001 30000
object-group service legato3 tcp
port-object range 7937 9938
object-group service legato4 udp
port-object range 7937 9938
access-list acl_dmz permit tcp any host dmz_as400 eq telnet
access-list acl_dmz permit tcp any host spny01pcon001 eq 135
access-list acl_dmz permit tcp any host dmz_as400 eq 445
access-list acl_dmz permit tcp any host dmz_as400 eq 8471
access-list acl_dmz permit tcp any host dmz_as400 eq 8476
access-list acl_dmz permit tcp any host dmz_as400 eq 8475
access-list acl_dmz permit tcp any host dmz_as400 eq 4004
access-list acl_dmz permit udp any host dmz_dns_server eq domain
access-list acl_dmz permit tcp any host dmz_as400 eq 449
access-list acl_dmz permit ip host sales_track host 172.16.80.2
access-list acl_dmz permit ip host sales_track host 172.16.80.99
access-list acl_dmz permit ip host sales_track host inside_dns_server
access-list acl_dmz permit ip host sales_track host 172.16.80.60
access-list acl_dmz permit ip host sales_track host inside_as400
access-list acl_dmz permit icmp 172.17.79.0 255.255.255.0 172.17.
5.0
access-list acl_dmz permit tcp host sales_track host 172.17.80.54 eq ftp
access-list acl_dmz permit ip host sales_track host mib2
access-list acl_dmz permit udp any host sales_track eq 2301
access-list acl_dmz permit tcp 172.17.79.0 255.255.255.0 any eq https
access-list acl_dmz permit tcp any host dmz_as400
access-list acl_dmz permit tcp any host inside_as400
access-list acl_dmz permit tcp host sales_track host 172.17.80.54 eq www
access-list acl_dmz permit tcp 172.17.80.0 255.255.255.0 any eq www
access-list acl_dmz permit tcp host 172.17.80.0 any eq www
access-list acl_dmz permit tcp host spny01sql002 any eq www
access-list acl_dmz permit tcp host spny01pcon001 host 172.17.80.54 eq www
access-list acl_dmz permit tcp any host 172.17.0.80 eq www
access-list acl_dmz permit tcp any host spny01pcon001 eq www
access-list acl_dmz permit tcp host spny01spt002 eq 3389 any
access-list acl_dmz permit ip host spny01spt002 any
access-list acl_dmz permit tcp host 24.74.106.220 host xx.xx.53.118 eq 9000
access-list acl_dmz permit tcp host 24.74.106.220 host xx.xx.53.118 eq ftp
access-list acl_dmz permit tcp host 24.74.106.220 host xx.xx.53.118 eq 3389
access-list acl_dmz permit tcp host spny01spt002 eq ftp any
access-list acl_dmz permit tcp any host xx.xx.53.118 eq www
access-list acl_dmz permit tcp any host sales_track eq 7939
access-list acl_dmz permit tcp any host sales_track eq 9936
access-list acl_dmz permit udp any host sales_track eq 10001
access-list acl_dmz permit tcp any host sales_track eq 30000
access-list acl_dmz permit tcp any host spny01spt002 object-group legato
access-list acl_dmz permit udp any host spny01spt002 object-group legato1
access-list acl_dmz permit tcp host spny01spt002 host 172.16.80.87 range 10001 30000
access-list acl_dmz permit udp host spny01spt002 host 172.16.80.87 range 10001 30000
access-list acl_dmz permit tcp host 172.16.80.87 host spny01spt002 range 10001 30000
access-list acl_dmz permit udp host 172.16.80.87 host spny01spt002 range 10001 30000
access-list acl_dmz permit udp host 172.16.80.87 host spny01spt002 range 7937 9936
access-list acl_dmz permit tcp host 172.16.80.87 host spny01spt002 range 7937 9936
access-list acl_dmz permit tcp host spny01pcon001 host 172.16.80.87 range 7937 9936
access-list acl_dmz permit udp host spny01pcon001 host 172.16.80.87 range 7937 9936
access-list acl_dmz permit udp host spny01pcon001 host 172.16.80.87 range 10001 30000
access-list acl_dmz permit tcp host spny01pcon001 host 172.16.80.87 range 10001 30000
access-list acl_dmz permit tcp any host spny01pcon001 object-group legato
access-list acl_dmz permit udp any host spny01pcon001 object-group legato1
access-list acl_dmz permit tcp any host spny01pcon001 object-group legato3
access-list acl_dmz permit udp any host spny01pcon001 object-group legato4
access-list acl_dmz permit tcp host spny01pcon001 host 172.16.80.60 eq 135
access-list acl_dmz permit tcp host spny01spt002 host 172.16.80.60 eq 135
access-list acl_dmz permit tcp any host xx.xx.53.120 eq www
access-list outside_cryptomap_dyn_20 permit ip 172.16.0.0 255.255.0.0 172.16.79.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip 172.16.0.0 255.255.0.0 192.168.150.0 255.255.255.0
access-list acl_homs12 permit ip any any
access-list acl_homs14 permit ip any any
access-list acl_in permit tcp host 68.125.230.34 host spny01pcon001 eq 3389
access-list acl_in permit tcp any host spny01pcon001 eq 135
access-list acl_in permit tcp any host xx.xx.53.113 eq https
access-list acl_in permit tcp host 68.125.
access-list acl_in permit tcp host 68.125.0.36 host spny01sql002 eq 3389
access-list acl_in permit tcp any host xx.xx.53.113 eq www
access-list acl_in permit tcp any host xx.xx.53.110
access-list acl_in permit tcp any host xx.xx.53.114 eq ident
access-list acl_in permit tcp any host xx.xx.53.114 eq smtp
access-list acl_in permit tcp any host xx.xx.53.114 eq www
access-list acl_in permit tcp any host xx.xx.53.114 eq https
access-list acl_in permit tcp any host xx.xx.53.114 eq 8999
access-list acl_in permit tcp a
access-list acl_in permit tcp any host xx.xx.53.114 eq 3666
access-list acl_in permit tcp any host xx.xx.53.114 eq 5000
access-list acl_in permit tcp any host xx.xx.53.112 eq ftp
access-list acl_in permit tcp any host xx.xx.53.112 eq ident
access-list acl_in permit tcp any host xx.xx.53.116
access-list acl_in permit tcp host 209.74.98.130 eq pptp any
access-list acl_in permit gre host 209.74.98.130 any
access-list acl_in permit udp any any eq ntp
access-list acl_in permit udp any host sales_track eq snmp
access-list acl_in permit ip host 209.74.121.5 any
access-list acl_in permit ip any host 209.74.121.5
access-list acl_in permit ip host spny01spt002 any
access-list acl_in permit ip host 172.16.79.6 any
access-list acl_in permit ip host sales_track any
access-list acl_in permit tcp any host xx.xx.53.97 eq 3389
access-list acl_in permit tcp any host spny01spt002
access-list acl_in permit tcp any host xx.xx.53.117 eq www
access-list acl_in permit tcp host xx.xx.230.33 host xx.xx.53.117 eq 3389
access-list acl_in permit tcp host xx.xx.230.36 host xx.xx.53.117 eq 3389
access-list acl_in permit tcp any host xx.xx.53.117 eq 3389
access-list acl_in permit tcp host 24.74.106.220 host xx.xx.53.118 eq 3389
access-list acl_in permit tcp any host xx.xx.53.118 eq www
access-list acl_in permit tcp any host 172.16.80.103 eq www
access-list acl_in permit tcp any host spny01spt002 eq www
access-list acl_in permit tcp host xx.xx.193.19 host xx.xx.53.118 eq ftp
access-list acl_in permit tcp host xx.xx.193.19 host
access-list acl_in permit tcp any host xx.xx.53.120 eq www
access-list acl_in permit tcp host xx.xx.193.19 host xx.xx.53.119 eq 3389
access-list acl_in permit tcp host 24.74.106.220 host xx.xx.53.118 eq ftp
access-list acl_in permit tcp host 172.16.80.10 any eq www
access-list acl_in permit tcp any host spny01spt002 object-group legato
access-list acl_in permit udp any host spny01pcon001 range 7937 9938
access-list acl_in permit tcp any host spny01pcon001 range 7937 9938
access-list acl_in permit tcp any host
access-list acl_in permit udp any host spny01pcon001 range 10001 30000
access-list acl_in permit udp any host spny01spt002 object-group legato1
access-list acl_in permit tcp host spny01spt002 host 172.16.80.87 eq 10001
access-list acl_in permit udp host spny01spt002 host 172.16.80.87 eq 10001
access-list acl_in permit udp host spny01spt002 host 172.16.80.87 range 10001 30000
access-list acl_in permit tcp host spny01spt002 host 172.16.80.87 range 10001 30000
access-list acl_in permit tcp host spny01spt002 host
access-list acl_in permit tcp host spny01pcon001 host 172.16.80.60 eq 135
access-list HOMS14_VPN permit ip host 10.133.14.51 192.168.150.0 255.255.255.0
access-list HOMS14_VPN permit ip host 10.133.14.52 192.168.150.0 255.255.255.0
access-list ww5group_splitTunnelAcl permit ip 172.16.0.0 255.255.0.0 192.168.150.0 255.255.255.0
access-list ww5group_splitTunnelAcl permit ip 10.133.14.0 255.255.255.0 192.168.150.0 255.255.255.0
access-list inside_as400 permit tcp any host sales_track
access-list 150 permit tcp a
access-list 150 permit tcp any host xx.xx.53.118
access-list 150 permit tcp host spny01spt002 any
access-list 100 permit tcp any host sales_track
access-list 100 permit tcp any host xx.xx.53.113
access-list 100 permit tcp host 172.16.79.6 any
access-list 100 permit tcp host sales_track any
no pager
logging on
logging buffered notifications
logging queue 500
icmp permit any echo inside
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu homs12 1500
mtu homs14 1500
mtu intf5 1500
ip address outside xx.xx.53.98 255.255.2
ip address inside 172.16.79.254 255.255.0.0
ip address dmz 172.17.79.1 255.255.0.0
ip address homs12 10.133.12.1 255.255.255.192
ip address homs14 10.133.14.1 255.255.254.0
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
ip local pool clients 192.168.150.1-192.168.150.15
failover
failover timeout 0:00:00
failover poll 5
failover ip address outside xx.xx.53.99
failover ip address inside 172.16.79.253
failover ip address dmz 172.17.79.2
failover ip address homs12 10.133.12.3
failover ip address homs14 10.133.14.2
no failover ip address intf5
pdm location dmz_dns_server 255.255.255.255 dmz
pdm location inside_as400 255.255.255.255 inside
pdm location 172.16.80.0 255.255.255.0 inside
pdm location sales_track 255.255.255.255 dmz
pdm location 172.17.79.0 255.255.255.0 dmz
pdm location 10.133.14.0 255.255.255.0 inside
pdm location mib2 255.255.255.255 inside
pdm location 172.16.80.99 255.255.255.255 inside
pdm location 10.133.12.8 255.255.255.255 inside
pdm location 172.16.79.59 255.255.2
pdm location 172.16.80.5 255.255.255.255 inside
pdm location 172.16.80.27 255.255.255.255 inside
pdm location 172.16.80.40 255.255.255.255 inside
pdm location 172.16.80.175 255.255.255.255 inside
pdm location 10.15.1.0 255.255.255.0 homs12
pdm location 10.133.12.2 255.255.255.255 homs12
pdm location 10.0.0.0 255.0.0.0 homs12
pdm location 209.74.98.51 255.255.255.255 homs12
pdm location 209.74.98.105 255.255.255.255 homs12
pdm location 209.74.98.130 255.255.255.255 homs12
pdm location 209.74.98.227 255.255.255.25
pdm location 209.74.98.228 255.255.255.255 homs12
pdm location 209.74.98.230 255.255.255.255 homs12
pdm location 209.74.98.240 255.255.255.255 homs12
pdm location 209.74.98.0 255.255.255.0 homs12
pdm location 209.74.98.130 255.255.255.255 outside
pdm location 10.133.16.0 255.255.255.0 homs12
pdm location xx.xx.53.97 255.255.255.255 inside
pdm location xx.xx.53.97 255.255.255.255 homs12
pdm location 209.74.97.92 255.255.255.255 homs12
pdm location 209.74.98.106 255.255.255.255 homs12
pdm location 10.133.14.51 255
pdm location xx.xx.53.97 255.255.255.255 homs14
pdm location xx.xx.53.97 255.255.255.255 dmz
pdm location 12.14.71.155 255.255.255.255 outside
pdm location 155.212.0.49 255.255.255.255 outside
pdm location 192.168.150.0 255.255.255.0 outside
pdm location 209.74.97.60 255.255.255.255 homs12
pdm location 209.74.97.215 255.255.255.255 homs12
pdm location 209.74.97.0 255.255.255.0 homs12
pdm location 10.133.14.52 255.255.255.255 homs14
pdm location 209.74.121.5 255.255.255.255 outside
pdm location 209.74.112.0 255.2
pdm history enable
arp timeout 14400
global (outside) 1 xx.xx.53.101
global (outside) 10 interface
global (dmz) 1 172.17.79.200-172.17.79.220
nat (inside) 0 access-list outside_cryptomap_dyn_20
nat (inside) 1 172.16.0.0 255.255.0.0 0 0
nat (dmz) 10 172.17.0.0 255.255.0.0 0 0
nat (homs12) 1 10.133.12.0 255.255.255.192 0 0
nat (homs14) 0 access-list HOMS14_VPN
nat (homs14) 1 10.133.14.0 255.255.254.0 0 0
alias (inside) xx.xx.53.118 spny01spt002 255.255.255.255
static (inside,dmz) dmz_as400 inside_as400 netmask 255.
static (dmz,outside) xx.xx.53.113 sales_track netmask 255.255.255.255 0 0
static (dmz,inside) 172.16.79.6 sales_track netmask 255.255.255.255 0 0
static (inside,dmz) sales_track_dns 172.16.80.99 netmask 255.255.255.255 0 0
static (inside,homs12) 172.16.0.0 172.16.0.0 netmask 255.255.0.0 0 0
static (inside,homs14) 172.16.0.0 172.16.0.0 netmask 255.255.0.0 0 0
static (homs14,homs12) 10.133.14.0 10.133.14.0 netmask 255.255.254.0 0 0
static (homs12,homs14) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
static (homs12,homs14) 209.74.98.0 209.74.98.0 netmask 255.255.255.0 0 0
static (inside,dmz) dmz_dns_server inside_dns_server netmask 255.255.255.255 0 0

static (inside,outside) xx.xx.53.116 172.16.80.5 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.53.115 10.133.12.8 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.53.114 inside_as400 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.53.112 172.16.80.175 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.53.110 172.16.80.27
static (homs12,homs14) 209.74.97.0 209.74.97.0 netmask 255.255.255.0 0 0
static (inside,dmz) 172.17.80.54 mib2 netmask 255.255.255.255 0 0
static (dmz,outside) xx.xx.53.117 spny01spt002 netmask 255.255.255.255 0 0
static (inside,dmz) spny01spt002 172.16.80.103 netmask 255.255.255.255 0 0
static (dmz,outside) xx.xx.53.118 spny01spt002 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.53.119 172.16.80.8 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.53.113 172.16.79.6 netmask 255.255.255.255 0
static (inside,dmz) sales_track 172.16.80.87 netmask 255.255.255.255 0 0
static (dmz,outside) xx.xx.53.120 172.17.80.98 netmask 255.255.255.255 0 0
access-group acl_in in interface outside
access-group acl_dmz in interface dmz
access-group acl_homs12 in interface homs12
access-group acl_homs14 in interface homs14
route outside 0.0.0.0 0.0.0.0 xx.xx.53.97 1
route homs12 10.0.0.0 255.0.0.0 10.133.12.2 1
route homs12 209.74.97.60 255.255.255.255 10.133.12.2 1
route homs12 209.74.97.92 255.255.255.255 10.133.12.2 1
route homs12 209.74.97.215 255.255.255.255 10.133.12.2 1
route homs12 209.74.98.51 255.255.255.255 10.133.12.2 1
route homs12 209.74.98.105 255.255.255.255 10.133.12.1 1
route homs12 209.74.98.106 255.255.255.255 10.133.12.2 1
route homs12 209.74.98.130 255.255.255.255 10.133.12.2 1
route homs12 209.74.98.227 255.255.255.255 10.133.12.2 1
route homs12 209.74.98.228 255.255.255.255 10.133.12.2 1
route homs12 209.74.98.230 255.255.255.255 10.133.12.2 1
route homs12 209.74.98.240 255.255.255.255 10.133.12.2 1
route outside 209.74.112.0 255.255.240.0 xx.xx.53.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server radius-authport 1812
aaa-server radius-acctport 1813
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host inside_dns_server wwradius
http server enable
http 172.17.0.0 255.255.0.0 outside
http 172.16.0.0 255.255.0.0 outside
http 172.16.0.0 255.255.0.0 inside
http 172.17.0.0 255.255.0.0 inside
http 172.17.0.0 255.255.0.0 dmz
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication partnerauth
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
vpngroup ww5group split-tunnel ww5group_splitTunnelAcl
vpngroup ww5group idle-time 86400
vpngroup ww5group password ********
telnet xx.xx.193.19 255.255.255.255 outside
telnet 172.16.0.0 255.255.0.0 inside
telnet xx.xx.53.97 255.255.255.255 inside
telnet xx.xx.53.97 255.255.255.255 dmz
telnet xx.xx.53.97 255.255.255.255 homs12
telnet 10.133.12.2 255.255.255.255 homs12
telnet xx.xx.53.97 255.255.255.255 homs14
telnet 10.133.14.52 255.255.255.255 homs14
telnet xx.xx.53.97 255.255.255.255 intf5
telnet timeout 5
ssh 155.212.0.49 255.255.255.255 outside
ssh xx.xx.193.19 255.255.255.255 outside
ssh 172.16.78.87 255.255.255.255 inside
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:1e58cb7ab90b87a02ec8a6df23fac1ff
: end
[OK]
pixfirewall#

 
My humble apologies dopehead,

Perhaps next time I'll truly look at what I've posted, lol. This is the complete (slightly modified) config. Hoping you will still try and give me a hand. :-(

PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 100full
interface ethernet4 100full
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 homs12 security99
nameif ethernet4 homs14 security98
nameif ethernet5 intf5 security10
enable password cSCpYhypihDko09R encrypted
passwd cSCpYhypihDko09R encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name xxx17.79.6 sales_track
name xxx17.79.15 dmz_as400
name xxx17.79.16 dmz_dns_server
name xxx16.80.1 inside_as400
name xxx17.79.99 sales_track_dns
name xxx16.80.59 inside_dns_server
name xxx16.80.54 mib2
name 206.204.52.98 gateways.dis.symantec.com
name xxx17.80.102 spny01pcon001
name xxx17.80.103 spny01spt002
name xxx17.80.7 spny01sql002
object-group service legato tcp
port-object range 10001 30000
object-group service legato1 udp
port-object range 10001 30000
object-group service legato3 tcp
port-object range 7937 9938
object-group service legato4 udp
port-object range 7937 9938
access-list acl_dmz permit tcp any host dmz_as400 eq telnet
access-list acl_dmz permit tcp any host spny01pcon001 eq 135
access-list acl_dmz permit tcp any host dmz_as400 eq 445
access-list acl_dmz permit tcp any host dmz_as400 eq 8471
access-list acl_dmz permit tcp any host dmz_as400 eq 8476
access-list acl_dmz permit tcp any host dmz_as400 eq 8475
access-list acl_dmz permit tcp any host dmz_as400 eq 4004
access-list acl_dmz permit udp any host dmz_dns_server eq domain
access-list acl_dmz permit tcp any host dmz_as400 eq 449
access-list acl_dmz permit ip host sales_track host xxx16.80.2
access-list acl_dmz permit ip host sales_track host xxx16.80.99
access-list acl_dmz permit ip host sales_track host inside_dns_server
access-list acl_dmz permit ip host sales_track host xxx16.80.60
access-list acl_dmz permit ip host sales_track host inside_as400
access-list acl_dmz permit icmp xxx17.79.0 255.255.255.0 xxx17.79.0 255.255.255.0
access-list acl_dmz permit tcp host sales_track host xxx17.80.54 eq ftp
access-list acl_dmz permit ip host sales_track host mib2
access-list acl_dmz permit udp any host sales_track eq 2301
access-list acl_dmz permit tcp xxx17.79.0 255.255.255.0 any eq https
access-list acl_dmz permit tcp any host dmz_as400
access-list acl_dmz permit tcp any host inside_as400
access-list acl_dmz permit tcp host sales_track host xxx17.80.54 eq www
access-list acl_dmz permit tcp xxx17.80.0 255.255.255.0 any eq www
access-list acl_dmz permit tcp host xxx17.80.0 any eq www
access-list acl_dmz permit tcp host spny01sql002 any eq www
access-list acl_dmz permit tcp host spny01pcon001 host xxx17.80.54 eq www
access-list acl_dmz permit tcp any host xxx17.0.80 eq www
access-list acl_dmz permit tcp any host spny01pcon001 eq www
access-list acl_dmz permit tcp host spny01spt002 eq 3389 any
access-list acl_dmz permit ip host spny01spt002 any
access-list acl_dmz permit tcp host 24.74.106.220 host xx.xx.53.118 eq 9000
access-list acl_dmz permit tcp host 24.74.106.220 host xx.xx.53.118 eq ftp
access-list acl_dmz permit tcp host 24.74.106.220 host xx.xx.53.118 eq 3389
access-list acl_dmz permit tcp host spny01spt002 eq ftp any
access-list acl_dmz permit tcp any host xx.xx.53.118 eq www
access-list acl_dmz permit tcp any host sales_track eq 7939
access-list acl_dmz permit tcp any host sales_track eq 9936
access-list acl_dmz permit udp any host sales_track eq 10001
access-list acl_dmz permit tcp any host sales_track eq 30000
access-list acl_dmz permit tcp any host spny01spt002 object-group legato
access-list acl_dmz permit udp any host spny01spt002 object-group legato1
access-list acl_dmz permit tcp host spny01spt002 host xxx16.80.87 range 10001 30000
access-list acl_dmz permit udp host spny01spt002 host xxx16.80.87 range 10001 30000
access-list acl_dmz permit tcp host xxx16.80.87 host spny01spt002 range 10001 30000
access-list acl_dmz permit udp host xxx16.80.87 host spny01spt002 range 10001 30000
access-list acl_dmz permit udp host xxx16.80.87 host spny01spt002 range 7937 9936
access-list acl_dmz permit tcp host xxx16.80.87 host spny01spt002 range 7937 9936
access-list acl_dmz permit tcp host spny01pcon001 host xxx16.80.87 range 7937 9936
access-list acl_dmz permit udp host spny01pcon001 host xxx16.80.87 range 7937 9936
access-list acl_dmz permit udp host spny01pcon001 host xxx16.80.87 range 10001 30000
access-list acl_dmz permit tcp host spny01pcon001 host xxx16.80.87 range 10001 30000
access-list acl_dmz permit tcp any host spny01pcon001 object-group legato
access-list acl_dmz permit udp any host spny01pcon001 object-group legato1
access-list acl_dmz permit tcp any host spny01pcon001 object-group legato3
access-list acl_dmz permit udp any host spny01pcon001 object-group legato4
access-list acl_dmz permit tcp host spny01pcon001 host xxx16.80.60 eq 135
access-list acl_dmz permit tcp host spny01spt002 host xxx16.80.60 eq 135
access-list acl_dmz permit tcp any host xx.xx.53.120 eq www
access-list outside_cryptomap_dyn_20 permit ip xxx16.0.0 255.255.0.0 xxx16.79.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip xxx16.0.0 255.255.0.0 192.168.150.0 255.255.255.0
access-list acl_homs12 permit ip any any
access-list acl_homs14 permit ip any any
access-list acl_in permit tcp host 68.125.230.34 host spny01pcon001 eq 3389
access-list acl_in permit tcp any host spny01pcon001 eq 135
access-list acl_in permit tcp any host xx.xx.53.113 eq https
access-list acl_in permit tcp host 68.125.230.36 host spny01spt002 eq 3389
access-list acl_in permit tcp host 68.125.0.36 host spny01sql002 eq 3389
access-list acl_in permit tcp any host xx.xx.53.113 eq www
access-list acl_in permit tcp any host xx.xx.53.110
access-list acl_in permit tcp any host xx.xx.53.114 eq ident
access-list acl_in permit tcp any host xx.xx.53.114 eq smtp
access-list acl_in permit tcp any host xx.xx.53.114 eq www
access-list acl_in permit tcp any host xx.xx.53.114 eq https
access-list acl_in permit tcp any host xx.xx.53.114 eq 8999
access-list acl_in permit tcp any host xx.xx.53.114 eq 992
access-list acl_in permit tcp any host xx.xx.53.114 eq 3666
access-list acl_in permit tcp any host xx.xx.53.114 eq 5000
access-list acl_in permit tcp any host xx.xx.53.112 eq ftp
access-list acl_in permit tcp any host xx.xx.53.112 eq ident
access-list acl_in permit tcp any host xx.xx.53.116
access-list acl_in permit tcp host 209.74.98.130 eq pptp any
access-list acl_in permit gre host 209.74.98.130 any
access-list acl_in permit udp any any eq ntp
access-list acl_in permit udp any host sales_track eq snmp
access-list acl_in permit ip host 209.74.121.5 any
access-list acl_in permit ip any host 209.74.121.5
access-list acl_in permit ip host spny01spt002 any
access-list acl_in permit ip host xxx16.79.6 any
access-list acl_in permit ip host sales_track any
access-list acl_in permit tcp any host xx.xx.53.97 eq 3389
access-list acl_in permit tcp any host spny01spt002
access-list acl_in permit tcp any host xx.xx.53.117 eq www
access-list acl_in permit tcp host 65.125.230.33 host xx.xx.53.117 eq 3389
access-list acl_in permit tcp host 65.125.230.36 host xx.xx.53.117 eq 3389
access-list acl_in permit tcp any host xx.xx.53.117 eq 3389
access-list acl_in permit tcp host 24.74.106.220 host xx.xx.53.118 eq 3389
access-list acl_in permit tcp any host xx.xx.53.118 eq www
access-list acl_in permit tcp any host xxx16.80.103 eq www
access-list acl_in permit tcp any host spny01spt002 eq www
access-list acl_in permit tcp host xx.113.193.19 host xx.xx.53.118 eq ftp
access-list acl_in permit tcp host xx.113.193.19 host xx.xx.53.118 eq 3389
access-list acl_in permit tcp any host xx.xx.53.120 eq www
access-list acl_in permit tcp host xx.113.193.19 host xx.xx.53.119 eq 3389
access-list acl_in permit tcp host 24.74.106.220 host xx.xx.53.118 eq ftp
access-list acl_in permit tcp host xxx16.80.10 any eq www
access-list acl_in permit tcp any host spny01spt002 object-group legato
access-list acl_in permit udp any host spny01pcon001 range 7937 9938
access-list acl_in permit tcp any host spny01pcon001 range 7937 9938
access-list acl_in permit tcp any host spny01pcon001 range 10001 30000
access-list acl_in permit udp any host spny01pcon001 range 10001 30000
access-list acl_in permit udp any host spny01spt002 object-group legato1
access-list acl_in permit tcp host spny01spt002 host xxx16.80.87 eq 10001
access-list acl_in permit udp host spny01spt002 host xxx16.80.87 eq 10001
access-list acl_in permit udp host spny01spt002 host xxx16.80.87 range 10001 30000
access-list acl_in permit tcp host spny01spt002 host xxx16.80.87 range 10001 30000
access-list acl_in permit tcp host spny01spt002 host xxx16.80.60 eq 135
access-list acl_in permit tcp host spny01pcon001 host xxx16.80.60 eq 135
access-list HOMS14_VPN permit ip host 10.133.14.51 192.168.150.0 255.255.255.0
access-list HOMS14_VPN permit ip host 10.133.14.52 192.168.150.0 255.255.255.0
access-list ww5group_splitTunnelAcl permit ip xxx16.0.0 255.255.0.0 192.168.150.0 255.255.255.0
access-list ww5group_splitTunnelAcl permit ip 10.133.14.0 255.255.255.0 192.168.150.0 255.255.255.0
access-list inside_as400 permit tcp any host sales_track
access-list 150 permit tcp any host spny01spt002
access-list 150 permit tcp any host xx.xx.53.118
access-list 150 permit tcp host spny01spt002 any
access-list 100 permit tcp any host sales_track
access-list 100 permit tcp any host xx.xx.53.113
access-list 100 permit tcp host xxx16.79.6 any
access-list 100 permit tcp host sales_track any
no pager
logging on
logging buffered notifications
logging queue 500
icmp permit any echo inside
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu homs12 1500
mtu homs14 1500
mtu intf5 1500
ip address outside xx.xx.53.98 255.255.255.224
ip address inside xxx16.79.254 255.255.0.0
ip address dmz xxx17.79.1 255.255.0.0
ip address homs12 10.133.12.1 255.255.255.192
ip address homs14 10.133.14.1 255.255.254.0
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
ip local pool clients 192.168.150.1-192.168.150.15
failover
failover timeout 0:00:00
failover poll 5
failover ip address outside xx.xx.53.99
failover ip address inside xxx16.79.253
failover ip address dmz xxx17.79.2
failover ip address homs12 10.133.12.3
failover ip address homs14 10.133.14.2
no failover ip address intf5
pdm location dmz_dns_server 255.255.255.255 dmz
pdm location inside_as400 255.255.255.255 inside
pdm location xxx16.80.0 255.255.255.0 inside
pdm location sales_track 255.255.255.255 dmz
pdm location xxx17.79.0 255.255.255.0 dmz
pdm location 10.133.14.0 255.255.255.0 inside
pdm location mib2 255.255.255.255 inside
pdm location xxx16.80.99 255.255.255.255 inside
pdm location 10.133.12.8 255.255.255.255 inside
pdm location xxx16.79.59 255.255.255.255 inside
pdm location xxx16.80.5 255.255.255.255 inside
pdm location xxx16.80.27 255.255.255.255 inside
pdm location xxx16.80.40 255.255.255.255 inside
pdm location xxx16.80.175 255.255.255.255 inside
pdm location 10.15.1.0 255.255.255.0 homs12
pdm location 10.133.12.2 255.255.255.255 homs12
pdm location 10.0.0.0 255.0.0.0 homs12
pdm location 209.74.98.51 255.255.255.255 homs12
pdm location 209.74.98.105 255.255.255.255 homs12
pdm location 209.74.98.130 255.255.255.255 homs12
pdm location 209.74.98.227 255.255.255.255 homs12
pdm location 209.74.98.228 255.255.255.255 homs12
pdm location 209.74.98.230 255.255.255.255 homs12
pdm location 209.74.98.240 255.255.255.255 homs12
pdm location 209.74.98.0 255.255.255.0 homs12
pdm location 209.74.98.130 255.255.255.255 outside
pdm location 10.133.16.0 255.255.255.0 homs12
pdm location xx.xx.53.97 255.255.255.255 inside
pdm location xx.xx.53.97 255.255.255.255 homs12
pdm location 209.74.97.92 255.255.255.255 homs12
pdm location 209.74.98.106 255.255.255.255 homs12
pdm location 10.133.14.51 255.255.255.255 homs14
pdm location xx.xx.53.97 255.255.255.255 homs14
pdm location xx.xx.53.97 255.255.255.255 dmz
pdm location 12.14.71.155 255.255.255.255 outside
pdm location 155.212.0.49 255.255.255.255 outside
pdm location 192.168.150.0 255.255.255.0 outside
pdm location 209.74.97.60 255.255.255.255 homs12
pdm location 209.74.97.215 255.255.255.255 homs12
pdm location 209.74.97.0 255.255.255.0 homs12
pdm location 10.133.14.52 255.255.255.255 homs14
pdm location 209.74.121.5 255.255.255.255 outside
pdm location 209.74.112.0 255.255.240.0 outside
pdm history enable
arp timeout 14400
global (outside) 1 xx.xx.53.101
global (outside) 10 interface
global (dmz) 1 xxx17.79.200-xxx17.79.220
nat (inside) 0 access-list outside_cryptomap_dyn_20
nat (inside) 1 xxx16.0.0 255.255.0.0 0 0
nat (dmz) 10 xxx17.0.0 255.255.0.0 0 0
nat (homs12) 1 10.133.12.0 255.255.255.192 0 0
nat (homs14) 0 access-list HOMS14_VPN
nat (homs14) 1 10.133.14.0 255.255.254.0 0 0
alias (inside) xx.xx.53.118 spny01spt002 255.255.255.255
static (inside,dmz) dmz_as400 inside_as400 netmask 255.255.255.255 0 0
static (dmz,outside) xx.xx.53.113 sales_track netmask 255.255.255.255 0 0
static (dmz,inside) xxx16.79.6 sales_track netmask 255.255.255.255 0 0
static (inside,dmz) sales_track_dns xxx16.80.99 netmask 255.255.255.255 0 0
static (inside,homs12) xxx16.0.0 xxx16.0.0 netmask 255.255.0.0 0 0
static (inside,homs14) xxx16.0.0 xxx16.0.0 netmask 255.255.0.0 0 0
static (homs14,homs12) 10.133.14.0 10.133.14.0 netmask 255.255.254.0 0 0
static (homs12,homs14) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
static (homs12,homs14) 209.74.98.0 209.74.98.0 netmask 255.255.255.0 0 0
static (inside,dmz) dmz_dns_server inside_dns_server netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.53.116 xxx16.80.5 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.53.115 10.133.12.8 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.53.114 inside_as400 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.53.112 xxx16.80.175 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.53.110 xxx16.80.27 netmask 255.255.255.255 0 0
static (homs12,homs14) 209.74.97.0 209.74.97.0 netmask 255.255.255.0 0 0
static (inside,dmz) xxx17.80.54 mib2 netmask 255.255.255.255 0 0
static (dmz,outside) xx.xx.53.117 spny01spt002 netmask 255.255.255.255 0 0
static (inside,dmz) spny01spt002 xxx16.80.103 netmask 255.255.255.255 0 0
static (dmz,outside) xx.xx.53.118 spny01spt002 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.53.119 xxx16.80.8 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.53.113 xxx16.79.6 netmask 255.255.255.255 0 0
static (inside,dmz) sales_track xxx16.80.87 netmask 255.255.255.255 0 0
static (dmz,outside) xx.xx.53.120 xxx17.80.98 netmask 255.255.255.255 0 0
access-group acl_in in interface outside
access-group acl_dmz in interface dmz
access-group acl_homs12 in interface homs12
access-group acl_homs14 in interface homs14
route outside 0.0.0.0 0.0.0.0 xx.xx.53.97 1
route homs12 10.0.0.0 255.0.0.0 10.133.12.2 1
route homs12 209.74.97.60 255.255.255.255 10.133.12.2 1
route homs12 209.74.97.92 255.255.255.255 10.133.12.2 1
route homs12 209.74.97.215 255.255.255.255 10.133.12.2 1
route homs12 209.74.98.51 255.255.255.255 10.133.12.2 1
route homs12 209.74.98.105 255.255.255.255 10.133.12.1 1
route homs12 209.74.98.106 255.255.255.255 10.133.12.2 1
route homs12 209.74.98.130 255.255.255.255 10.133.12.2 1
route homs12 209.74.98.227 255.255.255.255 10.133.12.2 1
route homs12 209.74.98.228 255.255.255.255 10.133.12.2 1
route homs12 209.74.98.230 255.255.255.255 10.133.12.2 1
route homs12 209.74.98.240 255.255.255.255 10.133.12.2 1
route outside 209.74.112.0 255.255.240.0 xx.xx.53.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server radius-authport 1812
aaa-server radius-acctport 1813
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host inside_dns_server wwradius timeout 10
http server enable
http xxx17.0.0 255.255.0.0 outside
http xxx16.0.0 255.255.0.0 outside
http xxx16.0.0 255.255.0.0 inside
http xxx17.0.0 255.255.0.0 inside
http xxx17.0.0 255.255.0.0 dmz
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication partnerauth
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup ww4group idle-time 1800
vpngroup ww5group address-pool clients
vpngroup ww5group dns-server inside_dns_server
vpngroup ww5group wins-server inside_dns_server
vpngroup ww5group default-domain getko
vpngroup ww5group split-tunnel ww5group_splitTunnelAcl
vpngroup ww5group idle-time 86400
vpngroup ww5group password ********
telnet xx.113.193.19 255.255.255.255 outside
telnet xxx16.0.0 255.255.0.0 inside
telnet xx.xx.53.97 255.255.255.255 inside
telnet xx.xx.53.97 255.255.255.255 dmz
telnet xx.xx.53.97 255.255.255.255 homs12
telnet 10.133.12.2 255.255.255.255 homs12
telnet xx.xx.53.97 255.255.255.255 homs14
telnet 10.133.14.52 255.255.255.255 homs14
telnet xx.xx.53.97 255.255.255.255 intf5
telnet timeout 5
ssh 155.212.0.49 255.255.255.255 outside
ssh xx.113.193.19 255.255.255.255 outside
ssh xxx16.78.87 255.255.255.255 inside
ssh timeout 5
man
 
I think maybe the alias command is making this fail; try removing "alias (inside) xx.xx.53.118 spny01spt002 255.255.255.255"

Also, this static "static (inside,dmz) spny01spt002 xxx16.80.103 netmask 255.255.255.255 0 0" will NAT the source of xxx16.80.103 to the address of spny01spt002 (xxx17.80.103), so is spny01spt002 the server or the client? What network is the server attached to, where is the client, and what IP/name does it have?

Network Systems Engineer
CCNA/CQS/CCSP/Infosec
Check the Danish Cisco CSA Forum here:
 
Hi dopehead,

Those entries above for spny01spt002 are for a SharePoint server that is in the DMZ. The Legato server is 172.16.80.87 (inside network) and the Legato clients are servers in the DMZ using 172.17.x.x IP addresses. Notice the second octet.

So spny01spt002 (172.17.x.x in the DMZ) is a Legato client that needs to be backed up via the 172.16.80.87 (Legato server).

But I've tried other servers from the DMZ, with the same results: backups just don't work.

Can you walk me through a proper NAT rule and/or ACL process with what I've given you above?

Thanks for any help possible.
hb101
 
OK, I see. That server is already NAT'ed to the address called sales_track here: "static (inside,dmz) sales_track xxx16.80.87 netmask 255.255.255.255 0 0", which means that if you want to reach the Legato server from the DMZ you need to connect using that address (172.17.79.6). Now, from your ACLs I can see you have tried quite a few different things. If you do a "show access-list acl_dmz" after trying, do any counters increment (matches/hits) on those ACLs?

access-list acl_dmz permit tcp any host sales_track eq 7939
access-list acl_dmz permit tcp any host sales_track eq 9936
access-list acl_dmz permit udp any host sales_track eq 10001
access-list acl_dmz permit tcp any host sales_track eq 30000

access-list acl_dmz permit tcp any host spny01spt002 object-group legato
access-list acl_dmz permit udp any host spny01spt002 object-group legato1
access-list acl_dmz permit tcp host spny01spt002 host xxx16.80.87 range 10001 30000
access-list acl_dmz permit udp host spny01spt002 host xxx16.80.87 range 10001 30000
access-list acl_dmz permit tcp host xxx16.80.87 host spny01spt002 range 10001 30000
access-list acl_dmz permit udp host xxx16.80.87 host spny01spt002 range 10001 30000
access-list acl_dmz permit udp host xxx16.80.87 host spny01spt002 range 7937 9936
access-list acl_dmz permit tcp host xxx16.80.87 host spny01spt002 range 7937 9936
access-list acl_dmz permit tcp host spny01pcon001 host xxx16.80.87 range 7937 9936
access-list acl_dmz permit udp host spny01pcon001 host xxx16.80.87 range 7937 9936
access-list acl_dmz permit udp host spny01pcon001 host xxx16.80.87 range 10001 30000
access-list acl_dmz permit tcp host spny01pcon001 host xxx16.80.87 range 10001 30000
access-list acl_dmz permit tcp any host spny01pcon001 object-group legato
access-list acl_dmz permit udp any host spny01pcon001 object-group legato1
access-list acl_dmz permit tcp any host spny01pcon001 object-group legato3
access-list acl_dmz permit udp any host spny01pcon001 object-group legato4


Network Systems Engineer
CCNA/CQS/CCSP/Infosec
Check the Danish Cisco CSA Forum here:
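
The point made in the post above, that an ACL bound to the dmz interface has to name the address the static presents there (sales_track) rather than the server's real inside address, can be checked mechanically against a saved configuration. This is an added example, not part of any post in this thread; it assumes PIX 6.x-style `static`, `access-list` and `access-group` lines, host statics only and no object-group expansion, and the function names are hypothetical.

```python
import re

# Added example with hypothetical helper names. Constructed input: lines copied
# from the thread's configuration; masked addresses are treated as opaque tokens.
SAMPLE_CONFIG = """\
static (inside,dmz) sales_track xxx16.80.87 netmask 255.255.255.255 0 0
access-list acl_dmz permit tcp any host sales_track eq 7939
access-list acl_dmz permit tcp host spny01spt002 host xxx16.80.87 range 10001 30000
access-list acl_dmz permit udp host spny01pcon001 host xxx16.80.87 range 7937 9936
access-list acl_in permit tcp host spny01spt002 host xxx16.80.87 eq 10001
access-group acl_in in interface outside
access-group acl_dmz in interface dmz
"""
STATIC_RE = re.compile(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask 255\.255\.255\.255")
GROUP_RE = re.compile(r"access-group (\S+) in interface (\S+)")


def endpoint(tokens, i):
    """Read 'any', 'host X' or 'net mask' at tokens[i]; return (address, next index)."""
    if tokens[i] == "any":
        return "any", i + 1
    return (tokens[i + 1], i + 2) if tokens[i] == "host" else (tokens[i], i + 2)


def unmatched_real_destinations(config):
    """Permit entries whose destination is a real address that a static remaps on that interface."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    mapped_on, bound_to = {}, {}  # (mapped_if, real) -> mapped ; acl -> interface
    for ln in lines:
        if m := STATIC_RE.match(ln):
            _real_if, mapped_if, mapped, real = m.groups()
            mapped_on[(mapped_if, real)] = mapped
        elif m := GROUP_RE.match(ln):
            bound_to[m.group(1)] = m.group(2)
    findings = []
    for ln in lines:
        t = ln.split() + [""] * 4      # padding keeps short lines from raising
        if t[0] != "access-list" or t[2] != "permit" or t[1] not in bound_to:
            continue
        _, i = endpoint(t, 4)          # skip the source endpoint
        dst, _ = endpoint(t, i)        # destination as written in the ACL
        mapped = mapped_on.get((bound_to[t[1]], dst))
        if mapped:
            findings.append((t[1], dst, mapped, ln))
    return findings


if __name__ == "__main__":
    for acl, real, mapped, ln in unmatched_real_destinations(SAMPLE_CONFIG):
        print(f"{acl}: '{ln}' names {real}; this interface sees it as {mapped}")
```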
 
Hi dopehead,

Unfortunately, no hit count on the ones we need to work. What does hit count do precisely? Sorry for my long delay, got pushed into other projects as usual - hee hee!

Thanks again
hb101
 