# Cisco PIX 501 access list



## Domini (Aug 13, 2009)

Hello everybody,

I really need help with access rules.
Before I destroyed them they looked like this:

access-list inside_access_out line 1 permit tcp any any eq 28960
access-list outside_access_in line 2 permit tcp any any eq 51096
access-list inside_access_out line 3 permit tcp any any eq 25999
access-list inside_access_out line 1 permit tcp any any
access-list inside_access_out line 2 permit udp any any
access-list inside_access_out line 3 deny icmp any any 

and the same in PDM too; now in PDM there is only:

allow IP inside tcp any outside tcp any inside ( outbound )

and in the terminal
sh access-list shows:
nothing

I really don't get it. The translation rules look good, but the access rules are messed up.

wr t looks like this:

interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 
passwd encrypted
hostname 
domain-name 
clock timezone 
clock summer-time recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.2.100 
name 192.168.2.101 
object-group service utorrent tcp
port-object eq 51096
pager lines 24
logging on
logging trap informational
logging device-id hostname
logging host inside pc 17/1550
icmp deny any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.2.1 255.255.255.0
ip verify reverse-path interface outside
ip audit name DefaultInfo info action alarm
ip audit name Default attack action alarm drop
ip audit interface outside DefaultInfo
ip audit interface outside Default
ip audit interface inside DefaultInfo
ip audit interface inside Default
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.2.0 255.255.255.0 inside
pdm location pc 255.255.255.255 inside
pdm location pc 255.255.255.255 outside
pdm location pc 255.255.255.255 inside
pdm location 192.168.2.0 255.255.255.0 outside
pdm location xxxxxxxxx 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) udp interface 44322 pc 44322 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 55654 pc 55654 netmask 255.255.255.255 0 0
static (outside,inside) udp interface 28960 pc 28960 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 28960 pc 28960 netmask 255.255.255.255 0 0
static (inside,outside) tcp ISPs IP 51096 pc 51096 netmask 255.255.255.255 0 0
static (inside,outside) tcp ISPs IP 11224 pc 11224 netmask 255.255.255.255 0 0
static (outside,inside) tcp interface 25999 pc 25999 netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.2.1 25999 pc 25999 netmask 255.255.255.255 0 0
routing interface outside
routing interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
ntp server 193.2.1.66 source outside prefer
ntp server 193.2.1.92 source outside
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection timewait
auth-prompt prompt prompt
auth-prompt accept Stay Away
auth-prompt reject Everything is Monitored and Logged !
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname 
vpdn group pppoe_group ppp authentication xxx
vpdn username xxxxx password 
dhcpd address 1pc-2pc inside
dhcpd dns
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain xxxx
dhcpd auto_config outside
dhcpd enable inside
username admin password xxxxxxxxx encrypted privilege 15
privilege show level 0 command version
privilege show level 0 command curpriv
privilege show level 3 command pdm
privilege show level 3 command blocks
privilege show level 3 command ssh
privilege configure level 3 command who
privilege show level 3 command isakmp
privilege show level 3 command ipsec
privilege show level 3 command vpdn
privilege show level 3 command local-host
privilege show level 3 command interface
privilege show level 3 command ip
privilege configure level 3 command ping
privilege show level 3 command uauth
privilege configure level 5 mode enable command configure
privilege show level 5 command running-config
privilege show level 5 command privilege
privilege show level 5 command clock
privilege show level 5 command ntp
privilege show level 5 mode configure command logging
privilege show level 5 command fragment
terminal width 80
banner exec ########################################################
banner exec If you don't belong here, get out!
banner exec ########################################################
banner login ########################################################
banner login If you don't belong here, get out!
banner login ########################################################
banner motd ################################################################
banner motd Unauthorized access is prohibited. Everything is Monitered and Logged!!
banner motd ################################################################

and this is missing:

access-list inside_access_out line 1 permit tcp any any eq 28960
access-list outside_access_in line 2 permit tcp any any eq 51096
access-list inside_access_out line 3 permit tcp any any eq 25999
access-list inside_access_out line 1 permit tcp any any
access-list inside_access_out line 2 permit udp any any
access-list inside_access_out line 3 deny icmp any any

If I add a rule via the terminal:
access-list inside_access_out line 1 permit tcp any any

it should show in the PDM access list too, right? It doesn't! 0_o
What am I doing wrong? Please help.



bbs 

with regards, Domini


----------



## Domini (Aug 13, 2009)

I forgot, the network configuration looks like this:

modem -- cisco -- 2PCs

bbs


----------



## Domini (Aug 13, 2009)

I am reading Todd Lammle: CCNA Study Guide, 6th edition, and it looks very complicated, so please, anyone who can help me create access-list rules for my configuration!

c ya


----------



## Domini (Aug 13, 2009)

Anybody? I can't figure it out!!


----------



## srini5884 (Aug 25, 2009)

Would you explain to me whether you have done any configuration changes on this? I am wondering whether there might be some rules you tried to run.

Thanks, 
Sri


----------



## Domini (Aug 13, 2009)

Hi

Well, I only tried to add some access-list rules to block some ICMP from inside to outside, and that is where the problems started to show.

This --> access-list inside_access_out line 1 permit tcp any any eq 28960
was gone, but only in PDM. On the command line it was still there.
Because I couldn't figure it out, I deleted all the access-list rules.
After that I tried to add new ones, the same as they were before:

access-list inside_access_out line 1 permit tcp any any eq 28960
access-list outside_access_in line 2 permit tcp any any eq 51096
access-list inside_access_out line 3 permit tcp any any eq 25999
access-list inside_access_out line 1 permit tcp any any
access-list inside_access_out line 2 permit udp any any
access-list inside_access_out line 3 deny icmp any any 

but they don't work, they don't show in PDM, and port 51096, which is for the P2P file-sharing program uTorrent, shows me red (port appears to be closed).

So basically, yes, I did make some changes to the configuration; I hope I can fix this...
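
The following is an added example, not the poster's configuration and not taken from any reply in the thread. It shows what a working pair of access lists for the layout in the posted `wr t` looks like in PIX OS 6.3 syntax, and it covers both what the first post asks (why `access-list` lines typed at the terminal change nothing visible) and what the last post wants (drop ICMP from inside to outside while keeping the forwarded ports open). The point neither post states: on PIX 6.x an `access-list` has no effect until it is bound to an interface with `access-group`, and the posted `wr t` contains no `access-group` line at all; PDM's Access Rules view is built from `access-list`/`access-group` pairs, so an unbound list does not appear there either. The interface names (`outside`, `inside`), the host name `pc` and the port numbers come from the posted config; the list names and the use of `interface outside` as the mapped address (the outside address is dynamic PPPoE in the posted config) are assumptions.

```text
! Added example, not the poster's running config. PIX OS 6.3 syntax.
! Interface names (outside, inside), the host name "pc" and the ports come
! from the posted "wr t"; the ACL names and the use of "interface outside"
! as the mapped (outside) address are assumptions.

! --- Outbound (inside -> outside) ---
! Traffic from a higher-security interface to a lower one is allowed by
! default, so an ACL here is only needed to *deny* something. Once an ACL is
! bound, everything it does not permit is dropped (implicit deny), so the
! "permit ip any any" line is required. ACLs are first-match: the deny has
! to come before the permit.
access-list inside_access_in deny icmp any any
access-list inside_access_in permit ip any any
access-group inside_access_in in interface inside

! --- Inbound (outside -> inside) ---
! A static alone passes nothing from the lower-security side; an ACL bound
! to "outside" must permit the traffic. On 6.x the inbound ACL is checked
! against the mapped (outside) address, before un-translation, so the
! destination is the outside interface address, not 192.168.2.x.
! Only the ports that have a matching static are opened.
access-list outside_access_in permit tcp any interface outside eq 51096
access-list outside_access_in permit udp any interface outside eq 28960
access-list outside_access_in permit tcp any interface outside eq 25999
access-group outside_access_in in interface outside

! Checks after applying:
!   show access-group    -> both lists must be listed as bound
!   show access-list     -> hit counts should increase as traffic flows
! Note: PIX 6.x access-group accepts only the "in" direction; filtering
! "outbound" traffic is done with an ACL applied "in" on the inside interface.
```

Two things to verify against the posted `wr t` before copying this in: the forwarded ports in the example are bound to the mapped address of the static they belong to, so a static written against a fixed ISP address (the `ISPs IP` lines) needs that address, not `interface outside`, as the ACL destination; and a static written as `(outside,inside)` maps in the wrong direction for an inside host and will not be hit by an inbound rule on `outside`.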


----------

