Do you have something like this:
static (inside,outside) 172.16.0.149 192.168.82.42 netmask 255.255.255.255
access-list acl_outside permit tcp 172.16.0.0 255.255.0.0 host 172.16.0.149 eq 80
access-list acl_outside permit tcp 172.16.0.0 255.255.0.0 host 172.16.0.149 eq 23
access-list acl_outside permit icmp 172.16.0.0 255.255.0.0 host 172.16.0.149 echo
access-list acl_outside permit icmp 172.16.0.0 255.255.0.0 host 172.16.0.149 echo-reply
access-group acl_outside in interface outside
The above assumes the following:
Your Mac SE/30 = 192.168.82.42
You have 172.16.0.149 available as a free IP on the 'internet'
This allows TCP port 80 (http) and TCP port 23 (telnet) to the published IP of 172.16.0.149.
It also allows pinging.
The access-group command applies the access-list to the outside interface.
If you have further questions, send me your lab config (strip passwords and such).
-James
At 17:50 7/22/2003, Glenn English wrote:
I got a 506E (first experience with Cisco) last Friday, and I'm learning how to use it with the 172.16.0.146/28 (a LAN around the building) as the Internet and 192.168.82.40/29 (my workstation) as the protected LAN. (And an old Mac SE/30 as the terminal.)
Configuring from the terminal works, telnet works, https works, tftp works, the Java PDM pretty much works, and connecting from inside to outside works.
But I can't figure out how to get through the firewall in the other direction. There's a static map from an "Internet" IP to my workstation, and the PIX' log shows a connection attempt. But what I specifically permit is being denied. Is the anti-spoofing blocking it? If so, why is it not blocking packets returning to the PAT address?
-- Glenn English [EMAIL PROTECTED]
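
Added example, not part of the original messages: on PIX software of this era the ACL bound inbound to the outside interface is matched against the published (global) address of a static, which is why the permits in the reply name 172.16.0.149 rather than 192.168.82.42. The Python sketch below audits a config for that relationship; the function names and the deliberately wrong third line of the sample are constructed for illustration.

```python
import ipaddress

# Constructed sample: the static and access-group from the reply, one ACL line
# from the reply, and one deliberately wrong line naming the real inside address.
SAMPLE = """\
static (inside,outside) 172.16.0.149 192.168.82.42 netmask 255.255.255.255
access-list acl_outside permit tcp 172.16.0.0 255.255.0.0 host 172.16.0.149 eq 80
access-list acl_outside permit tcp 172.16.0.0 255.255.0.0 host 192.168.82.42 eq 23
access-group acl_outside in interface outside
"""

def parse_addr(tok, i):
    """Read 'any', 'host A' or 'A NETMASK' at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def audit(config, iface="outside"):
    """Return findings for permits on the ACL bound inbound to iface."""
    statics, permits, bound = {}, {}, set()
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["static"] and tok[1].endswith(f",{iface})"):
            # Syntax: static (real_if,mapped_if) published_ip real_ip ...
            statics[ipaddress.ip_address(tok[3])] = ipaddress.ip_address(tok[2])
        elif tok[:1] == ["access-list"] and tok[2] == "permit":
            _, i = parse_addr(tok, 4)    # source (assumes no source-port operator)
            dst, _ = parse_addr(tok, i)  # destination
            permits.setdefault(tok[1], []).append(dst)
        elif tok[:1] == ["access-group"] and tok[2:] == ["in", "interface", iface]:
            bound.add(tok[1])
    # Only ACLs actually applied to the interface count.
    dsts = [d for name in sorted(bound) for d in permits.get(name, [])]
    findings = []
    for real, pub in statics.items():
        if any(real in d and pub not in d for d in dsts):
            findings.append(f"permit names real address {real}; published address is {pub}")
        if not any(pub in d for d in dsts):
            findings.append(f"no inbound permit reaches published address {pub}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

An empty result means every static on the interface has a bound permit that names its published address; it says nothing about other causes of a deny.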
