Hi Glen,

It sounds as though you have just created a static map, but not implemented either a conduit or an access list. Conduits are exceptions to the Adaptive Security Algorithm that allow traffic to pass from an interface with a lower security setting to one with a higher security setting. In later PIXOS releases Cisco also uses access lists for the same purpose. You may need to use an access list to permit the specific port you want open.

The question is, however, do you really need access from the outside? If you do, and it is for administration only, consider SSH, or only open up the firewall when you need to administer.

Regards,
Paul Benedek
Director
Excis Networks Limited
http://www.excis.co.uk

-----Original Message-----
From: Glenn English [mailto:[EMAIL PROTECTED]]
Sent: 22 July 2003 23:50
To: 'Security-Basics'
Subject: Some Cisco PIX newbie questions

I got a 506E (first experience with Cisco) last Friday, and I'm learning how to use it with 172.16.0.146/28 (a LAN around the building) as the Internet and 192.168.82.40/29 (my workstation) as the protected LAN. (And an old Mac SE/30 as the terminal.)

Configuring from the terminal works, telnet works, https works, tftp works, the Java PDM pretty much works, and connecting from inside to outside works. But I can't figure out how to get through the firewall in the other direction. There's a static map from an "Internet" IP to my workstation, and the PIX's log shows a connection attempt. But what I specifically permit is being denied.

Is the anti-spoofing blocking it? If so, why is it not blocking packets returning to the PAT address?

--
Glenn English
[EMAIL PROTECTED]
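The configuration Paul describes, as an added example that is not part of either message in the thread: a PIX 6.x `static` translation paired with an access list bound to the outside interface, so that only one management host can reach one port on the mapped address and everything else inbound stays blocked by the implicit deny. The addresses are constructed placeholders chosen to fall inside the subnets Glenn mentions (172.16.0.150 as the mapped outside address, 192.168.82.42 as the workstation, 172.16.0.147 as the management host) and are not taken from his real configuration; the access-list name `outside_in` is an arbitrary choice. Lines beginning with a colon are comments, which the PIX parser ignores.

```text
: Static one-to-one translation: outside 172.16.0.150 -> inside 192.168.82.42
: (constructed addresses). This alone creates the mapping but permits nothing;
: the ASA still denies outside->inside traffic until an exception exists.
static (inside,outside) 172.16.0.150 192.168.82.42 netmask 255.255.255.255 0 0

: Exception for exactly one service from exactly one source. On pre-7.x PIX
: the access list applied to the outside interface matches the mapped
: (global) address, not the inside address. Everything not listed is dropped
: by the implicit deny at the end of the list, so no explicit deny is needed.
access-list outside_in permit tcp host 172.16.0.147 host 172.16.0.150 eq 22

: Bind the list to inbound traffic on the outside interface.
access-group outside_in in interface outside

: Older equivalent using a conduit instead of an access list (do not combine
: conduits and access-group on the same interface):
: conduit permit tcp host 172.16.0.150 eq 22 host 172.16.0.147
```

The `static` by itself is what produces the "connection attempt logged but denied" symptom in the original question: the firewall sees the translation, but without a matching `access-list` entry (or conduit) the Adaptive Security Algorithm still refuses the lower-to-higher security flow. Return traffic for PAT sessions opened from inside is different, because the PIX tracks those connections in its state table and lets the replies back without any access-list entry.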
