Small Cisco problem



1ms
29/09/08, 19:32
Cisco PIX 501 firewall has the configuration below.

Site: www.blablabla.nl:8080

Is not reachable.

How can that be?! What do I need to change to make it reachable?

Written by enable_15 at 16:47:42.432 CET Mon Sep 22 2008
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 Eth0-outside security0
nameif ethernet1 Eth1-inside security99
enable password 3V5EUz4hvMdbfZrn encrypted
passwd 3V5EUz4hvMdbfZrn encrypted
hostname s-PIX
domain-name Kantoor.local
clock timezone CET 1
clock summer-time CET recurring last Sun Mar 1:00 last Sun Oct 1:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol ftp 10000
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
no fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
no fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.10.14.1 s-01
name 10.10.14.2 s-02
name 10.10.14.253 LWAP54G
name 10.10.14.254 CPF501
name 10.0.0.42 CPF501-outside
name 10.0.0.138 TST570i
name 10.10.14.43 Picasso
name 10.10.14.44 Satellite042-E
name 10.10.14.201 s-W004
name 10.10.14.45 Ilum
access-list Local-ACL permit icmp any any
access-list Local-ACL permit tcp any any eq www
access-list Local-ACL permit tcp any any eq https
access-list Local-ACL permit tcp any any eq ftp
access-list Local-ACL permit tcp any any eq 3389
access-list Local-ACL permit tcp any any eq imap4
access-list Local-ACL permit tcp any any eq 587
access-list Local-ACL permit udp any any eq 6903 log
access-list Local-ACL permit udp any any eq 6901 log
access-list Local-ACL permit udp any any eq 11112 log
access-list Local-ACL permit tcp any host S-01 eq 33890
access-list Local-ACL permit tcp host S-02 any eq 33890 log
access-list Local-ACL permit tcp any host S-01 eq 3390
access-list Local-ACL permit tcp host S-01 any eq domain
access-list Local-ACL permit udp host S-01 any eq domain
access-list Local-ACL permit udp host S-01 any eq ntp
access-list Local-ACL permit tcp host S-01 any eq smtp
access-list Local-ACL permit tcp host S-01 any eq pop3
access-list Local-ACL permit tcp host S-01 any eq 10000
access-list Local-ACL permit tcp host S-01 any eq 4343
access-list Local-ACL permit tcp host S-01 any eq pptp
access-list Local-ACL permit tcp host S-01 any eq 5756 log 7
access-list Local-ACL permit ah host S-01 any
access-list Local-ACL permit esp host S-01 any
access-list Local-ACL permit udp host S-01 eq isakmp any
access-list Local-ACL permit gre host S-01 any
access-list Local-ACL permit tcp host S-02 any eq 19638
access-list Local-ACL permit tcp host S-02 any eq 16667
access-list Local-ACL permit tcp host 10.10.14.202 any eq 5756 log 7
access-list Local-ACL permit tcp host Picasso any eq smtp
access-list Local-ACL permit tcp host Picasso any eq pop3
access-list Local-ACL permit tcp host Picasso any eq pptp
access-list Local-ACL permit ah host Picasso any
access-list Local-ACL permit esp host Picasso any
access-list Local-ACL permit udp host Picasso eq isakmp any
access-list Local-ACL permit gre host Picasso any
access-list Local-ACL permit tcp host Picasso any range 5800 6000
access-list Local-ACL permit tcp host Picasso any eq 33890
access-list Local-ACL permit tcp host Satellite042-E any eq smtp
access-list Local-ACL permit tcp host Satellite042-E any eq pop3
access-list Local-ACL permit tcp host Satellite042-E any eq pptp
access-list Local-ACL permit ah host Satellite042-E any
access-list Local-ACL permit esp host Satellite042-E any
access-list Local-ACL permit udp host Satellite042-E eq isakmp any
access-list Local-ACL permit gre host Satellite042-E any
access-list Local-ACL permit tcp host Satellite042-E any range 5800 6000
access-list Local-ACL permit tcp host Satellite042-E any eq 33890
access-list Local-ACL permit tcp host Satellite042-E any eq 15138
access-list Local-ACL permit tcp host Satellite042-E any eq 15137
access-list Local-ACL permit tcp host Satellite042-E any eq 10000
access-list Local-ACL permit ip host Ilum any
access-list Local-ACL permit tcp host S-W004 any eq 8443
access-list Local-ACL permit tcp host S-W004 any eq nntp
access-list Local-ACL permit tcp host S-W004 any eq domain
access-list Local-ACL permit udp host S-W004 any eq domain
access-list Local-ACL permit tcp host S-W004 any eq smtp
access-list Local-ACL permit tcp host S-W004 any eq pop3
access-list Local-ACL permit tcp host S-W004 any eq pptp
access-list Local-ACL permit ah host S-W004 any
access-list Local-ACL permit esp host S-W004 any
access-list Local-ACL permit udp host S-W004 eq isakmp any
access-list Local-ACL permit gre host S-W004 any
access-list Local-ACL permit tcp host S-W004 any eq 15138
access-list Local-ACL permit tcp host S-W004 any eq 15137
access-list Local-ACL permit tcp host S-W004 any eq 10000
access-list Local-ACL permit tcp host S-W004 any range 5800 6000
access-list Local-ACL permit tcp host S-W004 any eq 19638
access-list Local-ACL permit tcp host S-W004 any eq 33890
access-list Local-ACL deny udp any any log 7
access-list Local-ACL deny tcp any any log 7
access-list Local-ACL deny ip any any log 7
access-list Local-ACL permit tcp any any eq 8080
access-list Local-ACL permit udp any any eq 8080
access-list Internet-ACL permit icmp any any echo-reply
access-list Internet-ACL permit icmp any any time-exceeded
access-list Internet-ACL permit icmp any any unreachable
access-list Internet-ACL permit tcp any host CPF501-outside eq smtp
access-list Internet-ACL permit tcp any host CPF501-outside eq https
access-list Internet-ACL permit tcp any host CPF501-outside eq 3389
access-list Internet-ACL permit tcp any host CPF501-outside eq 3390
access-list Internet-ACL permit tcp any host CPF501-outside eq 10000
access-list Internet-ACL permit tcp any host CPF501-outside eq 4343
access-list Internet-ACL permit tcp any host CPF501-outside eq 8080
access-list Internet-ACL permit tcp host S-01 host CPF501-outside eq 5756
access-list Internet-ACL permit tcp host 10.10.14.202 host CPF501-outside eq 5756
access-list Internet-ACL permit gre any host CPF501-outside
access-list Internet-ACL permit ah any host CPF501-outside
access-list Internet-ACL permit esp any host CPF501-outside
access-list Internet-ACL permit udp any host CPF501-outside eq isakmp
access-list Internet-ACL deny tcp any host CPF501-outside eq www log 3
access-list Internet-ACL deny ip any any log 5
access-list Internet-ACL deny icmp any any log 3
access-list Internet-ACL permit tcp any host 0.0.31.144 eq 8080
access-list Internet-ACL permit udp any host CPF501-outside eq 8080
access-list Internet-ACL permit tcp any host S-02 eq 8080
access-list RAS-ACL permit ip 10.10.14.0 255.255.255.0 10.10.14.0 255.255.255.0
access-list inside_access_in permit tcp any host 0.0.31.144
pager lines 24
logging on
logging timestamp
logging standby
logging monitor informational
logging trap debugging
logging history warnings
logging facility 23
logging host Eth1-inside S-01 6/1468
mtu Eth0-outside 1500
mtu Eth1-inside 1500
ip address Eth0-outside CPF501-outside 255.255.255.0
ip address Eth1-inside CPF501 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool RAS-POOL 10.10.14.32-10.10.14.41
pdm logging informational 100
pdm history enable
arp timeout 14400
global (Eth0-outside) 1 interface
nat (Eth1-inside) 0 access-list RAS-ACL
nat (Eth1-inside) 1 10.10.14.0 255.255.255.0 0 0
static (Eth1-inside,Eth0-outside) tcp CPF501-outside smtp S-01 smtp netmask 255.255.255.255 0 0
static (Eth1-inside,Eth0-outside) tcp CPF501-outside 3390 S-01 3389 netmask 255.255.255.255 0 0
static (Eth1-inside,Eth0-outside) tcp CPF501-outside https S-01 https netmask 255.255.255.255 0 0
static (Eth1-inside,Eth0-outside) tcp CPF501-outside 3389 S-02 3389 netmask 255.255.255.255 0 0
static (Eth1-inside,Eth0-outside) tcp CPF501-outside 4343 S-01 4343 netmask 255.255.255.255 0 0
static (Eth1-inside,Eth0-outside) tcp CPF501-outside 8080 S-02 8080 netmask 255.255.255.255 0 0
access-group Internet-ACL in interface Eth0-outside
access-group Local-ACL in interface Eth1-inside
route Eth0-outside 0.0.0.0 0.0.0.0 TST570i 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server VPN-AAA protocol radius
aaa-server VPN-AAA (Eth1-inside) host S-01 Villeroy&Boch timeout 5
aaa authentication include gre Eth0-outside CPF501-outside 255.255.255.255 0.0.0.0 0.0.0.0 VPN-AAA
aaa authentication include esp Eth0-outside CPF501-outside 255.255.255.255 0.0.0.0 0.0.0.0 VPN-AAA
aaa authentication include gre Eth1-inside CPF501 255.255.255.255 0.0.0.0 0.0.0.0 VPN-AAA
aaa authentication include esp Eth1-inside CPF501 255.255.255.255 0.0.0.0 0.0.0.0 VPN-AAA
aaa authentication ssh console VPN-AAA
ntp server S-01 source Eth1-inside prefer
http server enable
http 10.10.14.0 255.255.255.0 Eth1-inside
snmp-server location Mettlach
no snmp-server contact
snmp-server community Villeroy&Boch
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
auth-prompt prompt Dit toegangspunt gaat trachten u door de domeinserver te laten authoriseren ...
auth-prompt accept Welkom, u bent door de domeinserver geautoriseerd voor toegang op het netwerk.
auth-prompt reject Helaas, de domeinserver heeft uw authenticatie negatief beantwoord. Controleer uw gegevens en/of contacteer uw systeembeheerder.
telnet timeout 5
ssh 10.10.14.0 255.255.255.0 Eth1-inside
ssh timeout 5
console timeout 0
vpdn group VPN-GROUP accept dialin pptp
vpdn group VPN-GROUP ppp authentication pap
vpdn group VPN-GROUP ppp authentication chap
vpdn group VPN-GROUP ppp authentication mschap
vpdn group VPN-GROUP ppp encryption mppe 40 required
vpdn group VPN-GROUP client configuration address local RAS-POOL
vpdn group VPN-GROUP client authentication aaa VPN-AAA
vpdn group VPN-GROUP pptp echo 60
vpdn enable Eth0-outside
vpdn enable Eth1-inside
username bauto password UBV6KksNYQ6BNp7M encrypted privilege 15
username admin password u8JefVIRKyEh/90D encrypted privilege 15
terminal width 80
Cryptochecksum:0bc786b0237fa2cf296bbecf0420919c

Wido
30/09/08, 10:19
Did you build this config yourself or do it via ASDM?

Also, what does the log file say about the packets that are being dropped?

diedsj
30/09/08, 13:02
it is an existing config built by someone else (whom I don't know)
in which I have put some rules regarding port 8080 and port forwarding.
(without effect, by the way)

I use computer S-02 as the station from which I want to reach that web portal over port 8080.

I'll take a look at the log files and then post them.

host3000
30/09/08, 13:05
Off the top of my head,

what if you put all the permits above the first deny?

mdf
30/09/08, 13:16
Hans is right; the rules you added are below the deny rules; that won't work. The deny rules have to be at the end.

diedsj
01/10/08, 11:10
maybe very noob of me, but how do you put them in front?
I only know how to add rules; I didn't know you could also assign them a position.
...

ps.

the requested log: from a 3-minute period in which I try to log in to that portal:


2008-10-01 11:07:18 Local7.Notice 10.10.14.254 Oct 01 2008 11:07:18: %PIX-5-304001: 10.10.14.108 Accessed URL 85.17.175.234:/statics/rsh/blank.html?media=3.262246580.y9A1&searchhyver=&__state__=1
2008-10-01 11:07:18 Local7.Info 10.10.14.254 Oct 01 2008 11:07:18: %PIX-6-302014: Teardown TCP connection 175857 for Eth0-outside:85.17.175.234/80 to Eth1-inside:10.10.14.108/2753 duration 0:00:01 bytes 2310 TCP FINs
2008-10-01 11:07:18 Local7.Debug 10.10.14.254 Oct 01 2008 11:07:18: %PIX-7-106100: access-list Local-ACL denied tcp Eth1-inside/10.10.14.108(2754) -> Eth0-outside/87.255.34.75(81) hit-cnt 1 (first hit)
2008-10-01 11:07:19 Local7.Info 10.10.14.254 Oct 01 2008 11:07:19: %PIX-6-305011: Built dynamic TCP translation from Eth1-inside:10.10.14.108/2755 to Eth0-outside:10.0.0.42/38305
2008-10-01 11:07:19 Local7.Info 10.10.14.254 Oct 01 2008 11:07:19: %PIX-6-302013: Built outbound TCP connection 175858 for Eth0-outside:85.17.175.234/80 (85.17.175.234/80) to Eth1-inside:10.10.14.108/2755 (10.0.0.42/38305)
2008-10-01 11:07:19 Local7.Info 10.10.14.254 Oct 01 2008 11:07:19: %PIX-6-305011: Built dynamic TCP translation from Eth1-inside:10.10.14.108/2756 to Eth0-outside:10.0.0.42/38306
2008-10-01 11:07:19 Local7.Info 10.10.14.254 Oct 01 2008 11:07:19: %PIX-6-302013: Built outbound TCP connection 175859 for Eth0-outside:94.100.113.202/80 (94.100.113.202/80) to Eth1-inside:10.10.14.108/2756 (10.0.0.42/38306)
2008-10-01 11:07:19 Local7.Info 10.10.14.254 Oct 01 2008 11:07:19: %PIX-6-305011: Built dynamic TCP translation from Eth1-inside:10.10.14.108/2757 to Eth0-outside:10.0.0.42/38307
2008-10-01 11:07:19 Local7.Info 10.10.14.254 Oct 01 2008 11:07:19: %PIX-6-302013: Built outbound TCP connection 175860 for Eth0-outside:85.17.175.234/80 (85.17.175.234/80) to Eth1-inside:10.10.14.108/2757 (10.0.0.42/38307)
2008-10-01 11:07:19 Local7.Info 10.10.14.254 Oct 01 2008 11:07:19: %PIX-6-305011: Built dynamic TCP translation from Eth1-inside:10.10.14.108/2758 to Eth0-outside:10.0.0.42/38308
2008-10-01 11:07:19 Local7.Info 10.10.14.254 Oct 01 2008 11:07:19: %PIX-6-302013: Built outbound TCP connection 175861 for Eth0-outside:64.233.183.127/80 (64.233.183.127/80) to Eth1-inside:10.10.14.108/2758 (10.0.0.42/38308)
2008-10-01 11:07:19 Local7.Notice 10.10.14.254 Oct 01 2008 11:07:19: %PIX-5-304001: 10.10.14.108 Accessed URL 94.100.113.202:/262200001-262250000/262246501-262246600/262246580_5_y9A1.jpeg
2008-10-01 11:07:19 Local7.Info 10.10.14.254 Oct 01 2008 11:07:19: %PIX-6-302014: Teardown TCP connection 175860 for Eth0-outside:85.17.175.234/80 to Eth1-inside:10.10.14.108/2757 duration 0:00:00 bytes 0 TCP Reset-I
2008-10-01 11:07:19 Local7.Notice 10.10.14.254 Oct 01 2008 11:07:19: %PIX-5-304001: 10.10.14.108 Accessed URL 64.233.183.127:/__utm.gif?utmwv=1&utmn=1687719118&utmcs=iso-8859-1&utmsr=1280x1024&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=9.0&utmdt=FRIENDitem%2FALBUMitem%2FPHOTOitem%2Fmediaajax%2Floggedin%2F%2F2&utmhn=stakrasi.hyves.nl&utmr=0&utmp=/album/31403912/Deepacabana_Letta_labanda_Dininho_Stakra/IeJd/photos/261347596/0/Xvf3/&utmac=UA-288839-1&utmcc=__utma%3D95163397.1983739309.1191849566.1222674019.1222850925.80%3B%2B__utmb%3D95163397%3B%2B__utmc
2008-10-01 11:07:19 Local7.Info 10.10.14.254 Oct 01 2008 11:07:19: %PIX-6-302014: Teardown TCP connection 175859 for Eth0-outside:94.100.113.202/80 to Eth1-inside:10.10.14.108/2756 duration 0:00:01 bytes 20544 TCP FINs
2008-10-01 11:07:19 Local7.Info 10.10.14.254 Oct 01 2008 11:07:19: %PIX-6-302014: Teardown TCP connection 175858 for Eth0-outside:85.17.175.234/80 to Eth1-inside:10.10.14.108/2755 duration 0:00:01 bytes 9486 TCP FINs
2008-10-01 11:07:19 Local7.Info 10.10.14.254 Oct 01 2008 11:07:19: %PIX-6-305011: Built dynamic TCP translation from Eth1-inside:10.10.14.108/2759 to Eth0-outside:10.0.0.42/38309
2008-10-01 11:07:19 Local7.Info 10.10.14.254 Oct 01 2008 11:07:19: %PIX-6-302013: Built outbound TCP connection 175862 for Eth0-outside:94.100.113.124/80 (94.100.113.124/80) to Eth1-inside:10.10.14.108/2759 (10.0.0.42/38309)
2008-10-01 11:07:19 Local7.Notice 10.10.14.254 Oct 01 2008 11:07:19: %PIX-5-304001: 10.10.14.108 Accessed URL 94.100.113.124:/367000001-367050000/367041901-367042000/367041912_2__SSk.jpeg
2008-10-01 11:07:19 Local7.Info 10.10.14.254 Oct 01 2008 11:07:19: %PIX-6-302014: Teardown TCP connection 175862 for Eth0-outside:94.100.113.124/80 to Eth1-inside:10.10.14.108/2759 duration 0:00:01 bytes 9076 TCP FINs
2008-10-01 11:07:20 Local7.Info 10.10.14.254 Oct 01 2008 11:07:20: %PIX-6-305011: Built dynamic TCP translation from Eth1-inside:10.10.14.108/2760 to Eth0-outside:10.0.0.42/38310
2008-10-01 11:07:20 Local7.Info 10.10.14.254 Oct 01 2008 11:07:20: %PIX-6-302013: Built outbound TCP connection 175863 for Eth0-outside:85.17.175.234/80 (85.17.175.234/80) to Eth1-inside:10.10.14.108/2760 (10.0.0.42/38310)
2008-10-01 11:07:20 Local7.Notice 10.10.14.254 Oct 01 2008 11:07:20: %PIX-5-304001: 10.10.14.108 Accessed URL 85.17.175.234:/statics/rsh/blank.html?media=2.298625492.UoCg&searchhyver=&__state__=2
2008-10-01 11:07:20 Local7.Info 10.10.14.254 Oct 01 2008 11:07:20: %PIX-6-302014: Teardown TCP connection 175863 for Eth0-outside:85.17.175.234/80 to Eth1-inside:10.10.14.108/2760 duration 0:00:01 bytes 2311 TCP FINs
2008-10-01 11:07:21 Local7.Debug 10.10.14.254 Oct 01 2008 11:07:21: %PIX-7-106100: access-list Local-ACL denied tcp Eth1-inside/10.10.14.2(3734) -> Eth0-outside/83.172.154.13(8080) hit-cnt 1 (first hit)
2008-10-01 11:07:21 Local7.Info 10.10.14.254 Oct 01 2008 11:07:21: %PIX-6-305011: Built dynamic TCP translation from Eth1-inside:10.10.14.108/2761 to Eth0-outside:10.0.0.42/38311
2008-10-01 11:07:21 Local7.Info 10.10.14.254 Oct 01 2008 11:07:21: %PIX-6-302013: Built outbound TCP connection 175864 for Eth0-outside:85.17.175.234/80 (85.17.175.234/80) to Eth1-inside:10.10.14.108/2761 (10.0.0.42/38311)
2008-10-01 11:07:21 Local7.Info 10.10.14.254 Oct 01 2008 11:07:21: %PIX-6-305011: Built dynamic TCP translation from Eth1-inside:10.10.14.108/2762 to Eth0-outside:10.0.0.42/38312
2008-10-01 11:07:21 Local7.Info 10.10.14.254 Oct 01 2008 11:07:21: %PIX-6-302013: Built outbound TCP connection 175865 for Eth0-outside:94.100.113.222/80 (94.100.113.222/80) to Eth1-inside:10.10.14.108/2762 (10.0.0.42/38312)
2008-10-01 11:07:21 Local7.Info 10.10.14.254 Oct 01 2008 11:07:21: %PIX-6-305011: Built dynamic TCP translation from Eth1-inside:10.10.14.108/2763 to Eth0-outside:10.0.0.42/38313
2008-10-01 11:07:21 Local7.Info 10.10.14.254 Oct 01 2008 11:07:21: %PIX-6-302013: Built outbound TCP connection 175866 for Eth0-outside:85.17.175.234/80 (85.17.175.234/80) to Eth1-inside:10.10.14.108/2763 (10.0.0.42/38313)
2008-10-01 11:07:21 Local7.Notice 10.10.14.254 Oct 01 2008 11:07:21: %PIX-5-304001: 10.10.14.108 Accessed URL 94.100.113.222:/298600001-298650000/298625401-298625500/298625492_5_UoCg.jpeg
2008-10-01 11:07:21 Local7.Info 10.10.14.254 Oct 01 2008 11:07:21: %PIX-6-302014: Teardown TCP connection 175866 for Eth0-outside:85.17.175.234/80 to Eth1-inside:10.10.14.108/2763 duration 0:00:00 bytes 0 TCP Reset-I
2008-10-01 11:07:22 Local7.Info 10.10.14.254 Oct 01 2008 11:07:21: %PIX-6-302014: Teardown TCP connection 175864 for Eth0-outside:85.17.175.234/80 to Eth1-inside:10.10.14.108/2761 duration 0:00:01 bytes 9319 TCP FINs
2008-10-01 11:07:22 Local7.Info 10.10.14.254 Oct 01 2008 11:07:22: %PIX-6-305011: Built dynamic TCP translation from Eth1-inside:10.10.14.108/2764 to Eth0-outside:10.0.0.42/38314
2008-10-01 11:07:22 Local7.Info 10.10.14.254 Oct 01 2008 11:07:22: %PIX-6-302013: Built outbound TCP connection 175867 for Eth0-outside:94.100.113.18/80 (94.100.113.18/80) to Eth1-inside:10.10.14.108/2764 (10.0.0.42/38314)
2008-10-01 11:07:22 Local7.Info 10.10.14.254 Oct 01 2008 11:07:22: %PIX-6-305011: Built dynamic TCP translation from Eth1-inside:10.10.14.108/2765 to Eth0-outside:10.0.0.42/38315
2008-10-01 11:07:22 Local7.Info 10.10.14.254 Oct 01 2008 11:07:22: %PIX-6-302013: Built outbound TCP connection 175868 for Eth0-outside:85.17.225.245/80 (85.17.225.245/80) to Eth1-inside:10.10.14.108/2765 (10.0.0.42/38315)
2008-10-01 11:07:22 Local7.Info 10.10.14.254 Oct 01 2008 11:07:22: %PIX-6-305011: Built dynamic TCP translation from Eth1-inside:10.10.14.108/2766 to Eth0-outside:10.0.0.42/38316
2008-10-01 11:07:22 Local7.Info 10.10.14.254 Oct 01 2008 11:07:22: %PIX-6-302013: Built outbound TCP connection 175869 for Eth0-outside:94.100.113.18/80 (94.100.113.18/80) to Eth1-inside:10.10.14.108/2766 (10.0.0.42/38316)
2008-10-01 11:07:22 Local7.Info 10.10.14.254 Oct 01 2008 11:07:22: %PIX-6-305011: Built dynamic TCP translation from Eth1-inside:10.10.14.108/2767 to Eth0-outside:10.0.0.42/38317
2008-10-01 11:07:22 Local7.Info 10.10.14.254 Oct 01 2008 11:07:22: %PIX-6-302013: Built outbound TCP connection 175870 for Eth0-outside:85.17.225.245/80 (85.17.225.245/80) to Eth1-inside:10.10.14.108/2767 (10.0.0.42/38317)
2008-10-01 11:07:22 Local7.Info 10.10.14.254 Oct 01 2008 11:07:22: %PIX-6-305011: Built dynamic TCP translation from Eth1-inside:10.10.14.108/2768 to Eth0-outside:10.0.0.42/38318
2008-10-01 11:07:22 Local7.Info 10.10.14.254 Oct 01 2008 11:07:22: %PIX-6-302013: Built outbound TCP connection 175871 for Eth0-outside:87.251.36.86/80 (87.251.36.86/80) to Eth1-inside:10.10.14.108/2768 (10.0.0.42/38318)
2008-10-01 11:07:22 Local7.Notice 10.10.14.254 Oct 01 2008 11:07:22: %PIX-5-304001: 10.10.14.108 Accessed URL 94.100.113.18:/333950001-334000000/333992401-333992500/333992466_1_HxG5.jpeg
2008-10-01 11:07:22 Local7.Notice 10.10.14.254 Oct 01 2008 11:07:22: %PIX-5-304001: 10.10.14.108 Accessed URL 85.17.225.245:/images/smilies/default/smiley_toohot.gif
2008-10-01 11:07:22 Local7.Notice 10.10.14.254 Oct 01 2008 11:07:22: %PIX-5-304001: 10.10.14.108 Accessed URL 94.100.113.18:/333950001-334000000/333992401-333992500/333992466_1_HxG5.jpeg
2008-10-01 11:07:22 Local7.Notice 10.10.14.254 Oct 01 2008 11:07:22: %PIX-5-304001: 10.10.14.108 Accessed URL 85.17.225.245:/images/smilies/default/smiley_toohot.gif
2008-10-01 11:07:22 Local7.Notice 10.10.14.254 Oct 01 2008 11:07:22: %PIX-5-304001: 10.10.14.108 Accessed URL 87.251.36.86:/clients/GEP-C-86/GEP-P-5836/bin/REDB162108_serve.asp

mdf
01/10/08, 11:45
To stay in 'dummy' style; the easiest way is to simply delete them and create them again:

no access-list Local-ACL deny udp any any log 7
no access-list Local-ACL deny tcp any any log 7
no access-list Local-ACL deny ip any any log 7
no access-list Internet-ACL deny ip any any log 5
no access-list Internet-ACL deny icmp any any log 3
access-list Local-ACL deny udp any any log 7
access-list Local-ACL deny tcp any any log 7
access-list Local-ACL deny ip any any log 7
access-list Internet-ACL deny ip any any log 5
access-list Internet-ACL deny icmp any any log 3

That way they 'rejoin at the back of the queue' and so end up at the bottom of the access-list :)
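
An added example, not code from this thread or from Cisco, that reproduces the first-match behaviour host3000 and mdf describe and mdf's delete-and-recreate fix in Python. It parses only the subset of PIX 6.x `access-list` syntax used in the posted config (`permit`/`deny`, `any` or `host NAME`, an optional `eq PORT`, a trailing `log` clause), evaluates a flow the way the PIX does (first matching entry wins, no match means deny), extracts the denied flow from the `%PIX-7-106100` line in the posted log, and shows the verdict for S-02's connection to the portal on port 8080 before and after the three Local-ACL deny lines are removed and re-added. `LOCAL_ACL` is a trimmed copy of the posted Local-ACL in its posted order; `NAMES`, `SERVICES`, the case-insensitive name lookup and all function names are the example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# `name` statements from the posted config that the example needs. The config
# writes `name 10.10.14.1 s-01` while the ACL says `host S-01`, so lookups are
# case-insensitive (an assumption about how the PIX normalises names).
NAMES = {"s-01": "10.10.14.1", "s-02": "10.10.14.2"}
SERVICES = {"www": 80, "https": 443, "ftp": 21, "smtp": 25}  # keyword -> port

@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None

@dataclass
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches every protocol
    src: str               # "any" or a resolved IP address
    dst: str
    dport: Optional[int]   # None: any destination port
    text: str              # the full access-list line as configured

    def matches(self, f: Flow) -> bool:
        return (self.proto in ("ip", f.proto) and self.src in ("any", f.src)
                and self.dst in ("any", f.dst) and self.dport in (None, f.dport))

ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) (\S+) (.*?)(?: log\b.*)?$")

def _operand(tokens):
    """Consume `any` or `host NAME`, then an optional `eq PORT`, from tokens."""
    kw = tokens.pop(0)
    if kw == "any":
        addr = "any"
    elif kw == "host":
        raw = tokens.pop(0)
        addr = NAMES.get(raw.lower(), raw)
    else:
        raise ValueError(f"unsupported address operand {kw!r}")
    port = None
    if tokens and tokens[0] == "eq":
        port = SERVICES.get(tokens[1]) or int(tokens[1])
        del tokens[:2]
    return addr, port

def parse_acls(config: str) -> dict:
    """Group access-list entries by ACL name, preserving configured order."""
    acls = {}
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if not m:
            continue
        name, action, proto, rest = m.groups()
        tokens = rest.split()
        src, _sport = _operand(tokens)   # a source `eq` is parsed but not matched
        dst, dport = _operand(tokens)
        acls.setdefault(name, []).append(Rule(action, proto, src, dst, dport, line))
    return acls

def evaluate(rules, flow):
    """PIX semantics: the first matching entry decides; no match means deny."""
    for index, rule in enumerate(rules):
        if rule.matches(flow):
            return rule.action, index, rule.text
    return "deny", len(rules), "implicit deny"

def no_then_readd(rules, lines):
    """Model mdf's fix: `no access-list <line>` followed by `access-list <line>`
    removes the entry and appends the same entry at the end of the ACL."""
    out = list(rules)
    for line in lines:
        entry = next(r for r in out if r.text == line)
        out.remove(entry)
        out.append(entry)
    return out

LOG_RE = re.compile(r"%PIX-7-106100: access-list (\S+) (permitted|denied) (\w+) "
                    r"\S+/([\d.]+)\(\d+\) -> \S+/([\d.]+)\((\d+)\)")

def flow_from_106100(line):
    """Extract (acl, verdict, Flow) from a %PIX-7-106100 syslog line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    acl, verdict, proto, src, dst, dport = m.groups()
    return acl, verdict, Flow(proto, src, dst, int(dport))

# Trimmed copy of the posted Local-ACL, in the posted order (8080 permits last).
LOCAL_ACL = """\
access-list Local-ACL permit icmp any any
access-list Local-ACL permit tcp any any eq www
access-list Local-ACL permit tcp any any eq https
access-list Local-ACL permit tcp any host S-01 eq 33890
access-list Local-ACL deny udp any any log 7
access-list Local-ACL deny tcp any any log 7
access-list Local-ACL deny ip any any log 7
access-list Local-ACL permit tcp any any eq 8080
access-list Local-ACL permit udp any any eq 8080
"""
# The three deny lines mdf removes and re-adds, in his order.
FIX_LINES = [l for l in LOCAL_ACL.splitlines() if " deny " in l]
# The 106100 entry from the posted log: S-02 (10.10.14.2) trying to reach the portal.
LOG_LINE = ("2008-10-01 11:07:21 Local7.Debug 10.10.14.254 Oct 01 2008 11:07:21: "
            "%PIX-7-106100: access-list Local-ACL denied tcp Eth1-inside/10.10.14.2(3734)"
            " -> Eth0-outside/83.172.154.13(8080) hit-cnt 1 (first hit)")

def verdicts(config=LOCAL_ACL, log_line=LOG_LINE, fix=FIX_LINES):
    """Return (verdict before the fix, verdict after the fix) for the logged flow."""
    acl, _, flow = flow_from_106100(log_line)
    rules = parse_acls(config)[acl]
    return evaluate(rules, flow)[0], evaluate(no_then_readd(rules, fix), flow)[0]

if __name__ == "__main__":
    print(verdicts())  # ('deny', 'permit')
```

Before the fix the 8080 flow is stopped by `deny tcp any any log 7` (entry index 5), which is exactly the `Local-ACL denied tcp ... (8080)` line in the posted log; after the three denies are re-added at the end, `permit tcp any any eq 8080` is reached first. The same evaluator applied to the other denied flow in the log (10.10.14.108 to port 81) still returns deny after the fix, which is the check worth doing whenever an ACL is reordered: the change should open only the ports the permits name.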

diedsj
01/10/08, 12:01
Sorry, that is indeed rather self-evident... I'm a bit of a noob :)
I'll put it in right away and try it out!

many thanks and kudos so far!