It looks like you have 2 different access-lists here. One called acl_out (with an underscore) and one called acl-out (with a hyphen). Is this correct? Did you mean for these to be configured as one access list? How are these applied?
Jay Wehring
Platforms Manager
The Container Store
2000 Valwood Parkway
Dallas, Texas 75234
(214)654-3385

-----Original Message-----
From: George Lutch [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 06, 2001 10:59 AM
To: [EMAIL PROTECTED]
Subject: Citrix Thru PIX

I am trying to statically nat a Citrix MetaFrame XP server thru a PIX 506 firewall. I can ping the natted address on the outside but cannot access the Citrix server with the ICA client or the Terminal services client. I have the following access rules set up on the PIX.

access-list acl_out permit tcp any host 12.x.x.98 eq smtp
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host 12.x.x.101 eq www
access-list acl-out permit tcp any host 12.x.x.102
access-list acl-out permit udp any host 12.x.x.102
access-list acl-out permit tcp any host 12.x.x.102 eq www
access-list acl-out permit tcp any host 12.x.x.102 eq 1494
access-list acl-out permit udp any host 12..x.102 eq 1494

I did a log on the PIX and received the following entry.

106023: Deny tcp src outside:206.x.x.247/3237 dst inside:12.x.x.102/1494 by access-group "acl_out"

The PIX firmware rev is 5.2(5)

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
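
Added example, not part of the original thread: a short Python check that groups the posted access-list lines by exact name, flags names that differ only by hyphen versus underscore, and compares the ACL named in the 106023 deny entry with the ACL that actually holds the matching permit. The function names are hypothetical, the sample text is constructed from the lines quoted above, and the matcher assumes only the "any host <addr> [eq <port>]" entry form used in the post.

```python
import re
from collections import defaultdict

# Constructed sample: the access-list lines and syslog entry quoted in the thread.
CONFIG = """\
access-list acl_out permit tcp any host 12.x.x.98 eq smtp
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host 12.x.x.101 eq www
access-list acl-out permit tcp any host 12.x.x.102
access-list acl-out permit udp any host 12.x.x.102
access-list acl-out permit tcp any host 12.x.x.102 eq www
access-list acl-out permit tcp any host 12.x.x.102 eq 1494
access-list acl-out permit udp any host 12..x.102 eq 1494
"""
LOG = ('106023: Deny tcp src outside:206.x.x.247/3237 '
       'dst inside:12.x.x.102/1494 by access-group "acl_out"')

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(.*)$")
LOG_RE = re.compile(r'106023: Deny (\S+) src \S+ dst \S+?:([^/\s]+)/(\d+)'
                    r' by access-group "([^"]+)"')

def parse_acls(config):
    """Group (action, protocol, rest) entries by the exact ACL name."""
    acls = defaultdict(list)
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            acls[m.group(1)].append(m.groups()[1:])
    return dict(acls)

def lookalike_names(acls):
    """Return groups of ACL names that differ only in '-' versus '_' or case."""
    groups = defaultdict(set)
    for name in acls:
        groups[name.lower().replace("-", "_")].add(name)
    return [sorted(g) for g in groups.values() if len(g) > 1]

def entry_permits(entry, proto, host, port):
    """True if an 'any host <addr> [eq <port>]' permit entry covers the packet."""
    action, eproto, rest = entry
    tok = rest.split()
    if action != "permit" or eproto != proto or tok[:2] != ["any", "host"] or len(tok) < 3:
        return False
    return tok[2] == host and (len(tok) == 3 or tok[3:] == ["eq", port])

def explain_deny(log, acls):
    """Compare the ACL named in the deny entry with the ACLs holding a matching permit."""
    proto, host, port, applied = LOG_RE.search(log).groups()
    hits = sorted(n for n, es in acls.items()
                  if any(entry_permits(e, proto, host, port) for e in es))
    return {"applied": applied, "applied_permits": applied in hits,
            "permitted_elsewhere": [n for n in hits if n != applied]}
```

Calling `explain_deny(LOG, parse_acls(CONFIG))` on the posted lines reports that the ACL named in the deny entry has no permit for 12.x.x.102 port 1494, while the hyphenated list does.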