PIX ACL not hitting

Unanswered Question
Sep 5th, 2007


I'm new at PIX configuration and have the following problem:

I have 2 PIX connected via VPN LAN-to-LAN.

Network_A behind PIX_A and network_B behind PIX_B can fully communicate.

Then I want to prevent one PC (PC_A) from network_A to communicate with one PC (PC_B) in network_B.

To do that, I configured an ACL on PIX_A:

access-list ACL_A_inside deny ip host <PC_A IPaddr> host <PC_B IPaddr>

access-list ACL_A_inside permit ip <network_A> <network_mask> <network_B> <network_mask>

access-list ACL_A_inside deny ip any any

access-group ACL_A_inside in interface inside

The problem is that PC_A can still initiate the communication (ping, http ...) to PC_B, and when issuing the sh access-list ACL_A_inside command, I have 0 hitcnt both for the deny ACE concerning the 2 PCs and for the permit ACE concerning the networks.

I only have 2 or 3 matches for the last deny ip any any, but those appeared before trying to ping or http from PC_A to PC_B.

I can't understand it. Everything behaves as if I had no ACL configured, or no deny ACE.

Can anyone help me, please?

Thanks in advance
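Added example, not from the thread: a small Python model of how a PIX walks the inside ACL posted above (first match wins, the implicit deny sits at the end, and every match bumps that ACE's hitcnt as shown by sh access-list). The addresses are constructed placeholders for the <PC_A IPaddr>, <PC_B IPaddr>, <network_A> and <network_B> tokens in the post. If the inside ACL were being consulted for PC_A to PC_B traffic, the first ACE's counter would climb; a counter stuck at 0 means the packets are not reaching that ACL at all.

```python
import ipaddress
from dataclasses import dataclass

# Constructed placeholder values standing in for the post's <...> tokens.
PC_A, PC_B = "10.1.1.10", "10.2.2.20"
NET_A, NET_B = "10.1.1.0 255.255.255.0", "10.2.2.0 255.255.255.0"

# The three ACEs from the post, with the placeholders filled in.
ACL_TEXT = f"""
access-list ACL_A_inside deny ip host {PC_A} host {PC_B}
access-list ACL_A_inside permit ip {NET_A} {NET_B}
access-list ACL_A_inside deny ip any any
"""

@dataclass
class Ace:
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    hitcnt: int = 0

def _take_addr(tokens):
    """Consume one PIX address spec: 'any', 'host A', or 'A MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)

def parse_acl(text, name):
    """Build the ordered ACE list for one named ACL (ip-protocol ACEs only)."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:2] != ["access-list", name] or tokens[3] != "ip":
            continue
        action, rest = tokens[2], tokens[4:]
        aces.append(Ace(action, _take_addr(rest), _take_addr(rest)))
    return aces

def evaluate(aces, src_ip, dst_ip):
    """First matching ACE wins and its hitcnt is incremented, as 'sh access-list'
    would show; no match falls through to the implicit deny at the end."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for i, ace in enumerate(aces):
        if s in ace.src and d in ace.dst:
            ace.hitcnt += 1
            return ace.action, i
    return "deny", None
```

Run evaluate() once per test flow and compare the ACE counters with what the real box reports; the flows that should hit the first two ACEs are PC_A to PC_B and any other network_A host to PC_B.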

acomiskey Wed, 09/05/2007 - 08:17

You will have to remove the sysopt connection permit-ipsec or permit-vpn command. This will cause all of your IPsec VPN traffic to have to be allowed in any of your interface ACLs.
