02-18-2008 04:18 PM - edited 03-11-2019 05:04 AM
I'm running a PIX 525 with software version 7.2(2)...I'm having a weird acl problem. I've inserted a few lines to the beginning of the acl inside_access_out, however the firewall seems to ignore them and just skip to the end. Here is what I get from the show access-list command (My IP is 10.14.2.39):
access-list inside_access_out; 13 elements
access-list inside_access_out line 1 extended permit ip host 10.14.2.39 host x.x.x.x (hitcnt=0) 0x7a832d4
access-list inside_access_out line 2 extended permit ip host 10.14.2.39 any (hitcnt=0) 0x28f7c337
access-list inside_access_out line 3 extended permit tcp host 10.11.2.184 host x.x.x.x eq https (hitcnt=0) 0x428081
access-list inside_access_out line 4 extended permit ip host 10.11.2.184 host x.x.x.x (hitcnt=0) 0x331c68af
access-list inside_access_out line 5 extended permit ip host 10.14.2.30 host x.x.x.x (hitcnt=0) 0x2a424acd
access-list inside_access_out line 6 extended permit ip host 10.14.2.68 host x.x.x.x (hitcnt=0) 0xc049a2b
access-list inside_access_out line 7 extended permit ip host 10.14.2.52 host x.x.x.x (hitcnt=0) 0x8be52cb1
access-list inside_access_out line 8 extended permit ip 192.168.14.0 255.255.255.0 host x.x.x.x (hitcnt=0) 0xfbe0b816
access-list inside_access_out line 9 extended permit tcp any any eq www (hitcnt=10659185) 0xe7714247
access-list inside_access_out line 10 extended permit tcp any any eq https (hitcnt=1505514) 0xec7b1d
access-list inside_access_out line 11 extended permit icmp any any (hitcnt=464352) 0x4416cbd7
access-list inside_access_out line 12 extended permit udp any any (hitcnt=10074659) 0x9c2207a6
access-list inside_access_out line 13 extended permit ip any any (hitcnt=2341790) 0xbc49651
access-group inside_access_out out interface outside
I replaced some IP addresses with x.x.x.x.
As you can see all the lines before the tcp any any www line get a hit count of 0. Any idea why that would be? I know I've initiated www traffic (and many other types of traffic), yet it doesn't seem to register.
02-19-2008 07:31 AM
Any ideas why the PIX is doing this?
02-19-2008 08:29 AM
Simple... that's because the traffic is not matching the ACLs.
Do this: set this capture on the PIX, which would verify this.
access-l abc permit ip host 10.x.x.x host x.x.x.x
capture cpo access-l abc packet-length 1518 interface outside
replace the hosts in the above ACL with actual hosts from access-lists where you don't have hit count
Now get me
sh cap cpo
02-19-2008 08:25 AM
I believe this is because since your acl is applied out of the outside interface, your source address is no longer 10.14.2.39, it is whatever you are natting to.
Therefore, your acl would need to be...
access-list inside_access_out line 1 extended permit ip host
If you wanted to use the 10. address you could apply the acl into the inside interface
access-group inside_access_out in interface inside
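The ordering problem described in this answer, as an added example that is not part of the thread: a small first-match ACL evaluator that applies a constructed PAT address before evaluating an ACL bound "out" on the outside interface, and the untranslated source when the ACL is bound "in" on the inside interface. Addresses, the ACL and the NAT address are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, List


@dataclass
class Ace:
    """One access-list entry (ACE) with its own hit counter."""
    proto: str                 # "ip", "tcp", "udp" or "icmp"
    src: str                   # CIDR or "any"
    dst: str                   # CIDR or "any"
    dport: Optional[int] = None
    hits: int = 0

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if not _in_net(self.src, src) or not _in_net(self.dst, dst):
            return False
        return self.dport is None or self.dport == dport


def _in_net(net: str, addr: str) -> bool:
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dport: Optional[int] = None) -> Optional[int]:
    """First-match evaluation; returns the 1-based line that matched, None = implicit deny."""
    for line, ace in enumerate(acl, start=1):
        if ace.matches(proto, src, dst, dport):
            ace.hits += 1
            return line
    return None


def build_acl() -> List[Ace]:
    # Constructed ACL shaped like the thread's: host-specific line first, broad permits after.
    return [Ace("ip", "10.14.2.39/32", "203.0.113.10/32"),
            Ace("tcp", "any", "any", 80),
            Ace("ip", "any", "any")]


NAT_OUTSIDE = "198.51.100.1"   # constructed PAT address used on the outside interface


def send_outbound(acl: List[Ace], binding: str, src: str, dst: str, proto: str = "tcp", dport: int = 80) -> Optional[int]:
    # "out_outside": the packet is already translated, so the ACL sees the NAT address.
    # "in_inside": evaluated before NAT, so the ACL still sees the real inside host.
    seen_src = NAT_OUTSIDE if binding == "out_outside" else src
    return evaluate(acl, proto, seen_src, dst, dport)


def hit_counts(acl: List[Ace]) -> List[int]:
    return [ace.hits for ace in acl]
```

With the ACL bound "out" on outside, the host line stays at hitcnt=0 and the `tcp any any eq www` line takes the hit; bound "in" on inside, line 1 matches.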
02-19-2008 09:07 AM
Ah I think you're right...I'm going to try applying the acl for inbound filtering on the inside interface instead.
Thanks, I'll try that tonight.