ACL Problem

niro
Level 1

I'm running a PIX 525 with software version 7.2(2)...I'm having a weird acl problem. I've inserted a few lines to the beginning of the acl inside_access_out, however the firewall seems to ignore them and just skip to the end. Here is what I get from the show access-list command (My IP is 10.14.2.39):

access-list inside_access_out; 13 elements
access-list inside_access_out line 1 extended permit ip host 10.14.2.39 host x.x.x.x (hitcnt=0) 0x7a832d4
access-list inside_access_out line 2 extended permit ip host 10.14.2.39 any (hitcnt=0) 0x28f7c337
access-list inside_access_out line 3 extended permit tcp host 10.11.2.184 host x.x.x.x eq https (hitcnt=0) 0x428081
access-list inside_access_out line 4 extended permit ip host 10.11.2.184 host x.x.x.x (hitcnt=0) 0x331c68af
access-list inside_access_out line 5 extended permit ip host 10.14.2.30 host x.x.x.x (hitcnt=0) 0x2a424acd
access-list inside_access_out line 6 extended permit ip host 10.14.2.68 host x.x.x.x (hitcnt=0) 0xc049a2b
access-list inside_access_out line 7 extended permit ip host 10.14.2.52 host x.x.x.x (hitcnt=0) 0x8be52cb1
access-list inside_access_out line 8 extended permit ip 192.168.14.0 255.255.255.0 host x.x.x.x (hitcnt=0) 0xfbe0b816
access-list inside_access_out line 9 extended permit tcp any any eq www (hitcnt=10659185) 0xe7714247
access-list inside_access_out line 10 extended permit tcp any any eq https (hitcnt=1505514) 0xec7b1d
access-list inside_access_out line 11 extended permit icmp any any (hitcnt=464352) 0x4416cbd7
access-list inside_access_out line 12 extended permit udp any any (hitcnt=10074659) 0x9c2207a6
access-list inside_access_out line 13 extended permit ip any any (hitcnt=2341790) 0xbc49651

access-group inside_access_out out interface outside

I replaced some IP addresses with x.x.x.x.

As you can see, all the lines before the "tcp any any www" line get a hit count of 0. Any idea why that would be? I know I've initiated www traffic (and many other types of traffic), yet it doesn't seem to register.


niro
Level 1

Any ideas why the PIX is doing this?

abinjola
Cisco Employee

Simple... that's because the traffic is not matching the ACLs.

Do this: set this capture on the PIX, which would verify it.

access-list abc permit ip host 10.x.x.x host x.x.x.x

capture cpo access-list abc packet-length 1518 interface outside

Replace the hosts in the above ACL with actual hosts from the access-list lines where you don't have a hit count.

Now get me the output of:

sh cap cpo

acomiskey
Level 10

I believe this is because since your acl is applied out of the outside interface, your source address is no longer 10.14.2.39, it is whatever you are natting to.

Therefore, your acl would need to be...

access-list inside_access_out line 1 extended permit ip host host x.x.x.x

If you wanted to use the 10. address, you could apply the ACL inbound on the inside interface:

access-group inside_access_out in interface inside
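To make the point above concrete, here is an added example (my own code, not from the thread or from Cisco) that models first-match ACL evaluation with per-line hit counters and applies NAT either before or after the check, depending on where the ACL is attached. The server address 198.51.100.10 and the NAT global address 203.0.113.5 are constructed placeholders.

```python
# Added example: first-match ACL evaluator with hitcnt, plus a NAT step, showing
# why host-specific lines stay at hitcnt=0 when applied "out interface outside".
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Ace:
    proto: str                   # "ip" matches every protocol
    src: str                     # "any" or a CIDR such as "10.14.2.39/32"
    dst: str
    dport: Optional[int] = None  # None = any destination port
    hitcnt: int = 0

def _addr_match(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def ace_matches(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt["proto"]:
        return False
    if not (_addr_match(ace.src, pkt["src"]) and _addr_match(ace.dst, pkt["dst"])):
        return False
    return ace.dport is None or ace.dport == pkt.get("dport")

def evaluate(acl, pkt):
    """First match wins, as on the PIX; None means the implicit deny at the end."""
    for i, ace in enumerate(acl):
        if ace_matches(ace, pkt):
            ace.hitcnt += 1
            return i
    return None

def nat(pkt, inside_net, global_ip):
    """Dynamic NAT/PAT: inside sources leave the outside interface as global_ip."""
    out = dict(pkt)
    if ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(inside_net):
        out["src"] = global_ip
    return out

def build_acl():
    # Same shape as the thread's list; 198.51.100.10 is a constructed server address.
    return [Ace("ip", "10.14.2.39/32", "198.51.100.10/32"),  # line 1
            Ace("ip", "10.14.2.39/32", "any"),               # line 2
            Ace("tcp", "any", "any", 80),                    # line 9
            Ace("ip", "any", "any")]                         # line 13

def run(pkt, where, inside_net="10.0.0.0/8", global_ip="203.0.113.5"):
    """where: 'out-outside' sees the packet after NAT, 'in-inside' before NAT."""
    acl = build_acl()
    seen = nat(pkt, inside_net, global_ip) if where == "out-outside" else pkt
    return evaluate(acl, seen), [a.hitcnt for a in acl]
```

Running `run(www, "out-outside")` for a web packet from 10.14.2.39 lands on the "tcp any any 80" line because the source has already become 203.0.113.5, while `run(www, "in-inside")` hits line 1.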

Ah I think you're right...I'm going to try applying the acl for inbound filtering on the inside interface instead.

Thanks, I'll try that tonight.
