
ACL issue on PIX 501 6.3(4)

Aug 13th, 2006

Hi all,


Last weekend we ran into an ACL problem on a PIX 501 (running OS 6.3(4)). A colleague of mine needed to add a rule to the ACL applied to the outside interface. He isn't used to handling a PIX, so he did what he normally does on a Cisco device, which is a "no access-list outside-acl" and then he remakes the ACL with all the previous rules in there. (He does this in 1 paste.)


On the PIX however this produced some problems. Seemingly, everything was pasted OK (read: no errors reported), but afterwards my colleague noticed problems with connectivity through the firewall. He didn't troubleshoot this further, he just reloaded the PIX which fixed the issue. He then called me to ask what to do and I had him add the rule the way I'm used to doing it, which is to prepare 1 paste to: add the rule, remove the deny any any and add the deny any any (moving it back to the end). There might be better ways to do this (feel free to suggest some, thanks).


My question is now: does anybody have any idea what might have caused the connectivity issues? I am -guessing- that doing a "no access-list acl-outside" not only removed the ACL, but also removed the ACL named "acl-outside" from being applied to the outside interface. That way, after recreating the ACL, the ACL was there, but it wasn't applied on any interface.

That is just my guess though, does anyone with more PIX experience agree or disagree with this?


Thanks in advance for the feedback.


With kind regards,


Kevin Huysmans
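One defender-side way to check for the failure mode Kevin suspects (ACL rebuilt after `no access-list`, but no longer bound to the interface), as an added example that is not from the original thread: a small Python audit over constructed PIX 6.3-style config lines that flags `access-list` names with no matching `access-group`, and `access-group` bindings whose ACL has no entries. The config text, ACL names and addresses are assumptions, not from the post.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample (not from the original post): acl-outside was recreated
# after "no access-list acl-outside", but the access-group binding for the
# outside interface was never re-added, so the new ACL is not in effect.
SAMPLE_CONFIG = """\
access-list acl-outside permit tcp any host 192.0.2.10 eq www
access-list acl-outside permit tcp any host 192.0.2.10 eq https
access-list acl-outside deny ip any any
access-list acl-inside permit ip 10.1.1.0 255.255.255.0 any
access-group acl-inside in interface inside
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(.*)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")


def parse_config(text: str) -> Tuple[Dict[str, List[str]], Dict[str, str]]:
    """Return {acl_name: [entries]} and {acl_name: interface} from config text."""
    acls: Dict[str, List[str]] = {}
    bindings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            acls.setdefault(m.group(1), []).append(f"{m.group(2)} {m.group(3)}")
            continue
        m = GROUP_RE.match(line)
        if m:
            bindings[m.group(1)] = m.group(2)
    return acls, bindings


def audit(text: str) -> List[str]:
    """Flag ACLs that are defined but unbound, and bindings whose ACL has no entries."""
    acls, bindings = parse_config(text)
    findings: List[str] = []
    for name in sorted(acls):
        if name not in bindings:
            findings.append(f"{name}: defined ({len(acls[name])} entries) but not applied with access-group")
    for name, iface in sorted(bindings.items()):
        if name not in acls:
            findings.append(f"{name}: applied on {iface} but has no access-list entries")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against a saved `show running-config` before and after an ACL change; an empty result means every defined ACL is bound and every binding points at a populated ACL.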

Fernando_Meza Mon, 08/14/2006 - 02:37

Hi .. if you are using that version of software then you don't need to do the copy/paste procedure. You can simply do a show access-list, which will show you the entries with line numbers. You can then insert an entry before a line number. For example, let's say that the output of show access-list <ACL name> reads:


access-list Packet_Capture line 1 permit tcp host 10.11.240.40 any eq https (hitcnt=0)

access-list Packet_Capture line 2 permit tcp host 10.11.240.40 any eq www (hitcnt=0)

access-list Packet_Capture line 3 permit ip host 10.11.240.40 any (hitcnt=0)


you can insert


access-list Packet_Capture line 2 permit tcp host 10.11.240.40 any eq ftp


and the end results will be


access-list Packet_Capture line 1 permit tcp host 10.11.240.40 any eq https (hitcnt=0)

access-list Packet_Capture line 2 permit tcp host 10.11.240.40 any eq ftp (hitcnt=0)

access-list Packet_Capture line 3 permit tcp host 10.11.240.40 any eq www (hitcnt=0)

access-list Packet_Capture line 4 permit ip host 10.11.240.40 any (hitcnt=0)


In regards to the connectivity issue, it is really difficult to tell, as the way your friend performed the procedure is not correct. He was supposed to remove the access-list from the interface first, then modify the access-list, and finally apply the access-list to the interface.



I hope it helps .. please rate it if it does !!




