Cisco Support Community
Community Member

Ability to Test Firewall Rules on PIX 6.x or 7.x???

Does anyone know if there are any methods, procedures, or commands on a PIX firewall or FWSM to display any matches on the specified ACL?

For example is there a command where I can test if host "x" to host "y" via ACL "z" matches any lines on ACL "z"?

The reason I ask is because I have a PIX firewall that has an ACL that contains over 40,000 elements when I do a "show access-list <name>" to check for hits.

There is no way I'm going to browse through 40,000+ entries of ACL to test to see if I have any hits for a particular source to destination and port # hit.

If my example is confusing I have another way of explaining that's hopefully better.

Example #2: I would like to issue a command to test if host 10.1.1.1 to 10.3.1.1 port TCP 3389 is permitted on ACL "myaclname".

It shows a match on ACL "myaclname" line #25 and displays the ACL which shows "access-list myaclname line 22 permit tcp 10.1.0.0 255.255.0.0 10.3.1.0 255.255.255.0 eq 3389 (hitcnt=44)"

I'm crossing my fingers hoping to see if this feature is available on PIX 6.x or 7.x or a procedure/method that is equivalent.
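A way to get the check the question asks for without paging through 40,000 lines, as an added example that is not code from this thread or from Cisco: it parses saved `show access-list` output offline and reports the first line a given source, destination and port would hit. It assumes PIX/ASA first-match semantics, ordinary subnet masks (not IOS inverse wildcards) and the line format quoted in the question, with or without the `extended` keyword that 7.x prints; the sample output embedded in it is constructed, and the `NAMED_PORTS` table is a small assumption you may need to extend. On a PIX 7.x or ASA the on-box equivalent is the `packet-tracer` command the replies mention.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample of "show access-list myaclname" output (PIX 6.x style,
# no "extended" keyword); line 22 is the entry quoted in the question.
SAMPLE_SHOW_ACCESS_LIST = """\
access-list myaclname; 4 elements
access-list myaclname line 10 deny tcp host 10.1.1.50 any eq 3389 (hitcnt=3)
access-list myaclname line 20 permit udp any any eq domain (hitcnt=1200)
access-list myaclname line 22 permit tcp 10.1.0.0 255.255.0.0 10.3.1.0 255.255.255.0 eq 3389 (hitcnt=44)
access-list myaclname line 30 permit ip 10.1.0.0 255.255.0.0 any (hitcnt=9001)
"""

# Assumed subset of the service names the PIX prints instead of numbers.
NAMED_PORTS = {"www": 80, "https": 443, "domain": 53, "ssh": 22, "smtp": 25}


@dataclass
class AclEntry:
    line: int
    action: str                        # "permit" or "deny"
    proto: str                         # "tcp", "udp", "icmp" or "ip"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: Optional[Tuple[int, int]]  # inclusive destination port range, None = any
    text: str                          # the original line, for reporting


def _port(tok: str) -> int:
    return NAMED_PORTS[tok] if tok in NAMED_PORTS else int(tok)


def _parse_addr(t, i):
    """Consume one address spec at t[i]: 'any', 'host A.B.C.D' or 'NET MASK'.
    PIX/ASA ACLs use ordinary subnet masks, not IOS-style inverse wildcards."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def _parse_ports(t, i):
    """Consume an optional port operator (eq/range/gt/lt) at t[i]."""
    if i >= len(t):
        return None, i
    if t[i] == "eq":
        p = _port(t[i + 1])
        return (p, p), i + 2
    if t[i] == "range":
        return (_port(t[i + 1]), _port(t[i + 2])), i + 3
    if t[i] == "gt":
        return (_port(t[i + 1]) + 1, 65535), i + 2
    if t[i] == "lt":
        return (0, _port(t[i + 1]) - 1), i + 2
    return None, i


def parse_acl(show_output: str):
    """Turn 'show access-list' output into AclEntry objects, in ACL order."""
    entries = []
    for raw in show_output.splitlines():
        t = raw.split()
        if len(t) < 7 or t[0] != "access-list" or t[2] != "line":
            continue                        # summary line or unrelated output
        i = 4
        if t[i] == "extended":              # PIX 7.x / ASA print this keyword
            i += 1
        action, proto = t[i], t[i + 1]
        src, i = _parse_addr(t, i + 2)
        _sports, i = _parse_ports(t, i)     # source port spec, if present (not matched here)
        dst, i = _parse_addr(t, i)
        dports, i = _parse_ports(t, i)
        entries.append(AclEntry(int(t[3]), action, proto, src, dst, dports, raw.strip()))
    return entries


def find_match(entries, proto: str, src_ip: str, dst_ip: str, dport: Optional[int] = None):
    """Return the first entry the flow hits (first-match semantics), or None
    for the implicit deny at the end of every ACL."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in entries:
        if e.proto not in ("ip", proto):
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.dports is not None and (dport is None or not e.dports[0] <= dport <= e.dports[1]):
            continue
        return e
    return None


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_SHOW_ACCESS_LIST)
    hit = find_match(acl, "tcp", "10.1.1.1", "10.3.1.1", 3389)
    print(hit.text if hit else "no match: implicit deny")
```

This only evaluates the ACL itself: it does not know about NAT, object-groups, interface bindings or the connection table, all of which packet-tracer accounts for on the box, so treat a result here as "which line would this flow be evaluated against", not as proof the traffic passes.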

3 REPLIES

Re: Ability to Test Firewall Rules on PIX 6.x or 7.x???

Hi Danny,

We do have diagnostic commands/packet trace/packet capture options which will easily help us to test what is going on for a specific traffic.

However, going through your requirements, it appears that you want to test/check whether any matching rules exist in the firewall configuration for a particular type of traffic.

As far as I know, such a feature is not available yet.

It would be a very good feature if it were implemented.

-VJ

Community Member

Re: Ability to Test Firewall Rules on PIX 6.x or 7.x???

Actually... I found my answer after a week and having a need to resolve an issue on the network. I stumbled upon the "packet-tracer" command that displays LINE by LINE exactly what the PIX firewall process does!

This is the greatest PIX command ever developed in my opinion! About time!!! PIX 7.0+ and ASA.

Reference Doc: http://cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml

Community Member

Re: Ability to Test Firewall Rules on PIX 6.x or 7.x???

Anyone who does troubleshooting or configures a PIX or ASA firewall definitely NEEDS this command. Also, another interesting thing I ran into with an ASA5540 firewall was that SHUN was enabled and blocking a PC that had a virus on there. The SHUN did not have any timers set so it was on there permanently. I wonder if that's on by default on version 7.2(1)24.
