Access-list statements on Version 7.0(6)

Kevin Melton
Level 2

I have an extended ACE configured on a PIX Firewall. The purpose of the Firewall is a choke point coming off of the customer's DMZ into the Production networks.

There are a couple of hosts on networks inside of the Firewall that hosts in the DMZ need access to.

I have configured the ACE based upon sniffer traces which are giving me the destination ports being sought.

For whatever reason, when I do a show access-list command, I do not see the hit counts incrementing for the ports I have opened, even though I know the traffic is making it through based upon the data captured in the sniffer.

Here is an example statement:

access-list outside_inside line 34 extended permit tcp host 172.16.1.8 eq 445 host 198.100.100.147 (hitcnt=0).

Based upon the app launched on the DMZ box, and the traffic captured in the sniffer, this ACE statement should have a hit.

I have tried launching the application over and over in an attempt to see the hit count increment, but to no avail.

I would think that maybe I had these statements configured incorrectly, but I don't think that is the case either.

Any suggestions welcome.

Thank You.

1 Reply

bhooker
Level 4

Can you send me the output from:

show run access-group

show nameif

I'm guessing that access-list outside_inside is applied to your outside interface and there is a different one applied to your DMZ interface.
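The reply asks for the two commands that reveal which ACL actually guards the interface the DMZ traffic enters on. A second thing worth checking in the quoted ACE is where the port operator sits: in a PIX/ASA extended ACE, `eq 445` placed between the source and destination addresses is a source-port test, so `host 172.16.1.8 eq 445 host 198.100.100.147` only counts packets sourced from TCP 445, not connections to TCP 445. The script below is an added example, not code from the thread; it parses constructed `show access-list` and `show run access-group` output modelled on the 7.0(6) format quoted above, walks the inbound ACL bound to the ingress interface the way the firewall would, and explains why a given ACE cannot count a given flow. The interface name `dmz`, the `dmz_in` ACL, ACE line 35 and the ephemeral source port are assumptions made for the example.

```python
"""Check which ACE a flow would hit on a PIX/ASA and why a given ACE shows hitcnt=0.

Added example, not from the original thread. Sample output below is constructed;
the 'dmz' interface, 'dmz_in' ACL and line 35 are assumptions for illustration.
"""
from __future__ import annotations
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed 'show access-list' output. Line 34 is the ACE quoted in the post.
SHOW_ACCESS_LIST = """\
access-list outside_inside line 34 extended permit tcp host 172.16.1.8 eq 445 host 198.100.100.147 (hitcnt=0)
access-list outside_inside line 35 extended permit tcp host 172.16.1.8 host 198.100.100.147 eq 445 (hitcnt=0)
access-list dmz_in line 1 extended permit ip 172.16.1.0 255.255.255.0 any (hitcnt=8812)
"""

# Constructed 'show run access-group' output: which ACL is applied inbound on which interface.
SHOW_RUN_ACCESS_GROUP = """\
access-group outside_inside in interface outside
access-group dmz_in in interface dmz
"""

# One extended ACE: optional 'eq PORT' after the source address is a SOURCE-port test.
ACE_RE = re.compile(
    r"access-list (?P<acl>\S+) line (?P<line>\d+) extended (?P<action>permit|deny) "
    r"(?P<proto>\S+) (?P<src>host \S+|any|\S+ \S+)(?: eq (?P<sport>\d+))? "
    r"(?P<dst>host \S+|any|\S+ \S+)(?: eq (?P<dport>\d+))? \(hitcnt=(?P<hits>\d+)\)"
)


@dataclass
class Ace:
    acl: str
    line: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    hits: int


def to_network(token: str) -> ipaddress.IPv4Network:
    """Turn an ACE address token ('host A', 'any', 'NET MASK') into a network."""
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if token.startswith("host "):
        return ipaddress.ip_network(token.split()[1] + "/32")
    net, mask = token.split()
    return ipaddress.ip_network(f"{net}/{mask}")


def parse_aces(text: str) -> list[Ace]:
    aces = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw)
        if m:
            aces.append(Ace(m["acl"], int(m["line"]), m["action"], m["proto"],
                            to_network(m["src"]), int(m["sport"]) if m["sport"] else None,
                            to_network(m["dst"]), int(m["dport"]) if m["dport"] else None,
                            int(m["hits"])))
    return aces


def parse_access_groups(text: str) -> dict[str, str]:
    """Map interface name -> ACL applied inbound on that interface."""
    groups = {}
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) == 5 and parts[0] == "access-group" and parts[2] == "in":
            groups[parts[4]] = parts[1]
    return groups


def ace_matches(ace: Ace, proto: str, src: str, sport: int, dst: str, dport: int) -> bool:
    return (ace.proto in ("ip", proto)
            and ipaddress.ip_address(src) in ace.src
            and ipaddress.ip_address(dst) in ace.dst
            and (ace.sport is None or ace.sport == sport)
            and (ace.dport is None or ace.dport == dport))


def first_match(ingress, proto, src, sport, dst, dport, aces, groups):
    """(acl, line, action) of the first ACE hit on the ingress interface's inbound ACL, else None."""
    acl = groups.get(ingress)
    if acl is None:
        return None
    for ace in sorted((a for a in aces if a.acl == acl), key=lambda a: a.line):
        if ace_matches(ace, proto, src, sport, dst, dport):
            return (ace.acl, ace.line, ace.action)
    return None


def explain_zero_hits(ace, ingress, proto, src, sport, dst, dport, groups) -> list[str]:
    """Reasons the given ACE can never count the given flow (empty list means it can)."""
    reasons = []
    if groups.get(ingress) != ace.acl:
        reasons.append(f"{ace.acl} is not the inbound ACL on {ingress} (that is {groups.get(ingress, 'none')})")
    if ace.sport is not None and ace.sport != sport:
        reasons.append(f"'eq {ace.sport}' follows the source address, so it tests the source port; this flow's is {sport}")
    if ace.dport is not None and ace.dport != dport:
        reasons.append(f"destination port {dport} does not match eq {ace.dport}")
    if ace.proto not in ("ip", proto):
        reasons.append(f"protocol {proto} does not match {ace.proto}")
    if ipaddress.ip_address(src) not in ace.src or ipaddress.ip_address(dst) not in ace.dst:
        reasons.append("source or destination address does not match")
    return reasons


if __name__ == "__main__":
    aces = parse_aces(SHOW_ACCESS_LIST)
    groups = parse_access_groups(SHOW_RUN_ACCESS_GROUP)
    # Assumed flow: DMZ host connecting from an ephemeral port to TCP 445 on the inside host.
    flow = ("tcp", "172.16.1.8", 49152, "198.100.100.147", 445)
    print("hit on dmz:", first_match("dmz", *flow, aces, groups))
    line34 = next(a for a in aces if a.line == 34)
    for reason in explain_zero_hits(line34, "dmz", *flow, groups):
        print("line 34 cannot count this flow:", reason)
```

Run it against real output by replacing the two constructed strings with the text of `show access-list` and `show run access-group`; the `ingress` argument must be the `nameif` of the interface the DMZ host sits behind, which is why the reply asks for `show nameif` as well.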
