Cisco Support Community

New Member

ACL Problem

I'm running a PIX 525 with software version 7.2(2). I'm having a weird ACL problem. I've inserted a few lines at the beginning of the ACL inside_access_out, but the firewall seems to ignore them and just skip to the end. Here is what I get from the show access-list command (my IP is 10.14.2.39):

access-list inside_access_out; 13 elements
access-list inside_access_out line 1 extended permit ip host 10.14.2.39 host x.x.x.x (hitcnt=0) 0x7a832d4
access-list inside_access_out line 2 extended permit ip host 10.14.2.39 any (hitcnt=0) 0x28f7c337
access-list inside_access_out line 3 extended permit tcp host 10.11.2.184 host x.x.x.x eq https (hitcnt=0) 0x428081
access-list inside_access_out line 4 extended permit ip host 10.11.2.184 host x.x.x.x (hitcnt=0) 0x331c68af
access-list inside_access_out line 5 extended permit ip host 10.14.2.30 host x.x.x.x (hitcnt=0) 0x2a424acd
access-list inside_access_out line 6 extended permit ip host 10.14.2.68 host x.x.x.x (hitcnt=0) 0xc049a2b
access-list inside_access_out line 7 extended permit ip host 10.14.2.52 host x.x.x.x (hitcnt=0) 0x8be52cb1
access-list inside_access_out line 8 extended permit ip 192.168.14.0 255.255.255.0 host x.x.x.x (hitcnt=0) 0xfbe0b816
access-list inside_access_out line 9 extended permit tcp any any eq www (hitcnt=10659185) 0xe7714247
access-list inside_access_out line 10 extended permit tcp any any eq https (hitcnt=1505514) 0xec7b1d
access-list inside_access_out line 11 extended permit icmp any any (hitcnt=464352) 0x4416cbd7
access-list inside_access_out line 12 extended permit udp any any (hitcnt=10074659) 0x9c2207a6
access-list inside_access_out line 13 extended permit ip any any (hitcnt=2341790) 0xbc49651

access-group inside_access_out out interface outside

I replaced some IP addresses with x.x.x.x.

As you can see, all the lines before the "tcp any any eq www" line get a hit count of 0. Any idea why that would be? I know I've initiated www traffic (and many other types of traffic), yet it doesn't seem to register.

4 REPLIES
New Member

Re: ACL Problem

Any ideas why the PIX is doing this?

Cisco Employee

Re: ACL Problem

Simple: that's because the traffic is not matching those ACL entries.

Do this: set up this capture on the PIX, which will verify it:

access-list abc permit ip host 10.x.x.x host x.x.x.x

capture cpo access-list abc packet-length 1518 interface outside

Replace the hosts in the above ACL with the actual hosts from the access-list entries where you don't have a hit count.

Now send me the output of:

show capture cpo

Green

Re: ACL Problem

I believe this is because your ACL is applied outbound on the outside interface, so by the time it is evaluated your source address is no longer 10.14.2.39; it is whatever you are NATting to.

Therefore, your ACL would need to be (with the translated address in place of the placeholder):

access-list inside_access_out line 1 extended permit ip host <translated-address> host x.x.x.x

If you wanted to use the 10.x address, you could apply the ACL inbound on the inside interface instead:

access-group inside_access_out in interface inside
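The point of the answer above is an ordering one: on this PIX release an access-group applied "out" on the outside interface is evaluated after translation, so the 10.x host entries can never match, while the same ACL applied "in" on the inside interface sees the original addresses. The following Python model, added here as an example and not code from the thread or from Cisco, parses the 13 posted entries, runs first-match evaluation with hit counters, and evaluates the same packet on both attachment points. Two values are assumptions because they are not on the page: the redacted x.x.x.x destination is stood in by 203.0.113.10, and inside hosts are assumed to leave via dynamic PAT as 198.51.100.1.

```python
"""Why inside_access_out lines 1-8 show hitcnt=0 when bound 'out interface outside'.

Constructed model of PIX 7.x first-match ACL evaluation, not code from the thread.
Assumptions (not on the original page):
  - EXTERNAL stands in for the redacted destination x.x.x.x
  - inside hosts are translated with dynamic PAT to NAT_OUTSIDE_ADDR
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

EXTERNAL = "203.0.113.10"          # assumption: TEST-NET-3 address in place of x.x.x.x
NAT_OUTSIDE_ADDR = "198.51.100.1"  # assumption: PAT address inside hosts appear as on the outside
INSIDE_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.14.0/24")]
PORT_NAMES = {"www": 80, "https": 443}

# The 13 entries of inside_access_out as posted, with x.x.x.x substituted.
INSIDE_ACCESS_OUT = [
    f"permit ip host 10.14.2.39 host {EXTERNAL}",
    "permit ip host 10.14.2.39 any",
    f"permit tcp host 10.11.2.184 host {EXTERNAL} eq https",
    f"permit ip host 10.11.2.184 host {EXTERNAL}",
    f"permit ip host 10.14.2.30 host {EXTERNAL}",
    f"permit ip host 10.14.2.68 host {EXTERNAL}",
    f"permit ip host 10.14.2.52 host {EXTERNAL}",
    f"permit ip 192.168.14.0 255.255.255.0 host {EXTERNAL}",
    "permit tcp any any eq www",
    "permit tcp any any eq https",
    "permit icmp any any",
    "permit udp any any",
    "permit ip any any",
]


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    hitcnt: int = 0


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _parse_addr(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M' (PIX netmask form)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_ace(text: str) -> Ace:
    tokens = text.split()
    action, proto = tokens[0], tokens[1]
    src, rest = _parse_addr(tokens[2:])
    dst, rest = _parse_addr(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = PORT_NAMES.get(rest[1]) or int(rest[1])
    return Ace(action, proto, src, dst, dport)


def build_acl() -> List[Ace]:
    return [parse_ace(line) for line in INSIDE_ACCESS_OUT]


def _matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ace.src or ipaddress.ip_address(pkt.dst) not in ace.dst:
        return False
    return ace.dport is None or ace.dport == pkt.dport


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[Optional[int], str]:
    """First match wins and bumps that line's hitcnt, like 'show access-list'. (None, 'deny') is the implicit deny."""
    for line_no, ace in enumerate(acl, start=1):
        if _matches(ace, pkt):
            ace.hitcnt += 1
            return line_no, ace.action
    return None, "deny"


def nat_outbound(pkt: Packet) -> Packet:
    """Assumed dynamic PAT: inside sources leave the outside interface as NAT_OUTSIDE_ADDR."""
    if any(ipaddress.ip_address(pkt.src) in net for net in INSIDE_NETS):
        return Packet(pkt.proto, NAT_OUTSIDE_ADDR, pkt.dst, pkt.dport)
    return pkt


def outbound_on_outside(acl: List[Ace], pkt: Packet) -> Tuple[Optional[int], str]:
    """'access-group inside_access_out out interface outside': the ACL sees the post-NAT packet."""
    return evaluate(acl, nat_outbound(pkt))


def inbound_on_inside(acl: List[Ace], pkt: Packet) -> Tuple[Optional[int], str]:
    """'access-group inside_access_out in interface inside': the ACL sees the original packet."""
    return evaluate(acl, pkt)


if __name__ == "__main__":
    https = Packet("tcp", "10.14.2.39", EXTERNAL, 443)
    for attach, fn in (("out interface outside", outbound_on_outside), ("in interface inside", inbound_on_inside)):
        acl = build_acl()
        line_no, action = fn(acl, https)
        print(f"{attach}: matched line {line_no} ({action}); hitcnt per line: {[a.hitcnt for a in acl]}")
```

Run it and the outbound-on-outside case lands on line 10 (tcp any any eq https) with lines 1 to 8 untouched, which is exactly the hitcnt pattern in the question; the inbound-on-inside case lands on line 1. The same model also shows why the "permit ip host 10.14.2.39 any" entry on line 2 can never be hit on the outside interface: no packet there carries a 10.x source once PAT has run.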

New Member

Re: ACL Problem

Ah, I think you're right. I'm going to try applying the ACL for inbound filtering on the inside interface instead.

Thanks, I'll try that tonight.
