Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

PIX ACL not hitting


I'm new at PIX configuration and have the following pb :

I have 2 PIX connected via VPN LAN-to-LAN.

Network_A behind PIX_A and network_B behind PIX_B can fully communicate.

Then I want to prevent one PC (PC_A) from network_A to communicate with one PC (PC_B) in network_B.

To do that, I configured an ACL on PIX_A :

access-list ACL_A_inside deny ip host <PC_A IPaddr> host <PC_B IPaddr>

access-list ACL_A_inside permit ip <network_A> <network_mask> <network_B> <network_mask>

access-list ACL_A_inside deny ip any any

access-group ACL_A_inside in interface inside

The problem is that PC_A can still initiate the communication (ping, http ...) to PC_B and when issuing the sh access-list ACL_A_inside command, I have 0 hitcnt nor for the deny ACE concerning the 2 PCs, neither for the permit ACE concerning the networks.

I only have 2 or 3 matches for the last deny ip any any but appeared before trying to ping or http from PC_A to PC_B.

I can't understand. All is getting as if I had no ACL configured, or no deny ACE.

Can anyone help me please ?

Thanks in advance


Re: PIX ACL not hitting

You will have to remove the sysopt connection permit-ipsec or permit-vpn command. This will cause all of your ipsec vpn traffic to have to be allowed in any of your interface acls.

CreatePlease to create content