PIX ACL not hitting

cminard
Level 1

Hi

I'm new at PIX configuration and have the following problem:

I have 2 PIX connected via VPN LAN-to-LAN.

Network_A behind PIX_A and network_B behind PIX_B can fully communicate.

Now I want to prevent one PC (PC_A) in network_A from communicating with one PC (PC_B) in network_B.

To do that, I configured an ACL on PIX_A:

access-list ACL_A_inside deny ip host <PC_A IPaddr> host <PC_B IPaddr>

access-list ACL_A_inside permit ip <network_A> <network_mask> <network_B> <network_mask>

access-list ACL_A_inside deny ip any any

access-group ACL_A_inside in interface inside

The problem is that PC_A can still initiate communication (ping, http ...) to PC_B, and when I issue the sh access-list ACL_A_inside command I have 0 hitcnt both for the deny ACE concerning the 2 PCs and for the permit ACE concerning the networks.

I only have 2 or 3 matches for the last deny ip any any, but those appeared before I tried to ping or http from PC_A to PC_B.

I can't understand it. Everything behaves as if I had no ACL configured, or no deny ACE.

Can anyone help me please?

Thanks in advance

1 Reply

acomiskey
Level 10

You will have to remove the sysopt connection permit-ipsec or permit-vpn command. This will cause all of your IPsec VPN traffic to have to be allowed in any of your interface ACLs.
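As an added illustration (not the poster's configuration or the reply's exact commands), this is how the suggested change fits together with the original ACL. The addresses are constructed placeholders: network_A 10.1.0.0/24 with PC_A 10.1.0.50 behind PIX_A, network_B 10.2.0.0/24 with PC_B 10.2.0.50 behind PIX_B. The outside ACL and its name ACL_A_outside are assumptions that follow from the reply: once the bypass is gone, decrypted traffic arriving from PIX_B is also evaluated by the outside interface ACL.

```cisco
! Added example, not the thread's own config. Addresses are constructed placeholders.
! network_A = 10.1.0.0/24 (PC_A = 10.1.0.50), network_B = 10.2.0.0/24 (PC_B = 10.2.0.50)

! 1. Stop IPsec-protected traffic from bypassing the interface ACLs.
!    PIX 6.x syntax:
no sysopt connection permit-ipsec
!    PIX 7.x / ASA syntax (use whichever your version accepts):
! no sysopt connection permit-vpn

! 2. Inside ACL, evaluated top-down; the first matching ACE wins, so the
!    host-to-host deny must sit above the network-to-network permit.
access-list ACL_A_inside deny ip host 10.1.0.50 host 10.2.0.50
access-list ACL_A_inside permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list ACL_A_inside deny ip any any
access-group ACL_A_inside in interface inside

! 3. Assumed companion ACL: with the bypass removed, traffic coming out of the
!    tunnel is checked on the outside interface too, so it needs an explicit permit.
access-list ACL_A_outside permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-group ACL_A_outside in interface outside

! 4. Verify: the hitcnt on the deny ACE should now increment when PC_A
!    tries to reach PC_B, and the ping/http attempt should fail.
show access-list ACL_A_inside
```

The ordering in step 2 is the detail to check when an ACL "never hits": a more general permit placed above the specific deny would match first and the deny would stay at zero even with the bypass removed.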
