Access list question

I am trying to create an access list and the pix is not accepting it. I thought for sure I'm typing this correctly, but something must be wrong. I have a dmz setup on the pix and one machine located inside the dmz. I want to allow that machine to send syslog data from it to my workstation. Here's the access list I created:

access-list dmz permit udp host 10.1.1.1 host 10.2.1.24 eq 514

I've also tried substituting syslog for the port number and any for the host 10.2.1.24.

Looks pretty simple to me, but the pix doesn't like it.

Thanks for the advice.

Chris

9 Replies

varakantam
Level 1

try

"access-list dmz extended permit udp host 10.1.1.1" you are using an extended version.

thanks for the reply. I gave this a shot, but it didn't work. Once again, I get the syntax rules when I try to enter the command.

flopez
Level 1

Don't forget to apply the access-list to an interface.

access-group in interface dmz

Thanks. I'll keep that in mind once I get the access-list accepted.

Can you please paste the console logs? The syntax is correct, and I guess maybe you might have maxed out the ACL limit.

Do:

logging console enable debugging

Then try to create the access-list.

Okay, this is odd. I did the logging command above, it gave me a usage message: Usage: clear logging. Then, I tried entering the command again and it took! I just have a few items in that access list and here they are:

access-list dmz permit tcp host 10.20.10.11 any eq smtp

access-list dmz permit udp host 10.20.10.11 any eq domain

access-list dmz permit tcp host 10.20.10.11 any eq www

access-list dmz permit udp host 10.20.10.11 host 10.20.102.24 eq syslog

I'm still not getting the syslog on my box, but I'm not seeing anything blocking the syslog traffic.

Thanks,

Chris

Assuming the ACL has been configured as well as applied on the interface, some sort of NAT/PAT needs to be configured.

Try applying the commands:

static (inside,dmz) 10.20.102.0 10.20.102.0 netmask 255.255.255.0

static (dmz,inside) 10.20.10.0 10.20.10.0 netmask 255.255.255.0

These commands will technically disable the NAT for traffic between the dmz and inside.

rob_lay
Level 1

Hi,

A couple of questions: what version of PIX OS are you running on your PIX?

Also, are you not seeing anything in the logs dropping the traffic? If not, then add an ACL line at the end of the ACL which says "deny ip any any". Whilst there is an implied deny statement at the end of each ACL, traffic dropped by this implied statement is not logged; if you add the deny ip any any line at the end, then traffic dropped will be logged. This is useful for troubleshooting: if it's being dropped by this rule, then you can see why it's missing the other rules. Once you've fixed the problems, you can remove the line and free up your logs again.

Cheers

Rob
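Putting the replies together, here is an added example configuration (it was not posted by anyone in the thread) that shows every piece the replies mention in one place: the ACL with the lines Chris posted, binding it to the interface with access-group, the identity static translations so DMZ-to-inside traffic has a NAT entry, and an explicit final deny so that dropped packets appear in the logs while troubleshooting. It assumes PIX 6.x-style syntax (the `extended` keyword belongs to PIX 7.0 and later), interface names `inside` and `dmz`, and the console logging level; the addresses are the ones from the thread.

```text
! Added example (not from the thread): PIX 6.x-style configuration
! assembling the pieces suggested in the replies. Addresses are the
! ones Chris posted; the interface names inside/dmz are assumed.

! Turn logging on and show messages on the console at debugging level
! so rejected commands and ACL denies are visible while testing.
logging on
logging console debugging

! The DMZ host's outbound services (as posted), plus UDP/514 syslog
! to the workstation on the inside network.
access-list dmz permit tcp host 10.20.10.11 any eq smtp
access-list dmz permit udp host 10.20.10.11 any eq domain
access-list dmz permit tcp host 10.20.10.11 any eq www
access-list dmz permit udp host 10.20.10.11 host 10.20.102.24 eq syslog

! Explicit final deny: hits on it are logged as ACL denies, whereas
! drops by the implicit deny are not. Remove it once the problem is found.
access-list dmz deny ip any any

! An ACL does nothing until it is bound to an interface.
access-group dmz in interface dmz

! Identity (same-address) statics so traffic between dmz and inside
! has a translation without the addresses actually being changed.
static (inside,dmz) 10.20.102.0 10.20.102.0 netmask 255.255.255.0
static (dmz,inside) 10.20.10.0 10.20.10.0 netmask 255.255.255.0
```

After applying this, `show access-list dmz` displays a hit count per line, so you can tell whether syslog packets are matching the permit line or falling through to the final deny; the console log then says which flow was dropped and by which ACL. Leave the explicit deny in place only as long as you are troubleshooting, as Rob suggests, since it generates a log message for every packet the implicit deny would have dropped silently.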

Thanks for the help, everybody. Not sure what was different, but I typed the command in again and it worked. I guess I wasn't holding my jaw right.