I am trying to create an access list and the pix is not accepting it. I thought for sure I'm typing this correctly, but something must be wrong. I have a dmz setup on the pix and one machine located inside the dmz. I want to allow that machine to send syslog data from it to my workstation. Here's the access list I created:

access-list dmz permit udp host 10.1.1.1 host 10.2.1.24 eq 514

I've also tried substituting syslog for the port number and any for the host 10.2.1.24.
Looks pretty simple to me, but the pix doesn't like it.
Thanks for the advice.
Thanks for the reply. I gave this a shot, but it didn't work. Once again, I get the syntax rules when I try to enter the command.
Can you please paste the console logs? The syntax is correct, and I guess maybe you might have maxed out the ACL limit.
logging console enable debugging
try to create access-list then
Okay, this is odd. I did the logging command above, it gave me a usage message: Usage: clear logging. Then, I tried entering the command again and it took! I just have a few items in that access list and here they are:
access-list dmz permit tcp host 10.20.10.11 any eq smtp
access-list dmz permit udp host 10.20.10.11 any eq domain
access-list dmz permit tcp host 10.20.10.11 any eq www
access-list dmz permit udp host 10.20.10.11 host 10.20.102.24 eq syslog
I'm still not getting the syslog on my box, but I'm not seeing anything blocking the syslog traffic.
Assuming the ACL has been configured as well as being applied on the interface, some sort of NAT/PAT needs to be configured.
try applying the commands:
static (inside,dmz) 10.20.102.0 10.20.102.0 netmask 255.255.255.0
static (dmz,inside) 10.20.10.0 10.20.10.0 netmask 255.255.255.0
These commands will technically disable the NAT for traffic between the dmz and inside.
A couple of questions: what version of PIX OS are you running on your PIX?
Also, are you not seeing anything in the logs dropping the traffic? If not, then add an ACL line at the end of the ACL which says "deny ip any any". Whilst there is an implied deny statement at the end of each ACL, traffic dropped by this implied statement is not logged; if you add the deny ip any any line at the end, then traffic dropped will be logged. This is useful for troubleshooting: if it's being dropped by this rule, then you can see why it's missing the other rules. Once you've fixed the problems, you can remove the line and free up your logs again.
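As an added example (not posted by anyone in this thread, and not PIX code), the following Python script re-implements first-match ACL evaluation for the access-list lines pasted above, so you can check offline which entry a given syslog packet hits, and see the difference between the unlogged implicit deny and an explicit "deny ip any any" at the end. The ACL lines and test packets are constructed from the thread; the helper names are hypothetical.

```python
import ipaddress

# Named ports as they appear in the thread's PIX access-list lines (IANA well-known numbers).
PORT_NAMES = {"smtp": 25, "domain": 53, "www": 80, "syslog": 514}

def _addr(tok, i):
    """Return (network, next_index) for 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2

def parse_ace(line):
    """Parse one 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' line into a dict."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    ace = {"acl": tok[1], "action": tok[2], "proto": tok[3], "dport": None}
    ace["src"], i = _addr(tok, 4)
    ace["dst"], i = _addr(tok, i)
    if i < len(tok) and tok[i] == "eq":       # optional destination port, numeric or named
        p = tok[i + 1]
        ace["dport"] = int(p) if p.isdigit() else PORT_NAMES[p]
    return ace

def evaluate(acl_lines, proto, src, dst, dport):
    """First-match evaluation as the PIX does it.
    Returns (action, matching line); the line is None when the unlogged implicit deny applied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl_lines:
        ace = parse_ace(line)
        if ace["proto"] not in ("ip", proto):
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], line
    return "deny", None  # implicit deny at the end of every ACL: the PIX does not log these drops

# Constructed sample: the "dmz" ACL from the thread, with and without the explicit logging deny.
DMZ_ACL = [
    "access-list dmz permit tcp host 10.20.10.11 any eq smtp",
    "access-list dmz permit udp host 10.20.10.11 any eq domain",
    "access-list dmz permit tcp host 10.20.10.11 any eq www",
    "access-list dmz permit udp host 10.20.10.11 host 10.20.102.24 eq syslog",
]
DMZ_ACL_LOGGED = DMZ_ACL + ["access-list dmz deny ip any any"]

if __name__ == "__main__":
    print(evaluate(DMZ_ACL, "udp", "10.20.10.11", "10.20.102.24", 514))   # permit, syslog line
    print(evaluate(DMZ_ACL, "udp", "10.20.10.11", "10.20.102.25", 514))   # deny, None (silent)
    print(evaluate(DMZ_ACL_LOGGED, "udp", "10.20.10.11", "10.20.102.25", 514))  # deny, logged line
```

If the script says the syslog packet is permitted but nothing reaches the workstation, the ACL is not the problem, which is exactly the point at which to check the NAT/PAT statics suggested above.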
Thanks for the help, everybody. Not sure what was different, but I typed the command in again and it worked. I guess I wasn't holding my jaw right.