01-25-2006 09:38 AM - edited 02-20-2020 09:35 PM
I am trying to create an access list and the pix is not accepting it. I thought
for sure I'm typing this correctly, but something must be wrong. I have a dmz setup on the pix and one machine located inside the dmz. I want to allow that machine to send syslog data from it to my workstation. Here's the access list I created:
access-list dmz permit udp host 10.1.1.1 host 10.2.1.24 eq 514. I've also tried
substituting syslog for the port number and any for the host 10.2.1.24.
Looks pretty simple to me, but the pix doesn't like it.
Thanks for the advice.
Chris
01-25-2006 10:44 AM
try
"access-list dmz extended permit udp host 10.1.1.1" you are using an extended version.
01-25-2006 11:54 AM
thanks for the reply. I gave this a shot, but it didn't work. Once again, I get the syntax rules when I try to enter the command.
01-25-2006 11:58 AM
Don't forget to apply the access-list to an interface.
access-group
01-25-2006 12:08 PM
Thanks. I'll keep that in mind once I get the access-list accepted.
01-25-2006 02:34 PM
Can you please paste the console logs? The syntax is correct and I guess maybe you might have maxed out the ACL limit
do
logging console enable debugging
try to create access-list then
01-26-2006 05:53 AM
Okay, this is odd. I did the logging command above, it gave me a usage message: Usage: clear logging. Then, I tried entering the command again and it took! I just have a few items in that access list and here they are:
access-list dmz permit tcp host 10.20.10.11 any eq smtp
access-list dmz permit udp host 10.20.10.11 any eq domain
access-list dmz permit tcp host 10.20.10.11 any eq www
access-list dmz permit udp host 10.20.10.11 host 10.20.102.24 eq syslog
I'm still not getting the syslog on my box, but I'm not seeing anything blocking the syslog traffic.
Thanks,
Chris
01-26-2006 02:46 PM
assuming the acl has been configured as well as being applied on the interface, some sort of nat/pat needs to be configured.
try applying the commands:
static (inside,dmz) 10.20.102.0 10.20.102.0 netmask 255.255.255.0
static (dmz,inside) 10.20.10.0 10.20.10.0 netmask 255.255.255.0
these commands will technically disable the nat for traffic between the dmz and inside.
01-29-2006 03:17 AM
Hi,
A couple of questions, what version of Pix OS are you running on your PIX??
Also, are you not seeing anything in the logs dropping the traffic? If not, then add an ACL line at the end of the ACL which says "deny ip any any". Whilst there is an implied deny statement at the end of each ACL, traffic dropped by this implied statement is not logged; if you add the deny ip any any line in at the end, then traffic dropped will be logged. This is useful for troubleshooting: if it's being dropped by this rule then you can see why it's missing the other rules. Once you've fixed the problems then you can remove the line and free up your logs again.
Cheers
Rob
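An added illustration (not from any poster in this thread) of the two points above: a minimal evaluator for PIX-style access-list lines that walks Chris's posted ACL in first-match order and reports which line a packet hits, returning line None for the implicit deny so the difference from an explicit, loggable "deny ip any any" is visible. The port-name table and the `ip` wildcard protocol handling are assumptions for the example.

```python
# Added example, not from the thread: a minimal evaluator for PIX-style
# access-list lines (first match wins; unmatched traffic is the unlogged implicit deny).
import ipaddress

PORT_NAMES = {"smtp": 25, "domain": 53, "www": 80, "syslog": 514}  # assumed mapping

# The ACL Chris posted, copied here as sample input
ACL_TEXT = """
access-list dmz permit tcp host 10.20.10.11 any eq smtp
access-list dmz permit udp host 10.20.10.11 any eq domain
access-list dmz permit tcp host 10.20.10.11 any eq www
access-list dmz permit udp host 10.20.10.11 host 10.20.102.24 eq syslog
"""

def _addr(tokens):
    # Consume "any" or "host A.B.C.D"; return (network, remaining tokens)
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    raise ValueError("unsupported address form: " + tokens[0])

def parse_acl(text):
    # Parse "access-list NAME [extended] ACTION PROTO SRC DST [eq PORT]"
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        t = t[3:] if t[2] == "extended" else t[2:]
        action, proto, t = t[0], t[1], t[2:]
        src, t = _addr(t)
        dst, t = _addr(t)
        port = None
        if t and t[0] == "eq":
            port = PORT_NAMES.get(t[1]) or int(t[1])
        rules.append((action, proto, src, dst, port))
    return rules

def evaluate(rules, proto, src, dst, dport):
    # First matching rule wins and returns its 1-based line number;
    # no match is the implicit deny, reported as line None (nothing logged).
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, (action, p, sn, dn, port) in enumerate(rules, 1):
        if p not in ("ip", proto) or s not in sn or d not in dn:
            continue
        if port is not None and port != dport:
            continue
        return action, n
    return "deny", None
```

Appending `access-list dmz deny ip any any` to ACL_TEXT makes every previously unmatched packet hit line 5 instead of None, which is the logged catch-all Rob describes.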
01-30-2006 12:22 PM
Thanks for the help, everybody. Not sure what was different, but I typed the command in again and it worked. I guess I wasn't holding my jaw right.