08-13-2006 11:55 PM - edited 02-21-2020 01:06 AM
Hi all,
Last weekend we ran into an ACL problem on a PIX 501 (running OS 6.3(4)). A colleague of mine needed to add a rule to the ACL applied to the outside interface. He isn't used to handling a PIX, so he did what he normally does on a Cisco device, which is a "no access-list outside-acl" and then he remakes the ACL with all the previous rules in there. (He does this in 1 paste.)
On the PIX, however, this produced some problems. Seemingly, everything was pasted OK (read: no errors reported), but afterwards my colleague noticed problems with connectivity through the firewall. He didn't troubleshoot this further; he just reloaded the PIX, which fixed the issue. He then called me to ask what to do and I had him add the rule the way I'm used to doing it, which is to prepare 1 paste to: add the rule, remove the deny any any and add the deny any any (moving it back to the end). There might be better ways to do this (feel free to suggest some, thanks).
My question is now: does anybody have any idea what might have caused the connectivity issues? I am -guessing- that doing a "no access-list acl-outside" not only removed the ACL, but also removed the ACL named "acl-outside" from being applied to the outside interface. That way, after recreating the ACL, the ACL was there, but it wasn't applied on any interface.
That is just my guess though, does anyone with more PIX experience agree or disagree with this?
Thanks in advance for the feedback.
With kind regards,
Kevin Huysmans
08-14-2006 02:37 AM
Hi .. if you are using that version of software then you don't need to do the copy/paste procedure. You can simply do a show access-list
access-list Packet_Capture line 1 permit tcp host 10.11.240.40 any eq https (hitcnt=0)
access-list Packet_Capture line 2 permit tcp host 10.11.240.40 any eq www (hitcnt=0)
access-list Packet_Capture line 3 permit ip host 10.11.240.40 any (hitcnt=0)
you can insert
access-list Packet_Capture line 2 permit tcp host 10.11.240.40 any eq ftp
and the end results will be
access-list Packet_Capture line 1 permit tcp host 10.11.240.40 any eq https (hitcnt=0)
access-list Packet_Capture line 2 permit tcp host 10.11.240.40 any eq ftp (hitcnt=0)
access-list Packet_Capture line 3 permit tcp host 10.11.240.40 any eq www (hitcnt=0)
access-list Packet_Capture line 4 permit ip host 10.11.240.40 any (hitcnt=0)
In regards to the connectivity issue, it is really difficult to tell, as the way your friend performed the procedure is not correct. He was supposed to remove the access-list from the interface first, then modify the access-list, and finally apply the access-list to the interface.
I hope it helps .. please rate it if it does !!
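The two editing methods discussed in this thread (the answer's `access-list NAME line N ...` insertion on PIX 6.3, and the questioner's paste of "add rule, remove deny any any, re-add deny any any") differ only in how the final rule order comes out, and the way to be sure before pasting is to model the result. The following Python is an added example, not code from either post or from Cisco. It models the PIX 6.3 behaviour shown in the answer: a command with a `line N` keyword inserts before the current line N and renumbers what follows, a command without it appends at the end, `no access-list NAME <ace>` removes that one entry and `no access-list NAME` wipes the whole list. It does not model the `access-group` interface binding, since the thread does not settle what `no access-list NAME` does to it. The `Packet_Capture` entries are the ones from the answer above; the `acl-outside` entries and the 192.0.2.10 address are constructed sample data.

```python
import re
from dataclasses import dataclass, field

# Matches one line of `show access-list` output, with or without a hit counter.
SHOW_LINE = re.compile(
    r"^access-list (?P<name>\S+) line (?P<num>\d+) (?P<ace>.+?)(?: \(hitcnt=\d+\))?$"
)


@dataclass
class Acl:
    """Ordered ACL model; `entries` holds ACE strings without name, line or hitcnt."""
    name: str
    entries: list = field(default_factory=list)

    def apply(self, cmd: str) -> None:
        """Apply one PIX-style `access-list` / `no access-list` command (assumed 6.3 semantics)."""
        words = cmd.split()
        negate = words[0] == "no"
        if negate:
            words = words[1:]
        if len(words) < 2 or words[0] != "access-list" or words[1] != self.name:
            raise ValueError(f"command does not target ACL {self.name}: {cmd}")
        rest = words[2:]
        if negate:
            if not rest:
                self.entries.clear()          # `no access-list NAME` wipes every ACE
                return
            self.entries.remove(" ".join(rest))  # ValueError if that ACE is not present
            return
        if len(rest) >= 2 and rest[0] == "line":
            num = int(rest[1])
            if not 1 <= num <= len(self.entries) + 1:
                raise ValueError(f"line {num} out of range for {self.name}")
            self.entries.insert(num - 1, " ".join(rest[2:]))  # later lines shift down
            return
        self.entries.append(" ".join(rest))   # no `line` keyword: append at the end

    def show(self) -> list:
        """Render like `show access-list`, without hit counters."""
        return [f"access-list {self.name} line {i} {ace}"
                for i, ace in enumerate(self.entries, start=1)]


def parse_show_access_list(text: str) -> Acl:
    """Build an Acl from pasted `show access-list` output for a single ACL."""
    acl = None
    for raw in text.strip().splitlines():
        m = SHOW_LINE.match(raw.strip())
        if not m:
            continue
        if acl is None:
            acl = Acl(m.group("name"))
        elif m.group("name") != acl.name:
            raise ValueError("mixed ACL names in input")
        acl.entries.append(m.group("ace"))
    if acl is None:
        raise ValueError("no access-list lines found")
    return acl


def insert_by_line(acl: Acl, line: int, ace: str) -> list:
    """The answer's method on PIX 6.3: a single command inserted at `line`."""
    return [f"access-list {acl.name} line {line} {ace}"]


def append_before_final_deny(acl: Acl, ace: str, final: str = "deny ip any any") -> list:
    """The questioner's paste: append the rule, then remove and re-add the final deny
    so it moves back to the end. Refuses to build the paste if the deny is not last."""
    if not acl.entries or acl.entries[-1] != final:
        raise ValueError(f"{acl.name} does not end with '{final}'")
    return [
        f"access-list {acl.name} {ace}",
        f"no access-list {acl.name} {final}",
        f"access-list {acl.name} {final}",
    ]


def simulate(acl: Acl, commands: list) -> Acl:
    """Return a copy of `acl` after applying `commands` in order; the input is untouched."""
    result = Acl(acl.name, list(acl.entries))
    for cmd in commands:
        result.apply(cmd)
    return result


# Sample input: the ACL shown in the answer above.
SAMPLE_SHOW = """
access-list Packet_Capture line 1 permit tcp host 10.11.240.40 any eq https (hitcnt=0)
access-list Packet_Capture line 2 permit tcp host 10.11.240.40 any eq www (hitcnt=0)
access-list Packet_Capture line 3 permit ip host 10.11.240.40 any (hitcnt=0)
"""

if __name__ == "__main__":
    acl = parse_show_access_list(SAMPLE_SHOW)
    cmds = insert_by_line(acl, 2, "permit tcp host 10.11.240.40 any eq ftp")
    for line in simulate(acl, cmds).show():
        print(line)
```

Running the model over the answer's example reproduces its "end results" (the ftp rule at line 2, www pushed to line 3). Running `append_before_final_deny` over a constructed `acl-outside` list shows why the questioner's three-command paste works: the new rule lands at the end, and removing and re-adding the deny puts the deny back behind it. The same model makes the colleague's mistake visible: after `no access-list NAME` the entry list is empty, so any connectivity the ACL governed depends entirely on what gets pasted back.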