Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Users might experience few discrepancies in Search results. We are working on this on our side. We apologize for the inconvenience it may have caused.
New Member

ACL issue on PIX 501 6.3(4)

Hi all,

Last weekend we ran into an ACL problem on a PIX 501 (running OS 6.3(4)). A colleague of mine needed to add a rule to the ACL applied to the outside interface. He isn't used to handling a PIX, so he did what he normally does on a Cisco device, which is a "no access-list outside-acl" and then he remakes the ACL with all the previous rules in there. (He does this in 1 paste.)

On the PIX however this produced some problems. Seemingly, everything was pasted OK (read: no errors reported), but afterwards my colleague noticed problems with connectivity through the firewall. He didn't troubleshoot this further, he just reloaded the PIX which fixed the issue. He then called me to ask what to do and I had him add the rule the way I'm used to doing it, which is prepare 1 paste to: add the rule, remove the deny any any and add the deny any any (moving it back to the end). There might be better ways to do this (feel free to suggest some, thanks).

My question is now: does anybody have any idea what might have caused the connectivity issues? I am -guessing- that doing a "no access-list acl-outside" not only removed the ACL, but also removed the ACL named "acl-outside" from being applied to the outside interface. That way, after recreating the ACL, the ACL was there, but it wasn't applied on any interface.

That is just my guess though, does anyone with more PIX experience agree or disagree with this?

Thanks in advance for the feedback.

With kind regards,

Kevin Huysmans

1 REPLY

Re: ACL issue on PIX 501 6.3(4)

Hi .. if you are using that version of software then you don't need to do the copy/paste procedure.You can simply do a show access-list which will show you the entries with line numbers. you can then insert any entry before a line number for example lets say that the output os show access-list < ACl name> reads:

access-list Packet_Capture line 1 permit tcp host 10.11.240.40 any eq https (hitcnt=0)

access-list Packet_Capture line 2 permit tcp host 10.11.240.40 any eq www (hitcnt=0)

access-list Packet_Capture line 3 permit ip host 10.11.240.40 any (hitcnt=0)

you can insert

access-list Packet_Capture line 2 permit tcp host 10.11.240.40 any eq ftp

and the end results will be

access-list Packet_Capture line 1 permit tcp host 10.11.240.40 any eq https (hitcnt=0)

access-list Packet_Capture line 2 permit tcp host 10.11.240.40 any eq ftp (hitcnt=0)

access-list Packet_Capture line 3 permit tcp host 10.11.240.40 any eq www (hitcnt=0)

access-list Packet_Capture line 4 permit ip host 10.11.240.40 any (hitcnt=0)

In regards to the connectivity issue is really difficult to tell as they way your friend perform the procedure is not correct. He was supposed to remove the access-list from the interface first and then modify the access-list and finally apply the access list to the interface.

I hope it helps .. please rate it if it does !!

264
Views
0
Helpful
1
Replies
CreatePlease to create content