Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
440
Views
0
Helpful
1
Replies

ACL issue on PIX 501 6.3(4)

khuysmans
Level 1
Level 1

‎08-13-2006 11:55 PM - edited ‎02-21-2020 01:06 AM

Hi all,

Last weekend we ran into an ACL problem on a PIX 501 (running OS 6.3(4)). A colleague of mine needed to add a rule to the ACL applied to the outside interface. He isn't used to handling a PIX, so he did what he normally does on a Cisco device, which is a "no access-list outside-acl" and then he remakes the ACL with all the previous rules in there. (He does this in 1 paste.)

On the PIX however this produced some problems. Seemingly, everything was pasted OK (read: no errors reported), but afterwards my colleague noticed problems with connectivity through the firewall. He didn't troubleshoot this further, he just reloaded the PIX which fixed the issue. He then called me to ask what to do and I had him add the rule the way I'm used to doing it, which is prepare 1 paste to: add the rule, remove the deny any any and add the deny any any (moving it back to the end). There might be better ways to do this (feel free to suggest some, thanks).

My question is now: does anybody have any idea what might have caused the connectivity issues? I am -guessing- that doing a "no access-list acl-outside" not only removed the ACL, but also removed the ACL named "acl-outside" from being applied to the outside interface. That way, after recreating the ACL, the ACL was there, but it wasn't applied on any interface.

That is just my guess though, does anyone with more PIX experience agree or disagree with this?

Thanks in advance for the feedback.

With kind regards,

Kevin Huysmans

0 Helpful
1 Reply 1

Fernando_Meza
Level 7
Level 7

‎08-14-2006 02:37 AM

Hi .. if you are using that version of software then you don't need to do the copy/paste procedure.You can simply do a show access-list which will show you the entries with line numbers. you can then insert any entry before a line number for example lets say that the output os show access-list < ACl name> reads:

access-list Packet_Capture line 1 permit tcp host 10.11.240.40 any eq https (hitcnt=0)

access-list Packet_Capture line 2 permit tcp host 10.11.240.40 any eq www (hitcnt=0)

access-list Packet_Capture line 3 permit ip host 10.11.240.40 any (hitcnt=0)

you can insert

access-list Packet_Capture line 2 permit tcp host 10.11.240.40 any eq ftp

and the end results will be

access-list Packet_Capture line 1 permit tcp host 10.11.240.40 any eq https (hitcnt=0)

access-list Packet_Capture line 2 permit tcp host 10.11.240.40 any eq ftp (hitcnt=0)

access-list Packet_Capture line 3 permit tcp host 10.11.240.40 any eq www (hitcnt=0)

access-list Packet_Capture line 4 permit ip host 10.11.240.40 any (hitcnt=0)

In regards to the connectivity issue is really difficult to tell as they way your friend perform the procedure is not correct. He was supposed to remove the access-list from the interface first and then modify the access-list and finally apply the access list to the interface.

I hope it helps .. please rate it if it does !!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card