Cisco Support Community
New Member

pix 515 inbound port access

I have a user application that works a little differently than most client/server implementations that I have run across. Once the user logs in, the server (that lives on the external interface of the PIX) looks up the user in its database and finds out their IP address, and then the server starts to communicate with the client at the found IP. I have tried adding access lists for the 2 ports that the server needs, but it has not allowed the server to talk to the client.

Thanks for your assistance,

Todd

4 REPLIES
Silver

Re: pix 515 inbound port access

What does the firewall say? Do the ACEs you configured show the hits? (count=x)

Use logging to troubleshoot. Log everything to the buffer using [logging buffered 7]. Then issue [show log] repeatedly while the server is supposed to be connecting. Look for any entry with that server's IP address.

If you're syslogging your firewall to a server, you can use this instead of [show log] if logging is high enough. [logging trap 7].

-S

New Member

Re: pix 515 inbound port access

Thanks for responding.

No, I haven't seen the hits, is that something that needs to be enabled? I will give the logging a try.

Todd

Silver

Re: pix 515 inbound port access

You don't need to turn on logging for the ACL hit counters to work. They work by default and can be seen by using the [show access-list] command.

With no hits on your ACL, it means the traffic from the server isn't getting to you at all, the traffic is from a different IP than expected, or the traffic is not on the ports you expect.

Using the logging, you'll see exactly what ports the traffic is coming in on, from what address, and whether or not it is denied. That is accomplished with [logging buffered 7] and [logging on]. To see the messages while you're troubleshooting, issue [show log] repeatedly and look for the external or internal address in question.

Silver

Re: pix 515 inbound port access

When you use [show access-list] it will show all ACLs and also show the total number of times traffic has matched each ACE. This will tell you if the server's traffic is making it to the firewall and matching the ACE. This is usually the first step in my troubleshooting process for issues through the PIX.

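The two replies above describe a diagnostic procedure: read the hit counters from [show access-list], then read the buffered log from [show log] and look for the server's address to learn which ports the traffic actually uses and whether it was denied. The script below is an added example (not code from the thread or from Cisco) that applies that reasoning to pasted CLI output. The ACL name, addresses, ports and both blocks of sample output are constructed for the example; the %PIX-4-106023 deny line and the hitcnt suffix follow the PIX message formats, but the values are invented.

```python
import re
from collections import Counter

# Constructed sample of "show access-list" output on a PIX. The ACL "outside_in",
# the server 203.0.113.10, the client 192.0.2.20 and the ports are invented.
SHOW_ACCESS_LIST = """\
access-list outside_in permit tcp host 203.0.113.10 host 192.0.2.20 eq 5000 (hitcnt=0)
access-list outside_in permit tcp host 203.0.113.10 host 192.0.2.20 eq 5001 (hitcnt=0)
access-list outside_in permit tcp any host 192.0.2.20 eq www (hitcnt=37)
"""

# Constructed sample of what "show log" prints after "logging on" and "logging buffered 7".
SHOW_LOG = """\
%PIX-4-106023: Deny tcp src outside:203.0.113.10/40122 dst inside:192.0.2.20/6000 by access-group "outside_in"
%PIX-6-302013: Built inbound TCP connection 4711 for outside:198.51.100.7/51000 (198.51.100.7/51000) to inside:192.0.2.20/80 (192.0.2.20/80)
%PIX-4-106023: Deny tcp src outside:203.0.113.10/40123 dst inside:192.0.2.20/6000 by access-group "outside_in"
%PIX-4-106023: Deny udp src outside:203.0.113.10/40124 dst inside:192.0.2.20/6001 by access-group "outside_in"
"""

# One ACE per line of "show access-list", ending in the hit counter.
ACE_RE = re.compile(
    r'^access-list (?P<acl>\S+) (?P<action>permit|deny) (?P<proto>\S+) '
    r'(?P<match>.+?) \(hitcnt=(?P<hits>\d+)\)$'
)

# ACL deny message: protocol, source interface/address/port, destination, ACL name.
DENY_RE = re.compile(
    r'%PIX-4-106023: Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)


def parse_aces(text):
    """Turn 'show access-list' output into a list of dicts, one per ACE."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            ace = m.groupdict()
            ace["hits"] = int(ace["hits"])
            aces.append(ace)
    return aces


def zero_hit_aces(text, ip):
    """ACEs that name ip and have never matched: the expected traffic never reached them."""
    return [a for a in parse_aces(text) if ip in a["match"] and a["hits"] == 0]


def denies_from(text, ip):
    """Count denied flows from ip by (protocol, destination port), plus the ACLs that dropped them."""
    counts = Counter()
    acls = set()
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m and m.group("src") == ip:
            counts[(m.group("proto"), int(m.group("dport")))] += 1
            acls.add(m.group("acl"))
    return counts, acls


def diagnose(access_list_text, log_text, server_ip, expected_ports):
    """Apply the thread's reasoning: zero hits plus denies in the log means the traffic
    arrives but on other ports; zero hits and no log entries means it never arrives
    (or comes from another address); hits mean the ACEs are doing their job."""
    stale = zero_hit_aces(access_list_text, server_ip)
    denied, acls = denies_from(log_text, server_ip)
    seen_ports = sorted({port for (_, port) in denied})
    if denied:
        verdict = "arriving but denied"
    elif stale:
        verdict = "not reaching the firewall, or from another IP or port"
    else:
        verdict = "ACEs are matching"
    return {
        "zero_hit_aces": len(stale),
        "denied_flows": sum(denied.values()),
        "denied_ports": seen_ports,
        "unexpected_ports": sorted(set(seen_ports) - set(expected_ports)),
        "denying_acls": sorted(acls),
        "verdict": verdict,
    }


if __name__ == "__main__":
    report = diagnose(SHOW_ACCESS_LIST, SHOW_LOG, "203.0.113.10", [5000, 5001])
    for key, value in report.items():
        print(f"{key}: {value}")
```

Paste real [show access-list] and [show log] output into the two strings and pass the server's external address and the ports the vendor told you about. In the constructed sample the two permit ACEs have zero hits while the log shows the server being denied on 6000 and 6001, which is the "traffic is not on the ports you expect" case from the third reply.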