I have a user application that works a little differently than most client/server implementations that I have run across. Once the user logs in, the server (that lives on the external interface of the PIX) looks up the user in its database, finds out their IP address, and then the server starts to communicate with the client at the found IP. I have tried adding access lists for the 2 ports that the server needs, but it has not allowed the server to talk to the client.
What does the firewall say? Do the ACEs you configured show the hits? (count=x)
Use logging to troubleshoot. Log everything to the buffer using [logging buffered 7]. Then issue [show log] repeatedly while the server is supposed to be connecting. Look for any entry with that server's IP address.
If you're syslogging your firewall to a server, you can use this instead of [show log] if logging is high enough. [logging trap 7].
You don't need to turn on logging for the ACL hit counters to work. They work by default and can be seen by using the [show access-list] command.
With no hits on your ACL, it means the traffic from the server isn't getting to you at all, the traffic is from a different IP than expected, or the traffic is not on the ports you expect.
Using the logging, you'll see exactly what ports the traffic is coming in on, from what address, and whether or not it is denied. That is accomplished with [logging buffered 7] and [logging on]. To see the messages while you're troubleshooting, issue [show log] repeatedly and look for the external or internal address in question.
When you use [show access-list], it will show all ACLs and also show the total number of times traffic has matched each ACE. This will tell you if the server's traffic is making it to the firewall and matching the ACE. This is usually the first step in my troubleshooting process for issues through the PIX.
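As an added example (not part of this thread), a small Python script that applies the two checks above offline: it parses constructed PIX syslog lines of the kind [show log] prints for denied and built connections, filters them by the server's IP to report the actual ports and whether each flow was denied, and flags ACEs from [show access-list] output whose hitcnt is 0. The message layouts, interface names and addresses are assumptions, not output from the poster's firewall.

```python
import re

# Constructed sample [show log] output, in the layout PIX/ASA syslog deny (106023)
# and connection-built (302013) messages normally take (an assumption).
SAMPLE_LOG = """\
%PIX-4-106023: Deny tcp src outside:203.0.113.20/40211 dst inside:192.168.10.15/6001 by access-group "outside_in"
%PIX-6-302013: Built inbound TCP connection 9112 for outside:203.0.113.20/40212 (203.0.113.20/40212) to inside:192.168.10.15/6000 (192.168.10.15/6000)
%PIX-4-106023: Deny udp src outside:198.51.100.7/53 dst inside:192.168.10.15/6000 by access-group "outside_in"
"""

# Constructed sample [show access-list] output with per-ACE hit counters.
SAMPLE_ACL = """\
access-list outside_in line 1 extended permit tcp host 203.0.113.20 host 192.168.10.15 eq 6000 (hitcnt=4)
access-list outside_in line 2 extended permit tcp host 203.0.113.20 host 192.168.10.15 eq 6002 (hitcnt=0)
"""

DENY_RE = re.compile(
    r"106023: Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/(?P<sport>\d+)"
    r" dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)
BUILT_RE = re.compile(
    r"302013: Built inbound (?P<proto>\w+) connection \d+ for \w+:(?P<src>[\d.]+)/(?P<sport>\d+)"
    r" .*? to \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)
HIT_RE = re.compile(r"^(access-list \S+ line \d+ .*?) \(hitcnt=(\d+)\)")


def server_flows(log_text, server_ip):
    """Every logged flow sourced from server_ip: (action, proto, src_port, dst_ip, dst_port)."""
    flows = []
    for line in log_text.splitlines():
        for action, rx in (("DENY", DENY_RE), ("BUILT", BUILT_RE)):
            m = rx.search(line)
            if m and m.group("src") == server_ip:
                flows.append((action, m.group("proto").lower(), int(m.group("sport")),
                              m.group("dst"), int(m.group("dport"))))
    return flows


def unexpected_ports(flows, expected_ports):
    """Destination ports the server actually used that the ACL plan did not cover."""
    return sorted({f[4] for f in flows if f[4] not in expected_ports})


def unhit_aces(acl_text):
    """ACEs whose hit counter is still 0, i.e. no traffic has matched them yet."""
    unhit = []
    for line in acl_text.splitlines():
        m = HIT_RE.search(line)
        if m and int(m.group(2)) == 0:
            unhit.append(m.group(1))
    return unhit
```

Run it against real [show log] and [show access-list] output saved to a file and the unexpected-port list tells you which destination port the server is really using.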
I am currently unable to specify the "crypto keyring" command when configuring a VPN connection on my Cisco 2901 router.
The following licenses have been activated on my router: