Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
355
Views
0
Helpful
4
Replies

PIX 7.0 access-list problem

erickflamenco
Level 1
Level 1

‎01-27-2006 04:01 PM - edited ‎02-21-2020 12:40 AM

Hello,

I'm configuring a new pix with 7.0 and having an issue with

access-list inside_access_in extended permit udp any any eq domain

and line 4 with tcp eq www

The traffic pass ok through the pix

when I put:

line 1 permit icmp any any (htcnt = 84573287)

line 2 permit ip any any (htcnt = 128432)

...line 3 permit udp any any eq domain (htcnt=0)

...line 4 permit tcp any any eq www (htcnt=0)

But, If I put:

...line 1 permit icmp any any (htcnt = 84595353)

...line 2 permit udp any any eq domain (htcnt=0)

...line 3 permit tcp any any eq www (htcnt=0)

...line 4 permit ip any any (htcnt=0)

I just have hitcnt in line 1 icmp

and all of the web traffic is down!!!

Do you know, What could be happennig?

Thanks a lot for your help!!!

Erick Flamenco

0 Helpful
4 Replies 4

varakantam
Level 1
Level 1

‎01-28-2006 01:06 AM

a) In the first arangement basically your lines 3 and 4 are useless as they are never hit due to line 2 and evertyhing is permitted which explains being fine

I am not sure why 2 doesn't work but would recommed giving lesser preference to ICMP than anything else.

0 Helpful

fausto-oliveira
Level 1
Level 1

‎01-28-2006 07:44 AM

A question do you have servers on the inside segment ?

Another advice configure logging and see in the firewall logs why the traffic is being denied.

0 Helpful

wferrell
Level 1
Level 1

‎01-28-2006 10:29 PM

I agree that once you entered line two everything was wide open but

I had the same issues the my acl. I can tell you its the syntax but i cant remember the right syntax fix

dont forget to clear xlate and clear your acl counters and enter the ip any any in the last line until you get it right.

adjust the tcp terms in the long run you want to specify scource and destination ips in order to get ROI from you PIX

0 Helpful

rob_lay
Level 1
Level 1

‎01-29-2006 03:07 AM

Hi,

Your first version of the acl is a bit risky, granted it will allow your web traffic but its also allowing everything else. I would also restrict your ICMP line to just the types necessary, do you simply want to allow ping access??

With regards to your web traffic problem, can you configure logging and post the lines that show the traffic being dropped??

You may need to change the logging level for a short while to show the details necessary to sort this.

Cheers

Rob

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card