Cisco Support Community

PIX 7.0 access-list problem

Hello,

I'm configuring a new PIX with 7.0 and having an issue with

access-list inside_access_in extended permit udp any any eq domain

and line 4 with tcp eq www

The traffic passes OK through the PIX

when I put:

line 1 permit icmp any any (hitcnt=84573287)
line 2 permit ip any any (hitcnt=128432)
line 3 permit udp any any eq domain (hitcnt=0)
line 4 permit tcp any any eq www (hitcnt=0)

But if I put:

line 1 permit icmp any any (hitcnt=84595353)
line 2 permit udp any any eq domain (hitcnt=0)
line 3 permit tcp any any eq www (hitcnt=0)
line 4 permit ip any any (hitcnt=0)

I only get a hit count on line 1 (icmp),

and all of the web traffic is down!

Do you know what could be happening?

Thanks a lot for your help!

Erick Flamenco

4 REPLIES

Re: PIX 7.0 access-list problem

a) In the first arrangement, your lines 3 and 4 are basically useless, as they are never hit due to line 2, and everything is permitted, which explains why it works fine.

I am not sure why the second one doesn't work, but I would recommend giving ICMP lower preference than anything else.
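As an added illustration of the first-match point in the reply above (example code written for this page, not from the original thread or from Cisco), here is a small Python model of how an access-list is evaluated: lines are walked top to bottom, the first matching line takes the hit, and anything that reaches the end is denied. The two arrangements are the ones from the post; the sample packets are constructed, and the parser only handles the `permit|deny <proto> any any [eq <port>]` forms used in the thread, which is an assumption. It shows why lines 3 and 4 of the first arrangement can never be hit and which lines the same traffic would land on in the second arrangement. It does not explain the zero hit counts the poster sees in the second arrangement; for that, the later replies suggest turning on logging.

```python
"""First-match ACL model for the PIX thread above (added example, not Cisco code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Port names as they appear in the thread; anything else is taken as a number.
PORT_NAMES = {"domain": 53, "www": 80}


@dataclass
class AclLine:
    text: str
    action: str
    proto: str
    dst_port: Optional[int]  # None means any destination port
    hitcnt: int = 0


def parse_line(text: str) -> AclLine:
    """Parse 'permit|deny <proto> any any [eq <port>]'.
    Only the 'any any' source/destination form from the thread is supported
    (an assumption for this example); anything else raises."""
    tok = text.split()
    if len(tok) < 4 or tok[0] not in ("permit", "deny") or tok[2:4] != ["any", "any"]:
        raise ValueError(f"unsupported ACL syntax: {text!r}")
    port = None
    if len(tok) == 6 and tok[4] == "eq":
        port = PORT_NAMES.get(tok[5])
        if port is None:
            port = int(tok[5])
    return AclLine(text, tok[0], tok[1], port)


def parse_acl(lines: List[str]) -> List[AclLine]:
    return [parse_line(t) for t in lines]


def matches(line: AclLine, pkt: Dict) -> bool:
    # 'ip' matches every protocol; otherwise protocol and (if given) port must agree.
    if line.proto != "ip" and line.proto != pkt["proto"]:
        return False
    if line.dst_port is not None and pkt.get("dport") != line.dst_port:
        return False
    return True


def evaluate(acl: List[AclLine], pkt: Dict) -> str:
    """First match wins and takes the hit; no match means the implicit deny."""
    for line in acl:
        if matches(line, pkt):
            line.hitcnt += 1
            return line.action
    return "deny"


def hit_counts(acl_text: List[str], packets: List[Dict]) -> List[int]:
    """Run the packets through a fresh copy of the ACL and return per-line hitcnt."""
    acl = parse_acl(acl_text)
    for p in packets:
        evaluate(acl, p)
    return [line.hitcnt for line in acl]


def shadowed_lines(acl_text: List[str]) -> List[int]:
    """1-based numbers of lines no packet can reach, because an earlier line
    already matches a superset of their traffic (valid for 'any any' lines)."""
    acl = parse_acl(acl_text)
    dead = []
    for i, later in enumerate(acl):
        for earlier in acl[:i]:
            same_proto = earlier.proto == later.proto
            if earlier.proto == "ip" or (same_proto and earlier.dst_port in (None, later.dst_port)):
                dead.append(i + 1)
                break
    return dead


# The two orderings from the original post.
ARRANGEMENT_1 = ["permit icmp any any", "permit ip any any",
                 "permit udp any any eq domain", "permit tcp any any eq www"]
ARRANGEMENT_2 = ["permit icmp any any", "permit udp any any eq domain",
                 "permit tcp any any eq www", "permit ip any any"]

# Constructed sample traffic: 3 pings, 2 DNS queries, 4 web requests, 1 HTTPS.
SAMPLE_TRAFFIC = (
    [{"proto": "icmp"}] * 3
    + [{"proto": "udp", "dport": 53}] * 2
    + [{"proto": "tcp", "dport": 80}] * 4
    + [{"proto": "tcp", "dport": 443}]
)

if __name__ == "__main__":
    for name, acl in (("arrangement 1", ARRANGEMENT_1), ("arrangement 2", ARRANGEMENT_2)):
        print(name, "hitcnt per line:", hit_counts(acl, SAMPLE_TRAFFIC),
              "shadowed lines:", shadowed_lines(acl))
```

With the first ordering the model puts every non-ICMP packet on line 2, so lines 3 and 4 stay at zero exactly as in the poster's `show access-list` output; with the second ordering the same traffic lands on the DNS and web lines and only the leftover HTTPS packet reaches the final `permit ip any any`. Dropping that last line from the second arrangement makes the HTTPS packet fall through to the implicit deny, which is the behaviour the later replies have in mind when they say to keep `ip any any` last until the rest is right.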


Re: PIX 7.0 access-list problem

A question: do you have servers on the inside segment?

Another piece of advice: configure logging and see in the firewall logs why the traffic is being denied.


Re: PIX 7.0 access-list problem

I agree that once you entered line two everything was wide open, but

I had the same issues with my ACL. I can tell you it's the syntax, but I can't remember the right syntax fix.

Don't forget to clear xlate and clear your ACL counters, and enter the ip any any in the last line until you get it right.

Adjust the TCP terms; in the long run you want to specify source and destination IPs in order to get ROI from your PIX.


Re: PIX 7.0 access-list problem

Hi,

Your first version of the ACL is a bit risky; granted, it will allow your web traffic, but it's also allowing everything else. I would also restrict your ICMP line to just the types necessary. Do you simply want to allow ping access?

With regards to your web traffic problem, can you configure logging and post the lines that show the traffic being dropped?

You may need to change the logging level for a short while to show the details necessary to sort this.

Cheers

Rob
