Cisco Support Community
Community Member

PIX Firewall 525 access list problem

Hi.

I have the following problem. After inserting an access-list, in spite of seeing packets related to the list, these do not "match"; that is to say, it is as if the list was not doing its work.

What can be the cause of this behavior?

PIX Model 525

IOS 6.3(4)

Thanks.

Ramiro Marulanda Z.


5 REPLIES
Community Member

Re: PIX Firewall 525 access list problem

What's the syslog related to this behavior?

Also you may add the following statement to your pix config

access-group acl_name in interface your_intf

Mike

Community Member

Re: PIX Firewall 525 access list problem

Ok, thanks for your help. The behavior is the following one:

this is the access list:

access-list 10 permit udp host 10.2.2.29 host 208.135.186.182 eq syslog

access-group 10 in interface inside

The packets are seen entering the inside interface and going out the outside interface, but no changes are seen in the hits of the access list.

Regards,

R.@.M.

Community Member (Accepted Solution)

Re: PIX Firewall 525 access list problem

Are all the syslogs sent correctly to the remote host? In the affirmative I'd say the UDP connection is never closed by the PIX. Let's say the connection never hits the timeout in the PIX config. So the connection remains open and does not increment the hit count for your access-list. I have a PIX that does the same behaviour.

Also the hit count increment is based on the connection and not on every packet passing by the PIX.

You may use a debug command to see packets going through the PIX.

HTH

Mike
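To make Mike's explanation concrete, here is an added example (not from the thread, and not PIX code) in Python that models an inbound access-list consulted only for packets that do not already belong to a connection entry; the class name, the 120 s idle timeout and the ephemeral source port 40000 are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Constructed model of a stateful firewall applying an inbound access-list:
# the ACL is consulted only when a packet has no live connection entry, and
# a permitted packet creates the entry that later packets of the flow ride on.
# The hit count therefore counts connections, not packets. Names and the
# timeout value are assumptions for illustration, not PIX internals.

@dataclass
class PixAclModel:
    udp_timeout: int = 120                        # assumed idle timeout (s)
    allowed: set = field(default_factory=set)     # ACEs as (src, dst, dport)
    hitcount: dict = field(default_factory=dict)  # ACE -> hitcnt
    conns: dict = field(default_factory=dict)     # 4-tuple -> last-seen time

    def add_ace(self, src, dst, dport):
        self.allowed.add((src, dst, dport))
        self.hitcount[(src, dst, dport)] = 0

    def packet(self, now, src, sport, dst, dport):
        """Return 'conn', 'new' or 'drop' for a UDP packet seen at time now."""
        key = (src, sport, dst, dport)
        last = self.conns.get(key)
        # Existing connection that has not idled out: no ACL lookup at all.
        if last is not None and now - last <= self.udp_timeout:
            self.conns[key] = now
            return "conn"
        # Expire any stale entry, then evaluate the access-list.
        self.conns.pop(key, None)
        ace = (src, dst, dport)
        if ace not in self.allowed:
            return "drop"
        self.hitcount[ace] += 1       # hitcnt moves once per new connection
        self.conns[key] = now
        return "new"

def syslog_scenario(udp_timeout=120):
    """Constructed syslog flow from the thread: 10.2.2.29 -> 208.135.186.182/514."""
    pix = PixAclModel(udp_timeout=udp_timeout)
    pix.add_ace("10.2.2.29", "208.135.186.182", 514)
    # Ten syslog messages 10 s apart, then one more after an hour of silence.
    times = [t * 10 for t in range(10)] + [100 + 3600]
    results = [pix.packet(t, "10.2.2.29", 40000, "208.135.186.182", 514)
               for t in times]
    return results, pix.hitcount[("10.2.2.29", "208.135.186.182", 514)]
```

With the steady 10 s syslog interval the flow never idles out, so the hit count stays at 1 until the long gap forces a new connection; shortening the modelled timeout below the message interval makes every message count.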

Community Member

Re: PIX Firewall 525 access list problem

In my preceding answer I forgot to tell you to use this command. To help you see if the connection is up between hosts:

This command "show local..." will summarize the "sh conn..." and "sh xlate..." commands

sh local 10.2.2.29 detail

You may also try the "show timeout" command to see what timeout is configured on the PIX for UDP connections.

Mike

Community Member

Re: PIX Firewall 525 access list problem

Hi Mike. Your help has been of great use.

I will carry out your recommendations and observe the results.

Thanks again, and regards!

R.@.M.
