Cisco Support Community

Ports denied not shown...


We have a pix with the following configuration.

nameif ethernet2 perim security50

access-list acl_dmz permit tcp any any eq www

access-list acl_dmz permit udp any any eq domain

access-list acl_dmz permit tcp any any eq smtp

logging monitor notifications

access-group acl_dmz in interface perim

static (perim,outside) xx.xx.xx.10 netmask 0 0



Servers on the DMZ used to be able to download Windows Update from the Microsoft site. However, when the administrator tried to download the Windows update recently, it failed. I monitored the PIX as he was doing it, but no ports were being denied. I added the following:

access-list acl_dmz permit tcp any any

It started working. Can someone explain why? Your input is much appreciated.



Re: Ports denied not shown...

As far as I know (really not much, because I don't really like it), Micro$oft uses TCP to resolve DNS queries too.

Normally, DNS uses UDP to resolve names, and TCP for zone transfers and lookups bigger than 512 bytes. But MS uses TCP for resolving too.

Try adding a line to permit the hosts in the DMZ to reach the DNS servers via TCP, and remove the general TCP permit.

I hope it can help you.


Alexis Fidalgo

Systems Engineer

AT&T Argentina


Re: Ports denied not shown...

I just did a quick packet capture for this and it revealed that a connection was made to port 443 during the update. You should be able to just add:

access-list acl_dmz permit tcp any any eq 443

hope this helps,



Re: Ports denied not shown...

Thanks very much Brian.

That was exactly what I needed. I did a sh log and saw that port 443 was being denied. What I am a bit confused about is that when I monitored it (term mon) as the user tried to access the site, I did not see any ports being denied. We have the following logging set on the firewall.

logging on

logging console notifications

logging monitor notifications

logging buffered notifications

Shouldn't a term mon have shown the blocked ports with logging console notifications (5)? As expected, the blocked ports were shown in sh log. They should have shown with term mon as well, true?
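The thread turns on two things: reading the access-group deny messages out of `show logging` to find the port that is actually missing from acl_dmz (port 443, as Brian found), and then adding a port-scoped permit instead of the blanket `permit tcp any any` from the first post. The script below is an added example, not code from the thread or from Cisco. It parses constructed sample `show logging` output (the %PIX-4-106023 deny message layout is the PIX one; the DMZ hosts 10.1.1.5/10.1.1.6, the outside addresses and the non-deny lines are made up), counts denies per protocol and destination port, and prints the narrowest port-scoped permits that would cover them. It also includes a small severity check for the last question: a 106023 deny is severity 4 (warnings), so any destination set to notifications (5) should carry it. The NEVER_PERMIT set is an assumed local policy for ports a DMZ host should not reach on the outside, not something the thread states.

```python
import re
from collections import Counter

# PIX syslog severity levels (0 = emergencies ... 7 = debugging). A message is
# sent to a logging destination when its severity number is <= the level
# configured for that destination (e.g. `logging monitor notifications` = 5).
LEVELS = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

SEV_RE = re.compile(r"%PIX-(?P<sev>[0-7])-(?P<msgid>\d{6}):")

# %PIX-4-106023 is the "packet denied by access-group" message. It is
# severity 4 (warnings), so it is included at notifications (5) and above.
# search() rather than match() so a timestamp prefix does not break parsing.
DENY_RE = re.compile(
    r"%PIX-4-106023: Deny (?P<proto>tcp|udp) "
    r"src (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r'by access-group "(?P<acl>[^"]+)"'
)

# Assumed local policy: ports a DMZ host should never reach on the outside.
# A deny for these is expected and must not be turned into a permit.
NEVER_PERMIT = {("tcp", 445), ("tcp", 139), ("udp", 137), ("udp", 138)}

# Constructed sample of `show logging` output (addresses and hosts made up).
SAMPLE_LOG = """\
%PIX-5-111008: User 'enable_15' executed the 'show logging' command.
%PIX-4-106023: Deny tcp src perim:10.1.1.5/1038 dst outside:207.46.2.10/443 by access-group "acl_dmz"
%PIX-4-106023: Deny tcp src perim:10.1.1.5/1039 dst outside:207.46.2.10/443 by access-group "acl_dmz"
%PIX-4-106023: Deny tcp src perim:10.1.1.6/1100 dst outside:207.46.2.11/443 by access-group "acl_dmz"
%PIX-4-106023: Deny tcp src perim:10.1.1.5/1040 dst outside:198.51.100.7/445 by access-group "acl_dmz"
%PIX-4-106023: Deny udp src perim:10.1.1.5/1041 dst outside:198.51.100.8/137 by access-group "acl_dmz"
%PIX-6-302001: Built outbound TCP connection 1001 for faddr 207.46.2.10/80 gaddr xx.xx.xx.10/1037 laddr 10.1.1.5/1037
"""


def visible_at(level_name, line):
    """True if this PIX message reaches a destination configured with
    `logging <destination> <level_name>` (severity <= configured level)."""
    m = SEV_RE.search(line)
    if not m:
        return False
    return int(m.group("sev")) <= LEVELS[level_name]


def parse_denies(log_text, acl=None):
    """One dict per access-group deny line, optionally filtered by ACL name."""
    denies = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m and (acl is None or m.group("acl") == acl):
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            denies.append(d)
    return denies


def denied_ports(denies):
    """Count denies per (protocol, destination port); the missing permit stands out."""
    return Counter((d["proto"], d["dport"]) for d in denies)


def suggest_permits(denies, acl):
    """Return (permit_lines, kept_denied): the narrowest port-scoped permits
    covering the observed denies, and the ports left closed by policy.
    Output is for review only; nothing is pushed to the firewall."""
    permits, kept = [], []
    for (proto, dport), n in denied_ports(denies).most_common():
        if (proto, dport) in NEVER_PERMIT:
            kept.append((proto, dport, n))
            continue
        # Port-scoped rather than `permit <proto> any any`, which was the
        # over-broad fix in the original post.
        permits.append(f"access-list {acl} permit {proto} any any eq {dport}")
    return permits, kept


if __name__ == "__main__":
    denies = parse_denies(SAMPLE_LOG, acl="acl_dmz")
    for (proto, port), n in denied_ports(denies).most_common():
        print(f"{proto}/{port}: {n} denied")
    permits, kept = suggest_permits(denies, "acl_dmz")
    print("\n".join(permits))
    for proto, port, n in kept:
        print(f"! leaving {proto}/{port} denied ({n} hits), per policy")
    print("106023 visible at notifications:",
          visible_at("notifications", SAMPLE_LOG.splitlines()[1]))
```

Run it against real `show logging` output by replacing SAMPLE_LOG with the captured text; with log buffering at notifications the 106023 lines are exactly what `sh log` showed in the thread. The generated line for tcp/443 is the same permit Brian suggested, and the 445/137 denies stay denied rather than being folded into a general TCP permit.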