Cisco Support Community
Ports denied not shown...

Hi,

We have a pix with the following configuration.

nameif ethernet2 perim security50
access-list acl_dmz permit tcp 172.16.16.0 255.255.255.0 any eq www
access-list acl_dmz permit udp 172.16.16.0 255.255.255.0 any eq domain
access-list acl_dmz permit tcp 172.16.16.0 255.255.255.0 any eq smtp
logging monitor notifications
access-group acl_dmz in interface perim
static (perim,outside) xx.xx.xx.10 172.16.16.10 netmask 255.255.255.255 0 0

.

.

Servers on the DMZ used to be able to download Windows Update from the Microsoft site. However, when the administrator tried to download Windows Update recently, it failed. I monitored the PIX as he was doing it, but no ports were being denied. I added the following:

access-list acl_dmz permit tcp 172.16.16.0 255.255.255.0 any

It started working. Can someone explain why? Your input is much appreciated.

Thanks.

3 REPLIES
Re: Ports denied not shown...

As far as I know (really not much, because I don't really like it), Micro$oft uses TCP to resolve DNS queries too.

Normally, DNS uses UDP to resolve names, and TCP for zone transfers and responses larger than 512 bytes. But MS uses TCP for resolving too.

Try adding a line to permit the hosts in the DMZ to reach the DNS servers via TCP, and remove the general TCP permit.

I hope it can help you.

--

Alexis Fidalgo

Systems Engineer

AT&T Argentina

Re: Ports denied not shown...

I just did a quick packet capture for this and it revealed that a connection was made to port 443 during the update. You should be able to just add:

access-list acl_dmz permit tcp 172.16.16.0 255.255.255.0 any eq 443

hope this helps,

Brian

Re: Ports denied not shown...

Thanks very much Brian.

That was exactly what I needed. I did a sh log and saw that port 443 was being denied. What I am a bit confused about is that when I monitored it (term mon) as the user tried to access the site, I did not see any ports being denied. We have the following logging set on the firewall.

logging on
logging console notifications
logging monitor notifications
logging buffered notifications

Shouldn't a term mon have shown the ports blocked with logging console notifications (5)? As expected, the ports blocked were shown in sh log. It should have shown with term mon as well, true?

Thanks.
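The two points in this thread, why TCP/443 was silently dropped by acl_dmz and why a "Deny ... by access-group" message falls within the configured notifications level, can be checked offline with a small evaluator. The following is an added example, not code from the thread or from Cisco: it parses only the access-list syntax used above (permit/deny, protocol, source network and Cisco-style subnet mask, destination "any", optional "eq port"), applies PIX first-match semantics with the implicit deny at the end, and filters a constructed syslog line (in the %PIX-4-106023 format) by a "logging <dest> <level>" setting. The outside address 192.0.2.1, the source port and the Windows Update flow are constructed sample data.

```python
"""Added example: evaluate the thread's acl_dmz against a TCP/443 flow and
check which syslog severity levels would deliver the resulting deny message.
Only the ACL syntax seen in the thread is parsed (assumption)."""
import ipaddress

# PIX accepts well-known names in place of port numbers; only those used here.
PORT_NAMES = {"www": 80, "domain": 53, "smtp": 25, "https": 443}

# "logging <dest> <level>" keywords and their numeric severities.
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}


def parse_acl_line(line):
    """access-list NAME permit|deny PROTO SRC MASK any [eq PORT] -> dict."""
    t = line.split()
    if len(t) < 7 or t[0] != "access-list":
        raise ValueError("unsupported line: " + line)
    if t[6] != "any":
        raise ValueError("only 'any' destinations are handled in this example")
    src = ipaddress.ip_network(f"{t[4]}/{t[5]}", strict=False)  # mask, not wildcard
    dport = None
    if len(t) >= 9 and t[7] == "eq":
        dport = PORT_NAMES.get(t[8]) or int(t[8])
    return {"name": t[1], "action": t[2], "proto": t[3], "src": src, "dport": dport}


def evaluate(acl_lines, proto, src_ip, dport):
    """First matching entry wins; no match means the PIX implicit deny."""
    for ace in (parse_acl_line(l) for l in acl_lines):
        if ace["proto"] != proto:
            continue
        if ipaddress.ip_address(src_ip) not in ace["src"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny (implicit)"


def message_severity(syslog_line):
    """'%PIX-4-106023: ...' -> 4 (the digit between the two dashes)."""
    tag = syslog_line.split(":")[0]
    return int(tag.split("-")[1])


def delivered(syslog_line, logging_level):
    """A destination set to <level> receives messages at that severity or
    more urgent, i.e. numerically less than or equal to it."""
    return message_severity(syslog_line) <= SEVERITY[logging_level]


# The ACL as posted, then the blanket permit the poster added, then Brian's fix.
ORIGINAL_ACL = [
    "access-list acl_dmz permit tcp 172.16.16.0 255.255.255.0 any eq www",
    "access-list acl_dmz permit udp 172.16.16.0 255.255.255.0 any eq domain",
    "access-list acl_dmz permit tcp 172.16.16.0 255.255.255.0 any eq smtp",
]
BLANKET_ACL = ORIGINAL_ACL + ["access-list acl_dmz permit tcp 172.16.16.0 255.255.255.0 any"]
NARROW_ACL = ORIGINAL_ACL + ["access-list acl_dmz permit tcp 172.16.16.0 255.255.255.0 any eq 443"]

# Constructed sample in the %PIX-4-106023 format; addresses and ports are made up.
SAMPLE_DENY = ("%PIX-4-106023: Deny tcp src perim:172.16.16.10/1054 "
               "dst outside:192.0.2.1/443 by access-group acl_dmz")


if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("blanket", BLANKET_ACL), ("narrow", NARROW_ACL)):
        for port in (80, 443, 3389):
            print(f"{label:8s} tcp/{port:<4d} -> {evaluate(acl, 'tcp', '172.16.16.10', port)}")
    for level in ("errors", "warnings", "notifications"):
        print(f"logging <dest> {level:13s} delivers level-4 deny: {delivered(SAMPLE_DENY, level)}")
```

Running it shows TCP/443 hitting the implicit deny under the original list, the blanket permit opening every TCP port (3389 included), and the "eq 443" entry permitting only what Brian's capture showed was needed; the severity check shows a level-4 message is within notifications (5), so the configured level alone would not have hidden it from the monitor.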
