https://community.cisco.com/t5/network-security/pix-7-0-access-list-problem/m-p/500083#M528197 <P>Hello,</P><P></P><P>I'm configuring a new pix with 7.0 and having an issue with</P><P> </P><P>access-list inside_access_in extended permit udp any any eq domain </P><P></P><P>and line 4 with tcp eq www</P><P></P><P>The traffic pass ok through the pix </P><P>when I put:</P><P> </P><P>line 1 permit icmp any any (htcnt = 84573287)</P><P>line 2 permit ip any any (htcnt = 128432)</P><P>...line 3 permit udp any any eq domain (htcnt=0)</P><P>...line 4 permit tcp any any eq www (htcnt=0)</P><P></P><P>But, If I put: </P><P></P><P>...line 1 permit icmp any any (htcnt = 84595353)</P><P>...line 2 permit udp any any eq domain (htcnt=0)</P><P>...line 3 permit tcp any any eq www (htcnt=0)</P><P>...line 4 permit ip any any (htcnt=0)</P><P></P><P>I just have hitcnt in line 1 icmp </P><P>and all of the web traffic is down!!!</P><P></P><P>Do you know, What could be happennig?</P><P></P><P>Thanks a lot for your help!!!</P><P></P><P>Erick Flamenco</P> Fri, 21 Feb 2020 08:40:43 GMT erickflamenco 2020-02-21T08:40:43Z https://community.cisco.com/t5/network-security/pix-7-0-access-list-problem/m-p/500083#M528197 <P>Hello,</P><P></P><P>I'm configuring a new pix with 7.0 and having an issue with</P><P> </P><P>access-list inside_access_in extended permit udp any any eq domain </P><P></P><P>and line 4 with tcp eq www</P><P></P><P>The traffic pass ok through the pix </P><P>when I put:</P><P> </P><P>line 1 permit icmp any any (htcnt = 84573287)</P><P>line 2 permit ip any any (htcnt = 128432)</P><P>...line 3 permit udp any any eq domain (htcnt=0)</P><P>...line 4 permit tcp any any eq www (htcnt=0)</P><P></P><P>But, If I put: </P><P></P><P>...line 1 permit icmp any any (htcnt = 84595353)</P><P>...line 2 permit udp any any eq domain (htcnt=0)</P><P>...line 3 permit tcp any any eq www (htcnt=0)</P><P>...line 4 permit ip any any (htcnt=0)</P><P></P><P>I just have hitcnt in line 1 icmp </P><P>and all of the web traffic is down!!!</P><P></P><P>Do you know, What could be happennig?</P><P></P><P>Thanks a lot for your help!!!</P><P></P><P>Erick Flamenco</P> Fri, 21 Feb 2020 08:40:43 GMT https://community.cisco.com/t5/network-security/pix-7-0-access-list-problem/m-p/500083#M528197 erickflamenco 2020-02-21T08:40:43Z https://community.cisco.com/t5/network-security/pix-7-0-access-list-problem/m-p/500084#M528198 <HTML><HEAD></HEAD><BODY><P>a) In the first arangement basically your lines 3 and 4 are useless as they are never hit due to line 2 and evertyhing is permitted which explains being fine</P><P></P><P>I am not sure why 2 doesn't work but would recommed giving lesser preference to ICMP than anything else.</P></BODY></HTML> Sat, 28 Jan 2006 09:06:03 GMT https://community.cisco.com/t5/network-security/pix-7-0-access-list-problem/m-p/500084#M528198 varakantam 2006-01-28T09:06:03Z https://community.cisco.com/t5/network-security/pix-7-0-access-list-problem/m-p/500085#M528199 <HTML><HEAD></HEAD><BODY><P>A question do you have servers on the inside segment ?</P><P></P><P>Another advice configure logging and see in the firewall logs why the traffic is being denied.</P></BODY></HTML> Sat, 28 Jan 2006 15:44:05 GMT https://community.cisco.com/t5/network-security/pix-7-0-access-list-problem/m-p/500085#M528199 fausto-oliveira 2006-01-28T15:44:05Z https://community.cisco.com/t5/network-security/pix-7-0-access-list-problem/m-p/500086#M528200 <HTML><HEAD></HEAD><BODY><P>I agree that once you entered line two everything was wide open but</P><P>I had the same issues the my acl. I can tell you its the syntax but i cant remember the right syntax fix</P><P>dont forget to clear xlate and clear your acl counters and enter the ip any any in the last line until you get it right.</P><P>adjust the tcp terms in the long run you want to specify scource and destination ips in order to get ROI from you PIX</P></BODY></HTML> Sun, 29 Jan 2006 06:29:34 GMT https://community.cisco.com/t5/network-security/pix-7-0-access-list-problem/m-p/500086#M528200 wferrell 2006-01-29T06:29:34Z https://community.cisco.com/t5/network-security/pix-7-0-access-list-problem/m-p/500087#M528201 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>Your first version of the acl is a bit risky, granted it will allow your web traffic but its also allowing everything else. I would also restrict your ICMP line to just the types necessary, do you simply want to allow ping access??</P><P>With regards to your web traffic problem, can you configure logging and post the lines that show the traffic being dropped?? </P><P>You may need to change the logging level for a short while to show the details necessary to sort this.</P><P></P><P>Cheers</P><P>Rob</P></BODY></HTML> Sun, 29 Jan 2006 11:07:05 GMT https://community.cisco.com/t5/network-security/pix-7-0-access-list-problem/m-p/500087#M528201 rob_lay 2006-01-29T11:07:05Z