<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: pix 515 inbound port access in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/pix-515-inbound-port-access/m-p/295343#M595291</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;You don't need to turn on logging for the ACL hit counters to work. They work by default and can be seen by using the [show access-list] command.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;With no hits on your ACL, it means the traffic from the server isn't getting to you at all, the traffic is from a different IP than expected, or the traffic is not on the ports you expect.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Using the logging, you'll see exactly what ports the traffic is coming in on, from what address, and whether or not it is denied.  That is accomplished with [logging buffered 7] and [logging on].  To see the messages while you're troubleshooting, issue [show log] repeatedly and look for the external or internal address in question.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Tue, 20 Jan 2004 03:30:58 GMT</pubDate>
    <dc:creator>shannong</dc:creator>
    <dc:date>2004-01-20T03:30:58Z</dc:date>
    <item>
      <title>pix 515 inbound port access</title>
      <link>https://community.cisco.com/t5/network-security/pix-515-inbound-port-access/m-p/295339#M595284</link>
      <description>&lt;P&gt;I have a user application that works a little differently than most client/server implementations that I have run across.  Once the user logs in, the server (that lives on the external interface of the pix) looks up the user in its database and finds out their ip address and then the server starts to communicate with the client at the found ip.  I have tried adding access lists for the 2 ports that the server needs, but it has not allowed the server to talk to the client.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks for your assistance,&lt;/P&gt;&lt;P&gt;Todd&lt;/P&gt;</description>
      <pubDate>Fri, 21 Feb 2020 07:12:13 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pix-515-inbound-port-access/m-p/295339#M595284</guid>
      <dc:creator>toddjohnson</dc:creator>
      <dc:date>2020-02-21T07:12:13Z</dc:date>
    </item>
    <item>
      <title>Re: pix 515 inbound port access</title>
      <link>https://community.cisco.com/t5/network-security/pix-515-inbound-port-access/m-p/295340#M595286</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;What does the firewall say?  Do the ACEs you configured show the hits?  (count=x)&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Use logging to troubleshoot.  Log everything to the buffer using [logging buffered 7].  Then issue [show log] repeatedly while the server is supposed to be connecting.  Look for any entry with that server's IP address.  &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If you're syslogging your firewall to a server, you can use this instead of [show log] if logging is high enough. [logging trap 7].&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;-S&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 19 Jan 2004 20:40:05 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pix-515-inbound-port-access/m-p/295340#M595286</guid>
      <dc:creator>shannong</dc:creator>
      <dc:date>2004-01-19T20:40:05Z</dc:date>
    </item>
    <item>
      <title>Re: pix 515 inbound port access</title>
      <link>https://community.cisco.com/t5/network-security/pix-515-inbound-port-access/m-p/295341#M595287</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thanks for responding. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;No, I haven't seen the hits, is that something that needs to be enabled?  I will give the logging a try.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Todd&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 20 Jan 2004 01:35:03 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pix-515-inbound-port-access/m-p/295341#M595287</guid>
      <dc:creator>toddjohnson</dc:creator>
      <dc:date>2004-01-20T01:35:03Z</dc:date>
    </item>
    <item>
      <title>Re: pix 515 inbound port access</title>
      <link>https://community.cisco.com/t5/network-security/pix-515-inbound-port-access/m-p/295342#M595289</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;When you use [show access-list] it will show all ACLs and also show the total number of times traffic has matched each ACE.  This will tell you if the server's traffic is making it to the firewall and matching the ACE.  This is usually the first time in my troubleshooting process for issues through the Pix.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 20 Jan 2004 02:29:35 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pix-515-inbound-port-access/m-p/295342#M595289</guid>
      <dc:creator>shannong</dc:creator>
      <dc:date>2004-01-20T02:29:35Z</dc:date>
    </item>
    <item>
      <title>Re: pix 515 inbound port access</title>
      <link>https://community.cisco.com/t5/network-security/pix-515-inbound-port-access/m-p/295343#M595291</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;You don't need to turn on logging for the ACL hit counters to work. They work by default and can be seen by using the [show access-list] command.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;With no hits on your ACL, it means the traffic from the server isn't getting to you at all, the traffic is from a different IP than expected, or the traffic is not on the ports you expect.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Using the logging, you'll see exactly what ports the traffic is coming in on, from what address, and whether or not it is denied.  That is accomplished with [logging buffered 7] and [logging on].  To see the messages while you're troubleshooting, issue [show log] repeatedly and look for the external or internal address in question.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 20 Jan 2004 03:30:58 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pix-515-inbound-port-access/m-p/295343#M595291</guid>
      <dc:creator>shannong</dc:creator>
      <dc:date>2004-01-20T03:30:58Z</dc:date>
    </item>
  </channel>
</rss>

