topic Re: ACL Problem in Network Security

ACL Problem

niro — Mon, 11 Mar 2019 12:04:18 GMT

I'm running a PIX 525 with software version 7.2(2)...I'm having a weird acl problem. I've inserted a few lines to the beginning of the acl inside_access_out, however the firewall seems to ignore them and just skip to the end. Here is what I get from the show access-list command (My IP is 10.14.2.39):

access-list inside_access_out; 13 elements

access-list inside_access_out line 1 extended permit ip host 10.14.2.39 host x.x.x.x(hitcnt=0) 0x7a832d4

access-list inside_access_out line 2 extended permit ip host 10.14.2.39 any (hitcnt=0) 0x28f7c337

access-list inside_access_out line 3 extended permit tcp host 10.11.2.184 host x.x.x.x eq https (hitcnt=0) 0x428081

access-list inside_access_out line 4 extended permit ip host 10.11.2.184 host x.x.x.x (hitcnt=0) 0x331c68af

access-list inside_access_out line 5 extended permit ip host 10.14.2.30 host x.x.x.x (hitcnt=0) 0x2a424acd

access-list inside_access_out line 6 extended permit ip host 10.14.2.68 host x.x.x.x (hitcnt=0) 0xc049a2b

access-list inside_access_out line 7 extended permit ip host 10.14.2.52 host x.x.x.x (hitcnt=0) 0x8be52cb1

access-list inside_access_out line 8 extended permit ip 192.168.14.0 255.255.255.0 host x.x.x.x (hitcnt=0) 0xfbe0b816

access-list inside_access_out line 9 extended permit tcp any any eq www (hitcnt=10659185) 0xe7714247

access-list inside_access_out line 10 extended permit tcp any any eq https (hitcnt=1505514) 0xec7b1d

access-list inside_access_out line 11 extended permit icmp any any (hitcnt=464352) 0x4416cbd7

access-list inside_access_out line 12 extended permit udp any any (hitcnt=10074659) 0x9c2207a6

access-list inside_access_out line 13 extended permit ip any any (hitcnt=2341790) 0xbc49651

access-group inside_access_out out interface outside

I replaced some IP addresses with x.x.x.x.

As you can see all the lines before the tcp any any www line get a hit count of 0. Any idea why that would be? I know I've initiated www traffic (and many other types of traffic), yet it doesn't seem to register.

Re: ACL Problem

niro — Tue, 19 Feb 2008 15:31:17 GMT

Any ideas why the PIX is doing this?

Re: ACL Problem

acomiskey — Tue, 19 Feb 2008 16:25:38 GMT

I believe this is because since your acl is applied out of the outside interface, your source address is no longer 10.14.2.39, it is whatever you are natting to.

Therefore, your acl would need to be...

access-list inside_access_out line 1 extended permit ip host host x.x.x.x

If you wanted to use the 10. address you could apply the acl into the inside interface

access-group inside_access_out in interface inside

Re: ACL Problem

abinjola — Tue, 19 Feb 2008 16:29:02 GMT

simple..thats because the traffic not matching the ACLs

do this set this capture on Pix which would verify this

acsess-l abc permit ip host 10.x.x.x host x.x.x.x

capture cpo access-l abc packet-length 1518 interface outside

replace the hosts in the above ACL with actual hosts from access-lists where you don't have hit count

Now get me

sh cap cpo

Re: ACL Problem

niro — Tue, 19 Feb 2008 17:07:43 GMT

Ah I think you're right...I'm going to try applying the acl for inbound filtering on the inside interface instead.

Thanks, I'll try that tonight.