Beginner

Access-list statements on Version 7.0(6)

I have an extended ACE configured on a PIX Firewall. The purpose of the Firewall is a choke point coming off of the customer's DMZ into the Production networks.

There are a couple of hosts on networks inside of the Firewall that hosts in the DMZ need access to.

I have configured the ACE based upon sniffer traces which are giving me the destination ports being sought.

For whatever reason, when I do a show access-list command, I do not see the hit counts incrementing for the ports I have opened; even though I know the traffic is making it through based upon the data captured in the sniffer.

Here is an example statement:

access-list outside_inside line 34 extended permit tcp host 172.16.1.8 eq 445 host 198.100.100.147 (hitcnt=0).

Based upon the app launched on the DMZ box, and the traffic captured in the sniffer, this ACE statement should have a hit.

I have tried launching the application over and over in an attempt to see the hit count increment, but to no avail.

I would think that maybe I had these statements configured incorrectly, but I don't think that is the case either.

Any suggestions welcome.

Thank You.

1 REPLY
Enthusiast

Re: Access-list statements on Version 7.0(6)

Can you send me the output from:

show run access-group

show nameif

I'm guessing that access-list outside_inside is applied to your outside interface and there is a different one applied to your DMZ interface.
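As an added example (not part of the thread), a small Python audit that joins the `show run access-group` bindings the reply asks for with the `show access-list` hit counters: for every zero-hit ACE it reports which interface and direction its ACL is applied to, and it also flags an ACE whose `eq` qualifier follows the source host, because in extended ACE syntax that position matches the source port rather than the destination port. The sample output below is constructed from the post's ACE line and the standard `access-group <acl> in interface <nameif>` form.

```python
import re

# Constructed sample output modelled on the post's ACE line and the standard
# `access-group <acl> in interface <nameif>` form; not captured from the thread.
SHOW_RUN_ACCESS_GROUP = """\
access-group outside_inside in interface outside
access-group dmz_in in interface dmz
"""
SHOW_ACCESS_LIST = """\
access-list outside_inside line 34 extended permit tcp host 172.16.1.8 eq 445 host 198.100.100.147 (hitcnt=0)
access-list dmz_in line 1 extended permit tcp host 172.16.1.8 host 198.100.100.147 eq 445 (hitcnt=17)
access-list dmz_in line 2 extended permit tcp any host 198.100.100.147 eq 443 (hitcnt=0)
"""

# Only `host A` and `any` endpoints are parsed; network/mask forms are left out.
ENDPOINT = r"(?:host \S+|any)"
ACE_RE = re.compile(
    rf"^access-list (?P<acl>\S+) line (?P<line>\d+) extended (?P<action>permit|deny) "
    rf"(?P<proto>\S+) (?P<src>{ENDPOINT})(?: eq (?P<sport>\S+))? "
    rf"(?P<dst>{ENDPOINT})(?: eq (?P<dport>\S+))? \(hitcnt=(?P<hits>\d+)\)",
    re.M,
)
BIND_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)", re.M)

def parse_bindings(text):
    """Map ACL name -> (direction, interface nameif) from `show run access-group`."""
    return {acl: (dirn, ifc) for acl, dirn, ifc in BIND_RE.findall(text)}

def audit(access_group_out, access_list_out):
    """One finding per zero-hit ACE: where its ACL is applied, plus syntax checks."""
    bindings = parse_bindings(access_group_out)
    findings = []
    for m in ACE_RE.finditer(access_list_out):
        ace = m.groupdict()
        if int(ace["hits"]) != 0:
            continue
        notes = []
        dirn, ifc = bindings.get(ace["acl"], (None, None))
        if ifc is None:
            notes.append("ACL is not applied to any interface")
        if ace["sport"] and not ace["dport"]:
            # `eq` placed right after the source endpoint matches the SOURCE port;
            # a client connecting from an ephemeral port never matches such an ACE.
            notes.append("eq qualifier follows the source host (source-port match)")
        findings.append({"acl": ace["acl"], "line": int(ace["line"]),
                         "interface": ifc, "direction": dirn, "notes": notes})
    return findings
```

Paste the real `show run access-group` and `show access-list` output into the two strings to run it against a live box; the ACE at line 34 in the sample is reported with the source-port note.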