663 Views, 0 Helpful, 3 Replies

Ability to Test Firewall Rules on PIX 6.x or 7.x?

autobot130
Level 1

Does anyone know if there are any methods, procedures, or commands on a PIX firewall or FWSM to display any matches on the specified ACL?

For example is there a command where I can test if host "x" to host "y" via ACL "z" matches any lines on ACL "z"?

The reason I ask is because I have a PIX firewall that has an ACL that contains over 40,000 elements when I do a "show access-list <name>" to check for hits.

There is no way I'm going to browse through 40,000+ entries of ACL to test to see if I have any hits for a particular source to destination and port # hit.

If my example is confusing, I have another way of explaining that's hopefully better.

Example #2: I would like to issue a command to test if host 10.1.1.1 to 10.3.1.1 port TCP 3389 is permitted on ACL "myaclname".

It shows a match on ACL "myaclname" line #25 and displays the ACL which shows "access-list myaclname line 22 permit tcp 10.1.0.0 255.255.0.0 10.3.1.0 255.255.255.0 eq 3389 (hitcnt=44)"

I'm crossing my fingers hoping to see if this feature is available on PIX 6.x or 7.x or a procedure/method that is equivalent.

3 Replies

vijayasankar
Level 4

Hi Danny,

We do have diagnostic commands/packet trace/packet capture options which will easily help us to test what is going on for a specific traffic.

However, going through your requirements, it appears that you want to test/check whether any matching rules exist in the firewall configuration for a particular type of traffic.

As far as I know, such a feature is not available yet.

It would be a very good feature if it were implemented.

-VJ

Actually... I found my answer after a week, having needed to resolve an issue on the network. I stumbled upon the "packet-tracer" command, which displays LINE by LINE exactly what the PIX firewall's processing does!

This is the greatest PIX command ever developed in my opinion! About time!!! PIX 7.0+ and ASA.

Reference Doc: http://cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml

Anyone who does troubleshooting or configures a PIX or ASA firewall definitely NEEDS this command. Another interesting thing I ran into with an ASA5540 firewall was that SHUN was enabled and blocking a PC that had a virus on it. The SHUN did not have any timers set, so it was on there permanently. I wonder if that's on by default on version 7.2(1)24.
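A worked example for the lookup asked about in this thread, added here and not code from the thread or from Cisco. On PIX 7.0+ and ASA the on-box way is the packet-tracer command from the reply above, e.g. `packet-tracer input inside tcp 10.1.1.1 12345 10.3.1.1 3389` (the interface name `inside` is an assumption), which also reports NAT and the other processing stages. PIX 6.x has no packet-tracer, so the script below answers the narrower question offline: it parses saved `show access-list` output and walks it the way the firewall does, top to bottom, first match wins, implicit deny at the end, and returns the matching line with its hit count instead of making you read 40,000 entries. The sample ACL, its name, line numbers and hit counts are constructed for the example.

```python
"""Offline first-match lookup against saved "show access-list" output (added example, not
Cisco code). Models only the ACL walk, not NAT, interface direction or other packet-tracer stages."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of "show access-list myaclname" output in PIX 7.x / ASA format.
# ACL name, line numbers and hit counts are invented for this example.
SAMPLE_SHOW_ACCESS_LIST = """\
access-list myaclname; 4 elements
access-list myaclname line 1 extended deny tcp host 10.1.1.7 10.3.1.0 255.255.255.0 eq 3389 (hitcnt=3)
access-list myaclname line 2 extended permit tcp 10.1.0.0 255.255.0.0 10.3.1.0 255.255.255.0 eq 3389 (hitcnt=44)
access-list myaclname line 3 extended permit udp any host 10.3.1.53 eq domain (hitcnt=1200)
access-list myaclname line 4 extended permit ip 10.1.0.0 255.255.0.0 any (hitcnt=9)
"""
ENTRY_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) (?:extended )?"
    r"(?P<action>permit|deny) (?P<proto>\S+) (?P<rest>.*?)"
    r"(?: \(hitcnt=(?P<hits>\d+)\))?(?: 0x[0-9a-fA-F]+)?\s*$")
# A few of the symbolic port names the PIX/ASA prints in place of numbers.
NAMED_PORTS = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "domain": 53, "www": 80, "https": 443}
PortSpec = Optional[Tuple[int, int]]  # inclusive (low, high); None means any port

@dataclass
class AclEntry:
    acl: str
    line: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    src_port: PortSpec
    dst: ipaddress.IPv4Network
    dst_port: PortSpec
    hitcnt: Optional[int]
    raw: str

    def matches(self, proto: str, src: str, sport: int, dst: str, dport: int) -> bool:
        # "ip" entries cover every IP protocol; anything else must agree exactly.
        if self.proto != "ip" and self.proto != proto:
            return False
        if ipaddress.ip_address(src) not in self.src or ipaddress.ip_address(dst) not in self.dst:
            return False
        return _port_ok(self.src_port, sport) and _port_ok(self.dst_port, dport)

def _port_ok(spec: PortSpec, port: int) -> bool:
    return spec is None or spec[0] <= port <= spec[1]

def _port(tok: str) -> int:
    return NAMED_PORTS[tok] if tok in NAMED_PORTS else int(tok)

def _take_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # PIX/ASA ACLs carry real subnet masks here, not IOS-style wildcard masks.
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)

def _take_port(tokens: List[str]) -> PortSpec:
    if tokens and tokens[0] == "eq":
        p = _port(tokens[1]); del tokens[:2]
        return (p, p)
    if tokens and tokens[0] == "range":
        lo, hi = _port(tokens[1]), _port(tokens[2]); del tokens[:3]
        return (lo, hi)
    return None

def parse_show_access_list(text: str) -> Tuple[List[AclEntry], List[str]]:
    """Return (entries in ACL order, lines not understood). Unparsed lines are
    reported rather than dropped, so a lookup never silently runs on a partial ACL."""
    entries, unparsed = [], []
    for raw in (ln.strip() for ln in text.splitlines() if ln.strip()):
        m = ENTRY_RE.match(raw)
        if m is None:
            unparsed.append(raw)  # header lines, remarks, anything that is not an ACE
            continue
        tokens = m.group("rest").split()
        try:
            src, sport = _take_addr(tokens), _take_port(tokens)
            dst, dport = _take_addr(tokens), _take_port(tokens)
        except (IndexError, ValueError):  # address/port syntax this parser does not model
            unparsed.append(raw)
            continue
        hits = m.group("hits")
        entries.append(AclEntry(m.group("acl"), int(m.group("line")), m.group("action"), m.group("proto"),
                                src, sport, dst, dport, int(hits) if hits else None, raw))
    return entries, unparsed

def find_match(entries: List[AclEntry], proto: str, src: str, sport: int, dst: str, dport: int) -> Optional[AclEntry]:
    """Walk the ACL top to bottom; None means the flow fell through to the implicit deny."""
    return next((e for e in entries if e.matches(proto, src, sport, dst, dport)), None)

if __name__ == "__main__":
    acl, skipped = parse_show_access_list(SAMPLE_SHOW_ACCESS_LIST)
    for flow in [("tcp", "10.1.1.1", 40000, "10.3.1.1", 3389), ("tcp", "192.168.0.5", 40000, "10.3.1.1", 22)]:
        e = find_match(acl, *flow)
        print(flow, "->", "implicit deny (no matching line)" if e is None else f"{e.action} by line {e.line}: {e.raw}")
```

Paste the real `show access-list <name>` output into `SAMPLE_SHOW_ACCESS_LIST` (or read it from a file) and call `find_match` with the 5-tuple you want to test; the returned entry carries the line number, action and `hitcnt` from the device. Check the `unparsed` list before trusting a result: lines with `object-group` references or other syntax the parser does not model end up there rather than being skipped quietly, so the match you get is never computed over a silently shortened ACL. Note that the source port is part of the lookup because ASA ACEs may carry one; use any ephemeral port when you do not care.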
