Implicit Rule on PIX 515 won't allow traffic

Pete89
Level 2

I have a PIX 515e running 8.0(4) and I am having problems getting an ACL on the outside interface to work. This is not in production, so at this point I just want to see if I can get traffic to come in.

access-list OUTSIDE extended permit icmp any any
access-list OUTSIDE extended permit ip any any
access-list OUTSIDE extended permit tcp any any eq https

access-group OUTSIDE in interface outside

And when I try to hit port 443 on the outside interface I get shut out. Here is the output of the packet tracer:

testfw-hvn-pix515# packet-tracer input outside tcp 10.1.1.1 24552 172.31.1.6 443

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.31.1.6      255.255.255.255 identity

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

It says the implicit rule is stopping the traffic. My understanding is the implicit rule is only used when no access list is applied to an interface, but as you can see I have an ACL applied to the outside interface.

Confused,

P

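The trace in the post carries the diagnosis in two fields that are easy to miss: the phase that reports DROP under the config "Implicit Rule", and the summary's output-interface "NP Identity Ifc", which on PIX/ASA marks traffic addressed to one of the appliance's own interface IPs rather than traffic routed through it. Interface access lists are not consulted for such to-the-box flows, which is why the OUTSIDE ACL never matched here. The Python below is added as an example and is not part of the thread or of any Cisco tool: it parses packet-tracer output in the layout shown above and reports the dropping phase, the rule, and whether the to-the-box condition applies. SAMPLE_DROP is the post's own output trimmed to the relevant blocks; SAMPLE_ALLOW is a constructed counter-example of a flow permitted through the box to an inside host. That the parser copes with phase layouts other than the one shown is an assumption.

```python
"""Summarise a Cisco PIX/ASA packet-tracer trace: dropping phase, rule, and
whether the destination was the appliance itself (to-the-box traffic)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample input: the ACCESS-LIST phase and Result block quoted in the post above,
# with the CLI prompt, earlier phases and status lines trimmed. Test data only.
SAMPLE_DROP = """Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Constructed counter-example (not from the thread): the same ACL permitting a
# flow routed through the box to an inside host.
SAMPLE_ALLOW = """Phase: 3
Type: ACCESS-LIST
Result: ALLOW
Config:
access-group OUTSIDE in interface outside
access-list OUTSIDE extended permit tcp any any eq https
Additional Information:

Result:
output-interface: inside
Action: allow
"""

@dataclass
class Phase:
    number: int
    kind: str
    result: str
    config: List[str] = field(default_factory=list)  # lines under "Config:"

@dataclass
class Trace:
    phases: List[Phase]
    final: Dict[str, str]  # key/value lines of the trailing "Result:" block

    @property
    def dropped_phase(self) -> Optional[Phase]:
        return next((p for p in self.phases if p.result == "DROP"), None)

    @property
    def to_the_box(self) -> bool:
        # "NP Identity Ifc" as output interface means the destination is one of
        # the appliance's own addresses; interface ACLs do not govern that path.
        return self.final.get("output-interface") == "NP Identity Ifc"

def _parse_phase(lines: List[str]) -> Phase:
    phase = Phase(int(lines[0].split(":", 1)[1]), "", "")
    in_config = False
    for ln in lines[1:]:
        key, _, value = ln.partition(":")
        if key == "Type":
            phase.kind = value.strip()
        elif key == "Result":
            phase.result = value.strip()
        elif key == "Config":
            in_config = True
        elif key == "Additional Information":
            in_config = False
        elif in_config:
            phase.config.append(ln.strip())
    return phase

def parse_packet_tracer(text: str) -> Trace:
    """Blank-line-separated blocks: 'Phase:' blocks become Phase objects, the
    trailing 'Result:' block becomes the summary dict, anything else is ignored."""
    phases: List[Phase] = []
    final: Dict[str, str] = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.rstrip() for ln in block.splitlines() if ln.strip()]
        if lines and lines[0].startswith("Phase:"):
            phases.append(_parse_phase(lines))
        elif lines and lines[0].startswith("Result:"):
            for ln in lines[1:]:
                key, _, value = ln.partition(":")
                final[key.strip()] = value.strip()
    return Trace(phases, final)

def explain(trace: Trace) -> str:
    """One-line verdict a troubleshooter can act on."""
    p = trace.dropped_phase
    if p is None:
        return "allowed"
    verdict = f"dropped in phase {p.number} ({p.kind}) by {'; '.join(p.config) or 'unknown rule'}"
    if p.kind == "ACCESS-LIST" and trace.to_the_box:
        verdict += (": destination is the appliance's own interface address, so the interface"
                    " ACL is not consulted; management access (http/ssh) or a static PAT decides")
    reason = trace.final.get("Drop-reason")
    return f"{verdict} [{reason}]" if reason else verdict
```

Run `explain(parse_packet_tracer(SAMPLE_DROP))` to get the verdict for the post's trace; feeding it a trace whose ACL phase says ALLOW and whose output-interface is a real interface name returns plainly "allowed", which is the shape the output takes once the flow is directed to an inside host instead of at the firewall's own address.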
2 Replies

cadet alain
VIP Alumni

Hi,

Do you want to communicate with your router over https, or do you want to communicate with a machine inside which is NATted to the outside address?

If you want the first one, then you have to issue http enable outside

If this is the second option, then you must first do static PAT: static(inside,outside) 443 443

Regards.

Don't forget to rate helpful posts.

Thanks for your answer.

Here is the setup. My edge router is doing a one-to-one NAT with the outside interface of the FW:

router# ip nat inside source static 172.31.1.6 99.99.99.99

Where 172.31.1.6 is the outside interface of my firewall.

The idea was that when site-to-site VPN traffic hits the public IP 99.99.99.99 it would be sent to the FW. I thought I would then need to have the FW's outside interface ready to accept that traffic by tweaking the ACL. So that's not the case?
