01-27-2006 04:01 PM - edited 02-21-2020 12:40 AM
Hello,
I'm configuring a new pix with 7.0 and having an issue with
access-list inside_access_in extended permit udp any any eq domain
and line 4 with tcp eq www
The traffic passes OK through the PIX
when I put:
line 1 permit icmp any any (htcnt = 84573287)
line 2 permit ip any any (htcnt = 128432)
line 3 permit udp any any eq domain (htcnt = 0)
line 4 permit tcp any any eq www (htcnt = 0)
But, if I put:
line 1 permit icmp any any (htcnt = 84595353)
line 2 permit udp any any eq domain (htcnt = 0)
line 3 permit tcp any any eq www (htcnt = 0)
line 4 permit ip any any (htcnt = 0)
I just have hitcnt in line 1 icmp
and all of the web traffic is down!!!
Do you know what could be happening?
Thanks a lot for your help!!!
Erick Flamenco
01-28-2006 01:06 AM
a) In the first arrangement basically your lines 3 and 4 are useless as they are never hit due to line 2, and everything is permitted, which explains being fine.
I am not sure why 2 doesn't work but would recommend giving lesser preference to ICMP than anything else.
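To make the first-match point in the reply above concrete, here is an added Python model (not code from this thread or from Cisco) of PIX-style ACL evaluation: it parses simplified ACEs, reports which lines are shadowed by an earlier line and can never be hit, and simulates hit counts over a few constructed packets. The ACE lists are copies of the two orderings posted above; the packet addresses and `PORTS` table are assumptions for the demo.

```python
import re
from collections import Counter

# The two orderings from the thread (copied from the post).
ACL_A = ["permit icmp any any", "permit ip any any",
         "permit udp any any eq domain", "permit tcp any any eq www"]
ACL_B = ["permit icmp any any", "permit udp any any eq domain",
         "permit tcp any any eq www", "permit ip any any"]

PORTS = {"domain": 53, "www": 80}  # assumed name-to-port table for the demo

def parse_ace(line):
    """Parse a simplified ACE: action proto src dst [eq port]."""
    m = re.fullmatch(r"(permit|deny) (\w+) (\S+) (\S+)(?: eq (\S+))?", line.strip())
    if not m:
        raise ValueError(f"unsupported ACE syntax: {line!r}")
    action, proto, src, dst, port = m.groups()
    dport = None if port is None else int(PORTS.get(port, port))
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

def matches(ace, pkt):
    """Does this ACE apply to the packet? 'ip' matches every protocol."""
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    for side in ("src", "dst"):
        if ace[side] != "any" and ace[side] != pkt[side]:
            return False
    return ace["dport"] is None or ace["dport"] == pkt.get("dport")

def covers(earlier, later):
    """True when every packet matching `later` already matches `earlier`."""
    return ((earlier["proto"] == "ip" or earlier["proto"] == later["proto"])
            and all(earlier[s] == "any" or earlier[s] == later[s] for s in ("src", "dst"))
            and (earlier["dport"] is None or earlier["dport"] == later["dport"]))

def shadowed_lines(acl):
    """1-based line numbers that a preceding line makes unreachable."""
    aces = [parse_ace(line) for line in acl]
    return [i + 1 for i, ace in enumerate(aces) if any(covers(e, ace) for e in aces[:i])]

def hit_counts(acl, packets):
    """Simulate hitcnt: first-match, so only one line per packet is incremented."""
    aces = [parse_ace(line) for line in acl]
    counts = Counter()
    for pkt in packets:
        for i, ace in enumerate(aces):
            if matches(ace, pkt):
                counts[i + 1] += 1
                break
    return dict(counts)

# Constructed sample traffic (documentation addresses, not from the thread).
SAMPLE = [{"proto": "icmp", "src": "10.1.1.5", "dst": "192.0.2.10"}] * 2 + \
         [{"proto": "udp", "src": "10.1.1.5", "dst": "192.0.2.53", "dport": 53}] + \
         [{"proto": "tcp", "src": "10.1.1.5", "dst": "192.0.2.80", "dport": 80}] * 2 + \
         [{"proto": "tcp", "src": "10.1.1.5", "dst": "192.0.2.80", "dport": 443}]
```

Running `shadowed_lines(ACL_A)` reports lines 3 and 4 as unreachable, and `hit_counts(ACL_A, SAMPLE)` leaves them at zero exactly as in the first posted output, while ACL_B gives every line a non-zero count in the model.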
01-28-2006 07:44 AM
A question: do you have servers on the inside segment?
Another piece of advice: configure logging and see in the firewall logs why the traffic is being denied.
01-28-2006 10:29 PM
I agree that once you entered line two everything was wide open but
I had the same issues with my ACL. I can tell you it's the syntax but I can't remember the right syntax fix.
Don't forget to clear xlate and clear your ACL counters, and enter the ip any any in the last line until you get it right.
Adjust the TCP terms; in the long run you want to specify source and destination IPs in order to get ROI from your PIX.
01-29-2006 03:07 AM
Hi,
Your first version of the ACL is a bit risky; granted, it will allow your web traffic, but it's also allowing everything else. I would also restrict your ICMP line to just the types necessary. Do you simply want to allow ping access?
With regards to your web traffic problem, can you configure logging and post the lines that show the traffic being dropped?
You may need to change the logging level for a short while to show the details necessary to sort this.
Cheers
Rob