
PIX 7.0 access-list problem

Level 1


I'm configuring a new pix with 7.0 and having an issue with

access-list inside_access_in extended permit udp any any eq domain

and line 4 with tcp eq www

The traffic passes OK through the pix

when I put:

line 1 permit icmp any any (htcnt = 84573287)

line 2 permit ip any any (htcnt = 128432)

...line 3 permit udp any any eq domain (htcnt=0)

...line 4 permit tcp any any eq www (htcnt=0)

But, if I put:

...line 1 permit icmp any any (htcnt = 84595353)

...line 2 permit udp any any eq domain (htcnt=0)

...line 3 permit tcp any any eq www (htcnt=0)

...line 4 permit ip any any (htcnt=0)

I just have hitcnt in line 1 icmp

and all of the web traffic is down!!!

Do you know what could be happening?

Thanks a lot for your help!!!

Erick Flamenco

4 Replies

Level 1

a) In the first arrangement basically your lines 3 and 4 are useless as they are never hit due to line 2, and everything is permitted, which explains being fine.

I am not sure why 2 doesn't work, but I would recommend giving lesser preference to ICMP than anything else.
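The point in (a) is first-match evaluation: the PIX walks the access-list top to bottom, the first line that matches a packet gets the hit and decides the verdict, and nothing below a `permit ip any any` is ever consulted. The following is an added example, not code from the thread or from Cisco: a toy first-match evaluator with per-line hit counters and a shadow check, run over constructed sample traffic against both of the arrangements posted above. It parses the thread's `permit <proto> any any [eq <service>]` shape; the `domain`/`www` port mapping and the sample packet mix are assumptions. It reproduces the zero counts on lines 3 and 4 of the first arrangement; it does not reproduce the zero counts reported for the second arrangement, which is consistent with the other replies looking for the cause somewhere other than line order (hence the requests for logs).

```python
"""Added example (not from the thread): a first-match ACL evaluator with
hit counters, to show why lines after 'permit ip any any' are never hit.
Every line in the thread uses 'any any', so source/destination addresses
are not modelled here."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Service keywords used on the thread's lines (assumed mapping, subset only)
SERVICES = {"domain": 53, "www": 80}


@dataclass
class AclEntry:
    text: str
    action: str             # "permit" or "deny"
    proto: str              # "ip" matches every protocol
    dport: Optional[int]    # None matches any destination port
    hitcnt: int = 0

    def matches(self, proto: str, dport: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        return self.dport is None or self.dport == dport

    def covers(self, other: "AclEntry") -> bool:
        """True if every packet 'other' could match would already match self."""
        proto_ok = self.proto == "ip" or self.proto == other.proto
        port_ok = self.dport is None or self.dport == other.dport
        return proto_ok and port_ok


def parse_line(line: str) -> AclEntry:
    """Parse 'permit udp any any eq domain' style lines; addresses stay 'any'."""
    tok = line.split()
    action, proto = tok[0], tok[1]
    dport = None
    if "eq" in tok:
        svc = tok[tok.index("eq") + 1]
        dport = SERVICES[svc] if svc in SERVICES else int(svc)
    return AclEntry(line, action, proto, dport)


def evaluate(acl: List[AclEntry], packets: List[Tuple[str, Optional[int]]]) -> List[str]:
    """First matching line wins and its hitcnt increments; no match = implicit deny."""
    verdicts = []
    for proto, dport in packets:
        for entry in acl:
            if entry.matches(proto, dport):
                entry.hitcnt += 1
                verdicts.append(entry.action)
                break
        else:
            verdicts.append("deny")
    return verdicts


def shadowed_lines(acl: List[AclEntry]) -> List[int]:
    """1-based line numbers that can never be hit because an earlier line covers them."""
    return [j + 1 for j, e in enumerate(acl) if any(acl[i].covers(e) for i in range(j))]


def run(lines: List[str], packets):
    """Build a fresh ACL from text lines, push the packets through, report counters."""
    acl = [parse_line(l) for l in lines]
    verdicts = evaluate(acl, packets)
    return [e.hitcnt for e in acl], shadowed_lines(acl), verdicts


# Constructed sample traffic: 3 pings, 2 DNS queries, 4 web requests
TRAFFIC = [("icmp", None)] * 3 + [("udp", 53)] * 2 + [("tcp", 80)] * 4

FIRST = ["permit icmp any any", "permit ip any any",
         "permit udp any any eq domain", "permit tcp any any eq www"]
SECOND = ["permit icmp any any", "permit udp any any eq domain",
          "permit tcp any any eq www", "permit ip any any"]

if __name__ == "__main__":
    for name, lines in (("first", FIRST), ("second", SECOND)):
        hits, shadowed, _ = run(lines, TRAFFIC)
        print(name, "hitcnt per line:", hits, "shadowed lines:", shadowed)
```

`shadowed_lines` is the check worth keeping: a line that an earlier, broader line fully covers is dead configuration, and on a real firewall that is exactly the `hitcnt=0` pattern the original post shows for the first arrangement.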

Level 1

A question: do you have servers on the inside segment?

Another piece of advice: configure logging and see in the firewall logs why the traffic is being denied.

Level 1

I agree that once you entered line two everything was wide open, but

I had the same issues with my acl. I can tell you it's the syntax, but I can't remember the right syntax fix.

Don't forget to clear xlate and clear your acl counters, and enter the ip any any in the last line until you get it right.

Adjust the tcp terms; in the long run you want to specify source and destination IPs in order to get ROI from your PIX.

Level 1


Your first version of the acl is a bit risky; granted it will allow your web traffic, but it's also allowing everything else. I would also restrict your ICMP line to just the types necessary. Do you simply want to allow ping access?

With regards to your web traffic problem, can you configure logging and post the lines that show the traffic being dropped?

You may need to change the logging level for a short while to show the details necessary to sort this.
