07-23-2007 05:54 AM - edited 03-11-2019 03:47 AM
I have a PIX 6.3 configured with an access-list inbound on the inside interface.
I am allowing traffic from a particular host to a DMZ machine on port 80.
I can see the keepalive on port 80 hitting the access-list but not where I would expect it.
I have the source hosts allowed in the first two lines and the third line allows any, just to make sure everything is going to work.
I do not see any hits on the line with the source host identified, but I see it on the line that has "any".
I have a capture below and you can see the source is from the 131 host.
But why doesn't it match the first line in the list?
access-list inside line 9 permit tcp host 6.2.1.131 host 192.168.1.15 eq www
access-list inside line 10 permit tcp host 6.2.1.151 host 192.168.1.15 eq www
access-list inside line 11 permit tcp any host 192.168.1.15 eq www
08:15:36.783498 6.2.1.131.3369 > 192.168.1.15.80: P 3588710642:3588710891 (249) ack 782786734 win 8192
08:15:36.980723 6.2.1.131.3369 > 192.168.1.15.80: . ack 782787014 win 8192
08:15:51.783467 6.2.1.131.3369 > 192.168.1.15.80: P 3588710891:3588711140 (249) ack 782787014 win 8192
08:15:51.980784 6.2.1.131.3369 > 192.168.1.15.80: . ack 782787294 win 8192
access-list inside line 9 permit tcp host 6.2.1.131 host 192.168.1.15 eq www (hitcnt=0)
access-list inside line 10 permit tcp host 6.2.1.151 host 192.168.1.15 eq www (hitcnt=0)
access-list inside line 11 permit tcp any host 192.168.1.15 eq www (hitcnt=13)
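A first-match evaluation of the ACL and capture posted above, added here as an example (not from the thread or from Cisco); it assumes only that a PIX access-list is evaluated top-down and that source, destination and destination port are the fields that matter. Every captured packet lands on line 9, so hits showing up only on the "any" line mean the packets the access-list actually sees do not match the host entry as written, which is the discrepancy the reply below investigates.

```python
import re
from collections import Counter

# ACL entries and capture lines as posted in the thread above.
ACL = """\
access-list inside line 9 permit tcp host 6.2.1.131 host 192.168.1.15 eq www
access-list inside line 10 permit tcp host 6.2.1.151 host 192.168.1.15 eq www
access-list inside line 11 permit tcp any host 192.168.1.15 eq www
"""
CAPTURE = """\
08:15:36.783498 6.2.1.131.3369 > 192.168.1.15.80: P 3588710642:3588710891 (249) ack 782786734 win 8192
08:15:36.980723 6.2.1.131.3369 > 192.168.1.15.80: . ack 782787014 win 8192
08:15:51.783467 6.2.1.131.3369 > 192.168.1.15.80: P 3588710891:3588711140 (249) ack 782787014 win 8192
08:15:51.980784 6.2.1.131.3369 > 192.168.1.15.80: . ack 782787294 win 8192
"""
PORT_NAMES = {"www": 80}  # only the service keyword this ACL uses

ACE_RE = re.compile(r"access-list (\S+) line (\d+) (permit|deny) (\S+) "
                    r"(host \S+|any) (host \S+|any)(?: eq (\S+))?$")
PKT_RE = re.compile(r"^\S+ (\S+)\.(\d+) > (\S+)\.(\d+):")  # "src.sport > dst.dport:"

def parse_ace(line):
    # Only the "host X | any" and "eq <port>" forms seen in the post are handled.
    _, num, action, proto, src, dst, port = ACE_RE.match(line.strip()).groups()
    return {"line": int(num), "action": action, "proto": proto,
            "src": None if src == "any" else src.split()[1],   # None = any
            "dst": None if dst == "any" else dst.split()[1],
            "dport": None if port is None else int(PORT_NAMES.get(port, port))}

def parse_packet(line):
    src, _sport, dst, dport = PKT_RE.match(line).groups()
    return {"proto": "tcp", "src": src, "dst": dst, "dport": int(dport)}

def first_match(aces, pkt):
    # Top-down evaluation: the first matching ACE wins; None means the implicit deny.
    for a in aces:
        if (a["proto"] in ("ip", pkt["proto"]) and a["src"] in (None, pkt["src"])
                and a["dst"] in (None, pkt["dst"]) and a["dport"] in (None, pkt["dport"])):
            return a["line"]
    return None

def hit_counts(acl_text=ACL, capture_text=CAPTURE):
    # Per-line hit counts a strict first-match evaluation would give for the capture.
    aces = [parse_ace(l) for l in acl_text.splitlines() if l.strip()]
    counts = Counter({a["line"]: 0 for a in aces})
    for l in capture_text.splitlines():
        if l.strip():
            counts[first_match(aces, parse_packet(l))] += 1
    return dict(counts)  # {9: 4, 10: 0, 11: 0} for the posted capture
```

The model evaluates every packet, whereas a stateful PIX consults the access-list only when a connection is built, so a real hitcnt counts new connections rather than packets; the point here is which line should match, not the exact count.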
07-26-2007 04:23 PM
Ok. The outbound was the old way to configure outbound access, before access-lists existed in the PIX OS. You can use them both but would end up with a conflict.
You don't have any crypto-maps applied?
If you could attach the config it would be helpful.
Or:
sh nameif
sh access-group
sh access-list
sh nat