Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
458
Views
0
Helpful
5
Replies

PIX Firewall 525 access list problem

Go to solution
marulandar
Level 1
Level 1

‎01-30-2006 06:44 AM - edited ‎02-21-2020 12:40 AM

Hi.

I have teh following problem. After insert a access-list, in spite of seeing packets related to the list, these do not do " match ", that is to say, it is as if the list was not doing his work.

Which can be the cause of this behavior?

PIX Model 525

IOS 6.3(4)

Thanks.

Ramiro Marulanda Z.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
mpalardy
Level 3
Level 3
In response to marulandar

‎01-31-2006 03:22 PM

Are all the syslogs sent correctly to the remote host? In the affirmative I'd say the udp connection is never closed by the PIX. Let's say the connection never hit the timeout in the pix config. So the connection remains open and doesnot increment the hitcount for your access-list. I have a PIX that does the same behaviour.

Also the hitcount increment is based on the connection and not on every packet passing by the PIX.

You may use a debug command to see packet going thru the PIX.

HTH

Mike

View solution in original post

0 Helpful
5 Replies 5

Go to solution
mpalardy
Level 3
Level 3

‎01-30-2006 08:01 AM

What's the syslog related to this behavior?

Also you may add the following statement to your pix config

access-group acl_name in interface your_intf

Mike

0 Helpful

Go to solution
marulandar
Level 1
Level 1
In response to mpalardy

‎01-31-2006 11:59 AM

Ok, thanks for your help. the behavior is the following one:

this is the access list:

access-list 10 permit udp host 10.2.2.29 host 208.135.186.182 eq syslog

access-group 10 in interface inside

The packets are seen entering the interface inside and going out for the outside, but changes are not seen in the hits of the access list.

Regards,

R.@.M.

0 Helpful

Go to solution
mpalardy
Level 3
Level 3
In response to marulandar

‎01-31-2006 03:22 PM

Are all the syslogs sent correctly to the remote host? In the affirmative I'd say the udp connection is never closed by the PIX. Let's say the connection never hit the timeout in the pix config. So the connection remains open and doesnot increment the hitcount for your access-list. I have a PIX that does the same behaviour.

Also the hitcount increment is based on the connection and not on every packet passing by the PIX.

You may use a debug command to see packet going thru the PIX.

HTH

Mike

0 Helpful

Go to solution
mpalardy
Level 3
Level 3
In response to mpalardy

‎02-01-2006 06:09 AM

In my preceeding answer I forgot telling you to use this command. To help you seeing if the connection is up between hosts:

This command "show local..." will resume the "sh conn..." and "sh xlate..." commands

sh local 10.2.2.29 detail

You may also try the "show timeout" command to see what's the timeout configured on the pix for udp connections.

Mike

0 Helpful

Go to solution
marulandar
Level 1
Level 1
In response to mpalardy

‎02-01-2006 08:24 AM

Hi Mike. Your help has been of great utility.

I will carry out his recommendations and I am going to observe the results.

Thanks again, and regards!

R.@.M.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card