Question for all PIX Guru's :)

[swsup97]

Hi All,


I have added 2 IP addresses to an existing object group for access.
Once done the test failed and pinging the device from pix also failed.
Yet the existing other IP's in the object group work as they get a response back and it's on the same network.
So that tells me that the object-group access list does work yet any added IP's to the access group dont work at all.

What could be the problem ?

Regards,
Swsup97

 

[ChrisAC]

Is this network object that you are pinging on the inside or the outside. If it's on the LAN then you should be able to ping it from the pix anyway. If you can't then it suggests that there is a network problem somewhere. If the object is on the outside of the firewall then you would need to allow the icmp replies back to the firewall in the inbound access list.

If you have an access list rule that contains an object group then if you do a 'sh access-list' you will see the access list expanded to include all the IP's in the object group. Do this and ensure that the IP address added to the group appears in the acl.

Most of my rules use object or network groups and when I add IP addresses to those groups the access list is updated accordingly and it works just fine.

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************

 

[swsup97]

network object is on the outside. It is basically printers connecting to a server on the inside.
What gets me is i do a show access-list and see the IP is addedd to the group and the access-list allows tcp and icmp.
It shows the hitcounts as (0)

If the access list was wrong then surely the other working IP's would not work. I cant understand why in the same group some will work and others not !!

 

[ChrisAC]

If the hitcount is 0 then the traffic is not hitting that rule. If it is being dropped then the logs will show that.

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************

 

[swsup97]

Hi Chris,

ok say my object group is as follows

object-group network printers-tcl
network-object host 209.120.110.217 ( is working )
network-object host 209.223.119.193 ( is working )
network-object host 209.223.119.195 ( is working )
network-object host 209.223.119.194 ( NOT working )
network-object host 209.120.110.218 ( NOT working )

now my access list for the above group is as follows

access-list acl_inside permit tcp host 196.8.2.6 object-group printers-tcl

access-list acl_inside permit icmp host 196.8.2.6 object-group printers-tcl

there are no hits on the above ...

any suggestions or changes i can make to make the above work?

 

[lambent]

Is there any firewall blocking traffic to and from 209.223.119.194 and/or 209.120.110.218 on the other side?

 

[BuckWeet]

Are they turbo ACLs?

if so, disable the turbo ACL feature, and re-enable it


BuckWeet

 

[swsup97]

Im still trying to find out about a firewall on the other side - could be a routing issue. waiting for someone on the other side to get back to me with regards to checking the default gateway on the printer.

As for the above - no turbo acl's.

 

[pixen]

Have you tried to clear arp and clear xlate? Any NATing going on? Also, any of these devices Windows 2K with multiple IP addresses on a single interface? If you aren't NATing, you might try "sysopt noproxyarp [interface name]", I've seen where the default proxy arp of PIX sometimes gets things confused, esp. in the scenario I mentioned.