Troubleshooting PIX access-lists?

Status
Not open for further replies.

dkraut

IS-IT--Management
Feb 5, 2003
75
US
What are some good tools/methods for troubleshooting PIX access-list issues? For example, say that we're blocking all outbound smtp after allowing all of our email servers smtp access (as noted in the sample below). The email admin stops by one morning and says that he can no longer send smtp to external clients from email server 172.28.12.16, but the server has tested OK. How can I verify that smtp traffic is or is not showing up at the internal pix interface and passing through the pix to external clients?

sample access-list >>

access-list net_in permit tcp host 172.28.12.38 any eq smtp
access-list net_in permit tcp host 172.28.12.16 any eq smtp
access-list net_in permit tcp host 172.28.12.12 any eq smtp
access-list net_in permit tcp host 172.28.12.14 any eq smtp
access-list net_in deny tcp any any eq smtp
access-list net_in permit ip any any

Scenario 2.

I allow from outside interface to several internal web servers but one day web admin says that "web server3" is no longer responding to outside requests but is responding to internal requests?

sample access-list =

static (inside,outside) 12.31.208.195 172.28.12.5 netmask 255.255.255.255 0 0
static (inside,outside) 12.31.208.196 172.28.12.6 netmask 255.255.255.255 0 0
static (inside,outside) 12.31.208.197 172.28.12.16 netmask 255.255.255.255 0 0
access-list inbound permit tcp any host 12.31.208.195 eq www
access-list inbound permit tcp any host 12.31.208.196 eq www
access-list inbound permit tcp any host 12.31.208.197 eq smtp
I need a way to quickly troubleshoot these types of issues either via Telnet "CLI" or the PDM.

Thoughts? TIA!
 
To see if traffic is reaching the pix you can use the sho access-list command. Make some traffic and look at the counters to see if they are incrementing. If your access list is host- or protocol-specific, as yours appears to be, then it should be fairly easy to verify.

A packet capture on the downstream side will, without a doubt, allow you to verify that traffic has left the pix. Very careful use of the debug packet command will also allow you to watch traffic leave the pix. You'll have to decide if it is appropriate to use in your case. Filtered on a known source IP address accessing a specific web server is probably ok to do, filtering on all SMTP traffic is probably a bad idea.
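A worked way to do what the reply above describes, added here as an example and not code from the thread or from Cisco: a Python script that parses two captures of PIX 6.x "show access-list" output (one taken before and one after you generate test traffic), reports which entries' hitcnt moved, and walks the thread's ACLs top-down to say which entry a given flow should hit under first-match semantics, so the two can be compared. The sample captures, their counters, the peer addresses 203.0.113.25 and 198.51.100.7, and the exact "line N ... (hitcnt=N)" layout are constructed for the example and are assumptions; check the parser against what your PIX release actually prints.

```python
"""Added example (not from the Tek-Tips thread): diff PIX 6.x 'show access-list'
hit counters taken before/after test traffic and evaluate which ACE a flow
should hit first. The output format and counters below are constructed."""
import ipaddress
import re

# Port names used in the thread's ACLs; PIX accepts names or numbers.
PORT_NAMES = {"smtp": 25, "www": 80, "http": 80, "https": 443, "ssh": 22}
HITCNT_RE = re.compile(r"\s*\(hitcnt=(\d+)\)\s*$")

# Constructed 'show access-list' capture taken before generating test traffic.
BEFORE = """\
access-list net_in; 6 elements
access-list net_in line 1 permit tcp host 172.28.12.38 any eq smtp (hitcnt=410)
access-list net_in line 2 permit tcp host 172.28.12.16 any eq smtp (hitcnt=0)
access-list net_in line 3 permit tcp host 172.28.12.12 any eq smtp (hitcnt=97)
access-list net_in line 4 permit tcp host 172.28.12.14 any eq smtp (hitcnt=55)
access-list net_in line 5 deny tcp any any eq smtp (hitcnt=1203)
access-list net_in line 6 permit ip any any (hitcnt=88213)
access-list inbound; 3 elements
access-list inbound line 1 permit tcp any host 12.31.208.195 eq www (hitcnt=9001)
access-list inbound line 2 permit tcp any host 12.31.208.196 eq www (hitcnt=3310)
access-list inbound line 3 permit tcp any host 12.31.208.197 eq smtp (hitcnt=712)
"""
# Constructed capture after a few test SMTP sessions: line 2 stayed at 0,
# the deny on line 5 moved, and the catch-all on line 6 moved.
AFTER = BEFORE.replace("(hitcnt=1203)", "(hitcnt=1206)").replace(
    "(hitcnt=88213)", "(hitcnt=88233)")


def _port(tok):
    """Normalise a port token ('smtp' or '25') to an int."""
    if tok.isdigit():
        return int(tok)
    return PORT_NAMES[tok]  # KeyError for a name this example does not know


def _take_addr(toks, i):
    """Consume 'any' | 'host A' | 'NET MASK' at toks[i]; None stands for any."""
    if toks[i] == "any":
        return None, i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{toks[i]}/{toks[i + 1]}", strict=False), i + 2


def _take_port(toks, i):
    """Consume an optional 'eq PORT' at toks[i]."""
    if i < len(toks) and toks[i] == "eq":
        return _port(toks[i + 1]), i + 2
    return None, i


def parse_show_access_list(text):
    """Parse 'access-list NAME [line N] ACTION PROTO SRC [eq P] DST [eq P] (hitcnt=N)'.
    Lines without a hitcnt (the 'NAME; N elements' headers) are skipped."""
    aces = []
    for raw in text.splitlines():
        m = HITCNT_RE.search(raw)
        if not m:
            continue
        toks = raw[: m.start()].split()
        name, i, line = toks[1], 2, None
        if toks[2] == "line":
            line, i = int(toks[3]), 4
        action, proto = toks[i], toks[i + 1]
        src, j = _take_addr(toks, i + 2)
        sport, j = _take_port(toks, j)
        dst, j = _take_addr(toks, j)
        dport, j = _take_port(toks, j)
        aces.append({"name": name, "line": line, "action": action, "proto": proto,
                     "src": src, "sport": sport, "dst": dst, "dport": dport,
                     "hits": int(m.group(1)),
                     # key ties an entry across captures even if 'line N' is absent
                     "key": (name, " ".join(toks[i:]))})
    return aces


def hit_deltas(before_text, after_text):
    """Return [(ace, delta)] for entries whose hitcnt rose between two captures."""
    before = {a["key"]: a["hits"] for a in parse_show_access_list(before_text)}
    moved = []
    for a in parse_show_access_list(after_text):
        d = a["hits"] - before.get(a["key"], 0)
        if d > 0:
            moved.append((a, d))
    return moved


def first_match(aces, name, proto, src_ip, dst_ip, dport, sport=None):
    """Walk ACL `name` top-down and return the first ACE the flow matches;
    None means the implicit deny at the end of the list."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for a in aces:
        if a["name"] != name or a["proto"] not in ("ip", proto):
            continue
        if a["src"] is not None and s not in a["src"]:
            continue
        if a["dst"] is not None and d not in a["dst"]:
            continue
        if a["sport"] is not None and a["sport"] != sport:
            continue
        if a["dport"] is not None and a["dport"] != dport:
            continue
        return a
    return None


if __name__ == "__main__":
    aces = parse_show_access_list(AFTER)
    exp = first_match(aces, "net_in", "tcp", "172.28.12.16", "203.0.113.25", 25)
    print("flow should hit:", exp["name"], "line", exp["line"], exp["action"])
    for a, d in hit_deltas(BEFORE, AFTER):
        print(f"counter moved: {a['name']} line {a['line']} {a['action']} (+{d})")
```

Paste real captures into BEFORE and AFTER and the entry first_match returns for the mail server's flow is the one whose counter should climb while you generate test SMTP sessions; if a different entry climbs, or none does, the PIX is not seeing the traffic you think it is (wrong source address after translation, traffic never reaching the inside interface, and so on), which is exactly what the counters are meant to tell you before you reach for debug packet or a downstream capture. Entries are matched across captures by their text rather than by line number in case your release prints them without one.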
 
Regarding the access-group command - good observation. I should have included it in my samples above as >>

access-group inbound in interface outside
access-group net_in in interface inside
 