Troubleshooting PIX Access-Lists?

Discussion in 'Cisco' started by David K, Jun 30, 2004.

  1. David K

    David K Guest

    What are some good tools/methods for troubleshooting PIX access-list
    issues? For example, say that I'm blocking all outbound smtp for all
    machines with the exception of our authorized email servers (as noted
    in the sample below). The email admin stops by one morning and says that
    he can no longer send smtp to external clients from internal email
    server 172.28.12.16, but the server has tested OK. How can I verify
    that smtp traffic is indeed showing up at the internal pix interface
    and passing through the pix to external clients?

    "sample" access-list >>

    access-list net_in permit tcp host 172.28.12.14 any eq smtp
    access-list net_in permit tcp host 172.28.12.15 any eq smtp
    access-list net_in permit tcp host 172.28.12.16 any eq smtp
    access-list net_in deny tcp any any eq smtp
    access-list net_in permit ip any any

    Scenario 2 -

    I allow www access from outside interface to several internal web
    servers but one day the web admin says that the internal "web server3
    - 172.28.12.5" is no longer responding to www from outside requests
    but is responding to www via internal requests?

    "sample" access-list >>

    static (inside,outside) 15.31.208.195 172.28.12.5 netmask 255.255.255.255 0 0
    static (inside,outside) 15.31.208.196 172.28.12.6 netmask 255.255.255.255 0 0
    static (inside,outside) 15.31.208.197 172.28.12.16 netmask 255.255.255.255 0 0
    access-list inbound permit tcp any host 12.31.208.195 eq www
    access-list inbound permit tcp any host 12.31.208.196 eq www
    access-list inbound permit tcp any host 12.31.208.197 eq smtp


    I need a way to quickly troubleshoot these types of issues, either via
    the Telnet "CLI" or the PDM.

    Thoughts? TIA!
     
    David K, Jun 30, 2004
    #1

  2. :What are some good tools/methods for troubleshooting PIX access-list
    :issues?

    On PIX 6.3, create an ACL to match the traffic of interest, and create
    a 'capture'. That'll allow you to grab the packets themselves.

    Beyond that, you use 'debug' commands to observe the variety of
    behaviour you suspect to be errant.
     
    Walter Roberson, Jun 30, 2004
    #2
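Applying the capture-plus-counters approach from the reply to the two scenarios in the question, as an added example in PIX 6.3 CLI (this is not from either poster). The addresses are the ones in the question; the capture and ACL names, the TFTP server 172.28.12.200, and the buffer names are arbitrary. One thing to watch for with scenario 2: an inbound ACL on the outside interface of a PIX 6.x matches the global (pre-translation) address from the static, so the capture and the ACL both have to name the same global address. The posted `inbound` ACL uses 12.31.208.x while the statics use 15.31.208.x; the example below uses the statics' addresses.

```cisco
! ---- Scenario 1: outbound SMTP from 172.28.12.16 ----
! Inside interface sees the real address; outside sees the
! static's global address (15.31.208.197), so two capture ACLs.
access-list cap_smtp_in permit tcp host 172.28.12.16 any eq smtp
access-list cap_smtp_in permit tcp any eq smtp host 172.28.12.16
access-list cap_smtp_out permit tcp host 15.31.208.197 any eq smtp
access-list cap_smtp_out permit tcp any eq smtp host 15.31.208.197

capture smtp_in access-list cap_smtp_in interface inside
capture smtp_out access-list cap_smtp_out interface outside

! Have the mail admin send a test message, then compare buffers.
! Packets in smtp_in but not smtp_out means the PIX is dropping them.
show capture smtp_in
show capture smtp_out detail
! Pull a buffer off the box for Ethereal (TFTP server is arbitrary):
copy capture:smtp_out tftp://172.28.12.200/smtp_out pcap

! Confirm the ACL is bound to the interface you expect, zero the
! per-entry hit counters, retest, and see which entry is matching.
! If the "deny tcp any any eq smtp" line climbs instead of the .16
! permit, the source address on the wire is not 172.28.12.16.
show access-group
clear access-list net_in counters
show access-list net_in

! Translation and connection table entries for the server.
show xlate local 172.28.12.16
show conn detail

! ACL denies are logged as %PIX-4-106023 (level warnings).
logging on
logging buffered warnings
show logging

! ---- Scenario 2: inbound WWW to web server 3 ----
! Outside interface: destination is the global address.
access-list cap_www_out permit tcp any host 15.31.208.195 eq www
capture www_out access-list cap_www_out interface outside
! Inside interface: after translation the destination is the real host.
access-list cap_www_in permit tcp any host 172.28.12.5 eq www
capture www_in access-list cap_www_in interface inside

! Browse to the server from outside, then compare the buffers.
! SYNs in www_out and nothing in www_in: dropped by the PIX (ACL
! or static). SYNs in www_in with no SYN/ACK back: server side.
show capture www_out
show capture www_in
show xlate global 15.31.208.195
show static
show access-list inbound

! Per-packet trace on the outside interface. Noisy on a busy
! firewall; turn it off as soon as you have what you need.
debug packet outside dst 15.31.208.195 proto tcp dport 80 both
no debug all

! Captures persist until removed; clean up when finished.
no capture smtp_in
no capture smtp_out
no capture www_out
no capture www_in
no access-list cap_smtp_in
no access-list cap_smtp_out
no access-list cap_www_out
no access-list cap_www_in
```

The `show capture` buffers can also be fetched over PDM's HTTPS listener at `https://<pix>/capture/<name>/pcap` on 6.3, which is handy when TFTP is not reachable from the firewall.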
