Software Firewalls
linuxunil

(hitcnt=0)
hi experts....

errrrrrrrrrrrrm, all of a sudden my access-lists are not showing hit counts? They were when they looked like this:

access-list acl_inside_out permit tcp any any eq www (hitcnt=3074)
access-list acl_inside_out permit icmp any any (hitcnt=3)
access-list acl_inside_out permit udp any any eq domain (hitcnt=1305)
access-list acl_inside_out permit tcp any host X.X.X.X eq pop3 (hitcnt=174)
access-list acl_inside_out permit tcp any host X.X.X.X eq smtp (hitcnt=6)
access-list acl_inside_out permit tcp any host X.X.X.X eq pop3 (hitcnt=16)
access-list acl_inside_out permit tcp any host X.X.X.X eq smtp (hitcnt=0)
access-list acl_inside_out permit tcp any host X.X.X.X eq pop3 (hitcnt=18)
access-list acl_inside_out permit tcp any host X.X.X.X eq smtp (hitcnt=0)



And then when I added the lines below, my whole access-list shows no hits against it? I have tried removing back to just the original inside_out lists and still no hit counts?

access-list acl_inside_out permit udp any host X.X.X.X eq 4190

access-list acl_outside_in permit icmp any any unreachable
access-list acl_outside_in permit icmp any any echo-reply
access-list acl_outside_in permit icmp any any time-exceeded
What have I done wrong???



linuxunil
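The symptom in this post is that every line of a bound ACL suddenly reports hitcnt=0. Below is a small added example (not from the thread or from Cisco) that parses `show access-list` output in the format quoted above and separates an ACL with zero hits everywhere (the problem described here) from individual unused entries inside an ACL that is otherwise passing traffic; the sample output is constructed from the lines the poster showed, with the same anonymised X.X.X.X hosts.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the "show access-list" output quoted in the thread
# (addresses anonymised as X.X.X.X, as the poster did). Not real device output.
SAMPLE = """\
access-list acl_inside_out permit tcp any any eq www (hitcnt=3074)
access-list acl_inside_out permit icmp any any (hitcnt=3)
access-list acl_inside_out permit udp any any eq domain (hitcnt=1305)
access-list acl_inside_out permit tcp any host X.X.X.X eq pop3 (hitcnt=174)
access-list acl_inside_out permit tcp any host X.X.X.X eq smtp (hitcnt=0)
access-list acl_outside_in permit icmp any any unreachable (hitcnt=0)
access-list acl_outside_in permit icmp any any echo-reply (hitcnt=0)
access-list acl_outside_in permit icmp any any time-exceeded (hitcnt=0)
"""

# One ACE per line: "access-list <name> <rule text> (hitcnt=<n>)"
ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+(?P<rule>.+?)\s+\(hitcnt=(?P<hits>\d+)\)\s*$"
)

def parse_hitcounts(text):
    """Return a list of (acl_name, rule_text, hitcnt) tuples, one per ACE line."""
    entries = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            entries.append((m.group("acl"), m.group("rule"), int(m.group("hits"))))
    return entries

def acl_totals(entries):
    """Sum hit counts per ACL; an applied ACL summing to zero is the symptom in the thread."""
    totals = defaultdict(int)
    for acl, _rule, hits in entries:
        totals[acl] += hits
    return dict(totals)

def dead_acls(entries):
    """ACLs where every entry has hitcnt=0: not bound by access-group, or simply unused."""
    return sorted(acl for acl, total in acl_totals(entries).items() if total == 0)

def unused_entries(entries):
    """Individual lines with no hits inside an ACL that otherwise sees traffic."""
    totals = acl_totals(entries)
    return [(acl, rule) for acl, rule, hits in entries if hits == 0 and totals[acl] > 0]

if __name__ == "__main__":
    ents = parse_hitcounts(SAMPLE)
    print("per-ACL totals:", acl_totals(ents))
    print("ACLs with zero hits everywhere:", dead_acls(ents))
    for acl, rule in unused_entries(ents):
        print(f"unused entry in {acl}: {rule}")
```

An ACL that is known to be in the traffic path but lands in `dead_acls` is the case to investigate first; entries in `unused_entries` are candidates for rule clean-up after a long enough observation window.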



MikeKane

could be as simple as no one is accessing the internet (didn't look like you had a lot of traffic to begin with)... May I assume you've tested the connections to get some hit counts? Did you check xlate to see if anyone has a NAT address going outside?



linuxunil (asker)

hi MikeKane


I have 40-60 users accessing the internet for flight bookings so I assume there would be at least some traffic, that's why I can't understand it? How do I check xlate? I have tried to find the command but there is no man file for it? And how do you test a connection? Sorry if that's a lame question but I am a newb to PIX, well firewalls in general!


linuxunil

MikeKane

Console into the PIX, enable mode.

SHOW XLATE will list all the NAT'ed addresses. You should see some info here.

Are your people working fine? Or are they having connection issues?



hi

there are 47 in use and 291 most used! There are no connection issues and I have reloaded the PIX just to see if it was that?


linuxunil

hi MikeKane...

I have just had a thought! I added the lists after several tests by pasting to host! Now having thought about it, I wonder if it is because I have used this method instead of writing each line? I mean this would be bizarre but it's all that I can think of?



linuxunil

MikeKane

It shouldn't make a difference, show config will give you the working code....



hi MikeKane

What am I looking for in the run config?



linuxunil

hello MikeKane....

It seems that maybe my theory was correct/partially correct, as I have re-written the access-lists individually and all is now working? Maybe I should do a test by clearing the access-lists again and then copying and pasting to host to see if it happens again? If so then a post is the order of the day???

thx for all your help MikeKane... The sh xlate cmd was interesting!


linuxunil

MikeKane

I've copied and pasted commands to a telnet session on the PIX before IIRC. That's a little odd.



ASKER CERTIFIED SOLUTION
Les Moore

hi all,


It is interesting to see your comment lrmoore, because since I have started configuring firewall(s) I have always used the commands:

#clear access-list acl_outside_in
#clear access-list acl_inside_out

before reapplying access-lists, but never disabled the access-group before reapplying! I will use the suggested procedure in future, especially if this is what happens when using the PDM. Perhaps I will try my suggested comment ("It seems that maybe my theory was correct/partially correct as I have ............") and your procedure just to see if that's what the problem really was! hmmmmmmmmm interesting.



linuxunil

Les Moore

Are you still working on this? Do you need more help?

lrmoore, you were right about resetting the access group.  I was having similar problems and that fixed it all up.  You're a lifesaver.
