
Do I need to restart PIX 506e after making changes to access-lists?

I've been getting "Deny Protocol 50" warnings so I added an access-list to allow the traffic.  I already executed the "access-group INBOUND in interface outside" command but I still get the deny protocol 50 message.  When I type show access-list, the hitcount for that line is 0.  I've had experience in the past where I must restart the PIX before the access-lists take effect.  Is there a way I can do this without having to restart the PIX?

1 Solution
You can try to issue clear xlate, but there is no need to restart your device in order to reapply changes to ACLs.
You should not have to restart the PIX.  If the hitcount is showing 0 then a request to pass on that port has not made it to the PIX.  Perhaps your ISP is blocking some traffic.
ITLighthouseAuthor Commented:
I tried clear xlate, but it didn't make a difference.  This has to do with using Cisco VPN Client behind a NAT'd PIX.  I login to remote server and the connection gets established, but no traffic will pass.  I did the fixup protocol esp-ike thing but I get deny protocol 50 errors in the log.  So I added the following line -
access-list INBOUND permit tcp any interface outside eq 50

The error in the log doesn't go away and when I "show access-list" the hitcount for that line is 0, so I'm thinking maybe the access-list I added is incorrect or it is not taking effect.
It's protocol #50, not port number.

access-l INBOUND permit esp any interface outside
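The mistake in this thread (treating IP protocol 50 as a TCP port) is easy to catch when auditing ACL output. The script below is an added example, not from the original thread or from Cisco: it parses lines in the shape PIX 6.x prints for "show access-list" (the "line N" and "(hitcnt=N)" fields are assumed from that format), flags tcp/udp entries whose "eq" port is really an IP protocol number, proposes the corrected entry, and reports entries that have never matched a packet. The sample output is constructed.

```python
import re

# Constructed sample in the assumed PIX 6.x "show access-list" format:
# the wrong entry from the thread, and the corrected one beside it.
SAMPLE_SHOW_ACCESS_LIST = """\
access-list INBOUND line 1 permit tcp any interface outside eq 50 (hitcnt=0)
access-list INBOUND line 2 permit esp any interface outside (hitcnt=17)
"""

# IP protocol numbers that are commonly mistaken for TCP/UDP port numbers.
IP_PROTOCOLS = {"50": "esp", "51": "ah", "47": "gre"}

# One access-list entry: name, optional "line N", action, protocol, the rest
# of the match clause, and an optional hit counter.
ACE_RE = re.compile(
    r"access-list\s+(?P<acl>\S+)\s+(?:line\s+\d+\s+)?"
    r"(?P<action>permit|deny)\s+(?P<proto>\S+)\s+(?P<rest>.*?)"
    r"(?:\s+\(hitcnt=(?P<hits>\d+)\))?\s*$"
)


def parse_ace(line):
    """Parse one ACE line into a dict, or return None if it is not an ACE."""
    m = ACE_RE.match(line.strip())
    if not m:
        return None
    ace = m.groupdict()
    ace["hits"] = int(ace["hits"]) if ace["hits"] is not None else None
    return ace


def port_protocol_confusion(ace):
    """Return the IP protocol keyword if 'eq <n>' under tcp/udp looks like
    an IP protocol number (e.g. 'tcp ... eq 50' meant as ESP), else None."""
    if ace["proto"].lower() not in ("tcp", "udp"):
        return None
    m = re.search(r"\beq\s+(\d+)\b", ace["rest"])
    if m and m.group(1) in IP_PROTOCOLS:
        return IP_PROTOCOLS[m.group(1)]
    return None


def corrected_ace(ace):
    """Rewrite a confused ACE so the IP protocol is the match, not a port."""
    keyword = port_protocol_confusion(ace)
    if keyword is None:
        return None
    rest = re.sub(r"\s+eq\s+\d+\b", "", ace["rest"]).strip()
    return f"access-list {ace['acl']} {ace['action']} {keyword} {rest}"


def audit_ace(ace):
    """Return a list of human-readable findings for one parsed ACE."""
    findings = []
    fix = corrected_ace(ace)
    if fix is not None:
        findings.append(
            f"'{ace['proto']} ... eq N' matches a {ace['proto'].upper()} port, "
            f"not an IP protocol; did you mean: {fix}"
        )
    if ace["hits"] == 0:
        findings.append("hitcnt=0: no packet has matched this entry yet")
    return findings


def audit_show_access_list(text):
    """Map each ACE line of 'show access-list' output to its findings."""
    results = {}
    for line in text.splitlines():
        ace = parse_ace(line)
        if ace is None:
            continue
        results[line.strip()] = audit_ace(ace)
    return results


if __name__ == "__main__":
    for line, findings in audit_show_access_list(SAMPLE_SHOW_ACCESS_LIST).items():
        print(line)
        for f in findings:
            print("   ->", f)
```

A zero hit count on a correctly written entry still only tells you that no matching packet reached the PIX, which is why the earlier answer points at the ISP; the confusion check is the part that catches the problem this thread actually had.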
ITLighthouseAuthor Commented:
Bingo!!!  Thanks.
