• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 680

Do I need to restart PIX 506e after making changes to access-lists?

I've been getting "Deny Protocol 50" warnings, so I added an access-list to allow the traffic.  I already executed the "access-group INBOUND in interface outside" command, but I still get the deny protocol 50 message.  When I type show access-list, the hitcount for that line is 0.  I've had experience in the past where I had to restart the PIX before the access-lists took effect.  Is there a way I can do this without having to restart the PIX?

Thanks.
Asked by ITLighthouse

from_exp commented:
you can try to issue clear xlate, but there is no need to restart your device in order to reapply changes to acls

Kutyi commented:
You should not have to restart the PIX.  If the hitcount is showing 0 then a request to pass on that port has not made it to the PIX.  Perhaps your ISP is blocking some traffic.

ITLighthouse (author) commented:
I tried clear xlate, but it didn't make a difference.  This has to do with using Cisco VPN Client behind a NATed PIX.  I log in to the remote server and the connection gets established, but no traffic will pass.  I did the fixup protocol esp-ike thing, but I get deny protocol 50 errors in the log.  So I added the following line -
access-list INBOUND permit tcp any interface outside eq 50

The error in the log doesn't go away and when I "show access-list" the hitcount for that line is 0, so I'm thinking maybe the access-list I added is incorrect or it is not taking effect.

Voltz-dk commented:
It's protocol #50, not port number.

Try
access-l INBOUND permit esp any interface outside
 
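The fix above comes down to one distinction: the "50" in the PIX deny message is the IP protocol number (ESP), not a TCP or UDP port, so an ACE written as "permit tcp ... eq 50" can never match the traffic and its hitcount stays at 0. The following Python script is an added example, not code from the thread or from Cisco: it parses deny-protocol log lines, maps the protocol number to its name, builds the ACE that would actually permit that protocol, and flags a candidate ACE that confuses a port with a protocol. The log lines are constructed for the example in the shape of the PIX/ASA 106010 "Deny inbound protocol" message (exact field layout is an assumption), using documentation address ranges. The ACE parser only covers the "permit <proto> any interface <if>" form used in the thread plus a port qualifier.

```python
import re

# Subset of the IANA IP protocol number registry. Protocol 50 is ESP and 51 is AH;
# neither has ports, which is why "eq 50" under tcp can never match ESP.
IP_PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp", 47: "gre", 50: "esp", 51: "ah"}

# Constructed sample syslog lines (not from the thread), assumed to follow the
# shape of the PIX/ASA 106010 message; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = [
    "%PIX-3-106010: Deny inbound protocol 50 src outside:203.0.113.10 dst inside:192.0.2.20",
    "%PIX-3-106010: Deny inbound protocol 47 src outside:203.0.113.11 dst inside:192.0.2.20",
    "%PIX-2-106001: Inbound TCP connection denied from 203.0.113.12/4321 to 192.0.2.20/50 "
    "flags SYN on interface outside",
]

DENY_PROTO_RE = re.compile(
    r"Deny inbound protocol (?P<proto>\d+) "
    r"src (?P<src_if>\w+):(?P<src>[\d.]+) dst (?P<dst_if>\w+):(?P<dst>[\d.]+)"
)

# Accepts the abbreviated "access-l" keyword as well as "access-list".
ACE_RE = re.compile(
    r"^access-l\S*\s+(?P<acl>\S+)\s+permit\s+(?P<proto>\S+)\s*(?P<rest>.*)$"
)


def parse_deny_protocol(line):
    """Parse a 106010-style deny line; return a dict, or None for other messages."""
    m = DENY_PROTO_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["proto"] = int(fields["proto"])
    fields["proto_name"] = IP_PROTOCOLS.get(fields["proto"], str(fields["proto"]))
    return fields


def suggested_ace(acl_name, proto, ingress_if):
    """Build the ACE permitting IP protocol `proto` that arrives on `ingress_if`
    addressed to the PIX's own interface (the NATed VPN client case in the thread)."""
    name = IP_PROTOCOLS.get(proto, str(proto))
    return f"access-list {acl_name} permit {name} any interface {ingress_if}"


def check_ace(ace, denied_proto):
    """Return (matches, reason): could `ace` ever match IP protocol `denied_proto`?
    Specifically catches an ACE that uses the protocol number as a port."""
    m = ACE_RE.match(ace.strip())
    if not m:
        return False, "not a permit ACE"
    proto = m.group("proto").lower()
    rest = m.group("rest")
    if proto in ("ip", str(denied_proto), IP_PROTOCOLS.get(denied_proto)):
        return True, f"ACE protocol '{proto}' covers IP protocol {denied_proto}"
    reason = (f"ACE protocol '{proto}' is not IP protocol {denied_proto} "
              f"({IP_PROTOCOLS.get(denied_proto, 'unknown')})")
    port = re.search(r"\b(?:eq|gt|lt|neq)\s+(\d+)", rest)
    if port and int(port.group(1)) == denied_proto:
        reason += (f"; 'eq {port.group(1)}' is a {proto} port, and IP protocol "
                   f"{denied_proto} carries no port numbers")
    return False, reason


def triage(log_lines, acl_name, candidate_ace):
    """For each deny line, report whether `candidate_ace` would help and what would."""
    report = []
    for line in log_lines:
        d = parse_deny_protocol(line)
        if d is None:
            continue
        ok, why = check_ace(candidate_ace, d["proto"])
        report.append({
            "denied": f"protocol {d['proto']} ({d['proto_name']}) from {d['src']} on {d['src_if']}",
            "candidate_matches": ok,
            "why": why,
            "suggested": suggested_ace(acl_name, d["proto"], d["src_if"]),
        })
    return report


if __name__ == "__main__":
    wrong = "access-list INBOUND permit tcp any interface outside eq 50"
    for entry in triage(SAMPLE_LOG, "INBOUND", wrong):
        print(entry["denied"])
        print("  candidate matches:", entry["candidate_matches"], "-", entry["why"])
        print("  suggested ACE:    ", entry["suggested"])
```

Run against the thread's original ACE, the script reports that "permit tcp ... eq 50" cannot match protocol 50 and suggests "permit esp any interface outside"; the same logic tells you that a GRE deny (protocol 47) needs "permit gre", not a port. A hitcount that stays at 0 after the access-group is applied is the signal to re-read the log line for the real protocol rather than to reload the box.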
ITLighthouse (author) commented:
Bingo!!! Thanks.
