PIX & access-list

I had this rule in the PIX to accept https requests from a specific host

access-list incoming permit tcp 255.138.142.224 255.255.255.224 host 209.255.196.216 eq 443

But it no longer works! 209.255.196.216 is the ip of a router. Can anyone please tell me why this rule will fail all of a sudden?

Thanks for your help.

Reply to
soup_or_power

Reply to
delgrundy

Reply to
Matt Scoff

> 209.255.196.216 eq 443

If you have access-group incoming in interface inside then that is the wrong ACL entry to accept https requests from a specific host. That ACL entry would be appropriate for accepting https requests that originate at 255.138.142.224 255.255.255.224 and which are destined for the IP 209.255.196.216 .

You indicate that 209.255.196.216 is the IP of a router. Does that mean that you want 255.138.142.224 255.255.255.224 to be able to use the web interface of the router itself (i.e., to manage the router)? If so, then have you checked to be sure that the router is still accepting requests? Have you checked that there is still a static for 209.255.196.216? Have you checked the pix logs to see whether the incoming requests are being refused by the PIX?

Reply to
Walter Roberson

> 209.255.196.216 eq 443

Oops sorry, the router IP is 255.138.142.224.

How do I turn on logging?

Thanks for your help

Reply to
soup_or_power

> 209.255.196.216 eq 443

If the router IP is 255.138.142.224 then why does your netmask also end in 224 -- that would make the router IP the base network IP of the subnet, and the base network IP of any subnet is reserved. (If you look at the math, it turns out that if you have a netmask of 255.255.255.X then any IP that ends with X must be the reserved base IP of the subnet.)

It is true that in PIX ACLs, the masks are really bitmasks rather than netmasks, so the line is not necessarily invalid (just suspicious) -- but even so it contradicts your original statement that you want to accept https requests from a specific -host-. And if you want to accept https from a specific host, then you wouldn't be putting your router IP there ?!

logging on
logging timestamp
logging buffered notifications
logging queue 512

This will send a copy of all messages of priority "notification" or higher to the PIX wrap-around message buffer, which can be displayed by using the command "show log".

The memory buffer usually can only hold a few seconds worth of information, so you would normally want to enable syslog on a server and then,

logging trap notifications
logging host inside SERVERIP

This will send a copy of all messages of priority "notification" or higher to the syslog process on host SERVERIP.

Logging level notification is often enough to solve "Duh, why didn't I think of that!" type of ACL problems, but if you have a difficult ACL problem then you would want to switch to "logging trap debugging". You probably only want to use debugging level to a syslog server (and not to the onboard memory buffer) because the traffic volume of messages is fairly high at debugging level.

To recap briefly: "logging buffered" controls the level of messages available via "show log", and "logging trap" controls the level of messages sent to the syslog server.

Reply to
Walter Roberson
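The two points Walter makes above (that the ACL entry matches source network against mask and destination host, and that an address whose host bits are all zero under its mask is the subnet's base address) can be checked mechanically. The following is an added example, not code from the original thread or from Cisco: it parses a PIX-style access-list line of the shape used in the question, evaluates whether a given flow would match it, and tests whether a source address is the base address of the subnet its mask implies. The sample addresses are the ones from the thread (which the poster says are fudged) plus a few constructed neighbours.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ALL_ONES = 0xFFFFFFFF


@dataclass
class AclEntry:
    """One access-list entry: action, protocol, src net/mask, dst net/mask, dst port."""
    name: str
    action: str
    proto: str
    src_net: int
    src_mask: int
    dst_net: int
    dst_mask: int
    dst_port: Optional[int]


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def parse_pix_ace(line: str) -> AclEntry:
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]'.

    SRC and DST are each 'host A.B.C.D', 'any', or 'NET MASK'. PIX masks are
    written as netmasks (255.255.255.224), not IOS wildcard masks.
    """
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    name, action, proto = tok[1], tok[2], tok[3]
    idx = 4

    def take_addr():
        nonlocal idx
        if tok[idx] == "host":
            addr = ip_to_int(tok[idx + 1])
            idx += 2
            return addr, ALL_ONES
        if tok[idx] == "any":
            idx += 1
            return 0, 0
        net, mask = ip_to_int(tok[idx]), ip_to_int(tok[idx + 1])
        idx += 2
        return net, mask

    src_net, src_mask = take_addr()
    dst_net, dst_mask = take_addr()
    port = None
    if idx + 1 < len(tok) and tok[idx] == "eq":
        port = int(tok[idx + 1])
    return AclEntry(name, action, proto, src_net, src_mask, dst_net, dst_mask, port)


def ace_matches(ace: AclEntry, src_ip: str, dst_ip: str, dst_port: int, proto: str = "tcp") -> bool:
    """True if a packet (src -> dst:port) is selected by this entry.

    The mask is applied as a plain bitmask, as Walter notes the PIX does, so a
    non-contiguous mask is accepted here too. Direction is not modelled: with
    'access-group incoming in interface inside' this entry is consulted only for
    packets entering the inside interface, so src must be the inside-side host.
    """
    if ace.proto not in (proto, "ip"):
        return False
    if (ip_to_int(src_ip) & ace.src_mask) != (ace.src_net & ace.src_mask):
        return False
    if (ip_to_int(dst_ip) & ace.dst_mask) != (ace.dst_net & ace.dst_mask):
        return False
    return ace.dst_port is None or ace.dst_port == dst_port


def mask_is_contiguous(mask: int) -> bool:
    """A real netmask is a run of 1-bits followed by 0-bits (inverse is 2^k - 1)."""
    inv = (~mask) & ALL_ONES
    return (inv & (inv + 1)) == 0


def is_subnet_base(ip: str, mask: str) -> bool:
    """True if ip has all host bits zero under a contiguous, non-/32 mask.

    This is Walter's 255.255.255.X rule: an address whose last octet equals X
    under mask 255.255.255.X is the (reserved) network address of its subnet.
    """
    m = ip_to_int(mask)
    if not mask_is_contiguous(m) or m == ALL_ONES:
        return False
    return (ip_to_int(ip) & m) == ip_to_int(ip)


if __name__ == "__main__":
    # The entry exactly as posted in the question (addresses are the poster's fudged values).
    ace = parse_pix_ace("access-list incoming permit tcp 255.138.142.224 255.255.255.224 host 209.255.196.216 eq 443")
    print("host in /27 to router:443 ->", ace_matches(ace, "255.138.142.230", "209.255.196.216", 443))
    print("same host, port 80        ->", ace_matches(ace, "255.138.142.230", "209.255.196.216", 80))
    print("router IP is subnet base  ->", is_subnet_base("255.138.142.224", "255.255.255.224"))
```

Running it shows the entry matching a source inside the /27 to the router on 443 but not on 80, and confirms that 255.138.142.224 under 255.255.255.224 is the base address of its subnet, which is why the mask looked wrong for a single host.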

> 209.255.196.216 eq 443

I fudged the numbers to not reveal the actual IP addresses. The netmask is set so that all the hosts behind the router can access the https on the server.

I think I confused you. Sorry! I meant to say that all the hosts behind the router that qualify to send https requests after applying the netmask are unable to access the server. I don't know much about the router set up, except that it is in the Philippines and the engineers there tell me that the machines are configured to be on the same subnet as the router (is there any other way?). BTW, the server is located in the US and the access-list rule did not have any problems until now.

Thanks! I will give it a try. Also let me know how to view the logs. I don't know my way around Pix IOS. Can you recommend a good book? I browsed in B&N without much success. They have all kinds of Cisco books. I prefer something like 'PIX for dummies' --something basic. I bought the 'Firewall for Dummies' which was enough to let me get started.

Reply to
soup_or_power
