12-13-2007, 09:48 PM   #5
Cellus
Moderator Networking Team
Join Date: Aug 2006
Location: Canada
Posts: 2,611
OS: Windows Vista Business SP1, Windows XP Professional SP3

Re: opening ports on 515e

Hmm, intriguing. I'm no PIX guru by a long shot, but did you try putting the extended portion in the entry (e.g. access-list acl_out extended permit tcp any any eq port#)? Remember that an Extended IP Access List may only "assume" it is extended if assigned a list number in the range 100-199. Since you are "defining" a custom access group, you probably need to set the extended parameter, or else it may just be assuming it is a Standard IP Access List entry. I'm a little rusty with my Cisco, but that could be it if you are forgetting to explicitly set the extended parameter.

Addendum: Since you are trying to make an access list entry using ports, it needs to be an extended IP access list entry. A standard access list entry only permits/denies based on IP only - to be able to be more granular and use ports, you must use an extended IP access list. Since you are not using number ranges but a custom access group, I bet you dollars to donuts that is what you are missing.

Were you the one who originally put in those access list entries and only just now had problems, or did you "inherit" it?

By the way, it would be a very good idea to completely backup everything on both firewall and router before you fiddle with the config.

Tip: set logging synchronous on your vty so that when you are typing things in the console terminal, output does not cause visual corruption and garble up what you are typing. This is especially useful if you have debugging going. It'll drive you insane trying to see what the heck you are typing and what is being output otherwise.
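A worked configuration that illustrates the point about extended versus standard entries, added here as an example and not part of Cellus's post or the original thread. The list name acl_out is the one from the post; the addresses, the port 8443 and the interface name are constructed placeholders, and the syntax follows the PIX 7.x access-list form.

```cisco
! Added example (not from the original post): PIX 7.x-style access lists.
! Names, addresses and the port number are constructed placeholders.
!
! Standard entry: matches on address only, no protocol or port keyword.
! This is why a port cannot be expressed here.
access-list acl_std standard permit 203.0.113.0 255.255.255.0
!
! Extended entry: protocol, source, destination and destination port are all
! given explicitly. The "extended" keyword is what makes the port field valid.
access-list acl_out extended permit tcp any host 192.0.2.10 eq 8443
!
! Explicit catch-all deny with logging, so anything not permitted above is
! visible in the logs rather than silently dropped by the implicit deny.
access-list acl_out extended deny ip any any log
!
! Bind the extended list to inbound traffic on the outside interface.
access-group acl_out in interface outside
!
! Check that each line parsed as extended and watch the hit counts change
! while testing from the outside.
show access-list acl_out
```

The show command at the end is the quickest way to confirm that the entry was stored the way you intended: a line that silently became standard will not show the tcp/eq fields. If the PIX is also doing address translation, the inside host additionally needs a static translation for inbound connections to reach it; the access list alone does not create one.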
Last edited by Cellus : 12-13-2007 at 09:54 PM.