Firewall Wizards mailing list archives
Re: PIX - acl breaks implicit outbound rule
From: James <jimbob.coffey () gmail com>
Date: Fri, 25 May 2007 21:02:20 +1000
On 5/22/07, Richard Shaw <richard () aggress net> wrote:
Hi There,

I'm trying to get successful two way communication over a selected port range between 2 hosts on different interfaces.

Interface 1 (100) ------------ Interface 2 (90)
host1 (10.0.1.11) ------------ host2 (10.0.5.2)

I've already put in a static route so host1 can get down to host2, however I need host2 to be able to open a connection back through on selected ports.
If they are "directly connected" subnets you won't need a static route.
I've been able to get it semi-working by applying the following:

static (Interface1,Interface2) 10.0.5.200 10.0.1.11 netmask 255.255.255.255
Depending on the version of PIX code (>= 7.0) you can remove the need to NAT everything/anything by typing no nat-control. (about time Cisco)
access-list Interface2toInterface1 extended permit udp host 10.0.5.2 host 10.0.5.200 eq port-range
access-group Interface2toInterface1 in interface Interface2

However, it replaces the implicit outbound rule for Interface2 and breaks all other outbound traffic on the interface. My question is, what can I append to the above access group to put the outbound rule back in?
Because int2 < int1 (security level) you need an ACL to permit any access. I don't think there is an implicit rule from low sec to hi sec.

-- jac
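As an added illustration (not configuration from either poster), the ACL below shows why the original access-group broke Interface2's other traffic and how an explicit permit restores it. It assumes Interface1's subnet is 10.0.1.0/24, that the "outbound" traffic Richard wants back is Interface2 traffic towards lower-security interfaces, and that "port-range" stands for a real range (5000-5010 here as a placeholder).

```cisco
! Added example, not from the thread.
! Applying any ACL inbound on Interface2 replaces its implicit permit to
! lower-security interfaces, so an ACL with only this entry passes one flow:
access-list Interface2toInterface1 extended permit udp host 10.0.5.2 host 10.0.5.200 range 5000 5010
!
! Corrected ACL: the specific permit towards the static-mapped address of
! host1 comes first, then a deny stops the broad permit below from opening
! the rest of the higher-security Interface1 subnet (relevant once
! "no nat-control" is set), then the remaining outbound traffic is permitted
! explicitly, which is what the implicit rule used to do.
access-list Interface2toInterface1 extended permit udp host 10.0.5.2 host 10.0.5.200 range 5000 5010
access-list Interface2toInterface1 extended deny ip any 10.0.1.0 255.255.255.0
access-list Interface2toInterface1 extended permit ip 10.0.5.0 255.255.255.0 any
access-group Interface2toInterface1 in interface Interface2
```

Check the result with show access-list Interface2toInterface1: the hit counts on the deny line reveal hosts on Interface2 probing the Interface1 subnet, and a zero count on the final permit means outbound traffic is still being dropped somewhere else (NAT, for example).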