Re: PIX - acl breaks implicit outbound rule

[James <jimbob.coffey () gmail com>]

On 5/22/07, Richard Shaw <richard () aggress net> wrote:
> Hi There,
>
> I'm trying to get successful two way communication over a selected port
> range between 2 hosts on different interfaces.
>
> Interface 1 (100) ------------ Interface 2 (90)
>
>  host1 (10.0.1.11) ------------  host2 (10.0.5.2)
>
> I've already put in a static route so host1 can get down to host2, however I
> need host2 to be able to open a connection back through on  selected ports.

If they are "directly connected" subnets you won't need a static route.

> I've been able to get it semi-working by applying the following:
>
> static (Interface1,Interface2) 10.0.5.200 10.0.1.11 netmask 255.255.255.255

Depending on version of pix code >= 7.0 you can remove the need to nat
everything/anything by typing no nat-control. (about time cisco)

> access-list Interface2toInterface1 extended permit udp host 10.0.5.2 host
> 10.0.5.200 eq port-range
> access-group Interface2toInterface1 in interface Interface2
>
> However, it replaces the implicit outbound rule for Interface2 and breaks
> all other outbound traffic on the interface.  My question is, what can I
> append to the above access group to put the outbound rule back in?

Because int2 < int1 (security level) you need an acl to permit any access.
I don't think there is an implicit rule from low sec to hi sec.

-- 
jac
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards