Re: [fw-wiz] PIX - acl breaks implicit outbound rule

From: James <jimbob.coffey@xxxxxxxxx>
Date: Fri, 25 May 2007 21:02:20 +1000

On 5/22/07, Richard Shaw <richard@xxxxxxxxxxx> wrote:

Hi There,

I'm trying to get successful two way communication over a selected port
range between 2 hosts on different interfaces.

Interface 1 (100) ------------ Interface 2 (90)

host1 (10.0.1.11) ------------ host2 (10.0.5.2)

I've already put in a static route so host1 can get down to host2, however I
need host2 to be able to open a connection back through on selected ports.

If they are "directly connected" subnets you won't need a static route.

I've been able to get it semi-working by applying the following:

static (Interface1,Interface2) 10.0.5.200 10.0.1.11 netmask 255.255.255.255

Depending on version of pix code >= 7.0 you can remove the need to nat
everything/anything by typing no nat-control. (about time cisco)

access-list Interface2toInterface1 extended permit udp host 10.0.5.2 host
10.0.5.200 eq port-range
access-group Interface2toInterface1 in interface Interface2

However, it replaces the implicit outbound rule for Interface2 and breaks
all other outbound traffic on the interface. My question is, what can I
append to the above access group to put the outbound rule back in?

Because int2 < int1 (security level) you need an acl to permit any access.
I don't think there is an implicit rule from low sec to hi sec.

--
jac
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

References:
- [fw-wiz] PIX - acl breaks implicit outbound rule
  - From: Richard Shaw

Prev by Date: Re: [fw-wiz] Securing Wireless with ASA-5510
Next by Date: Re: [fw-wiz] Best way to block incoming connections from open httpproxy servers?
Previous by thread: Re: [fw-wiz] PIX - acl breaks implicit outbound rule
Next by thread: [fw-wiz] Netscreen to Cisco IOS tunneling
Index(es):
- Date
- Thread

Relevant Pages

Re: static routing
... You can't do it manually because the interface doesn't exist until the ... static route for the subnet of the remote site and select the demand dial ... When you make a connction to the server you use the name of the ... The packet goes to the default router ...
(microsoft.public.windows.server.networking)
Re: static routing
... I wasn't talking about the remote branch router. ... connecting to a demand-dial interface, ... server can route to the corporate LAN but machines behind it cannot. ... A static route has been added that matches the subnet of the ...
(microsoft.public.windows.server.networking)
Re: Help with PBR
... Static route statements alone will not accomplish this. ... route the traffic from the remote site to the main site correctly. ... set interface (interface) ...
(comp.dcom.sys.cisco)
Re: How to bind a route to a network adapter and not IP
... if I create a static route pointing to a next hop on one interface, ... the static route is removed from the routing table. ... the static route is reinstalled in the routing table. ... With FreeBSD point 1 above happens, ...
(freebsd-stable)
Re: Return route not added on demand dial router
... demand-dial interface. ... > be in the gateway associated with that static route. ... >> link them to the demand dial interfaces at both ends. ...
(microsoft.public.win2000.ras_routing)