PIX - acl breaks implicit outbound rule

PIX - acl breaks implicit outbound rule useofweapons 05-22-2007
Posted by on May 22, 2007, 9:17 am
Hi There,

I'm trying to get successful two way communication over a selected
port range between 2 hosts on different interfaces.

Interface 1 (100) ------------ Interface 2 (90)

host1 (10.0.1.11) ------------ host2 (10.0.5.2)

I've already put in a static route so host1 can get down to host2,
however I need host2 to be able to open a connection back through on
selected ports.

I've been able to get it semi-working by applying the following:

static (Interface1,Interface2) 10.0.5.200 10.0.1.11 netmask 255.255.255.255
access-list Interface2toInterface1 extended permit udp host 10.0.5.2 host 10.0.5.200 eq port-range
access-group Interface2toInterface1 in interface Interface2

However, it replaces the implicit outbound rule for Interface2 and
breaks all other outbound traffic on the interface. My question is,
what can I append to the above access group to put the outbound rule
back in?

Any thoughts or suggestions would be super useful

Thanks!


Posted by Walter Roberson on May 22, 2007, 9:57 am

>I've been able to get it semi-working by applying the following:

>static (Interface1,Interface2) 10.0.5.200 10.0.1.11 netmask 255.255.255.255
>access-list Interface2toInterface1 extended permit udp host 10.0.5.2 host 10.0.5.200 eq port-range
>access-group Interface2toInterface1 in interface Interface2

>However, it replaces the implicit outbound rule for Interface2 and
>breaks all other outbound traffic on the interface. My question is,
>what can I append to the above access group to put the outbound rule
>back in?

Add in a deny to anything else in Interface 1 that might
present a usable IP to Interface 2 (e.g., other statics or
nat 0 access-list), followed by a permit of 10.0.5/24 to any.


>I've already put in a static route so host1 can get down to host2,

You probably don't need that: if you have a regular default route
for hosts on Interface 1 to go out via the PIX, then the default
route will take care of getting the packets to the PIX for
redistribution to host2.
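A small first-match model of the behaviour Walter describes, written as an added example for this thread (it is not code from either poster or from Cisco). The UDP range 5000-5010 and the outside host 203.0.113.10 are constructed values; the ACE order follows his suggestion: specific permit, deny toward what Interface 1 exposes, then permit the Interface 2 subnet to anything.

```python
# Added example: first-match evaluation of an access-group applied inbound on
# Interface2.  Once any ACL is applied, the implicit permit toward
# lower-security interfaces is gone; only the listed ACEs decide, then the
# implicit deny at the end.  Port range and outside host are constructed.
from ipaddress import ip_address, ip_network


def ace(action, proto, src, dst, ports=None):
    """One access-list entry: ports is an inclusive (low, high) range or None."""
    return (action, proto, ip_network(src), ip_network(dst), ports)


# The original poster's single ACE on Interface2.
BROKEN_ACL = [
    ace("permit", "udp", "10.0.5.2/32", "10.0.5.200/32", (5000, 5010)),
]

# Walter's ordering: keep the specific permit, deny anything else aimed at
# addresses Interface1 presents to Interface2 (here only the one static),
# then permit the Interface2 subnet to any destination.
FIXED_ACL = BROKEN_ACL + [
    ace("deny", "ip", "10.0.5.0/24", "10.0.5.200/32"),
    ace("permit", "ip", "10.0.5.0/24", "0.0.0.0/0"),
]


def evaluate(acl, proto, src, dst, dport=None):
    """Return the action of the first matching ACE, or 'deny' if none match."""
    src, dst = ip_address(src), ip_address(dst)
    for action, a_proto, a_src, a_dst, ports in acl:
        if a_proto != "ip" and a_proto != proto:
            continue
        if src not in a_src or dst not in a_dst:
            continue
        if ports and not (dport is not None and ports[0] <= dport <= ports[1]):
            continue
        return action
    return "deny"  # implicit deny at the end of every access-list


if __name__ == "__main__":
    flows = [
        ("udp", "10.0.5.2", "10.0.5.200", 5005),   # host2 -> host1, wanted
        ("udp", "10.0.5.2", "10.0.5.200", 7000),   # host2 -> host1, wrong port
        ("tcp", "10.0.5.2", "203.0.113.10", 443),  # host2 -> outside (the lost implicit rule)
        ("udp", "10.0.5.7", "10.0.5.200", 5005),   # other Interface2 host -> host1
    ]
    for f in flows:
        print(f, "broken:", evaluate(BROKEN_ACL, *f), "fixed:", evaluate(FIXED_ACL, *f))
```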
