PIX 501 ACL Help

Apr 5th, 2007

Here is what I'm trying to accomplish. I want to permit outgoing connections to host x.x.x.x over UDP port 8312, and I want to permit incoming connections from host x.x.x.x over UDP port 8323.


Did I implement this correctly?


access-list 8312_out permit udp any host x.x.x.x eq 8312


access-list 8323_in permit udp host x.x.x.x any eq 8323


access-group 8312_out in interface outside


access-group 8323_in in interface outside


Thanks in advance for your help!

Jon Marshall Thu, 04/05/2007 - 06:48
Hi


1) access-list 8312_out is fine. It allows any host to connect to port 8312 on host x.x.x.x

You need to apply this on the inside interface, i.e.


access-group 8312_out in interface inside


2) access-list 8323_in just needs clarifying. This access-list at present allows host x.x.x.x to talk to any host internally on port 8323.

Is this what you want, or do you want to allow the host x.x.x.x with a source port of 8323 to talk to any host on any port inside your network (hopefully not)?


Anyway you have applied this correctly on the right interface.


*** Every access-list has an implicit deny at the end. You need to be aware of this, especially on your 8312_out access-list. If you apply it as is on the inside interface you have effectively stopped all outbound traffic except for traffic to host x.x.x.x on 8312 ***


HTH


Jon


Patrick Iseli Thu, 04/05/2007 - 06:55

No, this is not correct!


You can just have one ACL on the outside interface. The flow from the inside interface to the outside is allowed by default so do not configure an ACL otherwise you need to define all inside to outside traffic rules.


You also need a static NAT or PAT to translate the outside PIX IP to the inside host.


example with PAT:


access-list outside-acl permit udp host x.x.x.x interface outside eq 8323

access-group outside-acl in interface outside


static (inside,outside) udp interface 8323 LOCAL-IP 8323 netmask 255.255.255.255 0 0


clear xlate

wr mem



example with NAT:


access-list outside-acl permit udp host x.x.x.x host YourPubIP eq 8323

access-group outside-acl in interface outside


static (inside,outside) YourPubIP Your-LocalIP netmask 255.255.255.255 0 0


clear xlate

wr mem


sincerely

Patrick
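The flows discussed in Jon's and Patrick's replies above, worked through in an added Python model that is not part of the thread and not Cisco code: it parses the thread's access-list and static lines, applies first-match-wins with the implicit deny, treats "eq N" as a source or destination port depending on which address it follows, and requires a static translation before an outside-initiated packet reaches the inside host. The addresses 198.51.100.10, 203.0.113.2 and 10.0.0.5 are constructed stand-ins for x.x.x.x, the outside interface address and LOCAL-IP; the model ignores outbound NAT, xlate state and everything else the PIX does.

```python
# Toy model of the PIX 6.x behaviour discussed in this thread: access-list entry
# matching with the implicit deny, the source/destination port position Jon asked
# about, and the static translation Patrick says inbound connections need.
# Added example, not Cisco code; addresses are constructed RFC 5737 stand-ins.
import ipaddress
from collections import namedtuple

REMOTE = "198.51.100.10"    # stands in for the poster's x.x.x.x
OUTSIDE_IF = "203.0.113.2"  # PIX outside address, what 'interface outside' resolves to
LOCAL_IP = "10.0.0.5"       # Patrick's LOCAL-IP, the inside server

Packet = namedtuple("Packet", "proto src sport dst dport")
# sport/dport hold the 'eq N' that follows the source/destination address; None = any port
Ace = namedtuple("Ace", "action proto src sport dst dport")

def _addr(t):
    """One address spec: 'any', 'host A', 'interface outside' or 'A MASK' (a normal mask)."""
    if t[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), t[1:]
    if t[0] in ("host", "interface"):
        return ipaddress.ip_network((OUTSIDE_IF if t[0] == "interface" else t[1]) + "/32"), t[2:]
    return ipaddress.ip_network(f"{t[0]}/{t[1]}", strict=False), t[2:]

def _port(t):
    """Optional 'eq N' operator; None means any port."""
    return (int(t[1]), t[2:]) if t and t[0] == "eq" else (None, t)

def parse_config(config):
    """Collect access-list entries by name and static translations from a config excerpt."""
    acls, statics = {}, []
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["access-list"]:
            name, action, proto, rest = t[1], t[2], t[3], t[4:]
            src, rest = _addr(rest)
            sport, rest = _port(rest)
            dst, rest = _addr(rest)
            dport, _ = _port(rest)
            acls.setdefault(name, []).append(Ace(action, proto, src, sport, dst, dport))
        elif t[:1] == ["static"] and t[2] in ("tcp", "udp"):
            # static (inside,outside) udp GLOBAL GPORT LOCAL LPORT netmask ...  (port PAT)
            g = OUTSIDE_IF if t[3] == "interface" else t[3]
            statics.append((t[2], g, int(t[4]), t[5], int(t[6])))
        elif t[:1] == ["static"]:
            # static (inside,outside) GLOBAL LOCAL netmask ...  (one-to-one, every port)
            statics.append((None, t[2], None, t[3], None))
    return acls, statics

def evaluate(aces, p):
    """First matching entry wins; a packet matching no entry hits the implicit deny."""
    for i, a in enumerate(aces, 1):
        if (a.proto in ("ip", p.proto) and a.sport in (None, p.sport) and a.dport in (None, p.dport)
                and ipaddress.ip_address(p.src) in a.src and ipaddress.ip_address(p.dst) in a.dst):
            return f"{a.action} (entry {i})"
    return "deny (implicit)"

def inbound(p, aces, statics):
    """Outside -> inside: the ACL matches the public address, then a static must translate it."""
    verdict = evaluate(aces, p)
    if not verdict.startswith("permit"):
        return f"dropped by ACL: {verdict}"
    for proto, g_ip, g_port, l_ip, l_port in statics:
        if proto in (None, p.proto) and g_ip == p.dst and g_port in (None, p.dport):
            return f"forwarded to {l_ip}:{l_port if l_port is not None else p.dport}"
    return "dropped: no static translation for destination"

def outbound(p, inside_acl=None):
    """Inside -> outside is allowed by default (given nat/global); an inside ACL adds its implicit deny."""
    return "permitted (no ACL on inside)" if inside_acl is None else evaluate(inside_acl, p)

# Patrick's PAT variant plus the poster's 8312_out and Jon's source-port reading (constructed).
CONFIG = f"""
access-list outside-acl permit udp host {REMOTE} interface outside eq 8323
static (inside,outside) udp interface 8323 {LOCAL_IP} 8323 netmask 255.255.255.255 0 0
access-list 8312_out permit udp any host {REMOTE} eq 8312
access-list 8323_src permit udp host {REMOTE} eq 8323 any
"""
ACLS, STATICS = parse_config(CONFIG)

def demo_inbound():
    hit = Packet("udp", REMOTE, 40000, OUTSIDE_IF, 8323)
    miss = Packet("udp", REMOTE, 40000, OUTSIDE_IF, 8324)
    return (inbound(hit, ACLS["outside-acl"], STATICS),
            inbound(miss, ACLS["outside-acl"], STATICS),
            inbound(hit, ACLS["outside-acl"], []))  # same ACL, static removed

def demo_port_position():
    src_8323 = Packet("udp", REMOTE, 8323, OUTSIDE_IF, 22)  # source port 8323, destination 22
    return evaluate(ACLS["outside-acl"], src_8323), evaluate(ACLS["8323_src"], src_8323)

def demo_outbound_implicit_deny():
    dns = Packet("udp", LOCAL_IP, 50001, "203.0.113.53", 53)
    return outbound(dns), outbound(dns, ACLS["8312_out"])

if __name__ == "__main__":
    print(demo_inbound(), demo_port_position(), demo_outbound_implicit_deny(), sep="\n")
```

Running it shows the three points the thread makes: the 8323 packet is forwarded only while both the ACL entry and the static exist, removing the static drops it even though the ACL permits it; a packet with source port 8323 is denied by the posted ACL and permitted only by the source-port variant Jon asked about; and binding 8312_out to the inside interface turns the implicit deny against ordinary outbound traffic such as DNS.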


jstreet555 Thu, 04/05/2007 - 08:19

Patrick,

Thanks for pointing out I only need one ACL. I understand why. Not sure why I made two, actually.


Why exactly do I need a static NAT / PAT to translate the outside address to the inside?


Thank you,

Jonathan

Jon Marshall Thu, 04/05/2007 - 12:04

Jonathan


Apologies for not pointing out you don't actually have to have an access-list on the inside interface. I assumed you were trying to restrict outbound as well as inbound traffic. My mistake.


You need a static translation to present the inside server address as a public ip address on the outside or connections initiated from the outside will not be able to contact the server.


HTH


Jon
