access-list, build connections - order of ops?

Unanswered Question
Nov 30th, 2007
User Badges:

PIX 525


If I have these configured:

___static (inside,outside) 209.129.192.162 10.40.5.62 netmask 255.255.255.255 0 0


___access-group acl_outside in interface outside


___access-list acl_outside line 5 deny udp any host 209.129.192.162 eq 60381 (hitcnt=1238)


why do I have this in the xlate table:

___UDP out 84.43.150.17:9156 in 10.40.5.62:60381 idle 0:46:27 flags -


Are connections built BEFORE access-lists are checked?


I'd kind of like to know if I've prevented that one host from producing as much as 2/3 of our total organization traffic... I would have thought there would be no connection if I'd done things right.


TIA, Linnea


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
JORGE RODRIGUEZ Fri, 11/30/2007 - 19:58
User Badges:
  • Green, 3000 points or more

Hi,I believe the problem is your acl and the interface you are applying it under. You want to block outbound traffic on port 60831 from being accessed by host 10.40.5.62 is this correct? your current acl is blocking inbound traffic on that udp port, is this what you want to accomplish?


you access list should be your local host not the public NAT address as nat order of operation from in to out looks for acl, local address , nat, routing etc.. so your acl should look like this if you are denying outbound.


This will block source udp port 60381 on 10.40.5.62 to any host oustide on udp port 60381


access-list inside_access_in deny udp host 10.40.5.62 eq 60381 any eq 60381

access-group inside_access_in in interface inside



HTH

Jorge


Actions

This Discussion