access-list, build connections - order of ops?

Unanswered Question
Nov 30th, 2007

PIX 525

If I have these configured:

___static (inside,outside) 209.129.192.162 10.40.5.62 netmask 255.255.255.255 0 0

___access-group acl_outside in interface outside

___access-list acl_outside line 5 deny udp any host 209.129.192.162 eq 60381 (hitcnt=1238)

why do I have this in the xlate table:

___UDP out 84.43.150.17:9156 in 10.40.5.62:60381 idle 0:46:27 flags -

Are connections built BEFORE access-lists are checked?

I'd kind of like to know if I've prevented that one host from producing as much as 2/3 of our total organization traffic... I would have thought there would be no connection if I'd done things right.

TIA, Linnea

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
JORGE RODRIGUEZ Fri, 11/30/2007 - 19:58

Hi,I believe the problem is your acl and the interface you are applying it under. You want to block outbound traffic on port 60831 from being accessed by host 10.40.5.62 is this correct? your current acl is blocking inbound traffic on that udp port, is this what you want to accomplish?

you access list should be your local host not the public NAT address as nat order of operation from in to out looks for acl, local address , nat, routing etc.. so your acl should look like this if you are denying outbound.

This will block source udp port 60381 on 10.40.5.62 to any host oustide on udp port 60381

access-list inside_access_in deny udp host 10.40.5.62 eq 60381 any eq 60381

access-group inside_access_in in interface inside

HTH

Jorge

Actions

This Discussion