access-list, build connections - order of ops?

Unanswered Question
Nov 30th, 2007

PIX 525

If I have these configured:

static (inside,outside) netmask 0 0

access-group acl_outside in interface outside

access-list acl_outside line 5 deny udp any host eq 60381 (hitcnt=1238)

why do I have this in the xlate table:

UDP out in idle 0:46:27 flags -

Are connections built BEFORE access-lists are checked?

I'd kind of like to know if I've prevented that one host from producing as much as 2/3 of our total organization traffic... I would have thought there would be no connection if I'd done things right.

TIA, Linnea

JORGE RODRIGUEZ Fri, 11/30/2007 - 19:58

Hi, I believe the problem is your ACL and the interface you are applying it under. You want to block outbound traffic on port 60381 from that host, is this correct? Your current ACL is blocking inbound traffic on that UDP port; is this what you want to accomplish?

Your access list should use your local host, not the public NAT address, as the NAT order of operations from in to out looks for ACL, local address, NAT, routing, etc. So your ACL should look like this if you are denying outbound.

This will block source UDP port 60381 to any host outside on UDP port 60381:

access-list inside_access_in deny udp host eq 60381 any eq 60381

access-group inside_access_in in interface inside
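
As an added worked example (not part of either post above), here is how the inside-interface deny Jorge describes would sit alongside the original outside-interface deny, with the checks to confirm the translation is gone. The addresses are hypothetical placeholders from the RFC 5737 documentation ranges, not the poster's real or NAT addresses, and the `access-list`, `show` and `clear` syntax is the PIX 7.x style matching the `line 5 ... (hitcnt=...)` output in the question. Two caveats a practitioner will want: a PIX access list ends in an implicit deny, so applying a one-line deny list to the inside interface blocks every other outbound flow unless an explicit permit follows (the `permit ip any any` below is an assumption about the rest of the policy, not something the posts state); and changing an ACL does not tear down an xlate or connection that already exists, so the entry with the long idle timer has to be cleared or allowed to idle out before the new deny can be judged.

```text
! Added example, not from the original posts. Placeholder addresses:
!   real (inside) address of the chatty host .... 192.0.2.10
!   its public NAT address from the static ...... 198.51.100.10

static (inside,outside) 198.51.100.10 192.0.2.10 netmask 255.255.255.255 0 0

! Outbound (inside -> outside) traffic is matched against the ACL on the
! INSIDE interface, using the real pre-NAT address, before any xlate or
! connection is built. A deny here means no xlate ever appears.
access-list inside_access_in deny udp host 192.0.2.10 eq 60381 any eq 60381
access-list inside_access_in permit ip any any
access-group inside_access_in in interface inside

! The original deny on the OUTSIDE interface only governs packets arriving
! on the outside interface (hence the hitcnt). It does not stop the inside
! host from initiating the outbound flow, so an xlate/conn can still exist.
access-list acl_outside line 5 deny udp any host 198.51.100.10 eq 60381
access-group acl_outside in interface outside

! After applying the inside ACL: clear the existing translation (this also
! tears down its connections), then confirm nothing comes back and that the
! new deny line is the one accumulating hits.
clear xlate local 192.0.2.10
show xlate local 192.0.2.10
show conn
show access-list inside_access_in
```

If `show xlate local 192.0.2.10` stays empty after the clear while the hit count on the `inside_access_in` deny line climbs, the host's traffic is being dropped at the inside interface before translation, which is the behaviour the original question expected from the outside ACL.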



