Static bypassing ACL inside?

Answered Question
Aug 27th, 2008

Hello

Need to double-check packet traversal in a PIX 6.3(5).

I have a webserver on the inside with public IPs.

The acl-inside limits access passing through the firewall towards the internet.

Webserver has the static (inside,outside) 1.1.1.1 1.1.1.1 netmask 255.255.255.0

ACL-outside has a permit ip any host 1.1.1.1

Now, to my problem.

I thought you needed to add access for the webserver (1.1.1.1) to respond back?

So does the acl-inside need the ACL rule "permit ip host 1.1.1.1 any"?

NOTE, I have a "deny ip any any" at the bottom of my ACL-inside.

Need some clarification, thanks :)

Correct Answer by acomiskey about 8 years 3 months ago

You do not have to allow the return traffic from the webserver in the inside acl. This is the whole point of a stateful firewall. You do however need to allow any traffic that will be initiated from the webserver through the inside interface.

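The behaviour acomiskey describes (return traffic matched by the connection table and never evaluated against the inside ACL, while traffic the webserver itself initiates is subject to the inside ACL) is easy to see in a small model of stateful inspection. The following is an added illustration written for this page, not Cisco code and not a reproduction of PIX internals: the ACL entries, the client and destination addresses (203.0.113.5 and 198.51.100.9, from the documentation ranges) and the port numbers are constructed, and NAT is ignored because the static in the question is an identity translation (1.1.1.1 to 1.1.1.1).

```python
"""Toy model of stateful packet handling on a firewall such as PIX 6.3.

Constructed example (not Cisco code): the interface ACL is consulted only
for the first packet of a connection; packets that belong to an existing
connection are matched against the connection table and bypass the ACL.
NAT is omitted because the question's static is an identity translation.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp", "udp" or "icmp"
    sport: int
    dport: int
    ingress: str     # interface the packet arrives on: "inside" or "outside"


def _in(addr: str, spec: str) -> bool:
    """True if addr is covered by spec ("any" or a CIDR)."""
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


@dataclass
class AclEntry:
    action: str      # "permit" or "deny"
    proto: str       # "ip" matches any protocol, like the PIX keyword
    src: str         # "any" or CIDR, e.g. "1.1.1.1/32" for "host 1.1.1.1"
    dst: str
    dport: Optional[int] = None   # None = any destination port ("eq" omitted)

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return _in(pkt.src, self.src) and _in(pkt.dst, self.dst)


ConnKey = Tuple[str, str, str, int, int]


class StatefulFirewall:
    def __init__(self, acls: Dict[str, List[AclEntry]]):
        self.acls = acls                 # interface name -> ordered ACL
        self.conns: Set[ConnKey] = set()  # connection table (5-tuples)

    @staticmethod
    def _key(p: Packet) -> ConnKey:
        return (p.proto, p.src, p.dst, p.sport, p.dport)

    @staticmethod
    def _reverse(p: Packet) -> ConnKey:
        return (p.proto, p.dst, p.src, p.dport, p.sport)

    def process(self, pkt: Packet) -> str:
        # 1. Connection table first: a reply matches the reverse of the
        #    original 5-tuple and is forwarded without consulting any ACL.
        if self._key(pkt) in self.conns or self._reverse(pkt) in self.conns:
            return "permit (existing connection)"
        # 2. New connection: walk the ingress interface ACL in order,
        #    first match wins; a permit creates the connection entry.
        for entry in self.acls.get(pkt.ingress, []):
            if entry.matches(pkt):
                if entry.action == "permit":
                    self.conns.add(self._key(pkt))
                    return "permit (acl, connection created)"
                return "deny (acl)"
        return "deny (implicit)"


def run_scenario() -> Dict[str, str]:
    """Replay the situation from the question and return each verdict."""
    fw = StatefulFirewall({
        # access-list ACL-outside permit ip any host 1.1.1.1
        "outside": [AclEntry("permit", "ip", "any", "1.1.1.1/32"),
                    AclEntry("deny", "ip", "any", "any")],
        # ACL-inside with only the poster's trailing "deny ip any any"
        "inside": [AclEntry("deny", "ip", "any", "any")],
    })
    results = {}
    # Constructed client 203.0.113.5 opens a connection to the webserver.
    results["client_syn"] = fw.process(
        Packet("203.0.113.5", "1.1.1.1", "tcp", 54321, 80, "outside"))
    # The webserver's reply arrives on the inside interface: matched by
    # the connection table, so the inside ACL's deny is never reached.
    results["server_reply"] = fw.process(
        Packet("1.1.1.1", "203.0.113.5", "tcp", 80, 54321, "inside"))
    # A connection the webserver initiates itself (constructed destination
    # 198.51.100.9:443) is a new flow and is evaluated by the inside ACL.
    results["server_initiated"] = fw.process(
        Packet("1.1.1.1", "198.51.100.9", "tcp", 40000, 443, "inside"))
    # Adding a specific permit above the deny is what is needed for that.
    fw.acls["inside"].insert(
        0, AclEntry("permit", "tcp", "1.1.1.1/32", "any", 443))
    results["server_initiated_after_permit"] = fw.process(
        Packet("1.1.1.1", "198.51.100.9", "tcp", 40001, 443, "inside"))
    return results


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:32s} {verdict}")
```

The order of the two checks in `process` is the whole point: the reply from 1.1.1.1 is accepted because a connection entry exists, not because any inside ACL line permits it, so the "deny ip any any" on acl-inside does not break the web service. Only the flow the webserver opens on its own falls through to that deny until a narrower permit is added above it.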