Static bypassing ACL inside?

Answered Question
Aug 27th, 2008

Hello


Need to double-check packet traversal in a PIX 6.3(5).


I have a webserver on the inside with public IPs.


The acl-inside limits what is allowed to pass the firewall towards the Internet.


The webserver has the static: static (inside,outside) 1.1.1.1 1.1.1.1 netmask 255.255.255.0


ACL-outside has a "permit ip any host 1.1.1.1".


Now, to my problem.


I thought you needed to add access for the webserver (1.1.1.1) to respond back?


So acl-inside needs the ACL rule "permit ip host 1.1.1.1 any"?


NOTE: I have a "deny ip any any" at the bottom of my ACL-inside.


Need some clarification, thanks :)

Correct Answer
acomiskey Wed, 08/27/2008 - 08:08
User Badges:
  • Green, 3000 points or more

You do not have to allow the return traffic from the webserver in the inside ACL. This is the whole point of a stateful firewall. You do, however, need to allow any traffic that will be initiated from the webserver through the inside interface.
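
As an added illustration (not part of the thread, not the poster's or Adam's config), here is a PIX 6.3 configuration that follows the rule in the answer above: the outside ACL opens the inbound service, the conn table carries the server's replies back out without consulting the inside ACL, and only connections the server itself opens (DNS and NTP are assumed here as examples) need inside entries above the final deny. The host mask on the static and the narrowed outside ports are assumptions; the thread itself uses "netmask 255.255.255.0" and "permit ip any host 1.1.1.1".

```cisco
! Added example, PIX 6.3 syntax. Not the original poster's configuration.
! Assumes 1.1.1.1 is a single host, so the static uses a host mask.
static (inside,outside) 1.1.1.1 1.1.1.1 netmask 255.255.255.255

! Outside ACL: what the Internet is allowed to open towards the server.
! Narrowed to the web ports as an assumption; the thread uses "permit ip any host 1.1.1.1".
access-list outside permit tcp any host 1.1.1.1 eq www
access-list outside permit tcp any host 1.1.1.1 eq https
access-group outside in interface outside

! Inside ACL: only traffic the server initiates needs to be listed here.
! The SYN-ACK and data going back to an Internet client match the existing
! connection in the conn table and never hit this ACL, so no
! "permit ip host 1.1.1.1 any" is required for them.
! The two permits below are assumed server-initiated traffic (DNS, NTP).
access-list inside permit udp host 1.1.1.1 any eq domain
access-list inside permit udp host 1.1.1.1 any eq ntp
access-list inside deny ip any any
access-group inside in interface inside
```

To check the behaviour rather than trust it: open a connection from an outside client to 1.1.1.1:80, then "show conn" shows the TCP connection and "show xlate" the static translation; "show access-list" shows hit counts climbing on the outside entry while the inside "deny ip any any" stays untouched by the server's replies. If the server then tries something not listed in acl-inside (for example an outbound HTTP fetch), that is the traffic that lands on the inside deny and needs its own permit.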

azore2007 Wed, 08/27/2008 - 10:26

Thank you Adam


Must be getting Alzheimer's already :)
