Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

access-list, build connections - order of ops?

PIX 525

If I have these configured:

___static (inside,outside) 209.129.192.162 10.40.5.62 netmask 255.255.255.255 0 0

___access-group acl_outside in interface outside

___access-list acl_outside line 5 deny udp any host 209.129.192.162 eq 60381 (hitcnt=1238)

why do I have this in the xlate table:

___UDP out 84.43.150.17:9156 in 10.40.5.62:60381 idle 0:46:27 flags -

Are connections built BEFORE access-lists are checked?

I'd kind of like to know if I've prevented that one host from producing as much as 2/3 of our total organization traffic... I would have thought there would be no connection if I'd done things right.

TIA, Linnea

1 REPLY

Re: access-list, build connections - order of ops?

Hi,I believe the problem is your acl and the interface you are applying it under. You want to block outbound traffic on port 60831 from being accessed by host 10.40.5.62 is this correct? your current acl is blocking inbound traffic on that udp port, is this what you want to accomplish?

you access list should be your local host not the public NAT address as nat order of operation from in to out looks for acl, local address , nat, routing etc.. so your acl should look like this if you are denying outbound.

This will block source udp port 60381 on 10.40.5.62 to any host oustide on udp port 60381

access-list inside_access_in deny udp host 10.40.5.62 eq 60381 any eq 60381

access-group inside_access_in in interface inside

HTH

Jorge

96
Views
0
Helpful
1
Replies