04-05-2007 06:28 AM - edited 03-11-2019 02:56 AM
Here is what I'm trying to accomplish. I want to permit outgoing connections to host x.x.x.x over UDP port 8312, and I want to permit incoming connections from host x.x.x.x over UDP port 8323.
Did I implement this correctly?
access-list 8312_out permit udp any host x.x.x.x eq 8312
access-list 8323_in permit udp host x.x.x.x any eq 8323
access-group 8312_out in interface outside
access-group 8323_in in interface outside
Thanks in advance for your help!
04-05-2007 06:48 AM
Hi
1) access-list 8312_out is fine. It allows any host to connect to port 8312 on host x.x.x.x
You need to apply this on the inside interface, i.e.
access-group 8312_out in interface inside
2) access-list 8323_in just needs clarifying. This access-list at present allows host x.x.x.x to talk to any host internally on port 8323.
Is this what you want, or do you want to allow the host x.x.x.x with a source port of 8323 to talk to any host on any port inside your network (hopefully not)?
Anyway you have applied this correctly on the right interface.
*** Every access-list has an implicit deny at the end. You need to be aware of this, especially on your 8312_out access-list. If you apply it as-is on the inside interface, you have effectively stopped all outbound traffic except for traffic to host x.x.x.x on 8312 ***
HTH
Jon
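The two points Jon raises above (an "eq" after the second address is a destination-port match, and an unmatched packet falls through to the implicit deny) can be checked with a small evaluator. The following is an added teaching example, not part of the thread and not a Cisco tool; it only understands the "any" and "host" address forms used in the question, and the addresses 203.0.113.10 (standing in for x.x.x.x), 10.0.0.5 and 198.51.100.1 are constructed placeholders from the documentation ranges.

```python
"""Toy evaluator for PIX-style extended ACL entries (constructed teaching example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Ace:
    action: str              # "permit" or "deny"
    proto: str               # "udp", "tcp" or "ip"
    src: str                 # "any" or a single host address
    src_port: Optional[int]  # port given after the SOURCE address, or None
    dst: str                 # "any" or a single host address
    dst_port: Optional[int]  # port given after the DESTINATION address, or None


def _take_addr(tokens):
    """Consume 'any' or 'host A.B.C.D' (the only forms used in the thread)."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    raise ValueError(f"unsupported address form: {' '.join(tokens)}")


def _take_port(tokens):
    """Consume an optional 'eq N' qualifier."""
    if tokens and tokens[0] == "eq":
        return int(tokens[1]), tokens[2:]
    return None, tokens


def parse_ace(line: str):
    """Parse 'access-list NAME permit udp SRC [eq P] DST [eq P]' into (name, Ace)."""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an ACE: {line}")
    name, action, proto = t[1], t[2], t[3]
    src, rest = _take_addr(t[4:])
    src_port, rest = _take_port(rest)   # 'eq' directly after the source address
    dst, rest = _take_addr(rest)
    dst_port, rest = _take_port(rest)   # 'eq' after the destination address
    if rest:
        raise ValueError(f"trailing tokens: {rest}")
    return name, Ace(action, proto, src, src_port, dst, dst_port)


def parse_acl(config: str):
    """Group ACEs by access-list name, preserving their order."""
    acls = {}
    for line in config.strip().splitlines():
        if line.strip():
            name, ace = parse_ace(line.strip())
            acls.setdefault(name, []).append(ace)
    return acls


def _addr_ok(pattern, ip):
    return pattern == "any" or pattern == ip


def _port_ok(pattern, port):
    return pattern is None or pattern == port


def evaluate(acl, proto, src_ip, src_port, dst_ip, dst_port):
    """First matching ACE wins; no match at all is the implicit deny at the end."""
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if (_addr_ok(ace.src, src_ip) and _port_ok(ace.src_port, src_port)
                and _addr_ok(ace.dst, dst_ip) and _port_ok(ace.dst_port, dst_port)):
            return ace.action
    return "deny"


# Constructed sample: the two lines from the question with x.x.x.x replaced
# by the documentation address 203.0.113.10 (a placeholder, not a real peer).
THREAD_CONFIG = """
access-list 8312_out permit udp any host 203.0.113.10 eq 8312
access-list 8323_in permit udp host 203.0.113.10 any eq 8323
"""
ACLS = parse_acl(THREAD_CONFIG)


def demo():
    inside = "10.0.0.5"        # constructed inside host
    peer = "203.0.113.10"      # constructed stand-in for x.x.x.x
    other = "198.51.100.1"     # some other internet host
    out_acl, in_acl = ACLS["8312_out"], ACLS["8323_in"]
    return {
        # 8323_in: 'eq 8323' follows the destination, so it is a DESTINATION port
        "peer->inside dst 8323": evaluate(in_acl, "udp", peer, 40000, inside, 8323),
        "peer src 8323 -> inside dst 5000": evaluate(in_acl, "udp", peer, 8323, inside, 5000),
        # 8312_out applied inbound on the inside interface: all other outbound
        # traffic falls through to the implicit deny
        "inside->peer dst 8312": evaluate(out_acl, "udp", inside, 40000, peer, 8312),
        "inside->other dst 53": evaluate(out_acl, "udp", inside, 40000, other, 53),
    }


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow:36} {verdict}")
```

The second flow is the one Jon asks about: a packet whose source port is 8323 but whose destination port is anything else is denied, because the trailing "eq 8323" constrains the destination. The last flow shows why an outbound ACL with a single permit is dangerous: inside DNS (or anything else) to any other host is dropped by the implicit deny.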
04-05-2007 06:55 AM
No, this is not correct!
You can just have one ACL on the outside interface. The flow from the inside interface to the outside is allowed by default, so do not configure an ACL there; otherwise you need to define all inside-to-outside traffic rules.
You need also a static NAT or PAT to translate the outside PIX IP to the inside host.
example with PAT:
access-list outside-acl permit udp host x.x.x.x interface outside eq 8323
access-group outside-acl in interface outside
static (inside,outside) udp interface 8323 LOCAL-IP 8323 netmask 255.255.255.255 0 0
clear xlate
wr mem
example with NAT:
access-list outside-acl permit udp host x.x.x.x host YourPubIP eq 8323
access-group outside-acl in interface outside
static (inside,outside) YourPubIP Your-LocalIP netmask 255.255.255.255 0 0
clear xlate
wr mem
sincerely
Patrick
04-05-2007 08:19 AM
Patrick,
Thanks for pointing out I only need one ACL. I understand why. Not sure why I made two, actually.
Why exactly do I need a static NAT / PAT to translate the outside address to the inside?
Thank you,
Jonathan
04-05-2007 12:04 PM
Jonathan
Apologies for not pointing out that you don't actually have to have an access-list on the inside interface. I assumed you were trying to restrict outbound as well as inbound traffic. My mistake.
You need a static translation to present the inside server address as a public IP address on the outside, or connections initiated from the outside will not be able to contact the server.
HTH
Jon