Re: PIX 501 ACL Help

jstreet555 · ‎04-05-2007

Here is what I'm trying to accomplish. I want to permit outgoing connections to host x.x.x.x over UDP port 8312, and I want to permit incoming connections from host x.x.x.x over UDP port 8323.

Did I implement this correctly?

access-list 8312_out permit udp any host x.x.x.x eq 8312

access-list 8323_in permit udp host x.x.x.x any eq 8323

access-group 8312_out in interface outside

access-group 8323_in in interface outside

Thanks in advance for your help!

Jon Marshall · ‎04-05-2007

Hi

1) access-list 8312_out is fine. It allows any host to connect to port 8312 on host x.x.x.x

You need to apply this on the inside interface ie.

access-group 8312_out in interface inside

2) access-list 8323_in just needs clarifying. This access-list at present allows host x.x.x.x to talk to any host internally on port 8323.

Is this what you want or do you want to allow the host x.x.x.x with a source port of 8323 to talk to any host on any port inside your network ( hopefully not)

Anyway you have applied this correctly on the right interface.

*** Every access-list has an implicit deny at the end. You need to be aware of this especially on your 8312_out access-list. if you apply as is on the inside interface you have effectivley stopped all outbound traffic except for traffic to host x.x.x.x on 8312 ***

HTH

Jon

Patrick Iseli · ‎04-05-2007

No, this is not correct !

You can just have one ACL on the outside interface. The flow from the inside interface to the outside is allowed by default so do not configure an ACL otherwise you need to define all inside to outside traffic rules.

You need also a static NAT or PAT to translate the outside PIX IP to the inside host.

example with PAT:

access-list outside-acl permit udp host x.x.x.x interface outside eq 8323

access-group outside-acl in interface outside

static (inside,outside) udp interface 8323 LOCAL-IP 8323 netmask 255.255.255.255 0 0

clear xlate

wr mem

eample with NAT:

access-list outside-acl permit udp host x.x.x.x host YourPubIP eq 8323

access-group outside-acl in interface outside

static (inside,outside) YourPubIP Your-LocalIP netmask 255.255.255.255 0 0

clear xlate

wr mem

sincerely

Patrick

jstreet555 · ‎04-05-2007

Patrick,

Thanks for pointing out I only need one ACL. I understand why. Not sure why I made two, actually.

Why exactly do I need a static NAT / PAT to translate the outside address to the inside?

Thank you,

Jonathan

Jon Marshall · ‎04-05-2007

Jonathan

Apologies for not pointing out you don't actually have to have an access-list on the inside interface. I assumed you were trying to restrict outbound as well as inbound traffic. My mistake.

You need a static translation to present the inside server address as a public ip address on the outside or connections initiated from the outside will not be able to contact the server.

HTH

Jon