Static bypassing ACL inside?

azore2007 (Level 1)

Hello

Need to double-check packet traversal in a PIX 6.3(5).

I have a webserver on the inside with public IPs.

The acl-inside is limiting access from passing the firewall towards the internet.

Webserver has the static (inside,outside) 1.1.1.1 1.1.1.1 netmask 255.255.255.0

ACL-outside has a permit ip any host 1.1.1.1

Now, to my problem.

I thought you needed to add access for the webserver (1.1.1.1) to respond back?

So acl-inside needs the ACL rule "permit ip host 1.1.1.1 any"?

NOTE: I have a "deny ip any any" at the bottom of my ACL-inside.

Need some clarification, thanks :)

Accepted Solution

acomiskey (Level 10)

You do not have to allow the return traffic from the webserver in the inside acl. This is the whole point of a stateful firewall. You do however need to allow any traffic that will be initiated from the webserver through the inside interface.

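To make the accepted answer concrete, here is a constructed PIX 6.3-style configuration added to this thread (it is not the poster's configuration or an official Cisco example); the ACL names and the web server address come from the question, while the DNS and NTP server addresses are assumed placeholders from the 192.0.2.0/24 documentation range.

```text
! Host static for the web server (a /32 mask so only 1.1.1.1 is translated).
static (inside,outside) 1.1.1.1 1.1.1.1 netmask 255.255.255.255

! Inbound: what the Internet may initiate toward the web server.
! Narrower than "permit ip any host 1.1.1.1": only the services it actually offers.
access-list acl-outside remark Internet -> web server, HTTP/HTTPS only
access-list acl-outside permit tcp any host 1.1.1.1 eq www
access-list acl-outside permit tcp any host 1.1.1.1 eq https
access-group acl-outside in interface outside

! Inside: only connections the web server itself initiates need entries.
! Replies to the inbound HTTP sessions are matched against the connection
! table and never consult acl-inside, so "permit ip host 1.1.1.1 any" is
! not required and would needlessly let the server open anything outbound.
access-list acl-inside remark web server -> assumed DNS/NTP servers (placeholders)
access-list acl-inside permit udp host 1.1.1.1 host 192.0.2.53 eq domain
access-list acl-inside permit udp host 1.1.1.1 host 192.0.2.123 eq ntp
access-list acl-inside remark explicit catch-all so nothing else leaves
access-list acl-inside deny ip any any
access-group acl-inside in interface inside
```

While a client on the Internet has an HTTP session open, "show conn" lists that TCP connection; its return packets are forwarded on that entry, which is why no inside ACL line is needed for them.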

2 Replies


Thank you Adam

Must be getting Alzheimer's already :)
