Cisco Support Community

New Member

Static bypassing ACL inside?

Hello

Need to double-check packet traversal in a pix 6.3(5)

I have a webserver on the inside with public IPs.

The acl-inside limits traffic passing through the firewall towards the internet.

Webserver has the static (inside,outside) 1.1.1.1 1.1.1.1 netmask 255.255.255.0

ACL-outside has a permit ip any host 1.1.1.1

Now, to my problem.

I thought you needed to add access for the webserver (1.1.1.1) to respond back?

So acl-inside needs the acl rule "permit ip host 1.1.1.1 any"

NOTE, I have a "deny ip any any" at the bottom of my ACL-inside.

Need some clarification, thanks :)

1 ACCEPTED SOLUTION

Accepted Solutions
Green

Re: Static bypassing ACL inside?

You do not have to allow the return traffic from the webserver in the inside acl. This is the whole point of a stateful firewall. You do however need to allow any traffic that will be initiated from the webserver through the inside interface.
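To make the accepted answer concrete, here is a small added model of how a stateful firewall evaluates the three flows from this thread. It is example code written for this page, not code from the original poster, the answerer or Cisco. It assumes the thread's setup: the static translation is an identity mapping (1.1.1.1 to 1.1.1.1, so addresses are not rewritten), the outside ACL is `permit ip any host 1.1.1.1`, and the inside ACL ends in `deny ip any any`. Client addresses 203.0.113.10 and 198.51.100.5 are constructed sample values, the connection table is a simplified 5-tuple set, and new TCP connections are only accepted on a SYN; real PIX inspection tracks considerably more state.

```python
"""Toy model of stateful ACL evaluation on a PIX-style firewall (added example).

Models the thread's scenario: webserver 1.1.1.1 behind an identity static,
outside ACL permitting any -> 1.1.1.1, inside ACL 'deny ip any any'.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # first packet of a new TCP connection


@dataclass(frozen=True)
class Rule:
    action: str  # "permit" or "deny"
    proto: str   # only "ip" is modelled
    src: str     # "any" or a host address
    dst: str


def parse_rule(text: str) -> Rule:
    """Parse the access-list syntax used in the thread, e.g.
    'permit ip any host 1.1.1.1' or 'deny ip any any'."""
    tokens = text.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    specs: List[str] = []
    while rest:
        if rest[0] == "any":
            specs.append("any")
            rest = rest[1:]
        elif rest[0] == "host" and len(rest) > 1:
            specs.append(rest[1])
            rest = rest[2:]
        else:
            raise ValueError("unsupported address spec: %r" % rest[0])
    if action not in ("permit", "deny") or len(specs) != 2:
        raise ValueError("bad rule: %r" % text)
    return Rule(action, proto, specs[0], specs[1])


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or spec == addr


def acl_permits(acl: List[Rule], pkt: Packet) -> bool:
    """First matching rule wins; an unmatched packet hits the implicit deny."""
    for rule in acl:
        if _addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst):
            return rule.action == "permit"
    return False


class StatefulFirewall:
    def __init__(self, acl_outside: List[Rule], acl_inside: List[Rule]):
        self.acl = {"outside": acl_outside, "inside": acl_inside}
        # Established connections, keyed by the initiating packet's 5-tuple.
        self.conns: Set[Tuple[str, str, int, str, int]] = set()

    def process(self, ingress: str, pkt: Packet) -> Tuple[bool, str]:
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Return traffic of a tracked connection bypasses the interface ACL.
        if fwd in self.conns or rev in self.conns:
            return True, "existing connection"
        # Simplification: only a SYN may open a new TCP connection.
        if pkt.proto == "tcp" and not pkt.syn:
            return False, "no connection for non-SYN tcp packet"
        # New connections are subject to the ACL on the ingress interface.
        if not acl_permits(self.acl[ingress], pkt):
            return False, "denied by %s ACL" % ingress
        self.conns.add(fwd)
        return True, "new connection permitted by %s ACL" % ingress


def run_thread_scenario(inside_acl: List[str]) -> Dict[str, Tuple[bool, str]]:
    """Replay the three flows discussed in the thread against a given inside ACL."""
    fw = StatefulFirewall(
        acl_outside=[parse_rule("permit ip any host 1.1.1.1")],
        acl_inside=[parse_rule(r) for r in inside_acl],
    )
    client_syn = Packet("tcp", "203.0.113.10", 40000, "1.1.1.1", 80, syn=True)
    server_reply = Packet("tcp", "1.1.1.1", 80, "203.0.113.10", 40000)
    server_initiated = Packet("tcp", "1.1.1.1", 51000, "198.51.100.5", 80, syn=True)
    return {
        "inbound_request": fw.process("outside", client_syn),
        "server_reply": fw.process("inside", server_reply),
        "server_initiated": fw.process("inside", server_initiated),
    }


if __name__ == "__main__":
    for name, result in run_thread_scenario(["deny ip any any"]).items():
        print(name, result)
```

With only `deny ip any any` on the inside, the webserver's reply to an inbound request is still permitted because it matches the connection created by the outside ACL, which is the answer's point; a connection the webserver starts itself is denied until `permit ip host 1.1.1.1 any` is placed above the deny.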

2 REPLIES

New Member

Re: Static bypassing ACL inside?

Thank you Adam

Must be getting Alzheimer's already :)
