Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

PIX ACL blocking traffic?

I have a PIX 515E setup with multiple interfaces. For right now to make things simple lets just look at the outside, inside, and DMZ.

On the inside interface I have a router connecting the inside network directly to another network. The DMZ interface has an ACL that is supposed to allow UDP traffic on specified ports from specified IPs into the inside interface.

access-list DMZ_in extended permit udp (ip) any (port)

So this is supposed to allow any traffic from that IP to any IP on the specified port. Problem is that it works fine except for traffc to at least one IP on the other side of the inside router.

I keep getting large numbers of log messages about traffic being blocked by that rule, but only to one IP on the remote inside network. I know there are two PCs on that network that could be getting this traffic, and am not certain if the other one is just passing through or not.

Would I need to make a specific rule allowing traffic to that network? From what I understand it shouldn't be necessary.

4 REPLIES
New Member

Re: PIX ACL blocking traffic?

In the PIX do you have routes to all the internal networks?

Are you doing NAT into your DMZ and do you have a NAT permit or no nat statement for networks going into that DMZ.

New Member

Re: PIX ACL blocking traffic?

There is a static route to all of the internal networks which are not directly connected. Static PAT is being used on all translations.

No NAT permit of no NAT statements for networks going into the DMZ.

Thanks

New Member

Re: PIX ACL blocking traffic?

If traffic from the DMZ is initiating into the Inside you must have a static NAT rule for the IP's that are on the inside that the DMZ machine must reach.

Re: PIX ACL blocking traffic?

Hi ..

alternatively you can bypass NAT by adding ...

nat (DMZ) 0 NO_NAT

access-list NO_NAT permit ip

You also need to make sure your router behind the PIX has the routes correctly configured. In othere mwords make sure the DMZ hosts are able to reach to the required subnets .. and make sure thiose subnets know the way back to the DMZ hosts too. Because you ahve the router in the middle you need to check the PIX and router's routing table.

I hope it helps .. please rate it if it does !!

122
Views
0
Helpful
4
Replies
CreatePlease to create content