Simple PIX question

abruso
Level 1

I'm a PIX newbie, but I am trying to block 2 people from surfing the web.

These are the commands I tried:

access-list 105 deny tcp host <ip> any eq www

access-list 105 deny tcp host <ip> any eq www

access-group 105 in interface inside

After doing so, no one could surf the net. What stupid mistake am I making? Thanks.

8 Replies

bmuha
Level 1

sorry for the dup

bmuha
Level 1

try something like this

outbound 1 deny 10.xxx.xxx.xxx 255.255.255.255 80 tcp

apply (if-name) 1 outgoing_src

--Brian

bjandersson
Level 1

No one can surf the net because there is an implicit entry at the end of your access-list which denies all traffic ("deny ip any any"); this is standard behaviour for all access-lists.

After denying traffic for certain hosts, add an entry which allows traffic for the rest of the hosts.

access-list 105 deny tcp host <ip> any eq www

access-list 105 deny tcp host <ip> any eq www

access-list 105 permit ip any any

access-group 105 in interface inside

-- Bjorn

Well the outbound commands didn't work, but the access-list 105 permit statement did the trick. I knew I had to do that on routers, but for some reason I thought the PIX didn't need the permit statement at the end.

Thanks for your help.

Abruso,

Normally, you would not have to have a permit statement when inside users are initiating sessions to the outside, that is, if your security levels are configured correctly (by default they are correct).

I have seen some strange behaviour on version 6.2.2 and higher, where the PIX does seem to need the permit statement. But I think this is an error. As you can read on CCO about the ASA, it normally should let them through when travelling from inside to outside, because if it sees no matching rule it would apply the implicit rule. The implicit rule is not always deny any any (as another guy stated in one of the replies), but it depends on the security levels. If travelling from high to low security, the implicit rule should be permit any any (if no other rule matches).

Hope this helps in understanding.

Leo

That's what I thought. The security levels are set up correctly on the interfaces. Inside is 100 and Outside is 0. I'm not really sure why the permit statement was needed. Oh well, as long as it works :).

Thanks.

Hi,

Just to clarify the concept on this -

ASA allows traffic from inside to outside by default. But when you apply an ACL on the inside interface, the behaviour is just like a router ACL, that is, there is an explicit deny at the end of the ACL. That's the reason the permit is doing the job for you. There are no issues with 6.2.2 and above with ACLs.

I hope this helps! Regards,

Mynul

Hi,

I hate to admit it, but I have to agree with Mynul. If an ACL is applied, it does indeed add an implicit "deny any any".

Sorry for providing you with incorrect information.

Only if no ACL is applied does the default behaviour depend on the security levels, and then all traffic from inside to outside would be permitted.

Kind regards,

Leo
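Worked example, added by the editor and not part of the thread: a small first-match evaluator that models the two rules the replies settle on, so you can see exactly why the original two-line ACL blocked everyone and why Bjorn's `permit ip any any` fixes it. Rule 1: if an `access-group` binds an ACL to the ingress interface, entries are checked top-down, first match wins, and an unwritten `deny ip any any` sits at the end. Rule 2: if no ACL is bound, the interface security levels decide, and traffic may go from a higher level to a lower one only (inside 100 to outside 0). The host addresses, the outside address, the port-name table and the interface names are constructed for the demo; the poster's real addresses are not on the page. NAT, xlates and the older `outbound`/`apply` lists are not modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed subset of the port keywords the PIX accepts after "eq".
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "domain": 53, "smtp": 25}


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches every protocol
    src: str               # "any", "host a.b.c.d" or a CIDR string
    dst: str
    dport: Optional[int]   # None = any destination port

    def matches(self, proto, src, dst, dport):
        if self.proto != "ip" and self.proto != proto:
            return False
        if not (_addr_match(self.src, src) and _addr_match(self.dst, dst)):
            return False
        return self.dport is None or self.dport == dport


def _addr_match(spec, addr):
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip_address(spec.split()[1]) == ip_address(addr)
    return ip_address(addr) in ip_network(spec)


def _parse_addr(toks, i):
    # PIX address forms: "any" | "host A.B.C.D" | "A.B.C.D MASK" (a real mask, not an IOS wildcard)
    if toks[i] == "any":
        return "any", i + 1
    if toks[i] == "host":
        return f"host {toks[i + 1]}", i + 2
    return str(ip_network(f"{toks[i]}/{toks[i + 1]}", strict=False)), i + 2


def parse_ace(line):
    # e.g. "access-list 105 deny tcp host 10.1.1.5 any eq www"
    toks = line.split()
    action, proto = toks[2], toks[3]
    src, i = _parse_addr(toks, 4)
    dst, i = _parse_addr(toks, i)
    dport = None
    if i < len(toks) and toks[i] == "eq":
        dport = PORT_NAMES.get(toks[i + 1]) or int(toks[i + 1])
    return Ace(action, proto, src, dst, dport)


class Pix:
    def __init__(self, levels):
        self.levels = levels   # interface name -> security level
        self.acls = {}         # ACL id -> [Ace, ...] in configured order
        self.bound = {}        # interface name -> ACL id (from "access-group ... in")

    def configure(self, line):
        toks = line.split()
        if toks[0] == "access-list":
            self.acls.setdefault(toks[1], []).append(parse_ace(line))
        elif toks[0] == "access-group":        # access-group 105 in interface inside
            self.bound[toks[4]] = toks[1]
        else:
            raise ValueError(f"unsupported command: {line}")

    def decide(self, in_if, out_if, proto, src, dst, dport):
        acl_id = self.bound.get(in_if)
        if acl_id is None:
            # Rule 2: no ACL on the ingress interface, so security levels decide.
            return "permit" if self.levels[in_if] > self.levels[out_if] else "deny"
        # Rule 1: first matching entry wins ...
        for ace in self.acls.get(acl_id, []):
            if ace.matches(proto, src, dst, dport):
                return ace.action
        return "deny"   # ... and the implicit "deny ip any any" catches everything else.


def build(config_lines):
    pix = Pix({"inside": 100, "outside": 0})   # constructed security levels, PIX defaults
    for line in config_lines:
        pix.configure(line)
    return pix


# The poster's original configuration (host addresses constructed for the demo).
BROKEN = [
    "access-list 105 deny tcp host 10.1.1.5 any eq www",
    "access-list 105 deny tcp host 10.1.1.6 any eq www",
    "access-group 105 in interface inside",
]
# Bjorn's fix: an explicit permit is reached before the implicit deny.
FIXED = BROKEN[:2] + ["access-list 105 permit ip any any"] + BROKEN[2:]


def web_allowed(pix, host, port=80):
    # Outbound web request from an inside host to a constructed outside address.
    return pix.decide("inside", "outside", "tcp", host, "198.51.100.10", port) == "permit"


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        pix = build(cfg)
        print(name, {h: web_allowed(pix, h) for h in ("10.1.1.5", "10.1.1.99")})
```

Running it prints the broken ACL denying both the targeted host and the bystander, and the fixed ACL denying only the targeted host. Two things worth noticing: the deny entries only name port 80, so the targeted hosts can still reach port 443 unless you add matching entries, and with no `access-group` at all the same evaluator permits inside-to-outside and denies outside-to-inside purely from the security levels, which is the behaviour Leo describes for the no-ACL case.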
