PIX - acl breaks implicit outbound rule

On 22.05.2007 15:17:18 by useofweapons

Hi There,

I'm trying to get successful two way communication over a selected
port range between 2 hosts on different interfaces.

Interface 1 (100) ------------ Interface 2 (90)

host1 (10.0.1.11) ------------ host2 (10.0.5.2)

I've already put in a static route so host1 can get down to host2,
however I need host2 to be able to open a connection back through on
selected ports.

I've been able to get it semi-working by applying the following:

static (Interface1,Interface2) 10.0.5.200 10.0.1.11 netmask 255.255.255.255
access-list Interface2toInterface1 extended permit udp host 10.0.5.2 host 10.0.5.200 eq port-range
access-group Interface2toInterface1 in interface Interface2

However, it replaces the implicit outbound rule for Interface2 and
breaks all other outbound traffic on the interface. My question is,
what can I append to the above access group to put the outbound rule
back in?

Any thoughts or suggestions would be super useful

Thanks!

Re: PIX - acl breaks implicit outbound rule

On 22.05.2007 15:57:35 by roberson

In article <1179839837.998973.141590@y2g2000prf.googlegroups.com>, wrote:

>I've been able to get it semi-working by applying the following:

>static (Interface1,Interface2) 10.0.5.200 10.0.1.11 netmask 255.255.255.255
>access-list Interface2toInterface1 extended permit udp host 10.0.5.2 host 10.0.5.200 eq port-range
>access-group Interface2toInterface1 in interface Interface2

>However, it replaces the implicit outbound rule for Interface2 and
>breaks all other outbound traffic on the interface. My question is,
>what can I append to the above access group to put the outbound rule
>back in?

Add in a deny to anything else in Interface 1 that might
present a usable IP to Interface 2 (e.g., other statics or
nat 0 access-list), followed by a permit of 10.0.5/24 to any.


>I've already put in a static route so host1 can get down to host2,

You probably don't need that: if you have a regular default route
for hosts on Interface 1 to go out via the PIX, then the default
route will take care of getting the packets to the PIX for
redistribution to host2.
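The following PIX configuration is an added illustration of the approach described in the reply above; it is not configuration from either poster. It assumes the selected UDP port range is 5000-5010 (a placeholder for the poster's "port-range"), that Interface2 carries the 10.0.5.0/24 network, and that one additional static, 10.0.5.201 for a hypothetical host 10.0.1.12, exists on Interface1 and must stay unreachable from Interface2. Entries are evaluated top-down on first match, so the narrow permit comes first, the explicit denies for exposed Interface1 addresses next, and the broad permit that restores the default higher-to-lower-security behaviour last.

```text
! Static translation that exposes host1 (10.0.1.11) to Interface2 as 10.0.5.200
static (Interface1,Interface2) 10.0.5.200 10.0.1.11 netmask 255.255.255.255
! Hypothetical second static that must NOT be reachable from Interface2
static (Interface1,Interface2) 10.0.5.201 10.0.1.12 netmask 255.255.255.255

! 1. Only host2 may reach host1's translated address, and only on the chosen UDP ports
access-list Interface2toInterface1 extended permit udp host 10.0.5.2 host 10.0.5.200 range 5000 5010
! 2. Everything else towards addresses that statics (or nat 0) expose on Interface1 is denied explicitly
access-list Interface2toInterface1 extended deny ip any host 10.0.5.200
access-list Interface2toInterface1 extended deny ip any host 10.0.5.201
! 3. Restore the behaviour the implicit outbound rule provided: Interface2 hosts may go anywhere else
access-list Interface2toInterface1 extended permit ip 10.0.5.0 255.255.255.0 any

access-group Interface2toInterface1 in interface Interface2
```

After applying it, `show access-list Interface2toInterface1` shows a hit counter per entry, which is the quickest way to confirm that host2's probes land on the first line and that ordinary outbound traffic from 10.0.5.0/24 is matching the final permit rather than being dropped by the ACL's implicit deny. Any further static or nat 0 address that is added on Interface1 later needs its own deny line inserted above the final permit, otherwise that address becomes reachable from the whole Interface2 network.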