PIX - acl breaks implicit outbound rule

Hi There,

I'm trying to get successful two way communication over a selected port range between 2 hosts on different interfaces.

Interface 1 (100) ------------ Interface 2 (90)

host1 (10.0.1.11) ------------ host2 (10.0.5.2)

I've already put in a static route so host1 can get down to host2, however I need host2 to be able to open a connection back through on selected ports.

I've been able to get it semi-working by applying the following:

static (Interface1,Interface2) 10.0.5.200 10.0.1.11 netmask 255.255.255.255
access-list Interface2toInterface1 extended permit udp host 10.0.5.2 host 10.0.5.200 eq port-range
access-group Interface2toInterface1 in interface Interface2

However, it replaces the implicit outbound rule for Interface2 and breaks all other outbound traffic on the interface. My question is, what can I append to the above access group to put the outbound rule back in?

Any thoughts or suggestions would be super useful.

Thanks!

Reply to
useofweapons

> 10.0.5.200 eq port-range

Add in a deny to anything else in Interface 1 that might present a usable IP to Interface 2 (e.g., other statics or nat 0 access-list), followed by a permit of 10.0.5/24 to any.

You probably don't need that: if you have a regular default route for hosts on Interface 1 to go out via the PIX, then the default route will take care of getting the packets to the PIX for redistribution to host2.

Reply to
Walter Roberson
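As an added example (not the original poster's configuration and not Walter's own), here is one way the complete inbound ACL on Interface2 could look when following the suggestion above. Interface names, the two hosts, the translated address 10.0.5.200 and the Interface2 subnet 10.0.5.0/24 are taken from the thread; LOW and HIGH are placeholders for the actual port range.

```cisco
! Added example, not the poster's config. Interface names, hosts and subnets
! come from the thread; LOW/HIGH stand in for the real UDP port range.
!
! 1. The static from the question: host1 (10.0.1.11) is presented to
!    Interface2 as 10.0.5.200.
static (Interface1,Interface2) 10.0.5.200 10.0.1.11 netmask 255.255.255.255
!
! 2. Permit only the wanted UDP port range from host2 to host1's translated
!    address. On PIX/ASA "eq" takes a single port; a span of ports is written
!    with "range".
access-list Interface2toInterface1 extended permit udp host 10.0.5.2 host 10.0.5.200 range LOW HIGH
!
! 3. Deny everything else from Interface2 towards any address that
!    Interface1 exposes to Interface2 (this static; add one deny per other
!    static or nat 0 access-list address you have).
access-list Interface2toInterface1 extended deny ip any host 10.0.5.200
!
! 4. Put the implicit outbound behaviour back explicitly: hosts on the
!    Interface2 subnet may initiate connections to anything else.
access-list Interface2toInterface1 extended permit ip 10.0.5.0 255.255.255.0 any
!
! 5. Apply it inbound on Interface2. Entries are evaluated top-down, first
!    match wins, so the narrow permit must precede the denies and the denies
!    must precede the broad permit.
access-group Interface2toInterface1 in interface Interface2
```

The reason the broad permit in step 4 is needed at all is the point the question runs into: once any access-group is bound inbound on an interface, the implicit "higher security to lower security is allowed" rule no longer applies to that interface and every flow has to match an explicit permit. The deny in step 3 is what keeps that broad permit from also opening every translated Interface1 address to Interface2. After applying, `show access-list Interface2toInterface1` shows per-entry hit counts, which is a quick way to confirm that host2's traffic is matching the narrow permit rather than falling through to the deny.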
