https://community.cisco.com/t5/network-security/static-bypassing-acl-inside/m-p/1062136#M913862 <HTML><HEAD></HEAD><BODY><P>Thank you Adam</P><P></P><P>Must be going alzheimers already <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P></BODY></HTML> Wed, 27 Aug 2008 17:26:59 GMT azore2007 2008-08-27T17:26:59Z https://community.cisco.com/t5/network-security/static-bypassing-acl-inside/m-p/1062134#M913853 <P>Hello</P><P></P><P>Need to double-check packet traversal in a pix 6.3(5)</P><P></P><P>I have webserver on the inside with public IP's.</P><P></P><P>The acl-inside is limiting access from passing the firewall towards the internet.</P><P></P><P>Webserver has the static (inside,outside) 1.1.1.1 1.1.1.1 netmask 255.255.255.0</P><P></P><P>ACL-outside has a permit ip any host 1.1.1.1</P><P></P><P>Now, to my problem.</P><P></P><P>I thought you needed to add access for the webserver (1.1.1.1) to respond back?</P><P></P><P>So acl-inside need the acl rule "permit ip host 1.1.1.1 any"</P><P></P><P>NOTE, i have a "deny ip any any" at the bottom of my ACL-inside.</P><P></P><P>need som clarification thanks <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Mon, 11 Mar 2019 13:36:40 GMT https://community.cisco.com/t5/network-security/static-bypassing-acl-inside/m-p/1062134#M913853 azore2007 2019-03-11T13:36:40Z https://community.cisco.com/t5/network-security/static-bypassing-acl-inside/m-p/1062135#M913858 <HTML><HEAD></HEAD><BODY><P>You do not have to allow the return traffic from the webserver in the inside acl. This is the whole point of a stateful firewall. You do however need to allow any traffic that will be initiated from the webserver through the inside interface.</P></BODY></HTML> Wed, 27 Aug 2008 15:08:01 GMT https://community.cisco.com/t5/network-security/static-bypassing-acl-inside/m-p/1062135#M913858 acomiskey 2008-08-27T15:08:01Z https://community.cisco.com/t5/network-security/static-bypassing-acl-inside/m-p/1062136#M913862 <HTML><HEAD></HEAD><BODY><P>Thank you Adam</P><P></P><P>Must be going alzheimers already <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P></BODY></HTML> Wed, 27 Aug 2008 17:26:59 GMT https://community.cisco.com/t5/network-security/static-bypassing-acl-inside/m-p/1062136#M913862 azore2007 2008-08-27T17:26:59Z