topic access-list, build connections - order of ops? in Network Security https://community.cisco.com/t5/network-security/access-list-build-connections-order-of-ops/m-p/922028#M959675 <P>PIX 525</P><P></P><P>If I have these configured:</P><P>___static (inside,outside) 209.129.192.162 10.40.5.62 netmask 255.255.255.255 0 0</P><P></P><P>___access-group acl_outside in interface outside</P><P></P><P>___access-list acl_outside line 5 deny udp any host 209.129.192.162 eq 60381 (hitcnt=1238)</P><P></P><P>why do I have this in the xlate table:</P><P>___UDP out 84.43.150.17:9156 in 10.40.5.62:60381 idle 0:46:27 flags -</P><P></P><P>Are connections built BEFORE access-lists are checked?</P><P></P><P>I'd kind of like to know if I've prevented that one host from producing as much as 2/3 of our total organization traffic... I would have thought there would be no connection if I'd done things right.</P><P></P><P>TIA, Linnea</P><P></P> Mon, 11 Mar 2019 11:37:26 GMT linnea.wren 2019-03-11T11:37:26Z access-list, build connections - order of ops? https://community.cisco.com/t5/network-security/access-list-build-connections-order-of-ops/m-p/922028#M959675 <P>PIX 525</P><P></P><P>If I have these configured:</P><P>___static (inside,outside) 209.129.192.162 10.40.5.62 netmask 255.255.255.255 0 0</P><P></P><P>___access-group acl_outside in interface outside</P><P></P><P>___access-list acl_outside line 5 deny udp any host 209.129.192.162 eq 60381 (hitcnt=1238)</P><P></P><P>why do I have this in the xlate table:</P><P>___UDP out 84.43.150.17:9156 in 10.40.5.62:60381 idle 0:46:27 flags -</P><P></P><P>Are connections built BEFORE access-lists are checked?</P><P></P><P>I'd kind of like to know if I've prevented that one host from producing as much as 2/3 of our total organization traffic... I would have thought there would be no connection if I'd done things right.</P><P></P><P>TIA, Linnea</P><P></P> Mon, 11 Mar 2019 11:37:26 GMT https://community.cisco.com/t5/network-security/access-list-build-connections-order-of-ops/m-p/922028#M959675 linnea.wren 2019-03-11T11:37:26Z Re: access-list, build connections - order of ops? https://community.cisco.com/t5/network-security/access-list-build-connections-order-of-ops/m-p/922029#M959676 <HTML><HEAD></HEAD><BODY><P>Hi,I believe the problem is your acl and the interface you are applying it under. You want to block outbound traffic on port 60831 from being accessed by host 10.40.5.62 is this correct? your current acl is blocking inbound traffic on that udp port, is this what you want to accomplish?</P><P></P><P>you access list should be your local host not the public NAT address as nat order of operation from in to out looks for acl, local address , nat, routing etc.. so your acl should look like this if you are denying outbound.</P><P></P><P>This will block source udp port 60381 on 10.40.5.62 to any host oustide on udp port 60381</P><P></P><P>access-list inside_access_in deny udp host 10.40.5.62 eq 60381 any eq 60381</P><P>access-group inside_access_in in interface inside</P><P></P><P></P><P>HTH</P><P>Jorge</P><P></P></BODY></HTML> Sat, 01 Dec 2007 03:58:54 GMT https://community.cisco.com/t5/network-security/access-list-build-connections-order-of-ops/m-p/922029#M959676 JORGE RODRIGUEZ 2007-12-01T03:58:54Z