How can I permit ident through the established command in PIX

xwang2
Level 1

Hi all,

Can somebody give me an example of permitting ident using the established command? Will that command conflict with the access-list configured before and create a security hole?

I just want to permit ident in my PIX to fix the mail server problem. The mail server is on the inside interface and the client is on the outside network.

Will the "established" command only affect the users which are permitted by the "access-list" command, or are they different commands that do not affect each other?

Thanks


steve.barlow
Level 7

In case you missed this link on ident and poor PIX performance: http://www.cisco.com/warp/public/110/2.html

Are you sure it is an ident issue, as it is normally an issue when the server is on the outside and the client is on the inside (the server starts an ident connection to the inside host but the firewall blocks it; the outside can't start a connection to it). If your server is on the inside and the client is responding to it, it should be allowed in. If you have an internal ACL only allowing certain ports out, modify your ACL to allow your mail server out on port tcp 113.

What do you see getting blocked and where?

It would also be preferable to use the service resetinbound command.

Steve
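An added example (not from the thread or from Cisco) of the configuration Steve describes, in PIX 6.x syntax; the ACL names, interface names and addresses are assumptions chosen for illustration.

```cisco
! Added example, not from the original thread. PIX 6.x syntax.
! Assumed topology: mail server 10.1.1.25 on the inside interface,
! published as 192.0.2.25 on the outside; SMTP clients on the outside.

! 1. Inside-to-outside ACL. When an outside client connects to the
!    inside mail server on tcp/25, the mail server itself opens a new
!    outbound connection back to the client on tcp/113 (ident). If the
!    inside ACL only permits a few ports out, that ident query is
!    dropped and the mail session stalls until the attempt times out.
!    Permitting tcp/113 out from the mail server only keeps the rest
!    of the outbound policy unchanged.
access-list inside_out permit tcp host 10.1.1.25 any eq 113
access-list inside_out permit tcp host 10.1.1.25 any eq smtp
access-list inside_out deny ip any any
access-group inside_out in interface inside

! 2. Outside-to-inside. Nothing extra is needed for the ident replies:
!    the PIX tracks the outbound tcp/113 connection and lets the return
!    packets back in. The outside ACL only admits the inbound SMTP.
static (inside,outside) 192.0.2.25 10.1.1.25 netmask 255.255.255.255
access-list outside_in permit tcp any host 192.0.2.25 eq smtp
access-group outside_in in interface outside

! 3. For the reverse case Steve mentions (an outside mail server
!    querying ident on an inside client), answer denied inbound
!    connections with a TCP RST instead of dropping them silently, so
!    the remote server gives up immediately rather than waiting for a
!    timeout before delivering the mail.
service resetinbound
```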

Thanks Steven,

So ident is initiated by the server? If the server initiates the ident and the destination port is 113 on the host, that may be the problem. I may have configured the wrong port, because I thought it was the client that initiated the ident, with destination port 113 on the server. I configured both inside and outside ACLs.

Could you please give me a detailed example configuration for PIX?

Should I use the established command to permit only established connections? That may be more secure. How can I do that?

Thanks again
