http access via PIX

gcumarasamy
Level 1

I am trying to configure my PIX 501 (OS 6.1(1)) to allow only HTTP traffic to go out, with the following ACL applied to the inside interface.

access-list acl_in permit tcp x.x.x.x x.x.x.x eq www any

access-group acl_in in interface inside

Once I apply this ACL, I can't seem to get to any websites. Am I doing anything wrong here, or missing any ACL entries?

Thanks for your help in advance.

6 Replies

ashokpawar
Level 1

Have you allowed your DNS queries out of your inside LAN, if you have a DNS server outside (not in the inside LAN)? If not, you can add an entry as below and check if it works.

access-list acl_in permit udp any any eq domain

Regards,

Ashok Pawar H.S.

I am trying to access using the IP address. Do I still need the DNS entry in the ACL?

e-see
Level 1

Do you have NAT set up and an outside route?

Yes, I do have a NAT/Global setup as follows:

nat (inside) 1 192.168.1.0 255.255.255.0

global (outside) 1 interface

I don't have any outside route other than the default static route that was created during the initial setup.

Thanks.

mike
Level 1

You need to allow DNS to pass through unless you are using an internal DNS.

mklaphek
Level 1

First, I strongly recommend that you sit down and think about what you're trying to accomplish. As was mentioned, DNS will almost certainly be required for most web applications and services. You may want other services as well.

Second, unless I'm missing something, I believe that your access list is incorrect. Try something like:

access-list acl_in permit tcp x.x.x.x x.x.x.x any eq www

The destination port is 80. I believe that you have specified it as the source port.

Hope this helps.
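To make the source-port versus destination-port point concrete, here is an added example that is not part of the thread: a small Python model of how a PIX 6.x access-list entry matches a packet (first match wins, implicit deny at the end). It handles only the syntax used above (`ip`/`tcp`/`udp`, `any`, `host`, address-plus-subnet-mask, and `eq <port>`), and it substitutes the 192.168.1.0/24 network from the `nat` statement for the `x.x.x.x` placeholders in the original post. The sample packets, the 203.0.113.10 web server and the 192.0.2.53 DNS server are constructed for the demonstration. It shows that the original entry never matches an outbound browser connection (whose source port is ephemeral, not 80), while the corrected entries permit both the HTTP connection and the DNS query it usually depends on.

```python
"""Model of PIX 6.x access-list matching (added example, not from the thread)."""
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport")
Entry = namedtuple("Entry", "action proto src sport dst dport")

# Port keywords the thread uses; PIX accepts names or numbers after 'eq'
NAMED_PORTS = {"www": 80, "domain": 53}


def _port(token):
    return NAMED_PORTS[token] if token in NAMED_PORTS else int(token)


def _address(tokens, i):
    """Consume one address spec at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX 6.x form: address followed by a subnet mask (not a wildcard mask)
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def _port_operator(tokens, i):
    """Consume an optional 'eq <port>' at tokens[i]; return (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        return _port(tokens[i + 1]), i + 2
    return None, i


def parse_entry(line):
    """Parse 'access-list <id> permit|deny <proto> <src> [eq p] <dst> [eq p]'."""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported line: {line}")
    src, i = _address(t, 4)
    sport, i = _port_operator(t, i)   # operator right after the source = SOURCE port
    dst, i = _address(t, i)
    dport, i = _port_operator(t, i)   # operator after the destination = DESTINATION port
    if i != len(t):
        raise ValueError(f"trailing tokens in: {line}")
    return Entry(t[2], t[3], src, sport, dst, dport)


def parse_acl(lines):
    return [parse_entry(line) for line in lines]


def evaluate(acl, pkt):
    """First matching entry decides; a PIX ACL ends with an implicit deny."""
    for e in acl:
        if e.proto not in ("ip", pkt.proto):
            continue
        if ipaddress.ip_address(pkt.src) not in e.src:
            continue
        if ipaddress.ip_address(pkt.dst) not in e.dst:
            continue
        if e.sport is not None and e.sport != pkt.sport:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action
    return "deny"


# The original post's entry, with the inside network from its nat statement
# standing in for x.x.x.x (assumption made for this example)
ORIGINAL_ACL = [
    "access-list acl_in permit tcp 192.168.1.0 255.255.255.0 eq www any",
]
# Corrected entries: destination port 80, plus outbound DNS as the replies suggest
CORRECTED_ACL = [
    "access-list acl_in permit tcp 192.168.1.0 255.255.255.0 any eq www",
    "access-list acl_in permit udp 192.168.1.0 255.255.255.0 any eq domain",
]

# Constructed sample packets: an outbound HTTP SYN and an outbound DNS query
HTTP_OUT = Packet("tcp", "192.168.1.10", 1034, "203.0.113.10", 80)
DNS_OUT = Packet("udp", "192.168.1.10", 1035, "192.0.2.53", 53)

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("corrected", CORRECTED_ACL)):
        parsed = parse_acl(acl)
        print(f"{name}: HTTP {evaluate(parsed, HTTP_OUT)}, DNS {evaluate(parsed, DNS_OUT)}")
```

Note what the original entry does match: a TCP packet leaving the inside network from source port 80, which is what an inside web server's replies look like, not what a browser sends. Anything else, including HTTPS on port 443, still hits the implicit deny under the corrected list, which is the intended "HTTP only" policy.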
