We have a PIX525 running 6.3(4). We are trying to get applications that run on dynamic UDP ports to work without success. We have added all statements to our outside ACL but they don't seem to have any effect.
This is because the traffic being initiated from the inside will have the destination port as the udp ports above, which means traffic returning from the destination host, through the pix to the source host, will have the source ports of the udp port numbers above.
Having said that, if the traffic is being initiated from a host on the outside of the pix, and the traffic is trying to traverse the pix from outside to inside, then your access-list is correct (although it might be a good idea to put an explicit deny ip any any log on the end, just to see drops). What you're missing in that regard would be static port forwards, which tell the pix where to send the traffic on the inside interface once it has entered the outside interface.
For example, let's assume that an outside host wants to get to udp port 1500 on a server hidden behind the pix (in this example 172.16.0.10). The outside host would need to connect to the pix's outside address with destination port 1500. The pix needs to be told where to then send the request on the inside network.
That command tells the pix, for any udp queries hitting the outside interface on port 1500, to translate the destination address to the device 172.16.0.10 and send it on its way to the inside interface.
Hope that helps, if it does can you please rate the post?
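As an added example (the reply's own command is not shown above), here is how the static port forward the answer describes would look in PIX 6.3 syntax, together with the matching inbound ACL and the checks to run afterwards. Assumptions not taken from the page: the outside interface address is 203.0.113.5 and the inbound ACL is named outside_acl; 172.16.0.10 and udp/1500 are the values from the answer.

```cisco
! Added example, not the reply's original command. Assumed values (not on
! the page): ACL name outside_acl, outside interface address 203.0.113.5.

! 1. Static port forward: UDP/1500 arriving at the outside interface address
!    has its destination rewritten to 172.16.0.10 port 1500 on the inside.
static (inside,outside) udp interface 1500 172.16.0.10 1500 netmask 255.255.255.255

! 2. Inbound ACL on the outside interface. On PIX 6.3 the ACL matches the
!    pre-translation (outside) address, so it permits udp/1500 toward the
!    outside address only, then logs whatever else it drops.
access-list outside_acl permit udp any host 203.0.113.5 eq 1500
access-list outside_acl deny ip any any log
access-group outside_acl in interface outside

! 3. Existing translations do not pick up a new static: clear the xlate
!    table, then watch the translation and the connection appear while an
!    outside host sends a udp/1500 packet.
clear xlate
show xlate
show conn
```

If the translation shows in `show xlate` but no connection appears in `show conn`, the drop is happening in the ACL and the `deny ... log` line will show it in the syslog.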