Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
543
Views
0
Helpful
4
Replies

PIX ACL blocking traffic?

ComputerErik
Level 1
Level 1

‎07-23-2006 06:04 AM - edited ‎02-21-2020 01:03 AM

I have a PIX 515E setup with multiple interfaces. For right now to make things simple lets just look at the outside, inside, and DMZ.

On the inside interface I have a router connecting the inside network directly to another network. The DMZ interface has an ACL that is supposed to allow UDP traffic on specified ports from specified IPs into the inside interface.

access-list DMZ_in extended permit udp (ip) any (port)

So this is supposed to allow any traffic from that IP to any IP on the specified port. Problem is that it works fine except for traffc to at least one IP on the other side of the inside router.

I keep getting large numbers of log messages about traffic being blocked by that rule, but only to one IP on the remote inside network. I know there are two PCs on that network that could be getting this traffic, and am not certain if the other one is just passing through or not.

Would I need to make a specific rule allowing traffic to that network? From what I understand it shouldn't be necessary.

0 Helpful
4 Replies 4

bob.bartlett
Level 1
Level 1

‎07-23-2006 11:37 AM

In the PIX do you have routes to all the internal networks?

Are you doing NAT into your DMZ and do you have a NAT permit or no nat statement for networks going into that DMZ.

0 Helpful

ComputerErik
Level 1
Level 1
In response to bob.bartlett

‎07-23-2006 12:31 PM

There is a static route to all of the internal networks which are not directly connected. Static PAT is being used on all translations.

No NAT permit of no NAT statements for networks going into the DMZ.

Thanks

0 Helpful

bob.bartlett
Level 1
Level 1
In response to ComputerErik

‎07-23-2006 03:45 PM

If traffic from the DMZ is initiating into the Inside you must have a static NAT rule for the IP's that are on the inside that the DMZ machine must reach.

0 Helpful

Fernando_Meza
Level 7
Level 7
In response to bob.bartlett

‎07-23-2006 05:27 PM

Hi ..

alternatively you can bypass NAT by adding ...

nat (DMZ) 0 NO_NAT

access-list NO_NAT permit ip

You also need to make sure your router behind the PIX has the routes correctly configured. In othere mwords make sure the DMZ hosts are able to reach to the required subnets .. and make sure thiose subnets know the way back to the DMZ hosts too. Because you ahve the router in the middle you need to check the PIX and router's routing table.

I hope it helps .. please rate it if it does !!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card