Re: Converting "except" entries

iholdings · ‎03-14-2002

Greetings,

I have the following rules (masked here) applied to my PIX to prevent the use of pure AOL clients that have the ability to circumvent AAA. The problem is, PDM does not support "except" entries or more than one outbound command bound to a particular interface. Is there a way to convert these entries to preserve the rules and enable PDM? Thanks.

outbound 1 permit 0.0.0.0 0.0.0.0 0 tcp

outbound 1 except 0.0.0.0 0.0.0.0 5190 tcp

outbound 1 except 0.0.0.0 0.0.0.0 5190 udp

outbound 1 except 0.0.0.0 0.0.0.0 5191 tcp

outbound 1 except 0.0.0.0 0.0.0.0 5191 udp

outbound 1 except 0.0.0.0 0.0.0.0 5192 tcp

outbound 1 except 0.0.0.0 0.0.0.0 5192 udp

outbound 1 except 0.0.0.0 0.0.0.0 5193 tcp

outbound 1 except 0.0.0.0 0.0.0.0 5193 udp

outbound 10 deny x.x.3.8 255.255.255.255 0 tcp

outbound 10 deny x.x.3.0 255.255.255.248 0 tcp

outbound 10 deny x.x.3.8 255.255.255.255 0 tcp

outbound 10 deny x.x.206.9 255.255.255.255 0 tcp

outbound 10 deny x.x.206.5 255.255.255.255 0 tcp

apply (outside) 10 outgoing_src

apply (outside) 1 outgoing_src

apply (inside) 1 outgoing_src

apply (inside) 10 outgoing_src

thomas.chen · ‎03-20-2002

You’ll probably need to use Policy Manager or Command Line. Maybe a future version of PDM will be more robust. Have you checked with Cisco?

thomas.chen · ‎03-20-2002

You’ll probably need to use Policy Manager or Command Line. Maybe a future version of PDM will be more robust. Have you checked with Cisco?