dro

Re: How ACL's in PIX are processed (best fit?)

Hi Leo,

I'm not quite sure what you're running into. I just set up an outbound filter for a PIX 501 running 6.2(2) in a lab environment and was able to accomplish everything you're looking for (as per your posts) without any trouble.

The PIX was set up with the following access-list:

access-list inside_in permit ip host 10.0.0.2 any
access-list inside_in permit tcp host 10.0.0.3 any eq www
access-list inside_in permit tcp any any eq ftp
access-list inside_in permit tcp any any eq ftp-data
access-list inside_in deny ip any any

Everything worked exactly as expected. 10.0.0.2 could send all types of traffic. 10.0.0.3 was able to surf everywhere and use FTP. All other hosts could only surf via the proxy server (10.0.0.2) and use FTP.

I didn't set up any DNS, though; I did the tests using IP addresses only.

You didn't happen to notice any odd errors in your PIX's logging buffer that might account for the issues you're seeing? What version of code are you using?

*EDIT*

I posted this before I read Cody Rowland's post.

Passive FTP definitely sounds like the problem to me. Quite a lot of FTP servers prefer to use a port >1024 to send FTP data, as it allows them to lower their privileges to prevent possible exploitation in the server.

If this were the case, you would be able to connect to the remote host, but any data communication (listing files, sending/receiving files) would be blocked.

Either way, the logs generated from the access-list should point you in the right direction for what's going on.

Regards,

-Joshua
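An added example, not part of Joshua's post: a small Python evaluator that walks the access-list above top-down and reports which entry decides a given flow, the way the PIX applies a first-match ACL with an implicit deny at the end. The parsed syntax subset, the port-name table and the sample flows are my assumptions; it also shows how a passive-FTP data connection to a port above 1024 falls through to the final deny.

```python
# Added example, not from the original post: a first-match evaluator for the
# PIX-style access-list above. An ACL is walked top-down, the first matching
# entry decides, and an implicit deny follows the last line.
import ipaddress

PORT_NAMES = {"www": 80, "ftp": 21, "ftp-data": 20}  # assumed name-to-port map

# The access-list from the post, embedded here as sample input.
ACL_TEXT = """\
access-list inside_in permit ip host 10.0.0.2 any
access-list inside_in permit tcp host 10.0.0.3 any eq www
access-list inside_in permit tcp any any eq ftp
access-list inside_in permit tcp any any eq ftp-data
access-list inside_in deny ip any any
"""

def _parse_addr(tokens):
    """Consume 'any' or 'host X'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    raise ValueError("unsupported address form: " + tokens[0])

def parse_acl(text):
    """Parse ACE lines into an ordered list of (action, proto, src, dst, dport)."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue  # ignore blanks and anything that is not an ACE
        action, proto = t[2], t[3]
        src, rest = _parse_addr(t[4:])
        dst, rest = _parse_addr(rest)
        dport = int(PORT_NAMES.get(rest[1], rest[1])) if rest[:1] == ["eq"] else None
        entries.append((action, proto, src, dst, dport))
    return entries

def evaluate(entries, proto, src_ip, dst_ip, dport=None):
    """Return (action, index) of the first matching ACE; index -1 is the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for i, (action, eproto, esrc, edst, edport) in enumerate(entries):
        if eproto != "ip" and eproto != proto:
            continue  # 'ip' matches any protocol; otherwise protocol must match
        if s not in esrc or d not in edst or (edport is not None and edport != dport):
            continue
        return action, i  # first match wins; later entries are never consulted
    return "deny", -1
ACL = parse_acl(ACL_TEXT)
```

Running `evaluate(ACL, "tcp", "10.0.0.9", "192.0.2.10", 50000)` returns the final deny entry, which is the passive-FTP data-channel symptom described above: the control connection on port 21 is permitted, the data connection is not.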
