03-12-2010 09:28 AM - edited 03-06-2019 10:06 AM
Our Pix 525 gig port just went belly up.
While awaiting spare part, I connected our Internet connection directly to a 3750e gig port instead of the PIX.
Everything works great.
I then want to apply the same ACL I used on the firewall to the 3750e's port.
Brief example of ACL:
! lots of ACE's
.
.
.
access-list 103 permit tcp any host 155.x.x.32 eq 80
access-list 103 permit tcp any host 155.x.x.33 eq 80
access-list 103 permit tcp any host 155.x.x.33 eq 4063
access-list 103 permit tcp any host 155.x.x.33 eq 4064
access-list 103 permit tcp any host 155.x.x.40 eq 4063
access-list 103 permit tcp any host 155.x.x.40 eq 4064
access-list 103 permit udp any host 155.x.x.40 eq 31335
access-list 103 deny ip any any
When I apply this to my interface, it works as advertised on the inbound side. However, nobody can get to the Internet via outbound.
see below.
int gi1/0/25
no switchport
ip address xxx.xxx.xxx.98 255.255.255.252
ip access-group 103 in
speed nonegotiate
I created the following ACL and applied it to the above interface as "ip access-group 101 out":
access-list 101 permit ip any any
Any help or guidance would be greatly appreciated.
Thanks,
Tom
03-12-2010 09:34 AM
Tom
The PIX is a stateful firewall and your 3750 is not. So when you allow traffic out through the PIX from your clients to the internet, the return traffic is automatically allowed back in because your firewall is keeping track of the connections.
But on your acl applied to the 3750 the last line is -
access-list 103 deny ip any any
this stops all return traffic from the internet being allowed in to your clients because the 3750 is not stateful. And there really isn't a way to make it stateful. You can -
1) use the "established" keyword for TCP connections which would allow tcp packets back in.
2) use reflexive access-lists which would also cater for ICMP and UDP, but I don't think the 3750 will support reflexive ACLs.
To be honest, you probably should just wait for your PIX to be replaced, because allowing your internal clients internet access this way would mean compromising the security of your network.
Jon
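For reference, here is what the two options Jon lists look like as IOS configuration. This is an added illustration, not configuration posted in the thread: the addresses, ports and interface are the ones from Tom's question, while the named ACLs OUTBOUND and INBOUND, the reflect list INET-REFLECT and the 300 second timeout are my own choices. The "established" keyword only checks that the ACK or RST bit is set in an inbound TCP segment; it keeps no connection table, so any packet with ACK set is admitted regardless of whether a matching outbound connection exists, and UDP (DNS, for example) and ICMP get no return path from it at all. The reflexive ACL is shown for contrast on a platform that supports it; Jon's post already notes that the 3750 probably does not.

```cisco
! Added example, not from the original thread. Option 1 reuses ACL 103 from
! the question and adds the "established" workaround described in the reply.
!
! --- Option 1: "established" keyword (TCP return traffic only) ---
! Matches on ACK or RST bit only; no connection tracking. Put it before the
! final deny so inbound replies to client-initiated TCP sessions are permitted.
access-list 103 permit tcp any host 155.x.x.32 eq 80
access-list 103 permit tcp any host 155.x.x.33 eq 80
access-list 103 permit tcp any host 155.x.x.33 eq 4063
access-list 103 permit tcp any host 155.x.x.33 eq 4064
access-list 103 permit tcp any host 155.x.x.40 eq 4063
access-list 103 permit tcp any host 155.x.x.40 eq 4064
access-list 103 permit udp any host 155.x.x.40 eq 31335
access-list 103 permit tcp any any established
! UDP has no "established" equivalent. If clients use an external DNS
! resolver, replies from source port 53 still need a stateless hole like
! the line below (assumed addition; loose, because it trusts the source port):
! access-list 103 permit udp any eq 53 any gt 1023
access-list 103 deny ip any any
!
interface GigabitEthernet1/0/25
 no switchport
 ip address xxx.xxx.xxx.98 255.255.255.252
 ip access-group 103 in
 ip access-group 101 out
 speed nonegotiate
!
! --- Option 2: reflexive ACL (TCP, UDP and ICMP; IOS routers) ---
! Outbound sessions create temporary return entries in INET-REFLECT; the
! inbound list evaluates them before the server permits and the final deny.
! Names and the timeout are assumed values chosen for this illustration.
ip access-list extended OUTBOUND
 permit tcp any any reflect INET-REFLECT timeout 300
 permit udp any any reflect INET-REFLECT timeout 300
 permit icmp any any reflect INET-REFLECT timeout 300
 permit ip any any
!
ip access-list extended INBOUND
 evaluate INET-REFLECT
 permit tcp any host 155.x.x.32 eq 80
 permit tcp any host 155.x.x.33 eq 80
 permit tcp any host 155.x.x.33 eq 4063
 permit tcp any host 155.x.x.33 eq 4064
 permit tcp any host 155.x.x.40 eq 4063
 permit tcp any host 155.x.x.40 eq 4064
 permit udp any host 155.x.x.40 eq 31335
 deny ip any any log
!
! To use option 2 instead of option 1, replace the two ip access-group
! lines on Gi1/0/25 with:
!  ip access-group INBOUND in
!  ip access-group OUTBOUND out
```

Either way the check to run after applying the ACL is "show access-lists 103" (or "show access-lists INBOUND") while a client browses: the hit counter on the "established" line or on the evaluate entry should climb, and the final deny should not be counting client return traffic.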
03-12-2010 10:24 AM
Thanks Jon. Your answer was quite helpful.
Tom