Posted by chris on April 30, 2006, 4:20 am
> Howdy,
>
> On a PIX515 6.3
> It is my understanding that Outbound traffic is allowed by default.
>
> This ACL allows outbound traffic, i.e. SMTP to an Internet mail server.
>
> access-list acl_collector permit icmp any any
> access-list acl_collector permit ip any any
> access-list acl_collector permit tcp 192.168.10.0 255.255.255.0 any eq ssh
> access-group acl_collector in interface collector
>
>
> This ACL DOES NOT allow outbound traffic, i.e. SMTP to the same
> Internet mail server.
>
> access-list acl_collector permit icmp any any
> access-list acl_collector permit ip any any
> access-list acl_collector permit tcp 192.168.10.0 255.255.255.0 any eq ssh
> access-group acl_collector in interface collector
>
> What am I missing here? If I have this correct then the "ip any any"
> rule is OK or should it be set to "ip local_interface_subnet any"?
>
> Thanks,
> Dan Foxley
>
Dan,
Those two ACLs look identical to me. What is supposed to be different?
permit icmp any any
permit ip any any
permit tcp 192.168.10.0 255.255.255.0 any eq ssh
acl_collector in interface collector
Anyway, the 'permit ip any any' will allow that SSH traffic so the ssh line
isn't required. And yes, that will allow all IP traffic so why would you put
that acl on the interface anyway?
Chris.
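To make Chris's point about first-match ordering concrete, here is an added example (not code from the thread, and not a Cisco tool) that parses PIX-style `access-list` lines, evaluates a flow against them in order with the implicit deny at the end, and reports which entries can never match because an earlier entry already covers them. The port-name table, the test-net destination address 203.0.113.10, and the second, tightened ACL are constructed for the example; only the first ACL is Dan's. PIX uses ordinary subnet masks (not IOS wildcard masks), which is what the parser assumes.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed subset of the service names PIX accepts after "eq"; numbers also work.
PORT_NAMES = {"ssh": 22, "smtp": 25, "www": 80, "https": 443, "domain": 53}

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Ace:
    """One access-list entry (ACE)."""
    name: str
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp", "udp", "icmp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]        # destination port from "eq", or None
    text: str


def _take_net(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK' and return (network, rest)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # PIX masks are subnet masks, so (address, mask) maps straight onto ipaddress.
    return ipaddress.ip_network((tokens[0], tokens[1]), strict=False), tokens[2:]


def parse_ace(line):
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    name, action, proto = tokens[1], tokens[2], tokens[3]
    src, rest = _take_net(tokens[4:])
    dst, rest = _take_net(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = PORT_NAMES.get(rest[1]) or int(rest[1])
    return Ace(name, action, proto, src, dst, dport, line)


def parse_acl(config_text):
    lines = [l.strip() for l in config_text.splitlines()]
    return [parse_ace(l) for l in lines if l.startswith("access-list")]


def matches(ace, proto, src_ip, dst_ip, dport=None):
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ipaddress.ip_address(src_ip) not in ace.src:
        return False
    if ipaddress.ip_address(dst_ip) not in ace.dst:
        return False
    return ace.dport is None or ace.dport == dport


def evaluate(acl, proto, src_ip, dst_ip, dport=None):
    """First matching ACE wins; nothing matching falls to the implicit deny (index -1)."""
    for i, ace in enumerate(acl):
        if matches(ace, proto, src_ip, dst_ip, dport):
            return ace.action, i
    return "deny", -1


def covers(a, b):
    """True if every flow that matches ACE b would already match ACE a."""
    proto_ok = a.proto == "ip" or a.proto == b.proto
    port_ok = a.dport is None or a.dport == b.dport
    return proto_ok and port_ok and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)


def shadowed(acl):
    """Indices of ACEs that can never match because an earlier ACE covers them."""
    return [i for i, ace in enumerate(acl) if any(covers(acl[j], ace) for j in range(i))]


# Dan's ACL from the thread (wrapped "eq / ssh" line joined back together).
DAN_ACL = parse_acl("""
access-list acl_collector permit icmp any any
access-list acl_collector permit ip any any
access-list acl_collector permit tcp 192.168.10.0 255.255.255.0 any eq ssh
""")

# Constructed tightened alternative: only what the post says is needed from the subnet.
TIGHT_ACL = parse_acl("""
access-list acl_collector permit tcp 192.168.10.0 255.255.255.0 any eq smtp
access-list acl_collector permit tcp 192.168.10.0 255.255.255.0 any eq ssh
access-list acl_collector permit icmp 192.168.10.0 255.255.255.0 any
""")

if __name__ == "__main__":
    # Constructed flow: an SSH session from the collector subnet to a test-net host.
    print(evaluate(DAN_ACL, "tcp", "192.168.10.5", "203.0.113.10", 22))   # ('permit', 1)
    print([DAN_ACL[i].text for i in shadowed(DAN_ACL)])                    # the ssh line
    print(evaluate(TIGHT_ACL, "tcp", "192.168.10.5", "203.0.113.10", 80))  # ('deny', -1)
```

Run against Dan's ACL, the SSH flow is permitted by entry 1 (`permit ip any any`), never by the `eq ssh` entry, which `shadowed()` reports as unreachable; that is Chris's observation that the ssh line adds nothing. The tightened ACL has no shadowed entries and sends anything outside SMTP, SSH and ICMP to the implicit deny, which is the behaviour an ACL on that interface would usually be there to provide.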