Posted by PacketU on June 27, 2008, 6:42 pm
You could try a clear xlate on the ASA or PIX. The issue is that the ACL is
applied when the connection is set up with the three-way handshake. After
that the ASA (Adaptive Security Algorithm) connection table will apply as
long as the protocol rules are being followed. I think a clear xlate would
clear this information and drop the connection without rebooting anything.
From a windows perspective, you may have also been able to do a net use /d
for each connection listed in a "net use" command until there are none to
the dmz host. Then a subsequent connection would perform a new three way
handshake.
> Ok, so a day later, I finally figured it out... I was using Windows
> Explorer to test connectivity, but apparently, once the SMB connection
> is established on top of IP, the ACL will no longer filter it until the
> connection is deleted within Windows or the firewall is rebooted. Is
> there another way to enforce the new ACL without these two methods? I
> tried to reapply the ACL to the interface using "access-group" but
> that didn't work.
>
>
>
>>Trying to block access from "inside" to "dmz1"...
>>
>>interface Ethernet0/1
>> nameif inside
>> security-level 100
>> ip address 192.168.1.1 255.255.255.0
>>!
>>interface Ethernet0/2
>> nameif dmz1
>> security-level 2
>> ip address 192.168.2.1 255.255.255.0
>>!
>>access-list acl_outgoing extended deny ip any 192.168.2.0 255.255.255.0
>>access-list acl_outgoing extended permit ip any any
>>!
>>access-group acl_outgoing in interface inside
>>
>>Why am I still able to access host 192.168.2.2 from 192.168.1.7 ??
>
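The mechanism the reply describes, as an added illustration that is not from the original thread or from Cisco: a toy stateful firewall in Python that consults the ACL only when a packet would create a new connection (a TCP SYN) and forwards later packets of an established connection straight from its connection table, so a deny ACE added afterwards does not touch the existing SMB session until its entry is cleared. The ACE parser only understands the `any` / `address mask` forms used in the quoted config; the class, method and variable names, the port numbers and the result strings are my own assumptions for this example.

```python
"""Toy model of stateful inspection: ACL at connection setup, conn table after.

Added example, not Cisco code. The ACL is evaluated only for packets that
would create a new connection (here, a TCP SYN); packets matching an
existing connection-table entry are forwarded without re-checking the ACL.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address
from typing import Dict, List, Optional, Set, Tuple

Conn = Tuple[str, str, int, int, str]   # (src, dst, sport, dport, proto)


@dataclass(frozen=True)
class Ace:
    action: str          # "permit" or "deny"
    proto: str           # "ip" matches any protocol
    src: IPv4Network
    dst: IPv4Network


def parse_ace(line: str) -> Ace:
    """Parse 'access-list <name> extended <action> <proto> <src> <dst>'.

    Only the 'any' and 'address mask' address forms are supported (an
    assumption of this toy; real ASA ACL syntax is much richer)."""
    tokens = line.split()
    if tokens[:1] != ["access-list"] or tokens[2] != "extended":
        raise ValueError(f"unsupported ACE: {line!r}")
    action, proto, rest = tokens[3], tokens[4], tokens[5:]
    networks: List[IPv4Network] = []
    while rest:
        if rest[0] == "any":
            networks.append(IPv4Network("0.0.0.0/0"))
            rest = rest[1:]
        else:                                   # "192.168.2.0 255.255.255.0"
            networks.append(IPv4Network(f"{rest[0]}/{rest[1]}"))
            rest = rest[2:]
    if len(networks) != 2:
        raise ValueError(f"expected a source and a destination in {line!r}")
    return Ace(action, proto, networks[0], networks[1])


class StatefulFirewall:
    def __init__(self, acl: List[Ace]) -> None:
        self.acl = acl
        self.conns: Set[Conn] = set()           # the "connection table"

    def _acl_permits(self, src: str, dst: str, proto: str) -> bool:
        for ace in self.acl:                    # first match wins
            if ace.proto not in ("ip", proto):
                continue
            if ip_address(src) in ace.src and ip_address(dst) in ace.dst:
                return ace.action == "permit"
        return False                            # implicit deny at the end

    def packet(self, src: str, dst: str, sport: int, dport: int,
               proto: str = "tcp", syn: bool = False) -> str:
        key: Conn = (src, dst, sport, dport, proto)
        reverse: Conn = (dst, src, dport, sport, proto)
        # Fast path: an established connection is never re-checked against the ACL.
        if key in self.conns or reverse in self.conns:
            return "forwarded (existing conn)"
        if proto == "tcp" and not syn:
            return "dropped (no conn, not a SYN)"
        if self._acl_permits(src, dst, proto):  # new connection: ACL decides
            self.conns.add(key)
            return "forwarded (new conn, ACL permit)"
        return "dropped (ACL deny)"

    def replace_acl(self, acl: List[Ace]) -> None:
        """Like editing the access-list / re-applying access-group: conns untouched."""
        self.acl = acl

    def clear_conn(self, host: Optional[str] = None) -> int:
        """Drop connection-table entries (all, or those involving host)."""
        keep: Set[Conn] = set() if host is None else {
            c for c in self.conns if host not in (c[0], c[1])}
        removed = len(self.conns) - len(keep)
        self.conns = keep
        return removed


def demo() -> Dict[str, object]:
    """Replay the thread: permit-all ACL, SMB session up, then the deny is added."""
    fw = StatefulFirewall([parse_ace(
        "access-list acl_outgoing extended permit ip any any")])
    r: Dict[str, object] = {}
    # Constructed traffic: inside host 192.168.1.7 opens SMB (tcp/445) to dmz host.
    r["smb_syn_before"] = fw.packet("192.168.1.7", "192.168.2.2", 50123, 445, syn=True)
    fw.replace_acl([
        parse_ace("access-list acl_outgoing extended deny ip any 192.168.2.0 255.255.255.0"),
        parse_ace("access-list acl_outgoing extended permit ip any any")])
    r["smb_data_after_deny"] = fw.packet("192.168.1.7", "192.168.2.2", 50123, 445)
    r["new_syn_after_deny"] = fw.packet("192.168.1.7", "192.168.2.2", 50124, 445, syn=True)
    r["cleared"] = fw.clear_conn("192.168.1.7")
    r["smb_data_after_clear"] = fw.packet("192.168.1.7", "192.168.2.2", 50123, 445)
    return r


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step:22s} -> {outcome}")
```

`demo()` shows the two halves of the story: with the deny in place a brand-new SYN to 192.168.2.2 is dropped at once, while the already-open SMB session keeps being forwarded from the connection table until `clear_conn` removes its entry, after which its next data packet has no entry and no SYN and is dropped. On an actual ASA the equivalents are `show conn` to inspect the connection table and `clear conn` or `clear local-host <ip>` to remove entries, alongside the `clear xlate` the reply suggests.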