Hello all.  I'm looking for some PIX experts to help me with the following
strangeness I found while fiddling around with the Pix.

For purposes of this discussion, I am using PixOS 5.3, and I got a Pix 530
with 2 interfaces.  The inside interface has a network of 192.168.1.0/24,
and the outside interface is 50.0.0.0/8.  The inside network has a few PCs,
the outside network has a server at 50.5.5.5 running WWW, FTP, and telnet.
And I always use "clear xlate" after I change anything on the PIX.

1) Question on "Outbound" - is the documentation wrong?

I have carefully read the documentation on the Outbound keyword.  The link
is here for convenience:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v53/config/commands.htm#xtocid223341

The documentation states the following: "The outgoing_src and
outgoing_dest outbound lists are filtered independently. If any one of the
filters contain deny, the outbound packet is denied. When multiple rules are
used to filter the same packet, the best matched rule takes effect. The
best match is based on the IP address mask and the port range check. More
strict IP address masks and smaller port ranges are considered a better
match."

Now, I am not a genius, but it seems to me that this paragraph states that
the PIX will prefer an outbound statement that is a longer match (mask or
port number) over a lesser match.  Is that correct?

But the fact of the matter is that this does not work for me.  I have
discovered that my PIX does not in fact do a longest match at all.  For
example, I put in the commands:

outbound 1 deny 0 0 0
outbound 1 permit 50.5.5.5 255.255.255.255 0

Then I apply it, and I find out that nobody on the inside can access the
50.5.5.5 server, even though it seems like the second outbound statement
should override the first statement (because it is a longer match).

Now, for those of you who might want to know whether the Pix is working
properly or not, or whether I applied the outbound list correctly or not,
consider this.  I then changed the outbound statements to read this:

outbound 1 deny 0 0 0
outbound 1 except 50.5.5.5 255.255.255.255 0

And I see that indeed, everybody on the internal network is denied access to
everything except the 50.5.5.5 server.  So I know the Pix is working, and I
am correctly applying the outbound list.

The only conclusion I can make is that either the documentation on the
outbound keyword is seriously wrong (and therefore it is false that
the Pix does a longest match) or my Pix is seriously warped.


2) Question on direction of Apply keyword - another error in the
documentation?

Once again, referring to the documentation, this time on the Apply keyword.
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v53/config/commands.htm#xtocid223341

I am interested in whether to use 'outgoing_src' or 'outgoing_dest' with the
'Apply' keyword.

For example, in my above example, I always used outgoing_src.  I would do
something like this:
outbound 1 deny 0 0 0
outbound 1 except 50.5.5.5 255.255.255.255 0
apply (inside) 1 outgoing_src

This would serve to block all access from the inside network to the outside,
except for the 50.5.5.5 server, which is exactly the behavior I wanted.
If I replace the apply statement with
apply (inside) 1 outgoing_dest
then everybody on the internal network can go everywhere, which is not the
desired behavior I want.  So I believe I understand how this works.  If
your Outbound list includes addresses of your internal PCs, then use
outgoing_dest.  If it instead contains outside addresses, use outgoing_src.
I have tested this theory many times on my PIX, and it always follows this
pattern.

Then I look at the documentation examples,  and they seem to have it
backwards.

For example, they have the following example:
"The following example prevents inside host 192.168.1.49 from accessing the
World Wide Web (port 80):

outbound 11 deny 192.168.1.49 255.255.255.255 80 tcp

apply (inside) 11 outgoing_src"


I went and tried this and I discovered that it doesn't work at all.  I fire
up a spare PC that I have, give it the address of 192.168.1.49, and attach
it to my inside network.  I put the above commands into the Pix, and I
discover that the PC can go anywhere it wants, willy-nilly.  The above
outbound list never gets invoked at all.

But I found out that when I change the Apply statement to follow my pattern,
instead of what the documentation says to do:

apply (inside) 11 outgoing_dest

Then the PC is indeed blocked.  So what's up with that?  What's screwed up,
the documentation or my PIX?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=12122&t=12122
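The following is an added example, not code from the post above or from Cisco. It models the evaluation rule in the documentation paragraph the post quotes (src and dest lists filtered independently, any matching deny denies, best match chosen by stricter mask and then narrower port range) and runs it over the exact outbound lists the post gives, plus one constructed list that exercises best-match with a /24 and a single port. Three things the page does not spell out are assumptions of the model, marked as such in the code: that outgoing_src compares the entry's address with the packet's source and outgoing_dest with its destination; that an except entry names the opposite end of the connection and exempts matching traffic from the list's deny entries (the behaviour the deny/except result in the post shows); and that a packet matching no entry is permitted. The helper names, the host addresses and the extra list are the example's own.

```python
"""Model of the PIX outbound/apply evaluation quoted in the post (added example).

Assumptions, not taken from the page: outgoing_src compares the entry address
with the packet source and outgoing_dest with the destination; an 'except'
entry names the opposite end and exempts it from the list's deny entries; a
packet matching no entry is permitted.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str                       # "permit", "deny" or "except"
    network: ipaddress.IPv4Network
    port_lo: int
    port_hi: int
    proto: str                        # "tcp", "udp" or "" for any protocol

    def strictness(self):
        # Longer mask first, then narrower port range: the documented "best match".
        return (self.network.prefixlen, -(self.port_hi - self.port_lo))

    def matches(self, addr, port, proto):
        return (ipaddress.IPv4Address(addr) in self.network
                and self.port_lo <= port <= self.port_hi
                and self.proto in ("", proto))


def parse_outbound(line):
    """Parse 'outbound <id> <action> <addr> [mask [port[-port]]] [proto]'."""
    parts = line.split()
    if parts[0] != "outbound" or len(parts) < 4:
        raise ValueError("not an outbound command: %r" % line)
    list_id, action, addr = int(parts[1]), parts[2], parts[3]
    mask = parts[4] if len(parts) > 4 else "255.255.255.255"
    port = parts[5] if len(parts) > 5 else "0"
    proto = parts[6] if len(parts) > 6 else ""
    addr = "0.0.0.0" if addr == "0" else addr    # PIX shorthand for any address
    mask = "0.0.0.0" if mask == "0" else mask
    if port == "0":                               # port 0 means every port
        lo, hi = 0, 65535
    elif "-" in port:
        lo, hi = map(int, port.split("-"))
    else:
        lo = hi = int(port)
    net = ipaddress.IPv4Network((addr, mask), strict=False)
    return list_id, Rule(action, net, lo, hi, proto)


def load_config(text):
    """Return {interface: (rules, direction)} from outbound/apply lines."""
    lists, applied = {}, {}
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == "outbound":
            list_id, rule = parse_outbound(line)
            lists.setdefault(list_id, []).append(rule)
        elif parts and parts[0] == "apply":       # apply (inside) 1 outgoing_src
            applied[parts[1].strip("()")] = (lists.setdefault(int(parts[2]), []), parts[3])
    return applied


def evaluate(rules, direction, src, dst, port, proto):
    """Return 'permit' or 'deny' for one outbound packet under one list."""
    if direction not in ("outgoing_src", "outgoing_dest"):
        raise ValueError("unknown apply direction: %r" % direction)
    own, other = (src, dst) if direction == "outgoing_src" else (dst, src)
    # Assumption: 'except' is checked against the opposite end of the connection.
    if any(r.action == "except" and r.matches(other, port, proto) for r in rules):
        return "permit"
    hits = [r for r in rules if r.action != "except" and r.matches(own, port, proto)]
    if not hits:                                  # assumption: no match permits
        return "permit"
    return max(hits, key=Rule.strictness).action


def check(config, iface, src, dst, port, proto="tcp"):
    rules, direction = load_config(config)[iface]
    return evaluate(rules, direction, src, dst, port, proto)


# The lists from the post, plus one constructed list that exercises best-match.
DENY_THEN_PERMIT = """outbound 1 deny 0 0 0
outbound 1 permit 50.5.5.5 255.255.255.255 0
apply (inside) 1 outgoing_src"""
DENY_THEN_EXCEPT = """outbound 1 deny 0 0 0
outbound 1 except 50.5.5.5 255.255.255.255 0
apply (inside) 1 outgoing_src"""
DOC_EXAMPLE = """outbound 11 deny 192.168.1.49 255.255.255.255 80 tcp
apply (inside) 11 outgoing_src"""
BEST_MATCH = """outbound 2 deny 0 0 0
outbound 2 permit 192.168.1.0 255.255.255.0 80 tcp
apply (inside) 2 outgoing_src"""

if __name__ == "__main__":
    for name, cfg, src, dst, port in [
        ("deny+permit", DENY_THEN_PERMIT, "192.168.1.10", "50.5.5.5", 80),
        ("deny+except", DENY_THEN_EXCEPT, "192.168.1.10", "50.5.5.5", 80),
        ("deny+except", DENY_THEN_EXCEPT, "192.168.1.10", "50.6.6.6", 23),
        ("doc example", DOC_EXAMPLE, "192.168.1.49", "50.5.5.5", 80),
        ("best match", BEST_MATCH, "192.168.1.10", "50.5.5.5", 80),
        ("best match", BEST_MATCH, "192.168.1.10", "50.5.5.5", 21),
    ]:
        print("%-12s %s -> %s:%d  %s" % (name, src, dst, port, check(cfg, "inside", src, dst, port)))
```

Under this model the first list in the post denies an inside host reaching 50.5.5.5 because, with outgoing_src, the `permit 50.5.5.5 255.255.255.255` entry is compared against the inside source address and never matches, so the only matching entry is the deny; the deny/except list permits that same connection because the except is compared against the destination. The constructed BEST_MATCH list shows the documented tie-break: a /24 entry with a single port beats a `0 0 0` deny for port 80 and loses for every other port. Whether a real PIX 530 running 5.3 behaves this way is exactly the question the post raises; the model only encodes the quoted documentation plus the stated assumptions.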