Think of it as more of a "more specific match" instead.  A rule for
50.0.0.0/8 is less specific than a rule for 50.5.5.5/32.  I would put the
deny at the bottom of the list though....


----- Original Message -----
From: "nrf" 
To: 
Sent: Thursday, July 12, 2001 8:33 AM
Subject: Some questions for PIX experts [7:12122]


> Hello all.  I'm looking for some PIX experts to help me with the following
> strangeness I found while fiddling around with the Pix.
>
> For purposes of this discussion, I am using PixOS 5.3, and I got a Pix 530
> with 2 interfaces.  The inside interface has a network of 192.168.1.0/24,
> and the outside interface is 50.0.0.0/8.  The inside network has a few PC's,
> the outside network has a server at 50.5.5.5 running WWW, FTP, and telnet.
> And I always use "clear xlate" after I change anything on the PIX.
>
> 1) Question on "Outbound" - is the documentation wrong?
>
> I have carefully read the documentation on the Outbound keyword.  The link
> is here for convenience:
>
> http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v53/config/commands.htm#xtocid223341
>
> The documentation states the following: "  The outgoing_src and
> outgoing_dest outbound lists are filtered independently. If any one of the
> filters contain deny, the outbound packet is denied. When multiple rules are
> used to filter the same packet, the best matched rule takes effect.  The
> best match is based on the IP address mask and the port range check. More
> strict IP address masks and smaller port ranges are considered a better
> match"
>
> Now, I am not a genius, but it seems to me that this paragraph states that
> the PIX will prefer an outbound statement that is a longer match (mask or
> port number) over a lesser match.  Is that correct?
>
> But the fact of the matter that this does not work for me.  I have
> discovered that my PIX does not in fact do a longest match at all.   For
> example, I put in the commands:
>
> outbound 1 deny 0 0 0
> outbound 1 permit 50.5.5.5 255.255.255.255 0
>
> Then I apply it, and I find out that nobody on the inside can access the
> 50.5.5.5 server, even though it seems like the second outbound statement
> should override the first statement (because it is a longer match).
>
> Now, those who of you who might want to know whether the Pix is working
> properly or not, or whether I applied the outbound list correctly or not,
> consider this.  I then changed the outbound statements to read this:
>
> outbound 1 deny 0 0 0
> outbound 1 except 50.5.5.5 255.255.255.255 0
>
> And I see that indeed, everybody on the internal network is indeed denied to
> everything except the 50.5.5.5 server.  So I know the Pix is working, and I
> am correctly applying the outbound list.
>
> My only conclusion that I can make is that either the documentation on the
> outbound keyword is seriously wrong (and therefore it is false that
> the Pix does a longest match) or my Pix is seriously warped.
>
>
> 2) Question on direction of Apply keyword - another error in the
> documentation?:
>
> Once again, referring to the documentation, this time on the Apply keyword.
>
> http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v53/config/commands.htm#xtocid223341
>
> I am interested in whether to use 'outgoing_src' or 'outgoing_dest' with the
> 'Apply' keyword.
>
> For example, in my above example, I always used outgoing_src.  I would do
> something like this:
> outbound 1 deny 0 0 0
> outbound 1 except 50.5.5.5 255.255.255.255 0
> apply (inside) 1 outgoing_src
>
> This would serve to block all access from the inside network to the outside,
> except for the 50.5.5.5 server, which is exactly the behavior I wanted.
> If I replace the apply statement with
> apply (inside) 1 outgoing_dest
> then everybody on the internal network can go everywhere, which is not the
> desired behavior I want.  So  I believe I understand how this works.  If
> your Outbound list includes addresses of your internal PC's, then use
> outbound_dest.  If it instead contains outside addresses, use outbound_src.
> I have tested this theory many times on my PIX, and it always follows this
> pattern.
>
> Then I look at the documentation examples,  and they seem to have it
> backwards.
>
> For example, they have the following example:
> "The following example prevents inside host 192.168.1.49 from accessing the
> World Wide Web (port 80):
>
> outbound 11 deny 192.168.1.49 255.255.255.255 80 tcp
>
> apply (inside) 11 outgoing_src"
>
>
> I went and tried this and I discovered that it doesn't work at all.  I fire
> up a spare PC that I have, give it the address of 192.168.1.49, and attach
> it to my inside network.  I put in the above commands in the Pix, and I
> discover that the PC can go anywhere it wants, willy nilly.  The above
> outbound list never gets invoked at all.
>
> But I found out that when I change the Apply statement to follow my pattern,
> instead of what the documentation says to do:
>
> apply (inside) 11 outgoing_dest
>
> Then the PC is indeed blocked.   So what's up with that?  What's screwed up,
> the documentation or my PIX?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=12138&t=12122
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
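To make the "best match" and "apply direction" discussion above concrete, here is a small model of PIX outbound list evaluation. It is an added example written for this thread, not Cisco code and not a statement of what any PIX image actually does: it implements the rule-selection text quoted from the 5.3 command reference (longer mask and narrower port range win; a matching deny denies), takes outgoing_src/outgoing_dest to mean that rule addresses are compared against the packet's source or destination respectively, as the apply keyword is documented, and ASSUMES that an except entry is compared against the opposite address of the apply direction. The host addresses, the helper names (OutboundRule, evaluate, thread_scenarios) and the extra port-range list are constructed for the example.

```python
"""Toy model of PIX 'outbound'/'apply' rule selection.

Constructed example for this thread, not Cisco code.  It follows the
documentation text quoted in the thread: among the entries that match a
packet the best match (longest address mask, then narrowest port range)
takes effect, and a deny that wins denies the packet.  How 'except' is
compared (against the opposite address of the apply direction) is an
ASSUMPTION of this model.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class OutboundRule:
    list_id: int
    action: str            # 'permit', 'deny' or 'except'
    address: str           # '0' means any host, as on the PIX CLI
    mask: str              # '0' means a zero mask (any host)
    port: str              # '0' means any port; '80' or '1-1024' otherwise
    protocol: str = 'ip'   # 'ip' matches tcp and udp alike

    def network(self):
        addr = '0.0.0.0' if self.address == '0' else self.address
        mask = '0.0.0.0' if self.mask == '0' else self.mask
        return ipaddress.ip_network(f'{addr}/{mask}', strict=False)

    def ports(self):
        if self.port == '0':
            return 0, 65535
        lo, _, hi = self.port.partition('-')
        return int(lo), int(hi or lo)

    def matches(self, ip, port, proto):
        if self.protocol != 'ip' and self.protocol != proto:
            return False
        lo, hi = self.ports()
        return ipaddress.ip_address(ip) in self.network() and lo <= port <= hi

    def specificity(self):
        # Higher is a better match: longer mask first, then narrower port range.
        lo, hi = self.ports()
        return (self.network().prefixlen, -(hi - lo))


def evaluate(rules, list_id, direction, src, dst, dport, proto='tcp'):
    """Return 'permit' or 'deny' for one packet leaving the inside interface.

    direction is 'outgoing_src' (rule addresses name the packet source) or
    'outgoing_dest' (rule addresses name the destination).  'except' entries
    are ASSUMED to be compared against the other address, so an except in a
    list applied as outgoing_src names a destination.
    """
    if direction not in ('outgoing_src', 'outgoing_dest'):
        raise ValueError(direction)
    rule_ip, except_ip = (src, dst) if direction == 'outgoing_src' else (dst, src)
    in_list = [r for r in rules if r.list_id == list_id]

    candidates = [r for r in in_list
                  if r.action in ('permit', 'deny') and r.matches(rule_ip, dport, proto)]
    if not candidates:
        return 'permit'      # no entry applies; outbound lists only restrict
    best = max(candidates, key=OutboundRule.specificity)
    if best.action == 'permit':
        return 'permit'
    # A deny won; an except matching the opposite address exempts the packet.
    exempt = any(r.action == 'except' and r.matches(except_ip, dport, proto)
                 for r in in_list)
    return 'permit' if exempt else 'deny'


# The lists from the thread, plus one constructed list that differs only in port range.
TEST1 = [OutboundRule(1, 'deny', '0', '0', '0'),
         OutboundRule(1, 'permit', '50.5.5.5', '255.255.255.255', '0')]
TEST2 = [OutboundRule(1, 'deny', '0', '0', '0'),
         OutboundRule(1, 'except', '50.5.5.5', '255.255.255.255', '0')]
DOC_EXAMPLE = [OutboundRule(11, 'deny', '192.168.1.49', '255.255.255.255', '80', 'tcp')]
PORTS = [OutboundRule(2, 'deny', '50.5.5.5', '255.255.255.255', '1-1024', 'tcp'),
         OutboundRule(2, 'permit', '50.5.5.5', '255.255.255.255', '80', 'tcp')]


def thread_scenarios():
    """Evaluate a constructed inside PC (192.168.1.10) reaching 50.5.5.5."""
    pc, server, other = '192.168.1.10', '50.5.5.5', '50.9.9.9'
    return {
        # Under outgoing_src the /32 permit names a *source*; no inside host has
        # that source, so only the deny matches and best match never comes into play.
        'test1_src': evaluate(TEST1, 1, 'outgoing_src', pc, server, 80),
        # Under outgoing_dest both entries match and the /32 is the better match.
        'test1_dest': evaluate(TEST1, 1, 'outgoing_dest', pc, server, 80),
        'test1_dest_other': evaluate(TEST1, 1, 'outgoing_dest', pc, other, 80),
        # except (assumed to name a destination here) exempts only the server.
        'test2_src': evaluate(TEST2, 1, 'outgoing_src', pc, server, 80),
        'test2_src_other': evaluate(TEST2, 1, 'outgoing_src', pc, other, 80),
        # Documentation example, read as documented: only .49 on tcp/80 is hit.
        'doc_web': evaluate(DOC_EXAMPLE, 11, 'outgoing_src', '192.168.1.49', server, 80),
        'doc_ftp': evaluate(DOC_EXAMPLE, 11, 'outgoing_src', '192.168.1.49', server, 21),
        # Same mask on both entries: the narrower port range is the better match.
        'ports_80': evaluate(PORTS, 2, 'outgoing_dest', pc, server, 80),
        'ports_21': evaluate(PORTS, 2, 'outgoing_dest', pc, server, 21),
    }


if __name__ == '__main__':
    for name, verdict in thread_scenarios().items():
        print(f'{name}: {verdict}')
```

Under this model the first two experiments in the thread come out as reported (deny for the permit form under outgoing_src, permit for the except form), without the selection algorithm being at fault: the apply direction decides which packet address the /32 is compared against, and best match only matters once more than one entry actually matches. The documentation example does not reproduce the reported result under these assumptions, which is exactly the point the thread leaves open.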