PIX rules

Posted on 2004-11-05
Last Modified: 2013-11-16
I have 515E working just fine. Everybody can access the internet. I want to add rules with the "object-group" command. I want to group several IPs in a group name, and then make an access rule referring to it.

As soon as I add a rule referring to any group, nobody can access the Internet.

I made a new group including only 1 IP address, I made a rule allowing that group every outbound traffic, and it didn't work. If I change the group for the IP in the access rule, it works.

Please help!

Question by:llandajuela
    LVL 23

    Accepted Solution

    I'm not aware of any problems with regards to this.  Take a look here:

    LVL 36

    Expert Comment

    Hi llandajuela,
    Bear in mind that by default all outbound traffic is permitted. If you create an access-list then there is an implicit 'deny all' at the end. Therefore if you create an access-list allowing one machine to access the internet and apply it then only that machine will be able to access the internet.
    Therefore when creating an outbound access-list you need to be careful and specify everything which should be permitted.
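
The behaviour described in the comment above (outbound permitted by default, first match wins once a list is applied, implicit deny at the end), as an added example that is not part of the thread or of any poster's configuration. It is a simplified model in Python, not PIX code: the sample config, the names `INET_USERS` and `inside_out`, the addresses, and the assumed entry shape `access-list NAME ACTION ip SOURCE any` are all constructed for illustration.

```python
import ipaddress

# Constructed sample in PIX-style syntax; names and addresses are made up.
SAMPLE_CONFIG = """\
object-group network INET_USERS
  network-object host 192.168.1.10
  network-object 192.168.2.0 255.255.255.0
access-list inside_out deny ip host 192.168.2.99 any
access-list inside_out permit ip object-group INET_USERS any
"""

def _net(tok):
    """Turn 'any', 'host A' or 'NET MASK' tokens into an ip_network."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32")
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}")

def parse(config):
    """Return {acl_name: [(action, [source networks]), ...]} in config order."""
    groups, acls, current = {}, {}, None
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[:2] == ["object-group", "network"]:
            current = groups.setdefault(tok[2], [])
        elif tok[0] == "network-object" and current is not None:
            current.append(_net(tok[1:]))
        elif tok[0] == "access-list":
            current = None
            # Assumed shape: access-list NAME ACTION ip SOURCE any
            name, action, src = tok[1], tok[2], tok[4:-1]
            nets = groups[src[1]] if src[0] == "object-group" else [_net(src)]
            acls.setdefault(name, []).append((action, nets))
    return acls

def evaluate(acl, src_ip):
    """First match wins; an applied list that matches nothing denies."""
    if acl is None:  # no access-list bound to the interface
        return "permit", "default outbound policy"
    ip = ipaddress.ip_address(src_ip)
    for n, (action, nets) in enumerate(acl, 1):
        if any(ip in net for net in nets):
            return action, f"entry {n}"
    return "deny", "implicit deny"

if __name__ == "__main__":
    acl = parse(SAMPLE_CONFIG)["inside_out"]
    for host in ("192.168.1.10", "192.168.2.99", "192.168.1.11"):
        print(host, *evaluate(acl, host))
```

Running a list of inside hosts through `evaluate` before applying a new outbound list shows which of them would fall through to the implicit deny.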

    Author Comment

    grblades, thanks, but I understand what you are saying. It was a test, and the problem is that that machine was not able to access the internet.
    LVL 36

    Expert Comment

    In your test you have only set up a small set of static mappings. Any outgoing connection will use a high-numbered port at your end and therefore won't match any ports listed in your 'static' command.
    You should be able to use a 'global' and 'nat' command to define a default PAT to use for all other outbound connections.
    LVL 23

    Expert Comment

    by:Tim Holman
    Could you post up the non-working config so we can see what's wrong?
    LVL 57

    Expert Comment

    by:Pete Long
    Just to add some info:

    I've created object groups from the command line and seen them not listed in the PDM - don't know if it's related :)
