llandajuela

asked on

PIX rules

I have a 515E working just fine. Everybody can access the internet. I want to add rules with the "object-group" command. I want to group several IPs in a group name, and then make an access rule referring to it.

As soon as I add a rule referring to any group, nobody can access the Internet.

Test:
I made a new group including only 1 IP address, I made a rule allowing that group every outbound traffic, and it didn't work. If I change the group for the IP in the access rule, it works.

Please help!

Thanks
ASKER CERTIFIED SOLUTION
Tim Holman
Hi llandajuela,
Bear in mind that by default all outbound traffic is permitted. If you create an access-list then there is an implicit 'deny all' at the end. Therefore if you create an access-list allowing one machine to access the internet and apply it then only that machine will be able to access the internet.
Therefore when creating an outbound access-list you need to be careful and specify everything which should be permitted.
llandajuela

ASKER

grblades, thanks, but I understand what you are saying. It was a test, and the problem is that that machine was not able to access the internet.
In your test you have only setup a small set of static mappings. Any outgoing connection will use a high numbered port your end and therefore won't match any ports listed in your 'static' command.
You should be able to use a 'global' and 'nat' command to define a default PAT to use for all other outbound connections.
Could you post up the non-working config so we can see what's wrong?
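Putting the two points above together (the implicit deny at the end of an applied access-list, and a default PAT via 'nat'/'global' so ordinary high-port outbound connections are translated), here is an added example in PIX 6.x command syntax. It is not the asker's config and was not posted in this thread; the object-group name, access-list name, interface names and 192.168.x.x addresses are assumed placeholders for illustration.

```cisco
! Added example, not from the thread. Names and addresses are assumed.
! Inside hosts that should have unrestricted outbound access, grouped so the
! access-list can refer to them by one name.
object-group network INSIDE_FULL_ACCESS
  network-object host 192.168.1.10
  network-object host 192.168.1.11
  network-object 192.168.2.0 255.255.255.0
!
! Outbound access-list applied inbound on the inside interface. Once it is
! applied, anything not explicitly permitted here is dropped by the implicit
! deny at the end, so every flow that should keep working must be listed.
! The group gets all IP traffic; the rest of the inside network keeps only
! web and DNS. The last line duplicates the implicit deny with "log" so
! blocked flows show up in the syslog while troubleshooting.
access-list OUTBOUND permit ip object-group INSIDE_FULL_ACCESS any
access-list OUTBOUND permit tcp 192.168.0.0 255.255.0.0 any eq 80
access-list OUTBOUND permit tcp 192.168.0.0 255.255.0.0 any eq 443
access-list OUTBOUND permit udp 192.168.0.0 255.255.0.0 any eq 53
access-list OUTBOUND deny ip any any log
access-group OUTBOUND in interface inside
!
! Default PAT: outbound connections leave from random high source ports,
! which no "static" entry matches, so a catch-all nat/global pair is needed
! to translate them to the outside interface address.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
```

After applying it, `show access-list OUTBOUND` shows a hit count per line, so a client that cannot get out is quickly located by watching which line (in particular the final deny) its traffic lands on, and `show xlate` confirms that the PAT entry is being created for the connection.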
Just to add some info

I've created object groups from the command line and seen them not listed in the PDM - don't know if it's related :)