llandajuela
asked on
PIX rules
I have a 515E working just fine. Everybody can access the internet. I want to add rules with the "object-group" command. I want to group several IPs in a group name, and then make an access rule referring to it.
As soon as I add a rule referring to any group, nobody can access the Internet.
Test:
I made a new group including only 1 IP address, I made a rule allowing that group every outbound traffic, and it didn't work. If I change the group for the IP in the access rule, it works.
Please help!
Thanks
ASKER
grblades, thanks, but I understand what you are saying. It was a test, and the problem is that that machine was not able to access the internet.
In your test you have only set up a small set of static mappings. Any outgoing connection will use a high-numbered port at your end and therefore won't match any ports listed in your 'static' command.
You should be able to use a 'global' and 'nat' command to define a default PAT to use for all other outbound connections.
Could you post up the non-working config so we can see what's wrong?
Just to add some info:
I've created object groups from the command line and seen them not listed in the PDM; don't know if it's related :)
Bear in mind that by default all outbound traffic is permitted. If you create an access-list then there is an implicit 'deny all' at the end. Therefore if you create an access-list allowing one machine to access the internet and apply it, then only that machine will be able to access the internet.
Therefore when creating an outbound access-list you need to be careful and specify everything which should be permitted.
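The implicit-deny behaviour described in this answer, shown as a constructed PIX 6.x configuration fragment (not the asker's config): the inside network 192.168.1.0/24, the group name WEB_CLIENTS and its hosts are placeholders, and the 'log' keyword on the final deny is optional.

```cisco
! Constructed example; addresses and names are placeholders.
! Hosts that need unrestricted outbound access, grouped once and reused.
object-group network WEB_CLIENTS
  network-object host 192.168.1.10
  network-object host 192.168.1.11

! Default PAT so every inside host is translated on the outside
! interface (a 'static' only covers the ports it names).
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface

! BROKEN: only the group is permitted. Once this list is applied, the
! implicit 'deny ip any any' at its end drops every other inside host,
! which is the symptom reported in the question.
access-list OUT_BROKEN permit ip object-group WEB_CLIENTS any

! CORRECTED: list everything that should be allowed out, then an
! explicit logged deny so dropped traffic is visible in syslog.
access-list OUT_FIXED permit ip object-group WEB_CLIENTS any
access-list OUT_FIXED permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list OUT_FIXED permit tcp 192.168.1.0 255.255.255.0 any eq 443
access-list OUT_FIXED permit udp 192.168.1.0 255.255.255.0 any eq domain
access-list OUT_FIXED deny ip any any log

! Apply only the corrected list inbound on the inside interface.
access-group OUT_FIXED in interface inside
```

After applying the list, 'show access-list OUT_FIXED' reports per-line hit counts, which is the quickest way to confirm that the group line is matching and that the final deny is not catching traffic you meant to permit.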