PIX rules

I have 515E working just fine. Everybody can access the internet. I want to add rules with the "object-group" command. I want to group several IPs in a group name, and then make an access rule referring to it.

As soon as I add a rule referring to any group, nobody can access the Internet.

Test:
I made a new group including only 1 IP address, I made a rule allowing that group every outbound traffic, and it didn't work. If I change the group for the IP in the access rule, it works.

Please help!

Thanks
llandajuela Asked:

Tim Holman Commented:
I'm not aware of any problems with regards to this.  Take a look here:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml

0

grblades Commented:
Hi llandajuela,
Bear in mind that by default all outbound traffic is permitted. If you create an access-list then there is an implicit 'deny all' at the end. Therefore if you create an access-list allowing one machine to access the internet and apply it then only that machine will be able to access the internet.
Therefore when creating an outbound access-list you need to be careful and specify everything which should be permitted.
0
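The implicit 'deny all' described in the comment above, as an added example that is not part of the original thread: a small first-match evaluator over an access-list whose source is an object-group. The group name `INET_USERS`, the ACL name `inside_out` and all addresses are constructed; the model matches on source address only and ignores protocols, ports and NAT.

```python
import ipaddress

# Constructed sample, modelled on a PIX-style configuration such as:
#   object-group network INET_USERS
#     network-object host 192.168.1.10
#   access-list inside_out permit ip object-group INET_USERS any
OBJECT_GROUPS = {"INET_USERS": ["192.168.1.10/32"]}
ACL = [("permit", "object-group", "INET_USERS")]


def expand(kind, value, groups):
    """Return the networks that an ACL source field refers to."""
    if kind == "object-group":
        if value not in groups:
            raise KeyError(f"undefined object-group {value!r}")
        return [ipaddress.ip_network(n) for n in groups[value]]
    if kind == "host":
        return [ipaddress.ip_network(value)]
    if kind == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    raise ValueError(f"unknown source kind {kind!r}")


def evaluate(src, acl, groups):
    """First matching entry wins; no match falls through to the implicit deny."""
    if acl is None:
        # No access-list applied: outbound traffic is permitted by default.
        return ("permit", "no access-list applied")
    addr = ipaddress.ip_address(src)
    for number, (action, kind, value) in enumerate(acl, 1):
        if any(addr in net for net in expand(kind, value, groups)):
            return (action, f"entry {number}")
    return ("deny", "implicit deny")


if __name__ == "__main__":
    for host in ("192.168.1.10", "192.168.1.11"):
        print(host, "without ACL:", evaluate(host, None, OBJECT_GROUPS))
        print(host, "with ACL:   ", evaluate(host, ACL, OBJECT_GROUPS))
```
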
llandajuela Author Commented:
grblades, thanks, but I understand what you are saying. It was a test, and the problem is that that machine was not able to access the internet.
0

grblades Commented:
In your test you have only set up a small set of static mappings. Any outgoing connection will use a high numbered port your end and therefore won't match any ports listed in your 'static' command.
You should be able to use a 'global' and 'nat' command to define a default PAT to use for all other outbound connections.
0
Tim Holman Commented:
Could you post up the non-working config so we can see what's wrong?
0
Pete Long, Technical Consultant Commented:
Just to add some info

I've created object groups from command line and seen them not listed in the PDM - don't know if it's related :)
0

Question has a verified solution.