
Solved

PIX rules

Posted on 2004-11-05
234 Views
Last Modified: 2013-11-16
I have a 515E working just fine. Everybody can access the internet. I want to add rules with the "object-group" command. I want to group several IPs in a group name, and then make an access rule referring to it.

As soon as I add a rule referring to any group, nobody can access the Internet.

Test:
I made a new group including only 1 IP address, I made a rule allowing that group all outbound traffic, and it didn't work. If I change the group for the IP in the access rule, it works.

Please help!

Thanks
Question by:llandajuela
6 Comments
 
LVL 23

Accepted Solution

by:
Tim Holman earned 750 total points
ID: 12504085
I'm not aware of any problems with regard to this. Take a look here:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml

LVL 36

Expert Comment

by:grblades
ID: 12504764
Hi llandajuela,
Bear in mind that by default all outbound traffic is permitted. If you create an access-list then there is an implicit 'deny all' at the end. Therefore if you create an access-list allowing one machine to access the internet and apply it then only that machine will be able to access the internet.
Therefore when creating an outbound access-list you need to be careful and specify everything which should be permitted.

Author Comment

by:llandajuela
ID: 12505005
grblades, thanks, but I understand what you are saying. It was a test, and the problem is that that machine was not able to access the internet.
LVL 36

Expert Comment

by:grblades
ID: 12505067
In your test you have only set up a small set of static mappings. Any outgoing connection will use a high-numbered port at your end and therefore won't match any ports listed in your 'static' command.
You should be able to use a 'global' and 'nat' command to define a default PAT to use for all other outbound connections.
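The two points grblades makes above (an applied access-list ends in an implicit deny, so every flow you still want has to be permitted explicitly, and outbound connections need a default PAT via nat/global rather than per-port statics) put together as one PIX 6.x configuration. This is an added example, not a config from the thread or from Cisco; the interface names, addresses, the object-group name and the choice of permitted ports are assumptions.

```cisco
! Added example, not from the original thread. PIX 6.x syntax;
! 192.168.1.0/24 as the inside subnet and the host addresses are assumed.

! Group the inside hosts that get a dedicated rule.
object-group network INSIDE_HOSTS
  network-object host 192.168.1.10
  network-object host 192.168.1.11

! Rule for the group first, then explicit permits for everything else the
! rest of the inside subnet should still be allowed to do. Without those
! extra lines the implicit "deny ip any any" at the end of the list blocks
! every other inside host the moment the list is applied, which is the
! symptom described in the question.
access-list OUTBOUND permit ip object-group INSIDE_HOSTS any
access-list OUTBOUND permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list OUTBOUND permit tcp 192.168.1.0 255.255.255.0 any eq https
access-list OUTBOUND permit udp 192.168.1.0 255.255.255.0 any eq domain
access-group OUTBOUND in interface inside

! Default PAT on the outside interface address, so outbound connections from
! any inside host are translated regardless of any per-host "static" entries.
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface

! Verification after applying: "show access-list OUTBOUND" prints a hit count
! per line, so a blocked host shows up as no increment on any permit line.
```

The ordering matters only within the list (first match wins), so the group rule can sit anywhere as long as a broader permit does not precede it and swallow its traffic; the decisive part is that the final implicit deny is preceded by a permit for every flow that was working before the list existed.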
LVL 23

Expert Comment

by:Tim Holman
ID: 12505071
Could you post up the non-working config so we can see what's wrong?
LVL 57

Expert Comment

by:Pete Long
ID: 12506127
Just to add some info:

I've created object groups from the command line and seen them not listed in the PDM - don't know if it's related :)