ACL question on pix

I entered this in my PIX to block FTP (I'm aware FTP uses two ports; just doing testing):

pix(config)# access-list outbound_policy deny tcp any any eq 21
pix(config)# access-list outbound_policy permit ip any any
pix(config)# access-group outbound_policy in interface inside  <--applied inbound on internal interface of PIX

I then ran a sniffer and tried to do an FTP connection to a remote site. It didn't work, but here are the logs:
http://www.streetneeds.com/uploads/ot/sn.jpg

It shows my private IP sending a connection request to the remote host. Shouldn't the PIX be blocking this??? I shouldn't be connecting at all since the dest IP in the packet is 21???
dissolved (Author) Asked:

Don Johnston (Instructor) Commented:
Where was the sniffer? On the client side of the PIX, or the other side?

What the trace shows is an outbound segment attempting to establish the connection (SYN). But there's never an acknowledge (ACK) so the connection never gets established. This would be because the server never got the segment because the PIX blocked it.

Based on the trace, I'm going to guess that the sniffer is on the client side of the PIX. If it were on the other side, you wouldn't see the three SYNs.

-Don
0
dissolved (Author) Commented:
Yep, sniffer is on the client side of the PIX.

It looks like the SYN is hitting the FTP server. I have an ACL applied INBOUND on my internal PIX interface. Is this the proper way to apply an ACL (when you're trying to prevent internal users from doing certain things)?

I thought the SYN would never even hit the server due to my ACL. But it looks like the SYN is reaching the FTP server, as the FTP server probably tries a SYN/ACK and gets rejected.

0
Don Johnston (Instructor) Commented:
When you say "internal" PIX interface, do you mean the interface that connects to the client PCs?

Are you filtering the output on the sniffer? I'm wondering if there's some traffic we're not seeing.

If you're filtering coming from the clients inbound, the server shouldn't be receiving the FTP traffic.

-Don
0
dissolved (Author) Commented:
Yea, I have a PIX 501. One external, one internal (as you probably know). I am behind the PIX.

Here is what I have entered:

pix(config)# access-list outbound_policy deny tcp any any eq 21
pix(config)# access-list outbound_policy permit ip any any
pix(config)# access-group outbound_policy in interface inside  

This should cause any traffic with a dest port of "21" to be blocked at the internal PIX interface. Right?
0
lrmoore Commented:
FYI... on a PIX FW, your only option is to apply an ACL "in" on any interface.
0
dissolved (Author) Commented:
OK, so when you are trying to prevent your internal clients from doing certain things... you do it by INBOUND ACLs on the INBOUND interface of the PIX.

On the other hand... if you do NOT have a PIX and you only have a router...
You apply the ACLs INBOUND on the INTERNAL interface as well?
0
Don Johnston (Instructor) Commented:
Yes and yes.

0
dissolved (Author) Commented:
Thanks guys. Still a little confused as to why the sniffer capture showed SYNs hitting the target host, then the target host replying with RST. I thought the ACL would prevent the traffic from leaving at all?
0
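As an added illustration (not from the thread, and not Cisco/PIX code): a small first-match evaluator that parses the two access-list lines quoted above and checks constructed packets against them. It models the two rules that decide the question in this thread: entries are tried top to bottom and the first match wins, and anything that matches no entry is dropped by the implicit deny at the end of every ACL. It also shows what happens if the two lines are entered in the opposite order. The addresses and the packet list are constructed for the example; the PIX itself supports far more ACE syntax than this parser accepts.

```python
"""First-match evaluator for the PIX access-list quoted in the thread.

Added example, not Cisco/PIX code. It understands only the ACE shapes that
appear on the page (permit/deny, protocol ip/tcp/udp, 'any' or a single host
as endpoints, optional 'eq <port>') and applies first-match semantics plus
the implicit deny at the end of the list. Addresses and packets below are
constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The two lines the poster entered (the access-group direction is separate).
ACL_TEXT = """
access-list outbound_policy deny tcp any any eq 21
access-list outbound_policy permit ip any any
"""

ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>ip|tcp|udp)\s+(?P<src>\S+)\s+(?P<dst>\S+)"
    r"(?:\s+eq\s+(?P<port>\d+))?\s*$"
)


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: str              # 'any' or a single host address
    dst: str
    port: Optional[int]   # destination port from 'eq', or None for any port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def parse_acl(text: str) -> List[Ace]:
    """Parse access-list lines in the order written; that order is the ACL's semantics."""
    aces = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACE syntax: {line!r}")
        port = m.group("port")
        aces.append(Ace(m.group("action"), m.group("proto"), m.group("src"),
                        m.group("dst"), int(port) if port else None))
    return aces


def _endpoint_matches(pattern: str, addr: str) -> bool:
    return pattern == "any" or pattern == addr


def _ace_matches(ace: Ace, pkt: Packet) -> bool:
    # 'ip' matches every protocol; tcp/udp must match exactly.
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (_endpoint_matches(ace.src, pkt.src) and _endpoint_matches(ace.dst, pkt.dst)):
        return False
    # 'eq <port>' narrows the entry to one destination port.
    return ace.port is None or ace.port == pkt.dport


def evaluate(aces: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching ACE); index None means the implicit deny fired."""
    for i, ace in enumerate(aces):
        if _ace_matches(ace, pkt):
            return ace.action, i
    return "deny", None


def audit(aces: List[Ace], pkts: List[Packet]) -> List[Tuple[Packet, str]]:
    """Decide every packet of a constructed trace as the PIX would at the inside interface."""
    return [(p, evaluate(aces, p)[0]) for p in pkts]


if __name__ == "__main__":
    aces = parse_acl(ACL_TEXT)
    client, server = "192.168.1.10", "203.0.113.10"   # constructed addresses
    trace = [
        Packet("tcp", client, server, 21),   # the FTP SYN seen in the capture
        Packet("tcp", client, server, 80),   # web traffic, should still pass
        Packet("udp", client, server, 53),   # DNS, caught by 'permit ip any any'
    ]
    for pkt, decision in audit(aces, trace):
        print(f"{pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}  {decision}")
    # Same two lines in the opposite order: the permit now shadows the deny.
    print("reversed order:", evaluate(list(reversed(aces)), trace[0]))
```

The `in interface inside` binding means the list is checked on packets arriving at the PIX from the inside network, which is after the point where a sniffer on the client side captures them: the client still emits its SYN (and retransmits it), and the drop happens at the firewall, which is consistent with Don's reading of the trace. The reversed-order case is the classic mistake: with `permit ip any any` first, the FTP deny is never reached.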