PIX Setup for Inbound UDP

This should be fairly easy for everyone but I'm looking for best practice and advice.  On occasion, I run into an application that requires some inbound UDP traffic.  My users connect to the internet through a proxy server in our DMZ.  These UDP connections never work so we are forced to put in static entries in the PIX for the workstations accessing the given site.  This static entry allows them to bypass the proxy and access the site directly.  My thought was, why not put a statement in the PIX for the proxy server and then they won't have any issues using the proxy server for any UDP connections.

Something like:

access-list outside permit udp any host <proxy ip address in the dmz> eq any

#1 Is this a bad idea?  I know it will basically allow UDP connections from anywhere to bounce off the proxy server but I am getting so many static entries for clients in my firewall that it's getting silly.  And for each one, I have to make a static IP client as well which makes my life hell when we need to change any IP settings for all the clients.  (Aside from making them DHCP with reservations.)

#2 Is that statement formatted correctly?  I've never written a PIX command where I wanted to allow all ports.  Usually they are followed with "eq www" or "eq syslog".  I figured any UDP port would be "eq any".  Just wanted to double check myself.

Thanks in advance, I know these are some newbie questions but the networking isn't my primary job. :)
bdh113sAsked:
gpriceeeCommented:
Yes!
If you don't, you're opening a WIDE door.
You can setup a few ranges and should be okay with that.  At least now you can deal with the ranges of ports and not everyone's ip address.
Also, if your own developers are creating these applications, they can set the ranges within them and make your life easier.
0
 
gpriceeeCommented:
Hello.  udp any will allow any UDP connection to your proxy; however, you're opening yourself up for attack.
What would be better would be to find out the range of UDP ports and set up the ACL with the range.
0
 
gpriceeeCommented:
Example:
access-list outside permit udp any host <proxy ip address in the dmz> range 3200 3300
0
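As an added illustration of the advice in this thread (example code, not part of the original answers and not a Cisco tool): a small Python checker that parses PIX-style access-list lines and flags any rule that admits any source on every UDP port, the case the answers warn against. The checker's grammar accepts only "eq <port>" or "range <lo> <hi>" after the destination, so the question's "eq any" form is reported as unparsed; the sample lines and the 192.0.2.10 address are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample ACL in PIX syntax (not from a real firewall). Line 1 is the
# question's "eq any" idea, line 2 the range form from the thread, line 3 a rule
# with no port clause at all, line 4 a single-port rule.
SAMPLE_ACL = """
access-list outside permit udp any host 192.0.2.10 eq any
access-list outside permit udp any host 192.0.2.10 range 3200 3300
access-list outside permit udp any host 192.0.2.10
access-list outside permit udp any host 192.0.2.10 eq 514
"""

ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+(?P<proto>udp|tcp)\s+"
    r"(?P<src>any|host\s+\S+|\S+\s+\S+)\s+"
    r"(?P<dst>any|host\s+\S+|\S+\s+\S+)"
    r"(?:\s+eq\s+(?P<eq>\d+)|\s+range\s+(?P<lo>\d+)\s+(?P<hi>\d+))?\s*$"
)

@dataclass
class AclEntry:
    name: str
    proto: str
    src: str
    dst: str
    port_lo: Optional[int]   # None means no port clause: every port is allowed
    port_hi: Optional[int]

    def port_width(self) -> Optional[int]:
        """Number of destination ports the entry permits; None means all of them."""
        return None if self.port_lo is None else self.port_hi - self.port_lo + 1

def parse_acl_line(line: str) -> Optional[AclEntry]:
    """Parse one access-list line; return None if it does not fit the grammar."""
    m = ACL_RE.match(line.strip())
    if not m:
        return None
    if m.group("eq"):
        lo = hi = int(m.group("eq"))
    elif m.group("lo"):
        lo, hi = int(m.group("lo")), int(m.group("hi"))
    else:
        lo = hi = None
    return AclEntry(m.group("name"), m.group("proto"), m.group("src"), m.group("dst"), lo, hi)

def audit(text: str, max_ports: int = 1024) -> List[str]:
    """One verdict per non-blank line: UNPARSED, WIDE OPEN, BROAD or OK."""
    verdicts = []
    for line in text.strip().splitlines():
        e = parse_acl_line(line)
        if e is None:
            verdicts.append("UNPARSED")    # e.g. the invalid "eq any" form
        elif e.src == "any" and e.port_lo is None:
            verdicts.append("WIDE OPEN")   # any source, every port: the door the thread warns about
        elif e.src == "any" and e.port_width() > max_ports:
            verdicts.append("BROAD")       # a range, but wider than the configured threshold
        else:
            verdicts.append("OK")
    return verdicts
```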
 
bdh113sAuthor Commented:
Yeah, the problem is that the ranges are different depending on the application.  That is why I was just going to open it for all.  I figured this was a bad idea.  So do most PIX administrators just deal with each application specifically with separate access lists for each one?
0
 
bdh113sAuthor Commented:
OK, it seems my fears were correct.  Thanks for the confirmation.  I will leave it open for a bit more to make sure there isn't "something" that can be done but otherwise you have answered my question.
0
 
gpriceeeCommented:
OK, sounds good.
0
 
bdh113sAuthor Commented:
Thanks for the info.  It seems my assumptions were correct.
0
Question has a verified solution.