bdh113s asked:
PIX Setup for Inbound UDP

This should be fairly easy for everyone but I'm looking for best practice and advice.  On occasion, I run into an application that requires some inbound UDP traffic.  My users connect to the internet through a proxy server in our DMZ.  These UDP connections never work so we are forced to put in static entries in the PIX for the workstations accessing the given site.  This static entry allows them to bypass the proxy and access the site directly.  My thought was, why not put a statement in the PIX for the proxy server and then they won't have any issues using the proxy server for any UDP connections.

Something like:

access-list outside permit udp any host <proxy ip address in the dmz> eq any

#1 Is this a bad idea?  I know it will basically allow UDP connections from anywhere to bounce off the proxy server but I am getting so many static entries for clients in my firewall that it's getting silly.  And for each one, I have to make a static IP client as well which makes my life hell when we need to change any IP settings for all the clients.  (Aside from making them DHCP with reservations.)

#2 Is that statement formatted correctly?  I've never written a PIX command where I wanted to allow all ports. Usually they are followed with "eq www" or "eq syslog".  I figured any UDP port would be "eq any".  Just wanted to double check myself.

Thanks in advance, I know these are some newbie questions but the networking isn't my primary job. :)
gpriceee:

Hello.  udp any will allow any UDP connection to your proxy; however, you're opening yourself up for attack.
What would be better would be to find out the range of UDP ports and set up the ACL with the range.
Example:
access-list outside permit udp any host <proxy ip address in the dmz> range 3200 3300
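As an added illustration of gpriceee's point (this is not code from the thread or from Cisco), here is a small Python lint that parses PIX-style access-list lines and flags permit rules whose source is any and whose destination port scope is wide. It assumes, as in PIX/ASA ACL syntax, that a rule with no port operator matches every port and that "any" is not a port keyword; the IP addresses and the port-name table are constructed for the sample.

```python
import re

# Subset of the port names PIX/ASA accept after "eq" (constructed table).
PORT_NAMES = {"www": 80, "syslog": 514, "domain": 53, "ntp": 123}

ACL_RE = re.compile(
    r"^access-list\s+\S+\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host\s+\S+|\S+\s+\S+)\s+(?P<dst>any|host\s+\S+|\S+\s+\S+)"
    r"(?:\s+(?P<op>eq|range)\s+(?P<ports>.+?))?\s*$"
)

def _port(tok):
    if tok.isdigit():
        return int(tok)
    if tok in PORT_NAMES:
        return PORT_NAMES[tok]
    raise ValueError(f"not a port number or known port name: {tok}")

def port_count(op, ports):
    """Destination ports a rule matches; no operator at all means every port."""
    if op is None:
        return 65536
    lo, *rest = (_port(t) for t in ports.split())
    return rest[0] - lo + 1 if op == "range" else 1

def lint_acl(lines, wide=1024):
    """Return (line, ports, severity) for permit rules that deserve a second look."""
    out = []
    for line in (l.strip() for l in lines):
        m = ACL_RE.match(line)
        if not m or m["action"] != "permit" or m["proto"] not in ("udp", "tcp"):
            continue
        try:
            n = port_count(m["op"], m["ports"])
        except ValueError:
            out.append((line, 0, "invalid"))   # e.g. "eq any": "any" is not a port
            continue
        if m["src"] == "any" and n >= wide:    # any source host, many ports
            out.append((line, n, "high" if n == 65536 else "medium"))
    return out

# Constructed sample rules; documentation address 192.0.2.10 stands in for the proxy.
SAMPLE = [
    "access-list outside permit udp any host 192.0.2.10",
    "access-list outside permit udp any host 192.0.2.10 eq any",
    "access-list outside permit udp any host 192.0.2.10 range 3200 3300",
    "access-list outside permit udp any host 192.0.2.10 eq syslog",
    "access-list outside permit tcp host 198.51.100.7 host 192.0.2.10 eq www",
]
```

Running `lint_acl(SAMPLE)` reports the all-ports rule as high and the "eq any" rule as invalid, while the 3200-3300 range rule stays below the default threshold.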
bdh113s (asker):

Yeah, the problem is that the ranges are different depending on the application.  That is why I was just going to open it for all.  I figured this was a bad idea.  So do most PIX administrators just deal with each application specifically, with separate access lists for each one?
ASKER CERTIFIED SOLUTION by gpriceee:

bdh113s (asker):

OK, it seems my fears were correct.  Thanks for the confirmation.  I will leave it open for a bit more to make sure there isn't "something" that can be done but otherwise you have answered my question.
OK, sounds good.
bdh113s (asker):

Thanks for the info.  It seems my assumptions were correct.