PIX Setup for Inbound UDP
Posted on 2005-04-07
This should be fairly easy for everyone but I'm looking for best practice and advice. On occasion, I run into an applicaiton that requires some inbound UDP traffic. My users connect to the internet through a proxy server in our DMZ. These UDP connections never work so we are forced to put in static entries in the pix for the workstations accessing the given site. This static entry allows them to bypass the proxy and access the site directly. My thought was, why not put a statement in the PIX for the proxy server and then they wont have any issues using the proxy server for any UDP connections.
access-list outside permit udp any host <proxy ip address in the dmz> eq any
#1 Is this a bad idea? I know it will basically allow udp connections from anywhere to bounce off the proxy server but I am getting so many static entries for clients in my firewall thats its getting silly. And for each one, I have to make a static IP client as well which makes my life hell when we need to change any IP settings for all the clients. (Aside from making them DHCP with reservations.)
#2 Is that statement is formatted correctly" I've never written a PIX command where I wanted to allow all ports. Usually they are followed with "eq www" or "eq syslog". I figured any udp port would be "eq any". Just wanted to double check myself.
Thanks in advance, I know these are some newbie questions but the networking isn't my primary job. :)