  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 560

Outbound Access Rules Not Taking Effect. Incorrect Configuration?

The configuration I've tried to set on our firewall is not working. I created two access rules which I thought should deny outbound traffic on both UDP and TCP port 554 (RealPlayer). Since I've set the rules, however, connections are still being made on port 554 to remote hosts.

I've attached a couple screen shots of the access rule configuration screen.

Also, when I view the Running Configuration I can see the rules I've defined listed as:

access-list inside_access_in permit icmp any any
access-list inside_access_in permit ip any any
access-list inside_access_in remark Block Real Player
access-list inside_access_in deny tcp any any eq 554
access-list inside_access_in remark Block Real Player
access-list inside_access_in deny udp any any eq 554

What have I done wrong and why are connections still being made to port 554 on remote sites?
Attachments: rule1.JPG, rule2.JPG

Asked by: mikewurtz

1 Solution
Kutyi commented:
Do you have an access-group line like
access-group inside_access_in in interface inside
 
mikewurtz (Author) commented:
Yes, I found these two lines:

access-group outside_access_in in interface outside
access-group inside_access_in in interface inside

 
Kutyi commented:
I believe what is happening here is that your deny statements come after your permit ip any any statement. Move your access-list inside_access_in permit ip any any to the end by typing the following:

no access-list inside_access_in permit ip any any
access-list inside_access_in permit ip any any

You are implicitly allowing the traffic before you deny it, and therefore the access-list never reaches your deny statements.
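The answer above rests on one rule of ASA/PIX access lists: entries are evaluated top to bottom, the first matching entry decides, and an unmatched packet hits the implicit deny at the end. The following is an added example written for this page (not code from the thread or from Cisco) that models that first-match walk over the two access-list listings quoted in the thread. It parses the `access-list <name> permit|deny <proto> any any [eq <port>]` lines, evaluates constructed test packets against the original order and the reordered one, and also reports entries that are shadowed (can never match because an earlier, broader entry already covers every packet they would), which is exactly the defect in the question. The packet tuples and the `check()` helper are assumptions for the example; the two configurations are the ones posted in the thread.

```python
# Added example: first-match evaluation of a Cisco-style access-list,
# plus shadowed-entry detection. Illustrative code, not from the thread.
import re
from dataclasses import dataclass
from typing import List, Optional

# Only the simple "any any [eq port]" form used in the thread is parsed.
ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>ip|tcp|udp|icmp)\s+any\s+any(?:\s+eq\s+(?P<port>\d+))?\s*$"
)


@dataclass
class Ace:
    action: str
    proto: str            # "ip" matches every protocol
    port: Optional[int]   # None means any destination port

    def matches(self, proto: str, dport: int) -> bool:
        """Does this entry match a packet of the given protocol/dest port?"""
        if self.proto != "ip" and self.proto != proto:
            return False
        return self.port is None or self.port == dport

    def covers(self, other: "Ace") -> bool:
        """True if every packet `other` could match is already matched by self."""
        proto_ok = self.proto == "ip" or self.proto == other.proto
        port_ok = self.port is None or self.port == other.port
        return proto_ok and port_ok


def parse_acl(config: str, name: str) -> List[Ace]:
    """Collect the permit/deny entries of one named list; remarks are skipped."""
    aces = []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m and m.group("acl") == name:
            port = m.group("port")
            aces.append(Ace(m.group("action"), m.group("proto"),
                            int(port) if port else None))
    return aces


def evaluate(aces: List[Ace], proto: str, dport: int) -> str:
    """First matching entry wins; nothing matching means the implicit deny."""
    for ace in aces:
        if ace.matches(proto, dport):
            return ace.action
    return "deny"


def shadowed(aces: List[Ace]):
    """Entries that can never be reached because an earlier entry covers them."""
    return [(i, ace) for i, ace in enumerate(aces)
            if any(prev.covers(ace) for prev in aces[:i])]


# Constructed from the question: the list as first written (permit before deny).
BROKEN = """
access-list inside_access_in permit icmp any any
access-list inside_access_in permit ip any any
access-list inside_access_in remark Block Real Player
access-list inside_access_in deny tcp any any eq 554
access-list inside_access_in remark Block Real Player
access-list inside_access_in deny udp any any eq 554
"""

# Constructed from the follow-up: after removing and re-adding permit ip any any.
FIXED = """
access-list inside_access_in remark Block Real Player
access-list inside_access_in deny tcp any any eq 554
access-list inside_access_in remark Block Real Player
access-list inside_access_in deny udp any any eq 554
access-list inside_access_in permit icmp any any
access-list inside_access_in permit ip any any
"""


def check(config: str) -> dict:
    """Assumed helper: verdicts for a few constructed packets plus shadowed entries."""
    aces = parse_acl(config, "inside_access_in")
    return {
        "tcp/554": evaluate(aces, "tcp", 554),
        "udp/554": evaluate(aces, "udp", 554),
        "tcp/443": evaluate(aces, "tcp", 443),
        "shadowed": [f"{a.action} {a.proto} eq {a.port}" for _, a in shadowed(aces)],
    }


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, check(cfg))
```

Run as-is, the "broken" listing permits both tcp/554 and udp/554 and reports the two deny entries as shadowed; the "fixed" listing denies them and leaves ordinary traffic such as tcp/443 permitted. On a real ASA the same thing can be confirmed with `show access-list`, which prints a hit count per entry: a deny entry sitting below `permit ip any any` will never accumulate hits. If you would rather not remove and re-add the permit, the ASA also accepts `access-list <name> line <N> ...` to insert an entry at a specific position.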
 
mikewurtz (Author) commented:
That worked!

Now my config lists like this:

access-list inside_access_in remark Block Real Player
access-list inside_access_in deny tcp any any eq 554
access-list inside_access_in remark Block Real Player
access-list inside_access_in deny udp any any eq 554
access-list inside_access_in permit icmp any any
access-list inside_access_in permit ip any any
access-list outside_access_in permit icmp any any

This is the opposite of how I thought the order should go. I thought you must specify the permit ip any any first and then drill down on specific ports, but I guess I'm backwards?
 
Kutyi commented:
Glad to help!.....:)  By the way most of us have been there and done that....you are not alone...