Outbound Access Rules Not Taking Effect. Incorrect Configuration?

The configuration I've tried to set on our firewall is not working.  I created two access rules which I thought should deny outbound traffic on both UDP and TCP port 554 (RealPlayer).  Since I've set the rules, however, connections are STILL being made on port 554 to remote hosts.

I've attached a couple screen shots of the access rule configuration screen.

Also, when I view the Running Configuration I can see the rules I've defined listed as:

access-list inside_access_in permit icmp any any
access-list inside_access_in permit ip any any
access-list inside_access_in remark Block Real Player
access-list inside_access_in deny tcp any any eq 554
access-list inside_access_in remark Block Real Player
access-list inside_access_in deny udp any any eq 554

What have I done wrong and why are connections still being made to port 554 on remote sites?
[Attachments: rule1.JPG, rule2.JPG]

mikewurtz Asked:

Kutyi Commented:
I believe what is happening here is your deny statements come after your permit ip any any statement.  Move your access-list inside_access_in permit ip any any to the end by typing the following:

no access-list inside_access_in permit ip any any
access-list inside_access_in permit ip any any

You are implicitly allowing the traffic before you deny it, and therefore the access-list never reaches your deny statements.
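The first-match behaviour Kutyi describes, shown with an added simulator that is not part of this thread or of Cisco's software: it parses the two access-list listings quoted in the thread (the original order and the reordered one) and reports which entry a TCP/554 or UDP/554 packet hits in each. It assumes every entry uses "any any" for source and destination, as all the quoted lines do.

```python
from typing import Optional

# Constructed from the two ACL listings quoted in this thread: the original
# (blanket permit before the denies) and the reordered version that worked.
ORIGINAL_ACL = """\
access-list inside_access_in permit icmp any any
access-list inside_access_in permit ip any any
access-list inside_access_in remark Block Real Player
access-list inside_access_in deny tcp any any eq 554
access-list inside_access_in remark Block Real Player
access-list inside_access_in deny udp any any eq 554"""

FIXED_ACL = """\
access-list inside_access_in remark Block Real Player
access-list inside_access_in deny tcp any any eq 554
access-list inside_access_in remark Block Real Player
access-list inside_access_in deny udp any any eq 554
access-list inside_access_in permit icmp any any
access-list inside_access_in permit ip any any"""


def parse_acl(text: str) -> list[tuple[str, str, Optional[int]]]:
    """Parse 'access-list NAME {permit|deny} PROTO any any [eq PORT]' lines
    into (action, protocol, dest_port) tuples. Remarks never match traffic,
    so they are skipped; source/destination are assumed to be 'any any'."""
    aces = []
    for line in text.splitlines():
        tok = line.split()
        if tok[2] == "remark":
            continue
        dport = int(tok[7]) if len(tok) > 7 and tok[6] == "eq" else None
        aces.append((tok[2], tok[3], dport))
    return aces


def evaluate(aces, proto: str, dport: Optional[int]) -> tuple[str, int]:
    """Walk the ACL top to bottom and return (action, index) of the first
    matching entry, mirroring the ASA/PIX first-match rule. If nothing
    matches, the implicit deny at the end is reported as index -1."""
    for i, (action, ace_proto, ace_port) in enumerate(aces):
        proto_ok = ace_proto == "ip" or ace_proto == proto
        port_ok = ace_port is None or ace_port == dport
        if proto_ok and port_ok:
            return action, i
    return "deny", -1


if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        action, idx = evaluate(parse_acl(acl), "tcp", 554)
        print(f"{name}: tcp/554 -> {action} (matched entry {idx})")
```

In the original order the packet is swallowed by the permit ip any any at entry 1 and the deny at entry 2 is never consulted; in the fixed order the deny at entry 0 wins.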
 
Kutyi Commented:
Do you have an access-group line like
access-group inside_access_in in interface inside

mikewurtz (Author) Commented:
Yes, I found these two lines:

access-group outside_access_in in interface outside
access-group inside_access_in in interface inside


mikewurtz (Author) Commented:
That worked!

Now my config lists like this:

access-list inside_access_in remark Block Real Player
access-list inside_access_in deny tcp any any eq 554
access-list inside_access_in remark Block Real Player
access-list inside_access_in deny udp any any eq 554
access-list inside_access_in permit icmp any any
access-list inside_access_in permit ip any any
access-list outside_access_in permit icmp any any

This is the opposite of how I thought the order should go.  I thought you must specify the permit ip any any first and then drill down on specific ports, but I guess I'm backwards?
 
Kutyi Commented:
Glad to help!.....:)  By the way most of us have been there and done that....you are not alone...