Outbound Access Rules Not Taking Effect. Incorrect Configuration?

The configuration I've tried to set on our firewall is not working. I created two access rules which I thought should deny outbound traffic on both UDP and TCP ports 554 (RealPlayer). Since I've set the rules, however, connections are STILL being made on port 554 to remote hosts.

I've attached a couple of screenshots of the access rule configuration screen.

Also, when I view the Running Configuration I can see the rules I've defined listed as:

access-list inside_access_in permit icmp any any
access-list inside_access_in permit ip any any
access-list inside_access_in remark Block Real Player
access-list inside_access_in deny tcp any any eq 554
access-list inside_access_in remark Block Real Player
access-list inside_access_in deny udp any any eq 554

What have I done wrong and why are connections still being made to port 554 on remote sites?
mikewurtzAsked:
KutyiCommented:
Do you have an access-group line like
access-group inside_access_in in interface inside
0
mikewurtzAuthor Commented:
Yes, I found these two lines:

access-group outside_access_in in interface outside
access-group inside_access_in in interface inside

0
KutyiCommented:
I believe what is happening here is your deny statements come after your permit ip any any statement. Move your access-list inside_access_in permit ip any any to the end by typing the following:

no access-list inside_access_in permit ip any any
access-list inside_access_in permit ip any any

You are implicitly allowing the traffic before you deny it, and therefore the access-list never reaches your deny statements.
0
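As an added illustration (not code from the thread or from Cisco), here is a small Python first-match evaluator for the exact access-list lines posted above. It simplifies ASA/PIX semantics to protocol plus destination port, assumes "ip" matches every protocol and an unmatched packet hits the implicit deny, and shows why the original order lets port 554 through while the reordered list blocks it.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample configs, copied from the question and the follow-up post.
ORIGINAL_ACL = """
access-list inside_access_in permit icmp any any
access-list inside_access_in permit ip any any
access-list inside_access_in remark Block Real Player
access-list inside_access_in deny tcp any any eq 554
access-list inside_access_in remark Block Real Player
access-list inside_access_in deny udp any any eq 554
"""
REORDERED_ACL = """
access-list inside_access_in remark Block Real Player
access-list inside_access_in deny tcp any any eq 554
access-list inside_access_in remark Block Real Player
access-list inside_access_in deny udp any any eq 554
access-list inside_access_in permit icmp any any
access-list inside_access_in permit ip any any
access-list outside_access_in permit icmp any any
"""

@dataclass
class Ace:
    action: str              # "permit" or "deny"
    proto: str               # "ip", "tcp", "udp" or "icmp"
    dst_port: Optional[int]  # None means any destination port

ACE_RE = re.compile(r"access-list (\S+) (permit|deny) (\S+) \S+ \S+(?: eq (\d+))?$")

def parse_acl(text: str, name: str) -> List[Ace]:
    """Keep the ACEs of one named list in configured order; remark lines are skipped."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m and m.group(1) == name:
            port = int(m.group(4)) if m.group(4) else None
            aces.append(Ace(m.group(2), m.group(3), port))
    return aces

def evaluate(aces: List[Ace], proto: str, dst_port: Optional[int]) -> Tuple[str, Optional[int]]:
    """First-match lookup: return (action, 1-based ACE index), or ("deny", None) for the implicit deny."""
    for index, ace in enumerate(aces, start=1):
        proto_ok = ace.proto == "ip" or ace.proto == proto
        port_ok = ace.dst_port is None or ace.dst_port == dst_port
        if proto_ok and port_ok:
            return ace.action, index
    return "deny", None

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_ACL), ("reordered", REORDERED_ACL)):
        print(label, "tcp/554 ->", evaluate(parse_acl(cfg, "inside_access_in"), "tcp", 554))
```

Running it prints that tcp/554 is permitted by ACE 2 in the original list and denied by ACE 1 in the reordered list, which is exactly the behaviour the two posts describe.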

mikewurtzAuthor Commented:
That worked!

Now my config lists like this:

access-list inside_access_in remark Block Real Player
access-list inside_access_in deny tcp any any eq 554
access-list inside_access_in remark Block Real Player
access-list inside_access_in deny udp any any eq 554
access-list inside_access_in permit icmp any any
access-list inside_access_in permit ip any any
access-list outside_access_in permit icmp any any

This is the opposite of how I thought the order should go. I thought you must specify the permit ip any any first and then drill down on specific ports, but I guess I'm backwards?
0
KutyiCommented:
Glad to help!.....:)  By the way most of us have been there and done that....you are not alone...
0
Cisco