Sanjeev,
I really hope that this is not taken from your PIX config because the
acl_out access-list is effectively completely disabling the PIX adaptive
security algorithm.
This config would allow all TCP and all UDP packets in the outside
interface. In other words, the PIX would not block any inbound TCP or UDP
packets at all. I can think of no reason why anyone would want to do that
except in very limited test lab situations.
Based on the original request, there's no reason for the poster to use
access-lists; the PIX ASA will permit the return packets from the inside
user requests automatically.
Bottom line, this config is downright dangerous and would completely open
the firewall.
-Kent
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 17, 2001 4:17 AM
To: [EMAIL PROTECTED]
Subject: RE: Ports with PIX Firewall [7:12605]
access-list ping_acl permit icmp any any
access-list ping_acl permit tcp any any eq www
access-list ping_acl permit tcp any any
access-list ping_acl permit udp any any
access-list acl_out permit icmp any any
access-list acl_out permit tcp any any eq www
access-list acl_out permit tcp any any
access-list acl_out permit udp any any
pager lines 24
interface ethernet0 100basetx
interface ethernet1 100basetx
mtu outside 1500
mtu inside 1500
mtu ndtv 1500
ip address outside 172.110.0.2 255.255.0.0
ip address inside 172.100.0.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
pdm history enable
arp timeout 600
global (outside) 1 202.196.214.40-202.196.214.45 netmask 255.255.255.224
global (outside) 1 202.196.214.46
nat (inside) 1 172.100.0.0 255.255.0.0 0 0
access-group acl_out in interface outside
access-group ping_acl in interface inside
route outside 0.0.0.0 0.0.0.0 172.110.0.1 1
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=12661&t=12605
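As an added illustration of Kent's point (this is not part of the original thread), a small Python check that flags unrestricted tcp/udp permits in any access-list bound inbound on the outside interface. The first config is a copy of the quoted lines above; FIXED_CONFIG is a hypothetical alternative for comparison, not the poster's config.

```python
import re
from typing import Dict, List

# Copy of the ACL and access-group lines quoted in the thread.
POSTED_CONFIG = """
access-list ping_acl permit icmp any any
access-list ping_acl permit tcp any any eq www
access-list ping_acl permit tcp any any
access-list ping_acl permit udp any any
access-list acl_out permit icmp any any
access-list acl_out permit tcp any any eq www
access-list acl_out permit tcp any any
access-list acl_out permit udp any any
access-group acl_out in interface outside
access-group ping_acl in interface inside
"""

# Hypothetical corrected variant (assumption, not from the thread): the
# outside ACL no longer contains unrestricted tcp/udp any-any permits.
FIXED_CONFIG = """
access-list acl_out permit icmp any any echo-reply
access-group acl_out in interface outside
"""

# Matches only permits with no port qualifier, i.e. "permit tcp any any" but
# not "permit tcp any any eq www".
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+(tcp|udp)\s+any\s+any\s*$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)\s*$")


def find_open_inbound(config: str) -> List[str]:
    """Return 'acl/interface/proto' for every unrestricted tcp/udp permit
    that is applied inbound on the outside interface."""
    wide_open: Dict[str, List[str]] = {}
    bindings: Dict[str, str] = {}
    for raw in config.splitlines():
        line = raw.strip()
        acl = ACL_RE.match(line)
        if acl:
            wide_open.setdefault(acl.group(1), []).append(acl.group(2))
            continue
        group = GROUP_RE.match(line)
        if group:
            bindings[group.group(1)] = group.group(2)
    findings = []
    for name, iface in bindings.items():
        if iface == "outside":
            findings.extend(f"{name}/{iface}/{proto}" for proto in wide_open.get(name, []))
    return findings


if __name__ == "__main__":
    print("posted:", find_open_inbound(POSTED_CONFIG))  # acl_out/outside/tcp, acl_out/outside/udp
    print("fixed: ", find_open_inbound(FIXED_CONFIG))   # []
```

The ping_acl any-any lines are not reported because that list is applied on the inside interface, where the ASA already permits outbound sessions; only the outside binding opens the firewall to unsolicited inbound traffic.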