Unanswered Question
Mar 27th, 2007

Let's say my PIX i and my mailserver is We get a high speed connection from Comcast, and they put a hub there, so one plug goes to PIX, the other to my mailserver. All my users are NAT, so they are 192.168.x.y

What firewall rules would I add to allow my local users the ability to connect to the mailserver? (I can't tell if the PIX views this as INBOUND or OUTBOUND)

Jon Marshall Tue, 03/27/2007 - 12:13


Inbound = traffic entering the pix

Outbound = traffic leaving the pix.

So if your users are behind the inside interface and your mail server is on the outside, you could either do an inbound access-list on the inside interface or an outbound access-list on the outside interface. Generally speaking, you would block it on the inside interface to stop the traffic having to go through the pix just to be dropped before it leaves the outside interface, but there are times when an outbound list is useful.

** Edit

Example of where you may want an outbound acl in your situation:

If the mail server is sitting on a separate DMZ all by itself and you don't want to apply an access-list on the inside interface which might disrupt other traffic, you could apply an outbound acl on that DMZ interface. **

Note that you can only do outbound access-lists on a pix from v7.0 onwards.
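As an added illustration of the two placements described in this answer (not configuration from the original poster or from Cisco), the fragment below shows the same policy written once as an inbound list on the inside interface and once as an outbound list on the outside interface. It assumes PIX 7.x syntax, that NAT for the 192.168.x.y users is already configured, that the mail server's public address is the documentation placeholder 203.0.113.10, and that "connect to the mailserver" means SMTP and POP3.

```cisco
! --- Option 1: inbound ACL on the inside interface (applied as traffic enters the PIX)
! Caveat: once any ACL is bound to the inside interface, the implicit
! "higher-security to lower-security is allowed" rule no longer applies,
! so every other outbound flow the users need must be permitted here too.
access-list INSIDE_IN extended permit tcp 192.168.0.0 255.255.0.0 host 203.0.113.10 eq smtp
access-list INSIDE_IN extended permit tcp 192.168.0.0 255.255.0.0 host 203.0.113.10 eq pop3
! ... further permits for the users' other legitimate traffic go here ...
! Log anything that falls through so unexpected drops are visible in syslog
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside

! --- Option 2: outbound ACL on the outside interface (PIX 7.0 or later only)
! The users' traffic still traverses the PIX and is only filtered as it leaves.
! Same caveat: other flows leaving the outside interface need explicit permits.
access-list OUTSIDE_OUT extended permit tcp 192.168.0.0 255.255.0.0 host 203.0.113.10 eq smtp
access-list OUTSIDE_OUT extended permit tcp 192.168.0.0 255.255.0.0 host 203.0.113.10 eq pop3
access-list OUTSIDE_OUT extended deny ip any any log
access-group OUTSIDE_OUT out interface outside
```

Use one option or the other, not both; with the hub topology in the question, the mail server is reached through the outside interface, so the direction of the list is chosen by where the match should happen, not by which way the packets flow.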
