Implicit rules (PIX)

Unanswered Question
May 22nd, 2007

Hello,

I have a strange problem working with a PIX 525 running ASA 7.2(2) with 5 interfaces.

2 interfaces have the implicit rules:

1. source: any, dest: any less secure networks, protocol: ip, action: permit.

2. source: any, dest: any, protocol: ip, action: deny.

The other interfaces don't have these "implicit" rules.

In order to allow the network traffic from a more secure network to an insecure network I have to put a rule that allows this and negates the others.

Could anybody help me with this problem?

Thank you in advance!

Alfredo Speranza


To allow traffic from a higher security zone to a lower security zone without an ACL on the interface, make sure you do the following.

Create a NAT for the outbound traffic using a static or a nat/global pair.

ex. nat (inside) 1 192.168.1.0 255.255.255.0

global (outside) 1 interface

ex. static (inside,outside) 1.1.1.1 192.168.1.10

If you have an ACL on the inside interface, you will have to allow the traffic you want to go out in addition to the above.

If you are trying to allow traffic in from a less secure zone to a more secure zone, you must create a static and ACL for the desired comms.

ex. static (inside,outside) 1.1.1.1 192.168.1.10

access-list outside_access_in extended permit tcp any host 1.1.1.1 eq smtp

*Please rate if this helps*

Cheers.

Jay
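Putting the pieces of the reply together as one PIX 7.2 configuration, as an added example that is not part of the original thread: the interface names, security levels and IP addresses are assumed (they follow the sample addresses used above), and the closing access-group line, which the reply does not show, is what binds the ACL to the outside interface; without it the access-list exists but is never evaluated.

```cisco
! Assumed interface layout. The security-level values are what produce the
! implicit rules: a higher level may reach a lower one, the reverse is denied.
interface Ethernet0
 nameif outside
 security-level 0
 ip address 1.1.1.2 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Case 1: outbound, inside (100) -> outside (0).
! The implicit permit already allows it; only a translation is required.
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
!
! Case 2: inbound, outside (0) -> inside (100).
! The implicit deny blocks it, so a static translation AND an ACL are needed.
! The static maps the public 1.1.1.1 to the internal host 192.168.1.10.
static (inside,outside) 1.1.1.1 192.168.1.10 netmask 255.255.255.255
!
! Permit only SMTP from anywhere to the translated address.
access-list outside_access_in extended permit tcp any host 1.1.1.1 eq smtp
!
! Bind the ACL to the outside interface in the inbound direction.
! Everything not permitted here stays denied by the implicit rule.
access-group outside_access_in in interface outside
```

Note that once an ACL is applied to an interface it replaces that interface's implicit rules entirely, which is the behaviour the question describes: an ACL on the inside interface must then explicitly permit the outbound traffic, and its trailing implicit deny drops the rest.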
