Is it possible for LAN users to go online without configuring an access list?

Unanswered Question
Jan 19th, 2010

Hi

I am using a PIX firewall. The firewall's outside interface is connected to the ISP; the inside interface is connected to a switch, and users are connected to the switch.

Without configuring an access list to allow incoming traffic, is it possible for users to go online?

Please help.

Regards

Arulkumar

Jon Marshall Tue, 01/19/2010 - 04:52

Arulkumar

Yes, it is, because the PIX is a stateful firewall: it allows traffic from the inside to the outside without an access-list, so the return traffic will be allowed back in.


What you will need to configure, though, is some form of NAT/PAT. Usually for internet access:

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

Jon

Mohamed Sobair Tue, 01/19/2010 - 05:47

Hi,

As long as global (outside) and nat (inside) are configured (the inside and outside keywords refer to the interface names), you don't need any access-list, as traffic from a higher security level to a lower security level is allowed to pass.

From a lower security level to a higher security level, an access-list or conduit must be used to permit the traffic.

HTH

Mohamed
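Putting both replies together, here is an added example of a minimal PIX 7.x-style configuration. It is not taken from the thread or from either poster; the interface names, the addresses (documentation ranges) and the internal web server 192.168.1.10 are assumed for illustration. It shows the outbound case, which needs only NAT/PAT, beside the inbound case, which needs a translation plus an access-list because it goes from a lower to a higher security level.

```text
! --- Added example, not from the thread. Addresses and hosts are assumed.
! The security levels on the interfaces are what decide the default policy.
interface Ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Outbound internet access: no access-list is needed, because inside (100)
! to outside (0) is higher-to-lower. Only the PAT rule is required, and the
! stateful inspection lets the replies back in.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! Inbound (lower-to-higher) is denied by default. To publish the assumed
! internal web server 192.168.1.10 you need BOTH a static translation and
! an access-list applied inbound on the outside interface.
static (inside,outside) 203.0.113.3 192.168.1.10 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 203.0.113.3 eq 80
access-group outside_in in interface outside
!
! Checks after a user browses from the inside:
!   show xlate                   -> a PAT entry for the user's 192.168.1.x host
!   show conn                    -> the TCP connection the return traffic matches
!   show access-list outside_in  -> hit counts on the inbound web rule
```

Two caveats a practitioner will want: on PIX 7.0 and later the default is no nat-control, so a NAT rule is not mandatory for traffic to pass, but RFC 1918 addresses such as 192.168.1.0/24 still need PAT to reach the internet; and if you later apply an access-list inbound on the inside interface, the higher-to-lower default no longer applies and that list must itself permit the outbound user traffic.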
