Is it possible for LAN users to go online without configuring an access list

Unanswered Question
Jan 19th, 2010
Hi

I am using a PIX firewall. The firewall's outside interface is connected to the ISP; the inside interface is connected to a switch, and users are connected to the switch.

Without configuring an access list to allow incoming traffic, is it possible for users to go online?

Please help.


Regards

Arulkumar

Jon Marshall Tue, 01/19/2010 - 04:52

Arulkumar


Yes it is, because the PIX is a stateful firewall: it allows traffic from the inside to the outside without an access-list, so the return traffic will be allowed back in.



What you will need to configure though is some form of NAT/PAT. Usually for internet access:

nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface


Jon

Mohamed Sobair Tue, 01/19/2010 - 05:47

Hi,


As long as global (outside) and nat (inside) are configured (the inside and outside keywords refer to the interfaces' names), you don't need any access-list, as from a higher security level to a lower security level, traffic is allowed to pass.


From a lower security level to a higher security level, an access-list or conduit must be used to permit the traffic.



HTH

Mohamed
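As an added illustration of both replies above (a constructed model, not Cisco code and not part of the thread): a toy version of the PIX forwarding decision, assuming the default security levels of 100 for inside and 0 for outside, PAT to an assumed outside address (as with "global (outside) 1 interface"), and a connection table that lets return traffic back in while unsolicited inbound traffic needs an explicit access-list entry.

```python
from dataclasses import dataclass
from itertools import count

# Assumed PIX default security levels: inside 100, outside 0.
SECURITY_LEVEL = {"inside": 100, "outside": 0}


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class Pix:
    """Constructed model, not Cisco code: outbound traffic from the
    higher-security interface is translated (PAT to the outside address)
    and recorded; inbound traffic is only accepted as return traffic of a
    recorded connection or through an explicit access-list permit."""

    def __init__(self, outside_ip: str, nat_configured: bool = True):
        self.outside_ip = outside_ip
        self.nat_configured = nat_configured  # nat (inside) / global (outside) present?
        self.xlate = {}                       # (inside ip, port) -> PAT port
        self.conns = set()                    # return flows permitted by state
        self.outside_acl = set()              # explicit permits: (dst, dport, proto)
        self._ports = count(1024)             # assumed PAT port pool

    def allow(self, ingress: str, flow: Flow) -> bool:
        egress = "outside" if ingress == "inside" else "inside"
        if SECURITY_LEVEL[ingress] > SECURITY_LEVEL[egress]:
            # Higher to lower: no ACL needed, but a translation must exist.
            if not self.nat_configured:
                return False
            key = (flow.src, flow.sport)
            if key not in self.xlate:
                self.xlate[key] = next(self._ports)
            gport = self.xlate[key]
            self.conns.add(Flow(flow.dst, flow.dport, self.outside_ip, gport, flow.proto))
            return True
        # Lower to higher: stateful return traffic, otherwise an ACL permit.
        if flow in self.conns:
            return True
        return (flow.dst, flow.dport, flow.proto) in self.outside_acl
```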
