Does Disabling Access Lists on the PIX Firewall Block All Traffic?

Unanswered Question
Jul 2nd, 2002

If access lists are disabled on the PIX Firewall, does that mean all traffic is blocked?

Anonymous (not verified) Tue, 07/02/2002 - 11:17
It depends...

  • If you are going from a higher security level to a lower security level, all connections are allowed as long as there is an xlate. So from the inside of the PIX, if there is no outbound access-list, then all traffic will flow. If you do not want all IP traffic to get out to the other interface then you will need to build outbound access-lists.

  • If you are going from a lower security level to a higher security level, you need to have a conduit or an access-list command to permit the traffic. If not, the traffic will be blocked.
yusuff Wed, 07/03/2002 - 02:26

Just to add to the above post, ICMP is an exception. If you ping from inside to outside, and you do not have any ACL/conduit configured, the ping will FAIL. ICMP needs to be explicitly allowed for return traffic; all other traffic will be allowed if no ACL is configured, though (as per the previous post).

Handling ICMP on PIX

http://www.cisco.com/warp/public/110/31.html


HTH

R/Yusuf
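The following PIX 6.x-style configuration is an added illustration of the two replies above; it is not from either poster or from the linked Cisco document. Interface names, security levels and all addresses (192.0.2.0/24, 10.1.1.0/24, the published host 192.0.2.10/10.1.1.10) are constructed for the example, and the `!` lines are explanatory notes rather than part of the configuration.

```cisco
! Interfaces: outside is the lower security level (0), inside the higher (100).
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 192.0.2.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0

! Case 1 (first reply): inside (100) -> outside (0). NAT provides the xlate, and
! with no access-list applied to the inside interface all IP traffic flows outbound.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! Case 2 (first reply): outside (0) -> inside (100). Without an access-list or conduit
! this direction is blocked. A static xlate plus an ACL permits only HTTP to one host.
static (inside,outside) 192.0.2.10 10.1.1.10 netmask 255.255.255.255
access-list outside_in permit tcp any host 192.0.2.10 eq 80

! ICMP exception (second reply): the echo request leaves, but the echo-reply arriving
! on the outside interface is lower -> higher and must be explicitly permitted, or the
! ping from inside fails. Error types are included so traceroute/PMTU keep working.
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit icmp any any unreachable
access-group outside_in in interface outside

! Optional outbound restriction (first reply): once an ACL is applied to the inside
! interface, only what it permits leaves; everything else hits the implicit deny.
access-list inside_out permit tcp 10.1.1.0 255.255.255.0 any eq 80
access-list inside_out permit tcp 10.1.1.0 255.255.255.0 any eq 443
access-list inside_out permit icmp 10.1.1.0 255.255.255.0 any echo
access-group inside_out in interface inside
```

Applying the outbound ACL is what turns "everything from inside is allowed" into a least-privilege egress policy; note that the inside_out list must then also permit the ICMP echo for the ping to leave, and outside_in must permit the echo-reply for it to come back.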
