PIX and TCP/IP philosophy

Apr 11th, 2003
By default PIX allows unrestricted outbound access unless something is explicitly denied.

1. Then is it true that any permit statement applied to traffic coming into the inside interface is redundant? For example:

access-list acl_in permit tcp any any

access-group acl_in in interface inside

I mean, having it or not having it won't make any difference if I want to give everyone full TCP access to outside. Would it?


2.

set 1

access-list acl_in permit ip any any

access-group acl_in in interface inside



set 2

access-list acl_in permit icmp any any

access-list acl_in permit tcp any any

access-group acl_in in interface inside


If I have the 1st set, do I need the 2nd set, or is it included, as all TCP and ICMP packets are encapsulated within IP only?


Thanks


rj.remien Fri, 04/11/2003 - 12:30

1. That is true.

2. You are correct. Also, the "ip" keyword covers tcp, udp, and icmp.


RJ

yizhar Sat, 04/12/2003 - 12:15

Hi.


> 1. ... any permit statement applied to traffic coming into the inside interface is redundant ...

No.

Once you apply an ACL to the inside interface, it overrides and disables the implicit outbound rule.

For example, this:


access-list acl_in permit tcp any any

access-group acl_in in interface inside


will block any UDP and ICMP traffic, while allowing TCP only.


> 2. ...if I have the 1st set do I need the 2nd set

IP encapsulates TCP, UDP, ICMP, and other traffic like VPN protocols: ESP, GRE, etc.


Yizhar
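The two points Yizhar makes above, as an added illustration that is not from this thread or from Cisco: a small Python model of how PIX decides outbound traffic on the inside interface, with no ACL applied (implicit permit), with "permit tcp any any" (everything but TCP hits the implicit deny), and with "permit ip any any" (the "ip" keyword matches every protocol, ESP and GRE included). Only "any" source/destination is modelled; the parser and rule names are assumptions for the example.

```python
# Added example (not from the thread): model of PIX outbound ACL evaluation.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str  # "permit" or "deny"
    proto: str   # "ip", "tcp", "udp", "icmp", ...
    src: str     # only "any" is modelled in this example
    dst: str


def parse_ace(line: str) -> Rule:
    """Parse 'access-list NAME permit tcp any any' into a Rule (assumed format)."""
    parts = line.split()
    if len(parts) != 6 or parts[0] != "access-list":
        raise ValueError(f"unsupported ACE: {line!r}")
    _, _name, action, proto, src, dst = parts
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in ACE: {line!r}")
    return Rule(action, proto, src, dst)


def outbound_allowed(acl: Optional[List[Rule]], proto: str) -> bool:
    """Decide whether a packet entering the inside interface may leave.

    acl is None when no access-group is applied to 'inside': PIX then uses
    the implicit rule that allows all outbound traffic.  Once an ACL is
    applied it is evaluated first-match, with an implicit 'deny ip any any'
    at the end; the 'ip' keyword matches every protocol.
    """
    if acl is None:
        return True
    for rule in acl:
        if rule.proto == "ip" or rule.proto == proto:
            return rule.action == "permit"
    return False  # implicit deny at the end of every applied ACL


# Constructed ACLs mirroring the thread's two examples.
ACL_TCP_ONLY = [parse_ace("access-list acl_in permit tcp any any")]
ACL_IP_ANY = [parse_ace("access-list acl_in permit ip any any")]


if __name__ == "__main__":
    for proto in ("tcp", "udp", "icmp", "esp"):
        print(proto, "no ACL:", outbound_allowed(None, proto),
              "tcp-only ACL:", outbound_allowed(ACL_TCP_ONLY, proto),
              "ip-any ACL:", outbound_allowed(ACL_IP_ANY, proto))
```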

