
pix 535 and access-lists

Answered Question
Feb 3rd, 2004

Hello,


We have a Cisco PIX 535. By default, traffic from a more secure interface to another interface with a lower security level is permitted, isn't it?


Ok, I have a doubt: I've had to define an access-list entry to permit a telnet connection from inside to outside. There's no rule denying that traffic, but without that rule the telnet connection can't be established.


And my question is: why? Is it not supposed to be permitted by default?


Thanks in advance.



Correct Answer by bfl1 about 13 years 6 months ago

By default higher -> lower is allowed... however, once you add permit statements, there is an implicit deny all at the end. So, if you allow web, ftp, and ssl... then by default, all other traffic is denied and you'll need to be specific with your permits.

bfl1 Tue, 02/03/2004 - 05:43

We have a Cisco PIX 535. By default, traffic from a more secure interface to another interface with a lower security level is permitted, isn't it?



:: Yes, higher to lower is permitted.



Ok, I have a doubt, I've had to define an access-list entry to permit a telnet connection from inside to outside. There is no rule denying that traffic but without that rule, the telnet connection cannot be established.



You need to have a static pointing from inside to outside "the default". By default the PIX will allow you to make any connection from Inside to Outside. However, nothing can initiate from the Outside to the Inside w/o an access-list and static.



And my question is: why? Is it not supposed to be permitted by default?




The PIX was designed to be secure by default while also being convenient, letting traffic from inside your network access anything on the Outside with the least configuration. Now if you want translations to "initiate" from the Outside to your private network, you need to explicitly make those statements on the PIX to allow them.



Thanks

Jeff
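The behaviour bfl1 describes can be seen in a small simulation. The following Python is an added example written for this page; it is not code from the thread, from Cisco, or from the PIX itself. It models only the two rules the answer relies on: with no access-list bound to the ingress interface, the interface security levels decide (higher to lower passes, lower to higher does not); once an access-list is bound with access-group, only its explicit permits pass and everything else hits the implicit deny at the end. The interface names, security levels, the subset of access-list syntax parsed here, and the sample configurations are all assumptions, and the nat/global/static translation side that the answer also mentions is deliberately left out of the model.

```python
# Added example, not from the thread or from Cisco: a toy model of the PIX
# decision described in the answer. Interface names, security levels, the
# access-list syntax subset and the sample configs are assumptions; the
# nat/global/static translation step is not modelled.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed security levels (PIX convention: inside=100, outside=0).
SECURITY = {"inside": 100, "outside": 0}

# Service keywords accepted by the toy parser (assumed subset).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ftp": 21, "telnet": 23, "ssh": 22}


@dataclass
class Ace:
    """One entry such as 'access-list NAME permit tcp any any eq www'."""
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp" or "udp"
    port: Optional[int]    # destination port; None means any port

    def matches(self, proto: str, dport: int) -> bool:
        return self.proto in ("ip", proto) and self.port in (None, dport)


def parse_config(lines: List[str]) -> Tuple[Dict[str, List[Ace]], Dict[str, str]]:
    """Collect access-list entries and access-group bindings from config lines."""
    acls: Dict[str, List[Ace]] = {}
    bound: Dict[str, str] = {}   # ingress interface -> ACL name
    for line in lines:
        tok = line.split()
        if tok[:1] == ["access-list"]:
            port = None
            if "eq" in tok:
                svc = tok[tok.index("eq") + 1]
                port = PORT_NAMES[svc] if svc in PORT_NAMES else int(svc)
            acls.setdefault(tok[1], []).append(Ace(tok[2], tok[3], port))
        elif tok[:1] == ["access-group"]:
            # access-group NAME in interface IFACE
            bound[tok[4]] = tok[1]
    return acls, bound


def allowed(config: List[str], src_if: str, dst_if: str, proto: str, dport: int) -> bool:
    """Would a new connection from src_if to dst_if be permitted?"""
    acls, bound = parse_config(config)
    if src_if not in bound:
        # No ACL on the ingress interface: security levels decide, so
        # inside -> outside passes and outside -> inside does not.
        return SECURITY[src_if] > SECURITY[dst_if]
    for ace in acls.get(bound[src_if], []):
        if ace.matches(proto, dport):
            return ace.action == "permit"
    # Every bound access-list ends with an implicit deny of everything else.
    return False


# Constructed sample configurations.
NO_ACL: List[str] = []
WEB_ONLY = [
    "access-list inside_out permit tcp any any eq www",
    "access-list inside_out permit tcp any any eq ftp",
    "access-list inside_out permit tcp any any eq https",
    "access-group inside_out in interface inside",
]
WITH_TELNET = WEB_ONLY[:3] + [
    "access-list inside_out permit tcp any any eq telnet",
] + WEB_ONLY[3:]


def telnet_out(config: List[str]) -> bool:
    """The poster's case: a telnet connection from inside to outside."""
    return allowed(config, "inside", "outside", "tcp", 23)


if __name__ == "__main__":
    print("no ACL, telnet out:      ", telnet_out(NO_ACL))
    print("web-only ACL, telnet out:", telnet_out(WEB_ONLY))
    print("web-only ACL, http out:  ", allowed(WEB_ONLY, "inside", "outside", "tcp", 80))
    print("telnet added, telnet out:", telnet_out(WITH_TELNET))
    print("no ACL, http in:         ", allowed(NO_ACL, "outside", "inside", "tcp", 80))
```

Run as a script it walks through the poster's situation: telnet out is permitted with nothing bound, blocked as soon as a web/ftp/https-only list is bound to the inside interface, and permitted again only after an explicit telnet permit is added to that list.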



