Let's say my PIX is 220.127.116.11 and my mailserver is 18.104.22.168. We get a high speed connection from Comcast, and they put a hub there, so one plug goes to the PIX, the other to my mailserver. All my users are NAT, so they are 192.168.x.y
What firewall rules would I add to allow my local users the ability to connect to the mailserver? (I can't tell if the PIX views this as INBOUND or OUTBOUND)
So if your users are behind the inside interface and your mail server is on the outside, you could either do an inbound access-list on the inside interface or an outbound access-list on the outside interface. Generally speaking you would block it on the inside interface to stop the traffic having to go through the PIX just to be dropped before it leaves the outside interface, but there are times when an outbound list is useful.
Example of where you may want an outbound ACL in your situation:
If the mail server is sitting on a separate DMZ all by itself and you don't want to apply an access-list on the inside interface, which might disrupt other traffic, you could apply an outbound ACL on that DMZ interface.
Note that you can only do outbound access-lists on a pix from v7.0 onwards.
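A worked configuration for the two placements the answer above describes, added here as an example; it is not from the thread. It uses the addresses given in the question (PIX outside 220.127.116.11, mail server 18.104.22.168, users in 192.168.0.0/16). The interface names inside and outside, the access-list names, the choice of mail ports (SMTP 25, POP3 110, IMAP 143) and PAT of the users to the PIX's outside address are assumptions, and the syntax is PIX 7.x.

```cisco
! Added example, not from the original thread. Addresses come from the
! question; interface names, list names, mail ports and PAT to the
! outside address are assumptions.
!
! Option 1: inbound access-list on the inside interface. The list is
! evaluated before NAT, so it matches the users' real 192.168.x.y addresses.
access-list inside_access_in extended permit tcp 192.168.0.0 255.255.0.0 host 18.104.22.168 eq smtp
access-list inside_access_in extended permit tcp 192.168.0.0 255.255.0.0 host 18.104.22.168 eq pop3
access-list inside_access_in extended permit tcp 192.168.0.0 255.255.0.0 host 18.104.22.168 eq imap4
! Once a list is applied it ends in an implicit deny, so add any other
! inside-to-outside traffic users still need above this line; the explicit
! deny with log shows what is being dropped.
access-list inside_access_in extended deny ip any any log
access-group inside_access_in in interface inside
!
! Option 2: outbound access-list on the outside interface (PIX 7.0 or later,
! as the answer notes). On pre-8.3 code a list on the outside interface
! matches the translated addresses, so with PAT to the outside interface
! address the source is the PIX's own address, not 192.168.x.y.
access-list outside_access_out extended permit tcp host 220.127.116.11 host 18.104.22.168 eq smtp
access-list outside_access_out extended permit tcp host 220.127.116.11 host 18.104.22.168 eq pop3
access-list outside_access_out extended permit tcp host 220.127.116.11 host 18.104.22.168 eq imap4
access-group outside_access_out out interface outside
!
! Check (exec mode): per-line hit counts show which entry a connection
! is matching or being dropped by.
show access-list inside_access_in
```

One point the answer leaves implicit: the PIX permits traffic from a higher-security interface (inside) to a lower one (outside) by default, so the users can already reach the mail server unless an access-list is already applied to the inside interface. Applying one replaces that default permit with an implicit deny, which is why option 1 has to enumerate everything else inside users still need; option 2 leaves the inside interface untouched at the cost of carrying the traffic through the PIX before it is filtered.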