Cisco Support Community

New Member

Access list INBOUND or OUTBOUND

Let's say my PIX is 55.66.77.88 and my mailserver is 55.66.77.89. We get a high speed connection from Comcast, and they put a hub there, so one plug goes to the PIX, the other to my mailserver. All my users are NAT, so they are 192.168.x.y

What firewall rules would I add to allow my local users the ability to connect to the mailserver? (I can't tell if the PIX views this as INBOUND or OUTBOUND)

1 REPLY
Hall of Fame Super Blue

Re: Access list INBOUND or OUTBOUND

Hi

Inbound = traffic entering the pix

Outbound = traffic leaving the pix.

So if your users are behind the inside interface and your mail server is on the outside, you could either do an inbound access-list on the inside interface or an outbound access-list on the outside interface. Generally speaking you would block it on the inside interface to stop the traffic having to go through the pix just to be dropped before it leaves the outside interface, but there are times when an outbound list is useful.

** Edit

Example of where you may want an outbound acl in your situation:

If the mail server is sitting on a separate DMZ all by itself and you don't want to apply an access-list on the inside interface, which might disrupt other traffic, you could apply an outbound acl on that DMZ interface. **

Note that you can only do outbound access-lists on a pix from v7.0 onwards.

HTH

Jon

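Added example, not part of the original thread, showing the two placements Jon describes in PIX 7.x syntax with the addresses from the question. The ACL names, the choice of SMTP and POP3 as the mail ports, and the assumption that inside users are PAT'd to the PIX's outside address (55.66.77.88) are mine.

```cisco
! Option 1: ACL applied "in" on the inside interface.
! Checked as traffic from the 192.168.x.y users enters the PIX, so
! unwanted traffic is dropped before it is translated or routed.
! Addresses here are the real (pre-NAT) inside addresses.
access-list INSIDE_IN extended permit tcp 192.168.0.0 255.255.0.0 host 55.66.77.89 eq smtp
access-list INSIDE_IN extended permit tcp 192.168.0.0 255.255.0.0 host 55.66.77.89 eq pop3
! Add permits for anything else the inside users need (DNS, web, ...):
! once an ACL is applied to the interface, the implicit deny at the end
! replaces the default "higher to lower security is allowed" behaviour.
access-group INSIDE_IN in interface inside

! Option 2 (PIX 7.0 or later only): ACL applied "out" on the outside interface.
! Checked as traffic leaves the PIX, i.e. after NAT, so the source is the
! address as seen on this interface. Assumption: users are PAT'd to the
! PIX's outside address 55.66.77.88. The same "out" form applies to a DMZ
! interface if the mail server lives there instead.
access-list OUTSIDE_OUT extended permit tcp host 55.66.77.88 host 55.66.77.89 eq smtp
access-list OUTSIDE_OUT extended permit tcp host 55.66.77.88 host 55.66.77.89 eq pop3
access-group OUTSIDE_OUT out interface outside

! Verify which entries are matching with the hit counters:
! show access-list INSIDE_IN
! show access-list OUTSIDE_OUT
```

Use only one of the two options; applying both means every packet is evaluated twice, and a miss on either list drops it.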