Cisco Support Community
New Member

Help understanding PIX acl's

I have worked on PIX's for years and still have a hard as hell time understanding ACL's on a pix, specifically the direction to apply and how they are inspected.

If you read the books it always says inbound acl's are used to go from a lower to higher security interface, but then when you talk about a medium security interface (DMZ) the rules change. Can anyone point me to a doc or write a quick tutorial.

Seems like all ACL's are applied in the inbound direction. Does this mean that it is checked for any traffic coming into the interface?


Re: Help understanding PIX acl's


inbound/outbound concepts !!

Inbound ACLs are checked against traffic coming from the wire and hitting the interface of the device on which the inbound ACL is applied.

Outbound ACLs are checked against traffic coming from elsewhere and crossing the router towards the wire out of the interface on which this outbound ACL is applied.

For a PIX there is the concept of the security level of the interface.

Interfaces with a high security level can automatically access those of lower security.

Interfaces with a lower security level cannot automatically access those with a higher security level unless there is a conduit configured to allow that.


do rate if it does help

Re: Help understanding PIX acl's

Imagine you are inside the PIX. If you want to control traffic from the inside network to the public network (ie outside), you would apply the access-list in the interface labeled inside. For example, you only want to allow www traffic from the inside to the internet.

access-list inside_access_out permit tcp any any eq 80

Then apply it to the proper interface, in the inbound direction. The inbound direction is the only direction available in ver 6.x and below. Starting with 7.x you can apply an ACL in or out, much like a router.

access-group inside_access_out in interface inside

The rules do not change with medium security interfaces. You still need to permit/deny access. One thing to remember is to go from a lower security interface to a higher one (ie outside to inside, outside to dmz, dmz to inside, maybe even dmz to dmz) you need NAT translations (ie statics).

HTH and please rate.

New Member

Re: Help understanding PIX acl's


For those of us that are slow of learning. If I have a host on the dmz (DMZhost) and I have a host on the inside (insidehost), if I want to have traffic to go from the DMZ to inside, do I apply an acl like so:

access-list dmz_access_inside permit tcp DMZ host insidehost eq 80

access-group dmz_access_inside in interface dmz

is that correct? or would it be

access-group dmz_access_inside out interface dmz

and if I want dmz hosts to access outside then is the acl

access-list dmz_access_out permit ip any

access-group dmz_access_outside in interface dmz

Is this right?

Hall of Fame Super Blue

Re: Help understanding PIX acl's


From DMZ to inside

access-list dmz_access_inside permit tcp host DMZhost host insidehost eq 80

access-group dmz_access_inside in interface dmz

You also need to present the inside server to the DMZ. One way to do this

static (inside,dmz) insidehost insidehost netmask

To go from DMZ to outside.

If you don't have an access-list on your DMZ interface then traffic will be allowed out by default (unless you're using the FWSM), because on the PIX traffic is allowed to flow from a higher to a lower level security interface.

If you do have an access-list you would need to add a line for access such as the one you have added above.

If the outside is the Internet you would need to translate the 10.10.10.x addresses to publicly routable addresses.
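
The rules discussed in this thread, as a simplified Python model (an added example, not written by any poster and not Cisco code). The security levels, host names, ACL entries and statics are constructed; ACLs are modelled inbound-only as in 6.x, and address translation for outbound traffic is not modelled.

```python
# Simplified model of the PIX rules described in this thread (added example).
# Levels, host names, ACL entries and statics below are constructed samples.
from dataclasses import dataclass
from typing import Optional

LEVEL = {"inside": 100, "dmz": 50, "outside": 0}  # assumed security levels

@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp" or "ip" ("ip" matches any protocol)
    src: str                    # host name or "any"
    dst: str                    # host name or "any"
    port: Optional[int] = None  # None matches any port

    def matches(self, proto, src, dst, port):
        return (self.proto in ("ip", proto) and self.src in ("any", src)
                and self.dst in ("any", dst) and self.port in (None, port))

def evaluate(flow, acls, statics):
    """flow = (in_if, out_if, proto, src, dst, port).
    acls: interface -> ACE list applied with 'access-group ... in interface X'.
    statics: set of (real_if, mapped_if, host), as in 'static (inside,dmz) ...'."""
    in_if, out_if, proto, src, dst, port = flow
    to_higher = LEVEL[in_if] < LEVEL[out_if]
    acl = acls.get(in_if)
    if acl is not None:
        # First matching entry wins; an applied ACL ends with an implicit deny.
        hit = next((a for a in acl if a.matches(proto, src, dst, port)), None)
        if hit is None or hit.action == "deny":
            return "deny: ACL on " + in_if
    elif to_higher:
        return "deny: lower-to-higher needs an ACL permit"
    if to_higher and (out_if, in_if, dst) not in statics:
        return "deny: no static for " + dst
    return "permit"

# Constructed policy mirroring the DMZ-to-inside example in the thread.
ACLS = {"dmz": [Ace("permit", "tcp", "DMZhost", "insidehost", 80)]}
STATICS = {("inside", "dmz", "insidehost")}

def demo():
    web_in = ("dmz", "inside", "tcp", "DMZhost", "insidehost", 80)
    web_out = ("dmz", "outside", "tcp", "DMZhost", "www.example.com", 80)
    return {
        "dmz->inside": evaluate(web_in, ACLS, STATICS),
        "dmz->inside, no static": evaluate(web_in, ACLS, set()),
        "dmz->outside, ACL applied": evaluate(web_out, ACLS, STATICS),
        "dmz->outside, no ACL": evaluate(web_out, {}, STATICS),
    }
```

Calling `demo()` shows the case that tends to surprise people: once an ACL is bound to the dmz interface for the inside-bound rule, DMZ-to-outside traffic stops matching the default and needs its own permit line.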

