I have worked on PIXs for years and still have a hard as hell time understanding ACLs on a PIX, specifically the direction to apply them and how they are inspected.
If you read the books it always says inbound ACLs are used to go from a lower to a higher security interface, but then when you talk about a medium security interface (DMZ) the rules change. Can anyone point me to a doc or write a quick tutorial?
Seems like all ACL's are applied in the inbound direction. Does this mean that it is checked for any traffic coming into the interface?
Imagine you are inside the PIX. If you want to control traffic from the inside network to the public network (ie outside), you would apply the access-list in the interface labeled inside. For example, you only want to allow www traffic from the inside to the internet.
access-list inside_access_out permit tcp any any eq 80
Then apply it to the proper interface, in the inbound direction. The inbound direction is the only direction available in ver 6.x and below. Starting with 7.x you can apply an ACL in or out, much like a router.
access-group inside_access_out in interface inside
The rules do not change with medium security interfaces. You still need to permit/deny access. One thing to remember is to go from a lower security interface to a higher one (ie outside to inside, outside to dmz, dmz to inside, maybe even dmz to dmz) you need NAT translations (ie statics).
For those of us who are slow learners: if I have a host on the DMZ (DMZhost) and a host on the inside (insidehost), and I want traffic to go from the DMZ to the inside, do I apply an ACL like so:
If you don't have an access-list on your DMZ interface then traffic will be allowed out by default (unless you're using the FWSM), because on the PIX traffic is allowed to flow from a higher to a lower security level interface.
If you do have an access-list you would need to add a line for access such as the one you have added above.
If the outside is the Internet you would need to translate the 10.10.10.x addresses to publicly routable addresses.
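The two replies above state three rules: an access-group is applied "in", so it is checked against traffic arriving on that interface whatever its destination; an interface with no ACL permits higher-to-lower security flows and blocks lower-to-higher; and an ACL that is present ends in an implicit deny. The following Python model, added here as an illustration and not Cisco code or anything posted in this thread, runs the thread's own `inside_access_out` entry plus a constructed DMZ rule through those three rules. The interface names, security levels, the `dmz_access_in` name and all addresses other than the 10.10.10.x DMZ range are assumptions, and NAT/static translation (which lower-to-higher traffic also needs) is deliberately not modelled.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    """One access-list entry, in the subset of PIX syntax used in the thread."""
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip" ("ip" matches any protocol)
    src: str               # "any" or a single host address (from the 'host' keyword)
    dst: str
    dport: Optional[int]   # None means any destination port


@dataclass
class Interface:
    name: str
    security_level: int                      # PIX convention: inside 100, outside 0, DMZ in between
    inbound_acl: Optional[List[Ace]] = None  # None models "no access-group ... in interface X"


def _addr(tokens: List[str], i: int) -> Tuple[str, int]:
    """Read 'any' or 'host A.B.C.D' starting at tokens[i]; network/mask form is not modelled."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host" and i + 1 < len(tokens):
        return tokens[i + 1], i + 2
    raise ValueError(f"unsupported address form at {tokens[i:]}")


def parse_ace(line: str) -> Ace:
    """Parse e.g. 'access-list inside_access_out permit tcp any any eq 80'."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list":
        raise ValueError(f"unsupported ACE: {line!r}")
    action, proto = t[2], t[3]
    src, i = _addr(t, 4)
    dst, i = _addr(t, i)
    dport = int(t[i + 1]) if i + 1 < len(t) and t[i] == "eq" else None
    return Ace(action, proto, src, dst, dport)


def ace_matches(ace: Ace, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ace.src != "any" and ace.src != src:
        return False
    if ace.dst != "any" and ace.dst != dst:
        return False
    if ace.dport is not None and ace.dport != dport:
        return False
    return True


def evaluate(ingress: Interface, egress: Interface, proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, str]:
    """Return (action, reason) for a flow entering on `ingress` and leaving on `egress`.

    Only the ingress interface's inbound ACL is consulted: on PIX 6.x an access-group
    is always bound 'in', i.e. to packets arriving on that interface, regardless of
    which interface they are headed for.
    """
    if ingress.inbound_acl is None:
        if ingress.security_level > egress.security_level:
            return "permit", "no ACL on ingress; higher-to-lower security allowed by default"
        return "deny", "no ACL on ingress; lower-to-higher security blocked by default"
    for ace in ingress.inbound_acl:
        if ace_matches(ace, proto, src, dst, dport):
            return ace.action, f"matched ACE {ace}"
    return "deny", "implicit deny at end of ACL"


def demo() -> dict:
    """Constructed topology; returns the action decided for each sample flow."""
    inside = Interface("inside", 100,
                       [parse_ace("access-list inside_access_out permit tcp any any eq 80")])
    dmz_open = Interface("dmz", 50)   # no access-group bound to the DMZ interface
    dmz_acl = Interface("dmz", 50,
                        [parse_ace("access-list dmz_access_in permit tcp host 10.10.10.5 "
                                   "host 192.168.1.10 eq 1433")])
    outside = Interface("outside", 0)
    return {
        "inside->outside http":  evaluate(inside, outside, "tcp", "192.168.1.20", "198.51.100.1", 80)[0],
        "inside->outside ssh":   evaluate(inside, outside, "tcp", "192.168.1.20", "198.51.100.1", 22)[0],
        "dmz(no acl)->inside":   evaluate(dmz_open, inside, "tcp", "10.10.10.5", "192.168.1.10", 1433)[0],
        "dmz(no acl)->outside":  evaluate(dmz_open, outside, "tcp", "10.10.10.5", "198.51.100.1", 80)[0],
        "dmz(acl)->inside sql":  evaluate(dmz_acl, inside, "tcp", "10.10.10.5", "192.168.1.10", 1433)[0],
        "dmz(acl)->inside ssh":  evaluate(dmz_acl, inside, "tcp", "10.10.10.5", "192.168.1.10", 22)[0],
    }


if __name__ == "__main__":
    for flow, action in demo().items():
        print(f"{flow:24s} {action}")
```

The model makes the direction question concrete: the same `inside_access_out` list decides both the permitted web flow and the denied SSH flow, because both enter the firewall on the inside interface; the DMZ cases show why a DMZ with no access-group can reach the outside but not the inside, and why adding an ACL there turns the default into an explicit permit plus an implicit deny for everything else.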