PIX Access list

Hi Guys,

I have a question about access lists on the PIX. I have a host on the inside, say 1.1.1.1, which wants to talk to host 2.2.2.2 in DMZ1. I applied the access-list on the inside interface and it is working. How about if host 2.2.2.2 wants to talk to host 1.1.1.1? Do I need an access list from DMZ1 to inside?

Tks

Accepted Solution

Re: PIX Access list

kuldeep.kaur wrote:

Hi Guys,

I have a question about access lists on the PIX. I have a host on the inside, say 1.1.1.1, which wants to talk to host 2.2.2.2 in DMZ1. I applied the access-list on the inside interface and it is working. How about if host 2.2.2.2 wants to talk to host 1.1.1.1? Do I need an access list from DMZ1 to inside?

Tks

For return traffic from 2.2.2.2 to 1.1.1.1, no, you don't.

If 2.2.2.2 starts a new connection then yes, you do need an ACL, and you also need to either:

1) have a static NAT statement, e.g.

    static (inside,dmz) 1.1.1.1 1.1.1.1 netmask 255.255.255.255

2) have a NAT exemption, e.g.

    access-list NONAT permit ip host 1.1.1.1 host 2.2.2.2

    nat (inside) 0 access-list NONAT

3) if the PIX is running v7.x or later, disable NAT altogether on the firewall, e.g.

    no nat-control

Jon
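To show how the two requirements from the answer fit together, here is an added example of the relevant PIX 7.x configuration (not taken from the original post): interface names, security levels and the TCP port are assumed for illustration, and the three translation options are shown with only one of them active.

```cisco
! Assumed 7.x-style PIX config; interface names, security levels and the
! TCP port below are constructed for this example.
interface Ethernet1
 nameif inside
 security-level 100
interface Ethernet2
 nameif dmz
 security-level 50
!
! Existing direction (inside -> dmz), the one already working in the post.
access-list INSIDE_IN extended permit ip host 1.1.1.1 host 2.2.2.2
access-group INSIDE_IN in interface inside
!
! Return packets of those connections need nothing more: the PIX is
! stateful and permits the reverse flow through its connection table.
!
! A NEW connection initiated from the lower-security dmz toward inside
! needs both of the pieces below.
!
! 1. An ACL applied inbound on dmz. Permit only the service the DMZ host
!    actually needs on the inside host (TCP/22 is an assumed example)
!    rather than "ip host 2.2.2.2 host 1.1.1.1", since this hole points
!    from the less trusted segment into the more trusted one.
access-list DMZ_IN extended permit tcp host 2.2.2.2 host 1.1.1.1 eq 22
access-group DMZ_IN in interface dmz
!
! 2. A translation for the inside host, so the PIX has an xlate through
!    which to forward lower-to-higher traffic. Any ONE of the following:
!
! 2a. Identity static NAT (option 1 in the answer) - active here.
static (inside,dmz) 1.1.1.1 1.1.1.1 netmask 255.255.255.255
!
! 2b. NAT exemption instead of 2a (option 2 in the answer).
! access-list NONAT extended permit ip host 1.1.1.1 host 2.2.2.2
! nat (inside) 0 access-list NONAT
!
! 2c. Drop the translation requirement entirely (option 3; 7.x or later).
! no nat-control
```

After the DMZ host opens its connection, `show xlate` should list the 1.1.1.1 translation and `show conn` the TCP connection; if the ACL is in place but the xlate is missing, the PIX drops the packet and logs a "no translation group found" style message, which is the usual sign that step 2 was skipped.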
