Cisco Support Community

New Member

a simple complicated PIX ACL question

Okay this question is kind of a double-shot. One thing you need to know before you read this is that my background is iptables on Linux.

Now, question 1: Let's say I've got a 3-interface firewall, one external interface, one DMZ, and one private LAN. Let's say packet A comes in on the outside interface destined for a box in my DMZ (and we can assume that the proper translations take place). The packet comes in the PIX, hits the ACL(s) on the outside interface first, right? Then it's translated and goes out the DMZ interface... correct? Does it hit the ACL(s) on the DMZ interface after it's translated before it goes on to the next hop or whatever is after the PIX?

Question 2: Let's take the above setup for example. Let's say I'm on a box in the DMZ. I try to go out to an IP address that will have to be routed out the outside interface. Let's say I'm sending TCP data on port 80 for simplicity. So with that said, the destination port will be 80, and the source port will be something else. When I hit the PIX, I'll be hitting the DMZ interface first, so the ACL(s) get applied there, correct? When a packet hits an interface, how does the PIX know if it should apply an ACL to it or not? For example, I don't want the same ACL(s) applied to data going out to the internet that I do data coming in from the internet going to a box in my DMZ, even though both packets will have a destination port of 80 (in this example).

Does that make sense? Any tips for me to understand this? The way it's done in iptables is it's dependent upon which chain it's in as to what its function is and when it's applied, not to mention which interface it is applied to, which is supplied during the entries into the tables (such as iptables w/ the -i eth0 option, for example).

-Chris (ee99ee)

New Member

Re: a simple complicated PIX ACL question

Hi Chris,

When you're using ACLs with the access-group command, it only looks at the data that's entering the interface it's applied to.

For example, if data were coming from the internet and is destined for your DMZ, it would only be processed by the ACL that's associated with the external interface.

*EDIT*: I forgot to answer your second question.

The ACL is applied no matter who starts the data exchange. So even if you initiate the connection on the DMZ side, or whether a server on the DMZ is replying to a request from the internet, the ACL will be processed.

Hope that helps,
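The point made in the reply, that an access-group binding only evaluates traffic entering the named interface, is easiest to see as a config. The following PIX 6.x style fragment is an added illustration written for this thread, not configuration posted by either participant; the interface names, security levels and addresses (203.0.113.0/24 and 192.168.2.0/24) are constructed placeholders. Both ACLs match destination port 80, yet they can never be confused because each is consulted only for the direction of traffic that enters its own interface.

```cisco
! Three interfaces with the usual security levels (constructed example)
nameif ethernet0 outside security0
nameif ethernet1 inside  security100
nameif ethernet2 dmz     security50

! Static translation: DMZ web server 192.168.2.10 is reachable from the
! internet as 203.0.113.10. On PIX 6.x the outside ACL is checked before
! translation, so it names the MAPPED (global) address, as in question 1.
static (dmz,outside) 203.0.113.10 192.168.2.10 netmask 255.255.255.255

! Question 1: packets ARRIVING on outside are checked here and only here.
! After the static translation they leave via dmz without touching dmz_out.
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in deny ip any any log
access-group outside_in in interface outside

! Question 2: packets ARRIVING on dmz (the server browsing out) are checked
! against this list only. Same destination port 80, different policy:
! only the web server may initiate outbound HTTP, nothing else leaves.
access-list dmz_out permit tcp host 192.168.2.10 any eq www
access-list dmz_out deny ip any any log
access-group dmz_out in interface dmz

! Nothing is bound to inside, so the default security-level rule applies:
! the higher-security inside may initiate to outside and dmz, not the reverse.
```

Only the first packet of a flow is evaluated against the bound ACL; once the PIX has built a connection entry, return packets of that flow are passed by the state table rather than by a second ACL lookup. The explicit `deny ip any any log` lines restate the implicit deny so that dropped traffic shows up in syslog, which is the check to run when a flow unexpectedly fails.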