Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
331
Views
0
Helpful
1
Replies

a simple complicated PIX ACL question

cmiller
Level 1
Level 1

‎04-23-2003 11:41 AM - edited ‎02-20-2020 10:42 PM

Okay this question is kind of a double-shot. One thing you need to know before you read this is that my background is iptables on Linux.

Now, question 1: Let's say I've got a 3-interface firewall, one external interface, one DMZ, and one private LAN. Let's say packet A comes in on the outside interface destine for a box in my DMZ (and we can assume that the proper translations take place). The packet comes in the PIX, hits the ACL(s) on the outside inteface first, right? Then it's translated and goes out the DMZ interface... correct? Does it hit the ACL(s) on the DMZ interface after it's translated before it goes on to the next hop or whatever is after the PIX?

Question 2: Let's take the above setup for example. Let's say I'm on a box in the DMZ. I try to go out to an IP address that will have to be routed out the outside interface. Let's say I'm sending TCP data on port 80 for simplicity. So with that said, the destination port will be 80, and the source port will be something else. When I hit the PIX, I'll be hitting the DMZ interface first, so the ACL(s) get applied there, correct? When a packet hits an interface, how does the PIX know if it should apply an ACL to it or not? For example, I don't want the same ACL(s) applied to data going out to the internet that I do data coming in from the internet going to a box in my DMZ, even though both packets will have a destination port of 80 (in this example).

Does that make sence? Any tips for me to understand this? The way it's done in iptables is it's dependent upon which chain it's in as to what it's function is and when it's applied, not to mention which interface it is applied to which is supplyed during the entries into the tables (such as iptables w/ -i eth0 option for example).

-Chris (ee99ee)

0 Helpful
1 Reply 1

dro
Level 1
Level 1

‎04-23-2003 11:48 AM

Hi Chris,

When your using ACL's with the access-group command, it only looks at the data that's entering the interface it's applied to.

For example, if data were comming from the internet and is destined for your DMZ, it would only be processed by the ACL that's associated with the external interface.

*EDIT*: I forgot to answer your second question.

The ACL is applied no matter who starts the data exchange. So even if you initiate the connection on the DMZ side, or weither a server on the DMZ is replying to a request from the internet, the ACL will be processed.

Hope that helps,

-Joshua

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card