Okay this question is kind of a double-shot. One thing you need to know before you read this is that my background is iptables on Linux.
Now, question 1: Let's say I've got a 3-interface firewall, one external interface, one DMZ, and one private LAN. Let's say packet A comes in on the outside interface destined for a box in my DMZ (and we can assume that the proper translations take place). The packet comes in the PIX, hits the ACL(s) on the outside interface first, right? Then it's translated and goes out the DMZ interface... correct? Does it hit the ACL(s) on the DMZ interface after it's translated before it goes on to the next hop or whatever is after the PIX?
Question 2: Let's take the above setup for example. Let's say I'm on a box in the DMZ. I try to go out to an IP address that will have to be routed out the outside interface. Let's say I'm sending TCP data on port 80 for simplicity. So with that said, the destination port will be 80, and the source port will be something else. When I hit the PIX, I'll be hitting the DMZ interface first, so the ACL(s) get applied there, correct? When a packet hits an interface, how does the PIX know if it should apply an ACL to it or not? For example, I don't want the same ACL(s) applied to data going out to the internet that I do data coming in from the internet going to a box in my DMZ, even though both packets will have a destination port of 80 (in this example).
Does that make sense? Any tips for me to understand this? The way it's done in iptables is it's dependent upon which chain it's in as to what its function is and when it's applied, not to mention which interface it is applied to, which is supplied during the entries into the tables (such as iptables w/ -i eth0 option for example).
When you're using ACLs with the access-group command, it only looks at the data that's entering the interface it's applied to.
For example, if data were coming from the internet and is destined for your DMZ, it would only be processed by the ACL that's associated with the external interface.
*EDIT*: I forgot to answer your second question.
The ACL is applied no matter who starts the data exchange. So even if you initiate the connection on the DMZ side, or whether a server on the DMZ is replying to a request from the internet, the ACL will be processed.
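To make the two answers concrete, here is an added PIX configuration fragment (example only, not posted by anyone in the thread). The interface names, the addresses (203.0.113.10 as the server's global address, 192.168.1.10 as its DMZ address, 10.0.0.0/24 as the private LAN) and the ACL names are constructed for illustration. It shows one ACL bound inbound on the outside interface for question 1 and a separate ACL bound inbound on the DMZ interface for question 2, so a packet's treatment depends only on which interface it arrives on, not on its destination port:

```cisco
! Added example, not from the original thread. Interface names, addresses
! and ACL names are constructed for illustration.

! Question 1: a packet from the internet for the DMZ web server.
! Static translation: global 203.0.113.10 (outside) <-> real 192.168.1.10 (dmz).
static (dmz,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255

! Only the ACL bound to the outside interface is evaluated for traffic
! entering from the internet. On PIX code the outside ACL matches the
! address as it is seen on the outside interface, i.e. the global address.
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in deny ip any any
access-group outside_in in interface outside

! Question 2: a connection started by a DMZ host toward the internet enters
! on the dmz interface, so only dmz_in is evaluated; outside_in is not,
! even though the destination port is also 80.
! Deny the DMZ host from reaching the private LAN before the broad permit,
! because the ACL is evaluated top-down and stops at the first match.
access-list dmz_in deny ip any 10.0.0.0 255.255.255.0
access-list dmz_in permit tcp host 192.168.1.10 any eq www
access-list dmz_in deny ip any any
access-group dmz_in in interface dmz
```

After applying this, `show access-list outside_in` and `show access-list dmz_in` display a hit count per entry, which is the quickest way to confirm that inbound web traffic is being counted only against outside_in and DMZ-originated traffic only against dmz_in. The explicit `deny ip any any` at the end of each list makes the implicit deny visible in those counters, which is useful when you are checking that nothing unexpected is being dropped.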