New Member

access-list with the PIX

I want to control access coming from the inside interface going to the outside as well as 2 DMZ's that I have setup on a PIX. With ASA in place, I already have access to those 3 legs, but I want to lock them down via acl's (such as only www traffic to outside, only telnet traffic to dmz1, etc, etc).

How would something like this work? Would I have to config all the acl's with subnet info? I am thinking this could be a problem in the area of internet traffic, such as an acl like this:

"access-list acl_in permit tcp 10.0.0.0 255.0.0.0 any eq www"

"access-group acl_in in interface inside"

which would be necessary to lock down internal users to www traffic only, but at the same time, would allow them to initiate www requests on ALL of the DMZ's as well....is there any way around this? (I'm also doing interface PAT on the outside interface if that helps at all)...

1 REPLY
Cisco Employee

Re: access-list with the PIX

If you set up

"access-list acl_in permit tcp 10.0.0.0 255.0.0.0 any eq www" and "access-group acl_in int inside",

you allow the 10.0.0.0 network to access any network for port 80, which includes all the interface networks (all DMZs). Make sure the PIX has some kind of nat and global statement on each interface.
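To see why the reply's point holds, here is an added example (not from the thread or from Cisco) that models the PIX first-match, implicit-deny ACL evaluation in Python: the one-line ACL as posted permits www to the DMZ hosts too, while an ACL that places explicit denies for the DMZ subnets ahead of the permit-any line only permits www to the outside. The DMZ subnets 192.168.1.0/24 and 192.168.2.0/24 and the host addresses are constructed assumptions; the thread names no addresses.

```python
import ipaddress

PORTS = {"www": 80, "telnet": 23}   # port keywords used in the thread

def parse_ace(line):
    """Parse 'access-list NAME permit|deny tcp SRC MASK DST MASK [eq PORT]' (PIX syntax, subset)."""
    tok = line.split()
    action, proto, i = tok[2], tok[3], 4
    nets = []
    for _ in range(2):                       # source network, then destination network
        if tok[i] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0")); i += 1
        else:
            nets.append(ipaddress.ip_network(f"{tok[i]}/{tok[i+1]}", strict=False)); i += 2
    port = None                              # no 'eq' means any destination port
    if i < len(tok) and tok[i] == "eq":
        port = PORTS.get(tok[i + 1]) or int(tok[i + 1])
    return action, proto, nets[0], nets[1], port

def evaluate(acl, proto, src, dst, dport):
    """First matching ACE wins; no match falls through to the implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, sn, dn, port in map(parse_ace, acl):
        if p == proto and s in sn and d in dn and (port is None or port == dport):
            return action
    return "deny"

# The ACL exactly as posted in the thread (applied inbound on the inside interface).
ACL_AS_POSTED = [
    "access-list acl_in permit tcp 10.0.0.0 255.0.0.0 any eq www",
]

# Constructed alternative (assumed DMZ subnets): telnet to dmz1 is permitted, then all other
# TCP to both DMZs is denied *before* the permit-any www line, so the denies match first.
ACL_LOCKED_DOWN = [
    "access-list acl_in permit tcp 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0 eq telnet",
    "access-list acl_in deny tcp 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0",
    "access-list acl_in deny tcp 10.0.0.0 255.0.0.0 192.168.2.0 255.255.255.0",
    "access-list acl_in permit tcp 10.0.0.0 255.0.0.0 any eq www",
]

if __name__ == "__main__":
    for name, acl in (("as posted", ACL_AS_POSTED), ("locked down", ACL_LOCKED_DOWN)):
        print(name, "inside->Internet www:", evaluate(acl, "tcp", "10.1.1.5", "203.0.113.10", 80))
        print(name, "inside->dmz1 www:    ", evaluate(acl, "tcp", "10.1.1.5", "192.168.1.20", 80))
        print(name, "inside->dmz1 telnet: ", evaluate(acl, "tcp", "10.1.1.5", "192.168.1.20", 23))
```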
