
ACL interface processing...

rvaccare
Level 1

For this question, allow me to first set up the scenario...

ACL_out applied to outside interface - allows SMTP to all IP addresses.

ACL_dmz applied to dmz interface - allows SMTP to only a few select machines in the DMZ (implicit deny statement at the end of list).

STATIC commands have been configured for all machines in the DMZ.

Would an SMTP packet from the outside be able to go to any machine in the DMZ (disregard whether the host is listening on port 25), or just those specified by the STATIC commands?

Basically, my question is whether, once a packet passes an ACL on one interface (e.g., the outside interface), the packet is processed again on the next interface (e.g., the DMZ or inside interface), or whether, once the packet passes one interface, it is sent on to its destination regardless of the ACLs applied on the other interfaces it travels over.

Thanks.

1 Accepted Solution

gfullage
Cisco Employee

If the packet passes through the outside interface onto the DMZ, the ACL applied to the DMZ interface has no effect.

When a packet first comes into the outside int, the ACL applied to the outside interface is checked (along with the static) and if the packet is permitted, the PIX creates a connection entry for it. The return packets on this connection (coming into the DMZ interface) are allowed to proceed without any further ACL checking.

This is exactly the same for, say, an inside packet going out to the Internet: you don't have to apply an ACL to the outside interface permitting these back in, because a connection has been created.

If you want to limit what DMZ hosts/ports people on the outside can get to, then you do this with your (dmz,outside) statics and your ACL applied to the outside interface. The ACL applied on the DMZ interface is really only for connections initiated on the DMZ interface, which is probably not going to be anything.


2 Replies


I have the following doubt:

Specifically, sometimes the DNS server wants to communicate with an external DNS server and the internal (inside) DNS. In this case, how would the ACL in the DMZ work?

Thanks for your response

Sergio

suntiveros@aprendaredes.com
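To make the rule in the accepted answer concrete, and to cover the DMZ-initiated case Sergio asks about, here is an added Python model of the PIX packet flow. It is example code written for this thread, not Cisco's implementation and not anything posted by the participants. It parses a small constructed PIX-style configuration (RFC 5737 documentation addresses, numeric ports, the `static`, `access-list` and `access-group` syntax of the original scenario) and replays packets through the three steps gfullage describes: only the ACL on the arriving interface is consulted (with the implicit deny), an outside-initiated connection also needs a static for its destination, and return traffic on an established connection is passed with no further ACL check. The connection table is a toy 5-tuple set; a real PIX tracks xlates, TCP state and timeouts as well.

```python
# Toy model of PIX stateful packet processing (added example, not Cisco code).
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed PIX-style config with RFC 5737 documentation addresses (assumed, not the
# poster's). ACL_out is written against global (translated) addresses, as the PIX
# expects; ports are numeric (25 = smtp, 53 = domain).
CONFIG = """
static (dmz,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
static (dmz,outside) 203.0.113.11 192.168.1.11 netmask 255.255.255.255
access-list ACL_out permit tcp any any eq 25
access-list ACL_dmz permit tcp host 192.168.1.10 any eq 25
access-list ACL_dmz permit udp host 192.168.1.10 any eq 53
access-group ACL_out in interface outside
access-group ACL_dmz in interface dmz
"""

@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet arrives on ("outside" or "dmz")
    proto: str          # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    sport: int = 40000  # constructed ephemeral port for client-side packets

@dataclass
class Ace:
    action: str
    proto: str
    src: str            # "any" or one host address
    dst: str
    dport: Optional[int]

    def matches(self, pkt: Packet) -> bool:
        return (self.proto == pkt.proto and self.src in ("any", pkt.src)
                and self.dst in ("any", pkt.dst)
                and (self.dport is None or self.dport == pkt.dport))

def _addr(t: List[str], i: int) -> Tuple[str, int]:
    # Parse 'any' or 'host X' at t[i]; return (address, index of next token).
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return t[i + 1], i + 2
    raise ValueError(f"unsupported address form: {t[i]}")

class Pix:
    def __init__(self, config: str):
        self.acls: Dict[str, List[Ace]] = {}
        self.groups: Dict[str, str] = {}   # interface -> ACL applied inbound
        self.statics: Dict[str, str] = {}  # global address -> local address
        # connection table: (proto, src, sport, dst, dport) in local address space
        self.conns: Set[Tuple[str, str, int, str, int]] = set()
        for line in config.strip().splitlines():
            self._parse(line.split())

    def _parse(self, t: List[str]) -> None:
        if t[0] == "static":            # static (dmz,outside) GLOBAL LOCAL netmask ...
            self.statics[t[2]] = t[3]
        elif t[0] == "access-list":     # access-list NAME ACTION PROTO SRC DST [eq PORT]
            src, i = _addr(t, 4)
            dst, i = _addr(t, i)
            dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
            self.acls.setdefault(t[1], []).append(Ace(t[2], t[3], src, dst, dport))
        elif t[0] == "access-group":    # access-group NAME in interface IFACE
            self.groups[t[4]] = t[1]

    def process(self, pkt: Packet) -> Tuple[str, str]:
        # Outside packets carry the global destination; map it to the local address
        # so the connection lookup is done in one address space.
        dst = self.statics.get(pkt.dst, pkt.dst) if pkt.iface == "outside" else pkt.dst
        # 1. Return traffic of an existing connection: no ACL check at all.
        if (pkt.proto, dst, pkt.dport, pkt.src, pkt.sport) in self.conns:
            return "allow", "return traffic of existing connection; ACL not checked"
        # 2. New connection: only the ACL on the ARRIVING interface is consulted
        #    (implicit deny at the end); the egress interface's ACL is never read.
        acl = self.acls.get(self.groups.get(pkt.iface, ""), [])
        ace = next((a for a in acl if a.matches(pkt)), None)
        if ace is None or ace.action == "deny":
            return "deny", f"no permit in ACL on {pkt.iface} (implicit deny)"
        # 3. Outside-initiated traffic also needs a static for its destination.
        if pkt.iface == "outside" and pkt.dst not in self.statics:
            return "deny", "no static translation for destination"
        self.conns.add((pkt.proto, pkt.src, pkt.sport, dst, pkt.dport))
        return "allow", f"permitted by ACL on {pkt.iface}; connection created"

def run_scenario() -> Dict[str, str]:
    # Replay the thread's cases in order; returns the verdict for each.
    pix = Pix(CONFIG)
    client, ext_dns = "198.51.100.5", "198.51.100.53"   # constructed outside hosts
    cases = {
        # SMTP to .11: ACL_out permits and a static exists, so it passes even though
        # ACL_dmz has no permit for .11 at all.
        "smtp_to_dmz_11": Packet("outside", "tcp", client, "203.0.113.11", 25),
        # .11's reply matches the connection; ACL_dmz is not consulted.
        "smtp_return": Packet("dmz", "tcp", "192.168.1.11", client, 40000, sport=25),
        # SMTP to a global address with no static: dropped despite the ACL_out permit.
        "smtp_no_static": Packet("outside", "tcp", client, "203.0.113.99", 25),
        # The DMZ DNS server initiating a query outward: here ACL_dmz decides.
        "dmz_dns_out": Packet("dmz", "udp", "192.168.1.10", ext_dns, 53),
        # The resolver's reply arrives on outside for the global .10 address.
        "dmz_dns_reply": Packet("outside", "udp", ext_dns, "203.0.113.10", 40000, sport=53),
        # .11 initiating from the DMZ has no permit in ACL_dmz: implicit deny.
        "dmz_11_initiates": Packet("dmz", "tcp", "192.168.1.11", client, 25),
    }
    return {name: pix.process(p)[0] for name, p in cases.items()}
```

Calling `run_scenario()` returns `allow` for the SMTP connection to 192.168.1.11 and its reply although ACL_dmz never mentions that host, `deny` for the address without a static, and, for the DNS case, `allow` for the query initiated by the DMZ server (permitted by ACL_dmz) and its reply while a DMZ-initiated connection from the other host is dropped by the implicit deny. The practical takeaway matches the accepted answer: restrict outside-to-DMZ access with the statics and the outside ACL, and use the DMZ ACL to decide what the DMZ hosts themselves may initiate, such as outbound DNS.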