Cisco Support Community
New Member

ACL interface processing...

For this question, allow me to first set up the scenario...

ACL_out applied to outside interface - allows SMTP to all IP addresses.

ACL_dmz applied to dmz interface - allows SMTP to only a few select machines in the DMZ (implicit deny statement at the end of list).

STATIC commands have been configured for all machines in the DMZ.

Would an SMTP packet from the outside be able to go to any machine in the DMZ (disregard whether the host is listening on port 25), or just those specified by the STATIC commands?

Basically, my question is whether once a packet passes an ACL on one interface (e.g., outside interface), is the packet again processed on the next interface (e.g., DMZ or inside interface), or is it that once the packet passes one of the interfaces, it is sent on to its destination regardless of ACLs applied on the interfaces over which the packet travels?

Thanks.

1 ACCEPTED SOLUTION

Cisco Employee

Re: ACL interface processing...

If the packet passes through the outside interface onto the DMZ, the ACL applied to the DMZ interface has no effect.

When a packet first comes into the outside int, the ACL applied to the outside interface is checked (along with the static) and if the packet is permitted, the PIX creates a connection entry for it. The return packets on this connection (coming into the DMZ interface) are allowed to proceed without any further ACL checking.

This is exactly the same for, say, an inside packet going out to the Internet: you don't have to apply an ACL to the outside interface permitting these back in, because a connection has been created.

If you want to limit what DMZ hosts/ports people on the outside can get to, then you do this with your (dmz,outside) statics and your ACL applied to the outside interface. The ACL applied on the DMZ interface is really only for connections initiated on the DMZ interface, which is probably not going to be anything.
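The decision flow the accepted answer describes (ingress-interface ACL plus static for a new connection, connection entry created, return packets matched against the connection table with no further ACL lookup, and the DMZ ACL consulted only for DMZ-initiated connections) can be modelled in a few dozen lines. The following is an added example written for this thread, not Cisco code and not a real PIX configuration: the ACL names ACL_out and ACL_dmz come from the question, while the interface names, addresses, ports, the simplified ACE format and the assumption that an ACL is evaluated on the addresses as the packet arrives on that interface (global addresses on the outside) are illustrative choices of the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed example: a minimal model of the PIX decision flow from the
# accepted answer. Interfaces, addresses, ports and ACE format are
# illustrative; this is not a real configuration or vendor code.


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp" or "ip" (ip matches any protocol)
    src: str              # host address or "any"
    dst: str              # host address or "any"
    dport: Optional[int]  # None matches any destination port


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    return (
        ace.proto in ("ip", pkt.proto)
        and ace.src in ("any", pkt.src)
        and ace.dst in ("any", pkt.dst)
        and ace.dport in (None, pkt.dport)
    )


def acl_permits(acl: List[Ace], pkt: Packet) -> bool:
    """First matching entry wins; no match is the implicit deny at the end."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action == "permit"
    return False


class Pix:
    def __init__(self, acls: Dict[str, List[Ace]], statics: Dict[str, str]) -> None:
        self.acls = acls        # interface name -> ACL bound to that interface
        self.statics = statics  # global (outside) address -> real DMZ address
        self.conns: Set[Tuple[str, str, int, str, int]] = set()

    def process(self, iface: str, pkt: Packet) -> Tuple[str, str]:
        # Resolve the static so connection entries are keyed on real addresses.
        real_dst = self.statics.get(pkt.dst, pkt.dst) if iface == "outside" else pkt.dst
        forward = (pkt.proto, pkt.src, pkt.sport, real_dst, pkt.dport)
        reverse = (pkt.proto, real_dst, pkt.dport, pkt.src, pkt.sport)

        # 1. Packets of an existing connection (either direction) bypass all ACLs.
        if forward in self.conns or reverse in self.conns:
            return "permit", "matches existing connection, ACL on %s not consulted" % iface

        # 2. New connection: only the ACL on the ingress interface is checked,
        #    on the addresses as they arrive there (assumption of this model).
        if not acl_permits(self.acls.get(iface, []), pkt):
            return "deny", "denied by ACL on %s" % iface

        # 3. Outside -> DMZ also needs a static for the destination; without a
        #    translation the packet has nowhere to go. (Outbound translation for
        #    DMZ-initiated traffic is not modelled.)
        if iface == "outside" and pkt.dst not in self.statics:
            return "deny", "no static for %s" % pkt.dst

        # 4. Create the connection entry; later packets match in step 1.
        self.conns.add(forward)
        return "permit", "permitted by ACL on %s, connection created" % iface


def build_scenario() -> Pix:
    acl_out = [Ace("permit", "tcp", "any", "any", 25)]      # SMTP to all addresses
    acl_dmz = [
        Ace("permit", "tcp", "any", "10.1.1.10", 25),       # what the question intended
        Ace("permit", "udp", "10.1.1.20", "any", 53),       # DMZ DNS server querying outward
    ]
    statics = {"198.51.100.10": "10.1.1.10", "198.51.100.20": "10.1.1.20"}
    return Pix({"outside": acl_out, "dmz": acl_dmz}, statics)


def run_scenario() -> List[Tuple[str, str, str]]:
    pix = build_scenario()
    steps = [
        ("smtp-to-mapped-host", "outside", Packet("tcp", "203.0.113.5", 40000, "198.51.100.20", 25)),
        ("smtp-return", "dmz", Packet("tcp", "10.1.1.20", 25, "203.0.113.5", 40000)),
        ("smtp-no-static", "outside", Packet("tcp", "203.0.113.5", 40001, "198.51.100.30", 25)),
        ("dmz-dns-query", "dmz", Packet("udp", "10.1.1.20", 5353, "203.0.113.53", 53)),
        ("dmz-smtp-out", "dmz", Packet("tcp", "10.1.1.20", 4000, "203.0.113.25", 25)),
    ]
    return [(name,) + pix.process(iface, pkt) for name, iface, pkt in steps]


if __name__ == "__main__":
    for name, verdict, reason in run_scenario():
        print(f"{name:20} {verdict:6} {reason}")
```

The first step is the one the question asks about: SMTP from the outside to the static for 10.1.1.20 is permitted by ACL_out even though ACL_dmz mentions only 10.1.1.10, because the DMZ ACL is never consulted for that connection; the reply from the DMZ host is then matched to the connection entry. The packet to an address with no static is dropped regardless of the permit in ACL_out, and the last two steps show ACL_dmz doing the only job the answer gives it, filtering connections the DMZ hosts initiate.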

2 REPLIES
New Member

Re: ACL interface processing...

I have the following doubt:

Specifically, sometimes the DNS server wants to communicate with an external DNS server and an internal (inside) DNS server. In this case, how would the ACL in the DMZ work?

Thanks for your response

Sergio

suntiveros@aprendaredes.com
