02-19-2004 10:54 PM - edited 03-09-2019 06:29 AM
Hi All,
Just wanted to clarify the following.
Access-list is applied for the outside interface. Do you suggest to have deny ip any any statement at the end of the access-list?
By default even if this statement is not present. PIX should not allow any other traffic unless and until permitted.
So what is the suggested approach ?
If I don't put deny ip any any at the end of the outside interface access-list, what are the implications?
Regards,
Sunil
02-20-2004 12:55 PM
Hi,
there is no need to define a deny ip any any at the end
yes true, pix should not allow any other traffic unless and until permitted
there is no requirement of putting deny ip any any at the end of the outside interface's access-list
Thanks
Nadeem
02-21-2004 02:14 AM
nadeem,
would you require adding deny ip any any in inside interface when blocking outgoing traffic? or does the pix also block it unless and until permitted by default?
thanks!
02-22-2004 05:10 AM
there is an implicit deny ip any any at the end of ANY access list. if you add an acl to the inside interface, that implicit statement will take effect.
I.e., if you want to block your users from telnetting outside:
access-list insideout deny tcp any any eq 23
that will block outbound telnet, but the implicit deny any will block *EVERYTHING*. this is what happens when you apply an ACL.
access-list insideout deny tcp any any eq 23
access-list insideout permit ip any any
this will block telnet with the first line, and allow everything else with the second
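To make the first-match and implicit-deny behaviour described in this reply concrete, here is an added example (not from the thread or from Cisco) that parses the two access-lists above and evaluates sample packets against them; the function names, the host addresses and the ACL strings are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed ACL text in the PIX syntax used in the thread above.
ACL_TELNET_ONLY = """
access-list insideout deny tcp any any eq 23
"""
ACL_WITH_PERMIT = """
access-list insideout deny tcp any any eq 23
access-list insideout permit ip any any
"""

@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp" or "udp"
    src: str               # "any" or a host address (constructed simplification)
    dst: str
    dport: Optional[int]   # destination port from "eq <port>", if given

def parse_acl(text: str, name: str) -> list:
    """Parse 'access-list <name> <action> <proto> <src> <dst> [eq <port>]' lines in order."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[1] != name:
            continue
        dport = int(tok[7]) if len(tok) >= 8 and tok[6] == "eq" else None
        aces.append(Ace(tok[2], tok[3], tok[4], tok[5], dport))
    return aces

def matches(ace: Ace, proto: str, src: str, dst: str, dport: int) -> bool:
    """One ACE matches a packet when every field it specifies agrees ('any'/'ip' match all)."""
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ace.src != "any" and ace.src != src:
        return False
    if ace.dst != "any" and ace.dst != dst:
        return False
    return ace.dport is None or ace.dport == dport

def evaluate(aces: list, proto: str, src: str, dst: str, dport: int) -> str:
    """First matching entry wins; a packet matching nothing hits the implicit deny ip any any."""
    for ace in aces:
        if matches(ace, proto, src, dst, dport):
            return ace.action
    return "deny"  # the implicit deny at the end of every access-list

if __name__ == "__main__":
    for text in (ACL_TELNET_ONLY, ACL_WITH_PERMIT):
        aces = parse_acl(text, "insideout")
        print("telnet:", evaluate(aces, "tcp", "10.0.0.5", "198.51.100.7", 23),
              "http:", evaluate(aces, "tcp", "10.0.0.5", "198.51.100.7", 80))
```

Running it shows that the one-line ACL denies telnet and, through the implicit deny, HTTP too, while the two-line ACL denies only telnet.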
02-22-2004 05:27 AM
outbound traffic is permitted by default.
if you put deny ip any any, it will block out everything. So you should permit the required traffic first and then put deny ip any any (although, once you implement an access-list on an interface, there is an implicit deny at the end, so there is no need of adding it at the end)
Thanks
Nadeem
02-22-2004 06:06 PM
Thanks for confirmation Nadeem!
Regards,
Sunil