Cisco Support Community

New Member

deny statement

Hi All,

Just wanted to clarify the following.

An access-list is applied to the outside interface. Do you suggest having a deny ip any any statement at the end of the access-list?

By default, even if this statement is not present, the PIX should not allow any other traffic unless and until permitted.

So what is the suggested approach?

If I don't put deny ip any any at the end of the outside interface access-list, what are the implications?

Regards,

Sunil

5 REPLIES
Cisco Employee

Re: deny statement

Hi,

There is no need to define a deny ip any any at the end.

Yes, true, the PIX should not allow any other traffic unless and until permitted.

There is no requirement to put deny ip any any at the end of the outside interface's access-list.

Thanks

Nadeem

New Member

Re: deny statement

Nadeem,

Would you require adding deny ip any any on the inside interface when blocking outgoing traffic? Or does the PIX also block it unless and until permitted by default?

thanks!

Silver

Re: deny statement

There is an implicit deny ip any any at the end of ANY access list. If you add an ACL to the inside interface, that implicit statement will take effect.

I.e., if you want to block your users from telnetting outside:

access-list insideout deny tcp any any eq 23

That will block outbound telnet, but the implicit deny any will block *EVERYTHING*. This is what happens when you apply an ACL.

access-list insideout deny tcp any any eq 23

access-list insideout permit ip any any

This will block telnet with the first line and allow everything else with the second.

Cisco Employee

Re: deny statement

Outbound traffic is permitted by default.

If you put deny ip any any, it will block everything. So you should permit the required traffic first and then put deny ip any any (although, once you implement an access-list on an interface, there is an implicit deny at the end, so there is no need to add it at the end).

Thanks

Nadeem
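The two points made above (the implicit deny at the end of any applied ACL, and the need to put the permit entries before a blanket deny) can be checked with a small first-match simulator. This is an added example, not code from the thread or from Cisco; it parses only the `access-list NAME {permit|deny} PROTO any any [eq PORT]` line shape used in the replies, and the three sample ACLs and the flow list are constructed for the demonstration.

```python
"""
Added example (not from the original thread): a tiny first-match
simulator for PIX-style extended access-lists, used to show the
implicit "deny ip any any" at the end of any applied ACL and the
effect of entry ordering.

Assumptions: only the 'access-list NAME {permit|deny} PROTO any any [eq PORT]'
form from the thread is parsed; source/destination hosts are ignored (all 'any').
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Matches the line shape used in the thread, e.g.
#   access-list insideout deny tcp any any eq 23
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>ip|tcp|udp|icmp)\s+any\s+any(?:\s+eq\s+(?P<port>\d+))?\s*$"
)


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    port: Optional[int]  # None = any destination port


def parse_acl(text: str) -> Tuple[str, List[Ace]]:
    """Parse access-list lines; returns the ACL name and its ordered entries."""
    name = None
    entries: List[Ace] = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError("unsupported ACE syntax: %r" % line)
        if name is None:
            name = m["name"]
        elif m["name"] != name:
            raise ValueError("all lines must belong to the same access-list")
        port = int(m["port"]) if m["port"] else None
        entries.append(Ace(m["action"], m["proto"], port))
    return name, entries


def evaluate(entries: List[Ace], proto: str, dport: Optional[int]) -> str:
    """First matching entry wins; if nothing matches, the implicit deny applies."""
    for ace in entries:
        proto_ok = ace.proto == "ip" or ace.proto == proto
        port_ok = ace.port is None or ace.port == dport
        if proto_ok and port_ok:
            return ace.action
    return "deny"  # implicit deny ip any any at the end of every applied ACL


# Constructed sample ACLs, following the shape of the thread's examples.
ACL_DENY_ONLY = "access-list insideout deny tcp any any eq 23\n"
ACL_DENY_THEN_PERMIT = (
    "access-list insideout deny tcp any any eq 23\n"
    "access-list insideout permit ip any any\n"
)
# Wrong order: the blanket permit is hit first, so the telnet deny is never reached.
ACL_PERMIT_THEN_DENY = (
    "access-list insideout permit ip any any\n"
    "access-list insideout deny tcp any any eq 23\n"
)


def verdicts(acl_text: str) -> Dict[str, str]:
    """Evaluate a few constructed representative outbound flows against an ACL."""
    _, entries = parse_acl(acl_text)
    flows = {"telnet": ("tcp", 23), "https": ("tcp", 443), "dns": ("udp", 53)}
    return {label: evaluate(entries, p, d) for label, (p, d) in flows.items()}


if __name__ == "__main__":
    for label, acl in [("deny only", ACL_DENY_ONLY),
                       ("deny then permit", ACL_DENY_THEN_PERMIT),
                       ("permit then deny", ACL_PERMIT_THEN_DENY)]:
        print("%-18s %s" % (label, verdicts(acl)))
```

Running it shows the three outcomes discussed in the thread: the single deny line drops telnet and, through the implicit deny, everything else too; deny followed by permit ip any any drops only telnet; and putting the permit first lets telnet through because the later deny is never evaluated.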

New Member

Re: deny statement

Thanks for the confirmation, Nadeem!

Regards,

Sunil
