Since PIX supports stateful inspection, you don't need to configure such an access-list. For example: you have one PIX with two interfaces -- inside (security level=100) and outside (security level=0). If an initial IP packet is sent to the inside interface from your internal network, PIX will check the destination. Here, we assume that its destination is somewhere on the Internet. Then, according to the routing table, PIX will send it out of its outside interface, and record the packet information such as IP addresses (source and destination), port numbers (source and destination), sequence numbers... Then, a stateful table will be generated. When the reply packet comes back from the Internet, PIX will check its stateful table. If the reply packet information matches, PIX will let this reply packet out of the inside interface.
PIX will not restrict the packet flow from a high security level interface to a low security level interface unless there is an access-list applied on that high security level interface.
I think what you need to be concerned with is -- well define the security level of each interface. (By default, inside is 100 and outside is 0.) Then, you have to think about what services should be allowed access from the low security level interface to the high security level interface. Just use an access-list to allow them and apply it on the low security level interface. The stateful information will also be added to the stateful table whenever the packet comes.
Of course this is a BASIC configuration. If you want to know more advanced topics, such as fixup protocol, mailguard,... you have to find them in the technical documentation.
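The behaviour described in the reply above (outbound flows from the high-security interface create a state entry, replies are matched against that table, and unsolicited traffic from the low-security interface needs an explicit access-list permit) can be modelled in a few dozen lines. The following is an added example written for this page, not Cisco code and not a PIX configuration: the interface names, security levels, addresses and the `PixModel` class are constructed for illustration, and the model ignores NAT, connection timeouts and TCP sequence checking.

```python
"""Toy model of PIX-style stateful inspection (constructed example, not Cisco code).

Hypothetical setup: two interfaces, 'inside' (level 100) and 'outside' (level 0),
and optional access-lists applied inbound on an interface. Addresses are
documentation/RFC1918 ranges chosen for the example only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    in_iface: str  # interface on which the packet arrives


class PixModel:
    def __init__(self, levels):
        self.levels = levels  # e.g. {"inside": 100, "outside": 0}
        self.acls = {}        # iface -> list of (proto, dst, dport) permitted inbound
        self.state = set()    # stateful table: 5-tuples of flows that were permitted

    def apply_acl(self, iface, entries):
        """Apply an inbound access-list to an interface (replaces any previous one)."""
        self.acls[iface] = entries

    def _egress(self, dst):
        # Simplified routing table: 10.0.0.0/8 lives behind 'inside', all else is 'outside'.
        return "inside" if dst.startswith("10.") else "outside"

    def _acl_permits(self, pkt):
        for proto, dst, dport in self.acls.get(pkt.in_iface, []):
            if proto == pkt.proto and dst in ("any", pkt.dst) and dport == pkt.dport:
                return True
        return False

    def forward(self, pkt):
        """Return 'permit:<egress interface>' or 'drop:<reason>'."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        out = self._egress(pkt.dst)

        # 1. A reply to a flow already in the stateful table is allowed through.
        if reverse in self.state:
            return f"permit:{out}"

        # 2. New flow from a higher to a lower security level: allowed unless an
        #    access-list on the ingress interface says otherwise; record state.
        if self.levels[pkt.in_iface] > self.levels[out]:
            if pkt.in_iface in self.acls and not self._acl_permits(pkt):
                return "drop:acl"
            self.state.add(key)
            return f"permit:{out}"

        # 3. New flow from a lower to a higher security level: only an explicit
        #    permit on the low-security interface lets it in (and it becomes stateful).
        if self._acl_permits(pkt):
            self.state.add(key)
            return f"permit:{out}"
        return "drop:no-state-no-acl"


def demo():
    """Walk through the scenario from the post; returns the verdict for each packet."""
    pix = PixModel({"inside": 100, "outside": 0})
    results = {}

    # Internal host opens a connection to a web server on the Internet.
    syn = Packet("tcp", "10.1.1.5", 40000, "198.51.100.7", 80, "inside")
    results["outbound"] = pix.forward(syn)

    # The server's reply matches the stateful table and is passed to 'inside'.
    reply = Packet("tcp", "198.51.100.7", 80, "10.1.1.5", 40000, "outside")
    results["reply"] = pix.forward(reply)

    # An unsolicited connection attempt from outside has no state and no ACL permit.
    probe = Packet("tcp", "198.51.100.7", 5555, "10.1.1.5", 22, "outside")
    results["unsolicited"] = pix.forward(probe)

    # Publishing an internal web server: permit only tcp/80 to that host on 'outside'.
    pix.apply_acl("outside", [("tcp", "10.1.1.80", 80)])
    web = Packet("tcp", "203.0.113.9", 51000, "10.1.1.80", 80, "outside")
    results["web_inbound"] = pix.forward(web)

    # The server's answer is a reply to the permitted flow, so no inside ACL is needed.
    web_reply = Packet("tcp", "10.1.1.80", 80, "203.0.113.9", 51000, "inside")
    results["web_reply"] = pix.forward(web_reply)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} {verdict}")
```

The point the model makes visible is that the only thing the administrator has to decide is the security level of each interface and which services the low-security side may initiate; everything else (replies, and new flows from the trusted side) is handled by the stateful table without any access-list on the inside interface.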
I am currently unable to specify the "crypto keyring" command when configuring a VPN connection on my Cisco 2901 router.
The following licenses have been activated on my router: