Access-group statements always apply an ACL to an interface with the command "in interface <interface name>". The Pix docs say that "this filters inbound packets at the given interface". I would like a clear definition of what is inbound. My understanding, according to the logic of the access-lists that I have applied, is that inbound is traffic going into the interface of the Pix from the connected subnet. So for the following interfaces, inbound traffic originates from the following subnet
outside - traffic originating from the Internet
inside - traffic originating from the inside Lan
dmz - traffic originating from the DMZ
I just wanted to verify this because this is in contrast with IOS router configs. My understanding is the following:
Outside s0 interface - inbound list applies to incoming traffic from the Internet
Inside e0/0 interface - inbound list applies to traffic coming into the inside subnet vs traffic going towards the interface as in my Pix example.
Could someone verify this, point me to a link or correct my examples?
The PIX acl is always, in IOS terms, an extended acl. It references a source of the packet and a destination. Traffic source and destination is always considered.
Router acls can be standard, only source of the packet, or extended, source and destination of the packet. They can also be applied in or out (in respect to the interface). ACL inbound means packets arriving at the interface, acl out means packets leaving the interface, whether that is an interface facing the internet or local lan. In/out references the interface, not its role/function.
Consider source and destination (makes the acl more granular), and whether traffic is leaving or entering (I almost always create them inbound as it saves bandwidth and router processing the packet) the interface when creating acls.
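The direction rule described in the answer above, as an added example that is not part of the original thread: a small Python model of which ACL a packet meets as it crosses a device. The interface names follow the question; the addresses, the rules and the `forward` helper are constructed for illustration, and the outbound binding models the IOS router case.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    action: str   # "permit" or "deny"
    src: str      # source network (CIDR)
    dst: str      # destination network (CIDR)

    def matches(self, src_ip, dst_ip):
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst))

@dataclass
class Interface:
    name: str
    subnet: str           # network reached through this interface
    acl_in: list = None   # filters packets arriving at the interface
    acl_out: list = None  # filters packets leaving through the interface

def evaluate(acl, src_ip, dst_ip):
    """First match wins; a bound ACL ends in an implicit deny; no ACL bound means permit."""
    if acl is None:
        return "permit"
    for rule in acl:
        if rule.matches(src_ip, dst_ip):
            return rule.action
    return "deny"

def forward(interfaces, src_ip, dst_ip):
    """Return the (interface, direction, verdict) checks a packet meets, in order."""
    def owner(ip):  # longest-prefix match picks the interface facing this address
        hits = [i for i in interfaces
                if ipaddress.ip_address(ip) in ipaddress.ip_network(i.subnet)]
        return max(hits, key=lambda i: ipaddress.ip_network(i.subnet).prefixlen)
    ingress, egress = owner(src_ip), owner(dst_ip)
    checks = [(ingress.name, "in", evaluate(ingress.acl_in, src_ip, dst_ip))]
    if checks[0][2] == "permit":  # the egress ACL is only reached if ingress permits
        checks.append((egress.name, "out", evaluate(egress.acl_out, src_ip, dst_ip)))
    return checks

# Constructed topology: the inside "in" list is written with the inside LAN as source,
# the outside "in" list with Internet sources and one published inside host as destination.
DEVICE = [
    Interface("outside", "0.0.0.0/0",
              acl_in=[Rule("permit", "0.0.0.0/0", "10.0.0.10/32")]),
    Interface("inside", "10.0.0.0/24",
              acl_in=[Rule("permit", "10.0.0.0/24", "0.0.0.0/0")]),
]
```

The inside "in" list would deny an Internet source through its implicit deny, yet a packet from 198.51.100.7 to 10.0.0.10 still passes, because traffic heading toward the inside subnet never meets that list.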