575 Views, 0 Helpful, 2 Replies

Order of Operation for PIX

milanvng
Level 1

I am planning to migrate from Conduits to ACLs, and I am interested in knowing the order of operation.

Let's suppose I have an access-list on the outside interface that allows HTTP & HTTPS packets to the Web server; however, on the DMZ interface I am only allowing SMTP packets.

Do I need to allow packets from the Web server on the DMZ interface?

Does the PIX check the state table before ACLs?

(Please let me know if there is any document that discusses the order of operation.)

Thank you.

Accepted Solution

scoclayton
Level 7

I am a little confused by your example but I think I know what you are looking for.

Yes, the PIX does check for an established connection before checking ACLs. Therefore, if the packet was allowed in via the ACL on your outside interface to a DMZ web server, the reply would be automatically allowed. You would need to explicitly permit any traffic via the ACL on the DMZ interface that you wanted to be sourced (initiated, that is, not a response) from the web server on the DMZ. For instance, opening a web browser on the web server machine itself would need to be allowed.

And, ACLs have a higher priority than conduits, so mixing them is not a good idea (just an FYI).

Scott

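The order of operation Scott describes (state table first, then the ACL bound to the ingress interface, and only for packets that start a new connection) can be seen in a small model. The code below is an added illustration written for this thread, not Cisco code and not PIX behaviour in full detail: NAT/xlate handling is left out, the addresses and ports are constructed, and the ACL data only mirrors the hypothetical PIX 6.x `access-list` / `access-group` lines shown in the comments. It models the poster's setup (outside ACL permits HTTP/HTTPS to the web server, DMZ ACL permits only SMTP) and shows that the web server's replies pass on the DMZ interface while a connection the web server initiates does not.

```python
"""Toy model of the PIX order of operation: connection table first, then
the ACL on the ingress interface for packets that open a new connection.
Constructed example for this thread; not Cisco code. NAT is not modelled."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ingress: str        # interface the packet arrives on: "outside" or "dmz"
    proto: str          # only "tcp" is used here
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True for the first packet of a TCP connection


# Interface ACLs as (proto, src, dst, dport) permit entries; "any" matches
# everything, and anything not listed is denied. They model these
# hypothetical PIX 6.x lines (constructed for this example):
#   access-list outside_in permit tcp any host 192.0.2.10 eq www
#   access-list outside_in permit tcp any host 192.0.2.10 eq https
#   access-group outside_in in interface outside
#   access-list dmz_in permit tcp host 192.0.2.25 any eq smtp
#   access-group dmz_in in interface dmz
ACLS = {
    "outside": [("tcp", "any", "192.0.2.10", 80),
                ("tcp", "any", "192.0.2.10", 443)],
    "dmz":     [("tcp", "192.0.2.25", "any", 25)],
}


def acl_permits(entries, pkt):
    """First-match evaluation of an ACL; implicit deny at the end."""
    for proto, src, dst, dport in entries:
        if (proto == pkt.proto
                and src in ("any", pkt.src)
                and dst in ("any", pkt.dst)
                and dport in ("any", pkt.dport)):
            return True
    return False


class StatefulFirewall:
    def __init__(self, acls):
        self.acls = acls
        self.conns = set()   # established connections, keyed by 5-tuple

    @staticmethod
    def _key(pkt):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reverse_key(pkt):
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def process(self, pkt):
        # Step 1: connection table. A packet belonging to an existing
        # connection, in either direction, is forwarded without any ACL check.
        if self._key(pkt) in self.conns or self._reverse_key(pkt) in self.conns:
            return "permit (existing connection)"
        # A TCP packet that is not a SYN and matches no connection is dropped
        # before ACLs are consulted (the PIX logs this as "no connection").
        if pkt.proto == "tcp" and not pkt.syn:
            return "deny (no connection)"
        # Step 2: new connection, so the ACL of the ingress interface decides.
        if acl_permits(self.acls.get(pkt.ingress, []), pkt):
            self.conns.add(self._key(pkt))
            return "permit (ACL, connection created)"
        return "deny (ACL)"


def run_scenario():
    """Replay the poster's scenario; addresses are constructed (RFC 5737)."""
    fw = StatefulFirewall(ACLS)
    client, web, mail = "198.51.100.7", "192.0.2.10", "192.0.2.25"
    results = {}
    # 1. Outside client opens HTTPS to the DMZ web server: outside ACL permits.
    results["client_syn"] = fw.process(Packet("outside", "tcp", client, 51000, web, 443, syn=True))
    # 2. Web server replies on the DMZ interface, whose ACL permits only SMTP:
    #    allowed anyway, because the connection already exists.
    results["web_reply"] = fw.process(Packet("dmz", "tcp", web, 443, client, 51000))
    # 3. Web server itself initiates outbound HTTP: no connection, DMZ ACL denies.
    results["web_initiated"] = fw.process(Packet("dmz", "tcp", web, 40000, "203.0.113.5", 80, syn=True))
    # 4. Mail server initiates outbound SMTP: DMZ ACL permits.
    results["mail_initiated"] = fw.process(Packet("dmz", "tcp", mail, 40001, "203.0.113.25", 25, syn=True))
    # 5. Outside host tries SSH to the web server: outside ACL denies.
    results["client_ssh"] = fw.process(Packet("outside", "tcp", client, 51001, web, 22, syn=True))
    # 6. Stray ACK from outside with no matching connection: dropped before ACLs.
    results["stray_ack"] = fw.process(Packet("outside", "tcp", client, 51002, web, 443))
    return results


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:15s} -> {verdict}")
```

Case 2 is the one the question hinges on: the DMZ ACL never sees the web server's reply because the connection created in case 1 matches first. Case 3 is the traffic Scott says must be permitted explicitly if wanted; with the poster's stated goal of allowing nothing sourced from the web server, the DMZ ACL as written already does that.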

2 Replies


Thanks Scott.

That was the exact answer I was looking for.

I do not want any traffic going out from my Web server, but I want clients to be able to connect via HTTP and HTTPS.

Thanks again.
