PIX access list question

jkrawczyk
Level 1

Greetings;

If you are allowing traffic into your DMZ interface (security 20) from your outside interface (security 0) and your ingress access is controlled by an access list applied to your outside interface, would you need to place an access list to your DMZ for traffic going to your outside interface?

I currently do this and I'm wondering if this is a not-so-good idea.

Also, when you apply the access-group OUTSIDE-IN in interface outside, what does "in" really mean?

Hostile traffic from the internet and traffic from within your private network hitting the outside interface could all be deemed as coming "in" to the outside interface. Can someone offer words of wisdom please?

Kind Regards

Jeff

1 Reply

Patrick Iseli
Level 7

Jeff,

No, you do not need to add an ACL on the DMZ interface to allow replies to the connections coming from the outside world. The replies are always allowed.

But when you do not have an access-list on the DMZ interface, the DMZ hosts cannot connect to the internet, for example with a browser, which from a security perspective is a good thing.

The statement IN in the access-group means incoming, which means from the Internet (outside interface) into the DMZ or inside interface.

In FWSM or PIX OS 7.0 you can now use ACLs in both directions, which was not possible in the PIX OS 6.x code.

Sincerely,

Patrick

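The configuration the thread is discussing, written out as an added example (this is not from the original post or from either poster; interface names, addresses and the access-list names OUTSIDE-IN and DMZ-IN are assumed for illustration). It shows what "in" on the access-group binds to, why return traffic for inbound sessions does not need its own entry, and what an ACL on the DMZ interface does to traffic the DMZ hosts originate.

```cisco
! Added example, PIX 6.x-style syntax; addresses and names are assumed.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security20
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 192.168.20.1 255.255.255.0

! Translation entries: a static so the DMZ web server is reachable from outside,
! and a nat/global pair so DMZ hosts can be translated when they go out.
static (dmz,outside) 203.0.113.10 192.168.20.10 netmask 255.255.255.255
nat (dmz) 1 192.168.20.0 255.255.255.0
global (outside) 1 interface

! Ingress policy bound to the outside interface. "in" means packets that arrive
! at the firewall ON this interface, whatever their origin; it says nothing about
! where the packet is ultimately going. Only HTTP/HTTPS to the web server's
! public address is permitted; everything else hits the implicit deny.
access-list OUTSIDE-IN permit tcp any host 203.0.113.10 eq 80
access-list OUTSIDE-IN permit tcp any host 203.0.113.10 eq 443
access-group OUTSIDE-IN in interface outside

! Policy bound to the DMZ interface, governing connections the DMZ hosts start.
! Replies to the sessions permitted above come back through the state table and
! need no entry here. Without any ACL on this interface the PIX lets traffic flow
! from the higher security level (20) to the lower one (0) by default; once an ACL
! is bound, only what it permits may leave the DMZ, so list the exact services the
! hosts need, block the path into the inside network, and deny the remainder
! explicitly (the explicit deny gives you a hit counter and log entry to watch).
access-list DMZ-IN permit udp host 192.168.20.10 host 203.0.113.53 eq 53
access-list DMZ-IN deny ip 192.168.20.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list DMZ-IN deny ip any any
access-group DMZ-IN in interface dmz
```

On PIX OS 7.0 and FWSM the same DMZ restriction could instead be attached in the outbound direction of the interface the traffic leaves (`access-group NAME out interface outside`); on 6.x only `in` is available, which is why the DMZ-originated policy above is bound inbound on the dmz interface. Verify with `show access-list`, which prints per-entry hit counts: the OUTSIDE-IN entries should count inbound web sessions, and the explicit `deny ip any any` on DMZ-IN should stay at zero unless a DMZ host is trying something it should not.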