PIX access list question

Greetings;

If you are allowing traffic into your DMZ interface (security 20) from your outside interface (security 0) and your ingress access is controlled by an access list applied to your outside interface, would you need to place an access list to your DMZ for traffic going to your outside interface?

I currently do this and I'm wondering if this is a not-so-good idea.

Also, when you apply the access-group OUTSIDE-IN in interface outside, what does "in" really mean?

Hostile traffic from the internet and traffic from within your private network hitting the outside interface could all be deemed as coming "in" to the outside interface. Can someone offer words of wisdom please?

Kind Regards

Jeff

1 REPLY

Re: PIX access list question

Jeff,

No, you do not need to add an ACL on the DMZ interface to allow replies to the connections coming from the outside world. The replies are always allowed.

But when you do not have an access-list on the DMZ interface, the DMZ hosts cannot connect to the internet, for example with a browser, which is, from a security perspective, a good thing.

The statement IN in the access-group means incoming, which means from the Internet (outside interface) into the DMZ or inside interface.

In FWSM or PIX OS 7.0 you can now use ACLs in both directions, which was not possible in the PIX OS 6.x code.

sincerely

Patrick
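The configuration below is an added example (PIX OS 6.3 syntax) and is not from either post in this thread. It puts the two answers side by side: an OUTSIDE-IN list bound "in" on the outside interface, which filters only packets arriving on that wire from the Internet, and a separate DMZ-IN list that limits what the DMZ may initiate. Replies to the permitted inbound sessions are matched by the connection table and need no entry in DMZ-IN. All interface names, addresses and the server's ports are assumed for illustration; on 6.x and 7.x the outside ACL matches the global (translated) address from the static, not the DMZ host's real address.

```cisco
! Added example, not from the original thread. PIX OS 6.3 syntax.
! Assumed addressing: outside 203.0.113.2/29, inside 192.168.1.1/24, dmz 10.1.1.1/24
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security20
ip address outside 203.0.113.2 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 10.1.1.1 255.255.255.0

! Assumed DMZ web server 10.1.1.10, published on global address 203.0.113.3
static (dmz,outside) 203.0.113.3 10.1.1.10 netmask 255.255.255.255

! Ingress policy. "in interface outside" = evaluated on packets received on the
! outside interface from the wire. Traffic from the inside network leaving through
! outside is not evaluated here; its return packets are matched by the conn table.
! On 6.x/7.x the destination is the translated (global) address.
access-list OUTSIDE-IN permit tcp any host 203.0.113.3 eq www
access-list OUTSIDE-IN permit tcp any host 203.0.113.3 eq https
access-list OUTSIDE-IN deny ip any any
access-group OUTSIDE-IN in interface outside

! NAT for sessions the DMZ itself initiates toward the outside.
nat (dmz) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface

! Egress policy for the DMZ. Replies to the OUTSIDE-IN sessions above do not hit
! this list; only new connections started by DMZ hosts do. Traffic from a higher
! security level (dmz, 20) to a lower one (outside, 0) is not blocked by the
! levels themselves once a nat/global pair exists, so this list is what actually
! constrains what a compromised DMZ host can reach. Assumed resolver 203.0.113.53.
access-list DMZ-IN permit udp host 10.1.1.10 host 203.0.113.53 eq domain
access-list DMZ-IN permit udp host 10.1.1.10 any eq ntp
access-list DMZ-IN deny ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list DMZ-IN deny ip any any
access-group DMZ-IN in interface dmz
```

To confirm the behaviour after applying this, open a session from the Internet to 203.0.113.3 port 80 and check `show conn` for the 10.1.1.10 entry and `show access-list` for hit counts: the OUTSIDE-IN permit line increments, while the DMZ-IN counters stay at zero for the server's replies and only move when the DMZ host starts a connection of its own. The explicit `deny ip any any` lines change nothing functionally (the implicit deny already exists) but give you a counter for rejected traffic.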
