Cisco Support Community
New Member

PIX ALIAS AND ACCESS-LIST

PIX Current setup:-

Inside :- 10.32.0.0 /16

DMZ :- 10.112.3.0 /24

alias (inside) 54.10.10.62 10.112.3.62 255.255.255.255

access-list acl_in permit tcp host 10.32.0.242 host 54.10.10.62 eq ftp

access-list acl_in permit tcp host 10.32.0.242 host 10.112.3.62 eq ftp

Which entry in the access-list will be used? Will the access-list get checked before the DNAT function of the alias or after?

Thanks,

3 REPLIES
New Member

Re: PIX ALIAS AND ACCESS-LIST

The access-list check is the first thing to be performed and must permit the packet as it arrives at the PIX.

New Member

Re: PIX ALIAS AND ACCESS-LIST

So is the answer both ACLs need to be applied or just the first one?

The reason I ask is I've been told that the "foreign address" (the second address in the 'alias' command) is not reachable from the interface it is applied to. But if this is not true, then theoretically traffic could arrive on the inside interface destined for either address and one would be DNATed and the other wouldn't, right? And then we'd have to filter for both.
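A small Python model of the ordering the first reply states (the ACL is evaluated on the packet as it arrives, then the alias rewrite is applied on the named interface), added here as an example and not taken from the thread or from Cisco. It parses the three config lines posted above; the PORTS map and the packet dictionaries are constructed for the example. It shows that an inside host addressing 54.10.10.62 hits the first ACE and has its destination rewritten to 10.112.3.62, while a packet already addressed to 10.112.3.62 hits the second ACE and passes through untranslated, which is the two-path case the last reply raises.

```python
import ipaddress

# Copy of the three config lines from the thread (constructed input).
CONFIG = """
alias (inside) 54.10.10.62 10.112.3.62 255.255.255.255
access-list acl_in permit tcp host 10.32.0.242 host 54.10.10.62 eq ftp
access-list acl_in permit tcp host 10.32.0.242 host 10.112.3.62 eq ftp
"""

PORTS = {"ftp": 21}  # assumed service-name table for the example


def parse(config):
    """Split the config into alias entries and access-list entries."""
    aliases, aces = [], []
    for line in config.strip().splitlines():
        f = line.split()
        if f[0] == "alias":
            # alias (if) dnat_ip foreign_ip mask: inside hosts address dnat_ip,
            # the PIX rewrites the destination to foreign_ip (as the OP describes)
            aliases.append((f[1].strip("()"), f[2], f[3], f[4]))
        elif f[0] == "access-list":
            # access-list NAME permit PROTO host SRC host DST eq PORT
            aces.append({"name": f[1], "action": f[2], "proto": f[3],
                         "src": f[5], "dst": f[7], "port": PORTS[f[9]]})
    return aliases, aces


def process(packet, aliases, aces, iface="inside"):
    """Return (index of the matching ACE or None, destination after alias DNAT)."""
    # Step 1 (per the reply): the ACL sees the packet as it arrived, pre-translation
    matched = None
    for i, ace in enumerate(aces):
        if (ace["proto"] == packet["proto"] and ace["src"] == packet["src"]
                and ace["dst"] == packet["dst"] and ace["port"] == packet["dport"]):
            matched = i
            break
    if matched is None or aces[matched]["action"] != "permit":
        return None, None  # implicit deny: dropped before any translation happens
    # Step 2: the alias rewrites the destination only on the interface it names
    dst = packet["dst"]
    for alias_if, dnat_ip, foreign_ip, mask in aliases:
        net = ipaddress.ip_network(f"{dnat_ip}/{mask}", strict=False)
        if alias_if == iface and ipaddress.ip_address(dst) in net:
            dst = foreign_ip
    return matched, dst
```

Running `process` with a packet to 54.10.10.62 returns `(0, "10.112.3.62")`, and with a packet to 10.112.3.62 returns `(1, "10.112.3.62")`, so both ACEs are live for inside-originated traffic under this ordering.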
