
PIX and TCP/IP philosophy

vikrantarora
Level 1

By default PIX allows unrestricted outbound access unless something is explicitly denied.

1. Then is it true that any permit statement applied to traffic coming into the inside interface is redundant? For example:

access-list acl_in permit tcp any any

access-group acl_in in interface inside

I mean having it or not having it won't make any difference if I want to give everyone full TCP access to outside. Would it?

2.

set 1

access-list acl_in permit ip any any

access-group acl_in in interface inside

set 2

access-list acl_in permit icmp any any

access-list acl_in permit tcp any any

access-group acl_in in interface inside

If I have the 1st set, do I need the 2nd set, or is it included, as all TCP and ICMP packets are encapsulated within IP only?

Thanks


rj.remien
Level 1

1. That is true

2. You are correct. Also, the "ip" keyword covers tcp, udp, and icmp.

RJ

yizhar
Level 1

Hi.

> 1. ... any permit statement applied to traffic coming into the inside interface is redundant ...

No.

Once you apply an ACL to the inside interface, it overrides and disables the implicit outbound rule.

For example, this:

access-list acl_in permit tcp any any

access-group acl_in in interface inside

Will block any UDP and ICMP traffic, while allowing TCP only.

> 2. ...if I have the 1st set do I need the 2nd set

IP encapsulates TCP, UDP, ICMP, and other traffic like VPN protocols: ESP, GRE, etc.

Yizhar
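As an added illustration of the point the replies make (example code, not from either poster), here is a small Python model of the inside-interface policy: with no ACL bound, the implicit outbound permit applies; once an ACL is bound, it is evaluated first-match with an implicit deny at the end, and the `ip` keyword matches any IP protocol. The parser is a toy that accepts only `any any` ACEs, and the protocol list it is run over is a constructed sample.

```python
# Added example (not from the thread): toy model of how a PIX evaluates an
# ACL bound to the inside interface. Only "any any" ACEs are understood.


def load_config(lines):
    """Return ({acl_name: [(action, proto), ...]}, acl_name_bound_to_inside)."""
    acls, bound = {}, None
    for line in lines:
        parts = line.split()
        if parts[:1] == ["access-list"] and len(parts) == 6:
            _, name, action, proto, _src, _dst = parts
            acls.setdefault(name, []).append((action, proto))
        elif parts[:1] == ["access-group"] and len(parts) == 5:
            # access-group NAME in interface IFACE
            _, name, _direction, _kw, ifname = parts
            if ifname == "inside":
                bound = name
        else:
            raise ValueError(f"unsupported line: {line!r}")
    return acls, bound


def outbound_decision(config, proto):
    """Decide an inside->outside packet of the given protocol.

    No ACL bound: the implicit outbound permit applies. ACL bound: the
    implicit permit is gone, ACEs are tried first-match, and a packet that
    matches no ACE hits the implicit deny at the end of the list.
    """
    acls, bound = config
    if bound is None:
        return "permit"
    for action, ace_proto in acls.get(bound, []):
        if ace_proto == "ip" or ace_proto == proto:  # "ip" covers every IP protocol
            return action
    return "deny"


def decisions(lines, protos=("tcp", "udp", "icmp", "esp")):
    """Evaluate one config against a constructed sample of protocols."""
    config = load_config(lines)
    return {p: outbound_decision(config, p) for p in protos}


# The two configurations discussed in the thread.
TCP_ONLY = ["access-list acl_in permit tcp any any",
            "access-group acl_in in interface inside"]
IP_ANY = ["access-list acl_in permit ip any any",
          "access-group acl_in in interface inside"]

if __name__ == "__main__":
    print("no ACL  :", decisions([]))        # everything permitted
    print("tcp only:", decisions(TCP_ONLY))  # udp, icmp and esp denied
    print("ip any  :", decisions(IP_ANY))    # everything permitted
```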
