04-11-2003 12:13 PM - edited 02-20-2020 10:41 PM
By default PIX allows unrestricted outbound access unless something is explicitly denied.
1. Then is it true that any permit statement applied to traffic coming into the inside interface is redundant? E.g.
access-list acl_in permit tcp any any
access-group acl_in in interface inside
I mean, having it or not having it won't make any difference if I want to give everyone full TCP access to the outside, would it?
2.
Set 1:
access-list acl_in permit ip any any
access-group acl_in in interface inside
Set 2:
access-list acl_in permit icmp any any
access-list acl_in permit tcp any any
access-group acl_in in interface inside
If I have the 1st set, do I need the 2nd set, or is it already included, as all TCP and ICMP packets are encapsulated within IP anyway?
Thanks
04-11-2003 12:30 PM
1. That is true.
2. You are correct. Also, the "ip" keyword covers tcp, udp, and icmp.
RJ
04-12-2003 12:15 PM
Hi.
> 1. ... any permit statement applied to traffic coming into the inside interface is redundant ...
No.
Once you apply an ACL to the inside interface, it overrides and disables the implicit outbound rule.
For example, this:
access-list acl_in permit tcp any any
access-group acl_in in interface inside
will block any UDP and ICMP traffic, while allowing TCP only.
> 2. ...if I have the 1st set do I need the 2nd set
IP encapsulates TCP, UDP, ICMP, and other traffic like VPN protocols: ESP, GRE, etc.
Yizhar
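To make the behaviour Yizhar describes concrete, here is a small Python model of how the PIX evaluates outbound traffic on the inside interface. It is an added example, not code from the thread or from Cisco: it assumes (as the thread states) that with no access-group bound the implicit outbound rule permits everything, that a bound ACL is evaluated top-down and ends in an implicit deny, and that the "ip" keyword matches every IP protocol. The packets and the ACL grammar it parses are constructed for illustration; the ACL sets are the ones from the question plus the TCP-only list from Yizhar's reply.

```python
"""Toy model of PIX outbound filtering on the inside interface (added example).

Assumptions taken from the thread, not from a real PIX:
  - no access-group bound to inside  -> implicit outbound permit;
  - an ACL bound to inside is checked top-down and ends in an implicit deny;
  - the "ip" protocol keyword matches any IP protocol (tcp, udp, icmp, esp, gre, ...).
Only the 'access-list NAME permit|deny PROTO SRC DST' form with 'any' or CIDR
addresses is parsed; this is a hypothetical grammar for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp", "udp", "icmp", "esp", "gre", ...
    src: str
    dst: str


@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    proto: str   # "ip" or a specific protocol name
    src: str     # "any" or CIDR
    dst: str     # "any" or CIDR


def _addr_matches(field: str, addr: str) -> bool:
    return field == "any" or ip_address(addr) in ip_network(field, strict=False)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    proto_ok = ace.proto == "ip" or ace.proto == pkt.proto
    return proto_ok and _addr_matches(ace.src, pkt.src) and _addr_matches(ace.dst, pkt.dst)


def outbound_decision(acl, pkt: Packet) -> str:
    """acl is None when no access-group is applied to the inside interface."""
    if acl is None:
        return "permit"  # implicit outbound rule: nothing bound, everything allowed
    for ace in acl:      # first matching entry wins
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"        # implicit deny at the end of every bound ACL


def parse_acl(lines):
    """Parse 'access-list NAME permit|deny PROTO SRC DST' lines into Ace objects."""
    aces = []
    for line in lines:
        parts = line.split()
        if len(parts) != 6 or parts[0] != "access-list":
            raise ValueError(f"unsupported line: {line!r}")
        _, _name, action, proto, src, dst = parts
        aces.append(Ace(action, proto, src, dst))
    return aces


# Constructed sample traffic: one inside host talking to one outside host.
SAMPLE_PACKETS = [
    Packet("tcp", "10.1.1.5", "198.51.100.7"),
    Packet("udp", "10.1.1.5", "198.51.100.7"),
    Packet("icmp", "10.1.1.5", "198.51.100.7"),
    Packet("esp", "10.1.1.5", "198.51.100.7"),  # IPsec, as Yizhar mentions
]

ACL_SETS = {
    "no-acl": None,
    "tcp-only": parse_acl(["access-list acl_in permit tcp any any"]),
    "set1": parse_acl(["access-list acl_in permit ip any any"]),
    "set2": parse_acl(["access-list acl_in permit icmp any any",
                       "access-list acl_in permit tcp any any"]),
}


def compare_sets():
    """Return {acl_name: {protocol: decision}} for every sample packet."""
    return {name: {p.proto: outbound_decision(acl, p) for p in SAMPLE_PACKETS}
            for name, acl in ACL_SETS.items()}


if __name__ == "__main__":
    for name, decisions in compare_sets().items():
        print(f"{name:9s} {decisions}")
```

Running it shows the three points of the thread side by side: with no ACL bound every protocol is permitted; the TCP-only list from the first question drops UDP, ICMP and ESP because the implicit deny now applies; set 1 ("ip any any") behaves like having no ACL, while set 2 permits ICMP and TCP but still drops UDP and ESP, so it is narrower than set 1, not equivalent to it.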