New Member

PIX and TCP/IP philosophy

By default PIX allows unrestricted outbound access unless something is explicitly denied.

1. Then is it true that any permit statement applied to traffic coming into the inside interface is redundant? For example:

access-list acl_in permit tcp any any

access-group acl_in in interface inside

I mean, having it or not having it won't make any difference if I want to give everyone full TCP access to the outside, would it?

2.

set 1

access-list acl_in permit ip any any

access-group acl_in in interface inside

set 2

access-list acl_in permit icmp any any

access-list acl_in permit tcp any any

access-group acl_in in interface inside

If I have the 1st set, do I need the 2nd set, or is it included, as all TCP and ICMP packets are encapsulated within IP only?

Thanks

2 REPLIES
New Member

Re: PIX and TCP/IP philosophy

1. That is true

2. You are correct. Also, the "ip" keyword covers tcp, udp, and icmp.

RJ

New Member

Re: PIX and TCP/IP philosophy

Hi.

> 1. ... any permit statement applied to traffic coming into the inside interface is redundant ...

No.

Once you apply an ACL to the inside interface, it overrides and disables the implicit outbound rule.

For example, this:

access-list acl_in permit tcp any any

access-group acl_in in interface inside

will block any UDP and ICMP traffic, while allowing TCP only.

> 2. ...if I have the 1st set do I need the 2nd set

IP encapsulates TCP, UDP, ICMP, and other traffic like VPN protocols: ESP, GRE, etc.

Yizhar
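The two points in this thread (an applied access-group ends the default outbound permit, and the "ip" keyword matches every IP protocol) can be checked with a small evaluator. The block below is an added example written for this page; it is not Cisco code and not from either poster. It parses only the "permit|deny <proto> any any" and "access-group <name> in interface <iface>" forms quoted above, and it assumes the bound interface is the higher-security inside interface, so that with no ACL bound the outbound default is permit.

```python
"""Toy PIX-style access-list evaluator (added example, not Cisco code).

Models two behaviours discussed in the thread:
  * once an access-group binds an ACL to an interface, any packet that no
    permit line matches hits the implicit deny at the end of the list, so
    the default "unrestricted outbound" behaviour no longer applies;
  * the "ip" protocol keyword matches every IP protocol (tcp, udp, icmp,
    gre, esp, ...), so "permit ip any any" already covers tcp and icmp.
Only the "permit|deny <proto> any any" form quoted in the thread is parsed.
Assumption: the bound interface is the higher-security inside interface, so
with no ACL bound the outbound default is "permit".
"""
import re

ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>\S+)\s+any\s+any$"
)
GROUP_RE = re.compile(
    r"^access-group\s+(?P<name>\S+)\s+in\s+interface\s+(?P<iface>\S+)$"
)


def parse_config(text):
    """Return (acls, bindings): acls maps ACL name -> ordered list of
    (action, protocol); bindings maps interface name -> ACL name.
    Any line outside the supported forms raises ValueError."""
    acls, bindings = {}, {}
    for raw in text.splitlines():
        line = " ".join(raw.split())  # normalise whitespace
        if not line:
            continue
        m = ACE_RE.match(line)
        if m:
            acls.setdefault(m["name"], []).append((m["action"], m["proto"]))
            continue
        m = GROUP_RE.match(line)
        if m:
            bindings[m["iface"]] = m["name"]
            continue
        raise ValueError("unsupported line: " + line)
    return acls, bindings


def ace_matches(ace_proto, pkt_proto):
    """'ip' is the superset keyword; anything else must match exactly."""
    return ace_proto == "ip" or ace_proto == pkt_proto


def evaluate(config_text, iface, pkt_proto):
    """Return 'permit' or 'deny' for a packet of protocol pkt_proto
    arriving on interface iface under the given configuration."""
    acls, bindings = parse_config(config_text)
    acl_name = bindings.get(iface)
    if acl_name is None:
        return "permit"  # no ACL bound: default outbound behaviour (assumed)
    for action, proto in acls.get(acl_name, []):
        if ace_matches(proto, pkt_proto):
            return action  # first match wins
    return "deny"  # implicit deny at the end of every applied ACL


# Constructed copies of the three configurations quoted in the thread.
TCP_ONLY = """
access-list acl_in permit tcp any any
access-group acl_in in interface inside
"""
SET_1 = """
access-list acl_in permit ip any any
access-group acl_in in interface inside
"""
SET_2 = """
access-list acl_in permit icmp any any
access-list acl_in permit tcp any any
access-group acl_in in interface inside
"""

PROTOCOLS = ("tcp", "udp", "icmp", "gre", "esp")


def summarize(config_text, iface="inside"):
    """Map each protocol to the verdict the configuration gives it."""
    return {p: evaluate(config_text, iface, p) for p in PROTOCOLS}


if __name__ == "__main__":
    for label, cfg in (("no ACL", ""), ("tcp only", TCP_ONLY),
                       ("set 1", SET_1), ("set 2", SET_2)):
        print(f"{label:9s} {summarize(cfg)}")
```

Running it prints one verdict table per configuration: with no ACL bound everything is permitted, the tcp-only ACL denies udp, icmp, gre and esp, set 1 permits all five, and set 2 permits only tcp and icmp. The parser also rejects an access-group line that carries a stray "access-list" keyword, which is a cheap way to catch that kind of typo before it reaches a firewall.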
