Cisco Support Community
New Member

Pix no longer permitting traffic from higher to lower priority

In release 6.3.3, does the PIX no longer implicitly permit traffic from a higher priority interface to a lower priority interface other than the respective inside and outside interfaces? Or is this a caveat in the code itself? For some reason, I am now required to configure an access list for a device on a perimeter interface or DMZ for any external traffic the device initiates to an Internet host.

3 REPLIES
New Member

Re: Pix no longer permitting traffic from higher to lower priori

In order to pass traffic from a lower security level interface to a higher security level interface (outside to inside or dmz, or dmz to inside) you must create a static address translation and an access list. In order to travel the other direction (inside or dmz to outside) you must use a nat and global command.

Dan
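The two directions described in the reply above, as an added PIX 6.x configuration fragment that is not part of the original thread. The interface names (`dmz`, `outside`), the ACL name `acl_out`, and all addresses are constructed placeholders; lines starting with `!` are annotations, not commands.

```text
! Higher -> lower security (dmz -> outside): translation only.
! nat selects the dmz hosts to translate; global with the same
! nat id (1) supplies the address they are translated to.
nat (dmz) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface

! Lower -> higher security (outside -> dmz): a static translation
! for the server plus an access list bound to the outside interface.
static (dmz,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
access-list acl_out permit tcp any host 203.0.113.10 eq www
access-group acl_out in interface outside

! Caveat: no access-group is bound to dmz here, so traffic the dmz
! hosts initiate is permitted by default. Once an access list is
! bound to an interface with access-group, traffic entering that
! interface is checked against it, and anything not explicitly
! permitted is denied.
```

`show access-group` lists which access lists are bound to which interfaces, which is the first thing to check when traffic from a higher security interface stops passing.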

New Member

Re: Pix no longer permitting traffic from higher to lower priori

Dan,

Thanks for your reply. I presently have a TAC case open. The traffic in question is outbound traffic from the DMZ to the outside interface. The server has a corresponding public static nat statement, but is unable to transmit traffic. In troubleshooting, I have found that if I configure an access list, then traffic is permitted. However, I thought an access-list was not required, as the traffic is implicitly permitted from a higher to lower priority interface. I have researched it and found this link, where the information in the subtopic "Allowing Outbound Access" confirms my thoughts. So, could this be a caveat in the code?

http://cisco.com/warp/public/707/28.html#intro

New Member

Re: Pix no longer permitting traffic from higher to lower priori

Can you post your config?
