Cisco Support Community

New Member

PIX Outbound Constraints

I'm in the process of converting from conduits to ACL and need some clarification on constraining outbound traffic. The situation is that inside zone hosts (highest security) are banned from certain DMZs (lower security).

I have been using outbound deny & apply to enforce these constraints.

Questions:

1) Are these statements still current and recommended in an ACL environment?

2) The access-group documentation/syntax uses an "in" parameter but has no mention of whether there is an "out" parameter. Is there one?

TIA

1 REPLY
Cisco Employee

Re: PIX Outbound Constraints

1) You can still use outbound statements, but they are not recommended.

2) No, there is no "out" parameter. Reason being, traffic coming "in" one interface has to go "out" another interface. So, better to block the traffic coming in, than going out.

In your case, you would apply an access-list inbound on the Inside interface. It would have "deny" statements for hosts going from the inside to the DMZ servers you don't want them to reach, and then a "permit ip any any" at the end for everything else.

Also, the Output Interpreter tool on CCO will soon have a conduit/outbound -> ACL converter. Stay tuned.

Hope that helps,

David.
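A worked PIX configuration for the approach described in the reply, added here as an illustration rather than taken from the thread: the ACL is applied inbound on the inside interface, with specific deny lines ahead of a final permit. The ACL name, interface name and address ranges are constructed placeholders (PIX ACLs take normal subnet masks, not wildcard masks).

```cisco
! Constructed example: inside = 10.1.1.0/24, restricted DMZ = 192.168.10.0/24
! Order matters: the PIX evaluates an ACL top-down and stops at the first match.
! Block the whole inside network from the restricted DMZ segment
access-list inside_access_in deny ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0
! Block a single inside host from a single DMZ server on one service (HTTP)
access-list inside_access_in deny tcp host 10.1.1.5 host 192.168.20.15 eq www
! Everything else from the inside is allowed out (otherwise the implicit deny
! at the end of the ACL would block all inside-originated traffic)
access-list inside_access_in permit ip any any
! Bind the ACL to the inside interface; only the "in" direction exists
access-group inside_access_in in interface inside
```

After applying it, `show access-list inside_access_in` displays per-line hit counts, which confirms that the deny entries are being matched rather than falling through to the final permit.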
