PIX Outbound Constraints

cyee
Level 1

I'm in the process of converting from conduits to ACL and need some clarification on constraining outbound traffic. The situation is that inside zone hosts (highest security) are banned from certain DMZs (lower security).

I have been using outbound deny & apply to enforce these constraints.

Questions:

1) Are these statements still current and recommended in an ACL environment?

2) The access-group documentation/syntax uses an "in" parameter but has no mention of whether there is an "out" parameter. Is there one?

TIA

1 Reply

David White
Cisco Employee

1) you can still use outbound statements, but they are not recommended.

2) No, there is no "out" parameter. Reason being, traffic coming "in" one interface has to go "out" another interface. So, better to block the traffic coming in, than going out.

In your case, you would apply an access-list inbound on the Inside interface. It would have "deny" statements for hosts going from the inside to the DMZ servers you don't want them to reach, and then a "permit ip any any" at the end for everything else.

Also, the Output Interpreter tool on CCO will soon have a conduit/outbound -> ACL converter. Stay tuned.

Hope that helps,

David.
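The inbound-ACL approach described in the reply, written out as a constructed PIX 6.x configuration fragment (an added example, not from the original thread; the inside subnet 10.1.1.0/24, the DMZ host 192.168.10.5, the DMZ subnet 192.168.20.0/24 and the ACL name inside_in are placeholders):

```text
! Constructed example: replace outbound/apply with an ACL applied inbound
! on the inside interface. Deny entries first, then permit everything else.

! Block one inside subnet from a single DMZ server
access-list inside_in deny ip 10.1.1.0 255.255.255.0 host 192.168.10.5

! Block all inside hosts from an entire DMZ subnet
access-list inside_in deny ip any 192.168.20.0 255.255.255.0

! Everything else from the inside is allowed (implicit deny otherwise)
access-list inside_in permit ip any any

! Bind the list inbound on the inside interface (there is no "out" keyword)
access-group inside_in in interface inside
```

After applying it, `show access-list` displays per-entry hit counts, which confirms that blocked flows are matching the deny lines rather than falling through to the final permit.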
