PIX Security Flaw?? No Access-lists applied when routing out same interface

diavosh
Level 1

I have a router sending multiple subnets into the DMZ interface of my PIX (10.1.x.0/24), and a static route on the DMZ interface (10.1.0.0/16) sending all replies back.

This works fine, but any access-lists applied to the DMZ interface are ignored if the route is out of the same interface - for example an access list to deny 10.1.1.0/24 access to 10.1.2.0/24 has no effect.

Does the PIX only check access-lists AFTER routing? Surely this is a bit of a security hole - or am I missing something obvious?

BTW I cannot set anything on the router (outsourced); any config needs to be on the PIX.

Thanks for any relevant pointers!

1 Reply

Not applicable

From what I understand, PIX, unlike routers, only examines traffic as it comes in to the interface. So if you are routing traffic in and out of the same interface then it would apply that ACL. That's the reason why you can only do access-group in.

To summarize, PIX does not work very well as a router.
