I have a router sending multiple subnets into the DMZ interface of my PIX (10.1.x.0/24), and a static route on the DMZ interface (10.1.0.0/16) sending all replies back.
This works fine, but any access-lists applied to the DMZ interface are ignored if the route is out of the same interface - for example an access list to deny 10.1.1.0/24 access to 10.1.2.0/24 has no effect.
Does the PIX only check access-lists AFTER routing? Surely this is a bit of a security hole - or am I missing something obvious?
BTW I cannot set anything on the router (outsourced); any config needs to be on the PIX.
Thanks for any relevant pointers!
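For anyone reproducing the setup described above, here is an added PIX configuration fragment (not from the original post) that expresses the same route and access-list, plus the commands a practitioner would use to check whether the PIX is actually seeing the 10.1.1.0/24 to 10.1.2.0/24 packets at all. The interface name `dmz`, the router's DMZ-side address 10.1.0.1, the ACL names and the capture name are assumptions for the example; the `capture` command requires PIX 6.2 or later.

```cisco
! --- Setup as described in the post (assumed names and addresses) ---
! Send everything in 10.1.0.0/16 back out the DMZ interface to the router
route dmz 10.1.0.0 255.255.0.0 10.1.0.1

! Deny 10.1.1.0/24 -> 10.1.2.0/24, permit the rest, applied inbound on dmz.
! PIX access-lists take subnet masks, not wildcard masks.
access-list dmz_in deny ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list dmz_in permit ip any any
access-group dmz_in in interface dmz

! --- Checks ---
! 1. Hit counts: if the deny line never increments while the hosts can
!    still talk, the packets are not being evaluated by this ACL.
show access-list dmz_in

! 2. Capture on the dmz interface, limited to the flow in question, to see
!    whether the packets reach the PIX at all. If the router has both
!    subnets directly attached it can forward between them without ever
!    handing the traffic to the firewall, and no PIX ACL can then affect it.
access-list cap_acl permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
capture dmzcap access-list cap_acl interface dmz
show capture dmzcap
! Remove the capture when done
no capture dmzcap
```

Read the two checks together: a zero hit count on the deny line combined with an empty capture means the traffic is not transiting the PIX, which is a routing-path question rather than an ACL-ordering one; a non-empty capture with a zero hit count is what you would need to see before concluding that the firewall is skipping the access-list for traffic routed back out the same interface.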