PIX Security Flaw?? No Access-lists applied when routing out same interface

I have a router sending multiple subnets into the DMZ interface of my PIX (10.1.x.0/24), and a static route on the DMZ interface (10.1.0.0/16) sending all replies back.

This works fine, but any access-lists applied to the DMZ interface are ignored if the route is out of the same interface - for example an access list to deny 10.1.1.0/24 access to 10.1.2.0/24 has no effect.

Does the PIX only check access-lists AFTER routing? Surely this is a bit of a security hole - or am I missing something obvious?

BTW, I cannot set anything on the router (outsourced); any config needs to be on the PIX.

Thanks for any relevant pointers!

1 REPLY
Anonymous

Re: PIX Security Flaw?? No Access-lists applied when routing out

From what I understand, the PIX, unlike routers, only examines traffic as it comes in to the interface. So if you are routing traffic in and out of the same interface then it would apply that ACL. That's the reason why you can only do access-group in.

To summarize, the PIX does not work very well as a router.
