PIX Security Flaw?? No Access-lists applied when routing out same interface
I have a router sending multiple subnets into the DMZ interface of my PIX (10.1.x.0/24), and a static route on the DMZ interface (10.1.0.0/16) sending all replies back.
This works fine, but any access-lists applied to the DMZ interface are ignored if the route is out of the same interface - for example an access list to deny 10.1.1.0/24 access to 10.1.2.0/24 has no effect.
Does the PIX only check access-lists AFTER routing? Surely this is a bit of a security hole - or am I missing something obvious?
BTW I cannot set anything on the router (outsourced) any config needs to be on the PIX.
Re: PIX Security Flaw?? No Access-lists applied when routing out
From what I understand, PIX, unlike routers, only examines traffic as it comes in to the interface. So if you are routing traffic in and out of the same interface then it would apply that ACL. That's the reason why you can only do access-group in.
To summarize, PIX does not work very well as a router.
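As an added example (not posted in the thread), this is how the setup and the access list described above would be written in PIX configuration syntax; the interface name dmz, the ACL name dmz_in and the next-hop router address 10.1.0.1 are assumed values, not taken from the original post:

```cisco
! Deny 10.1.1.0/24 -> 10.1.2.0/24, allow everything else (PIX uses netmasks, not wildcard bits)
access-list dmz_in deny ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list dmz_in permit ip any any
! PIX only offers the "in" direction: the ACL is checked on packets entering the
! dmz interface, so there is no separate outbound check when the packet leaves dmz again
access-group dmz_in in interface dmz
! Static route sending the 10.1.0.0/16 replies back out the dmz interface
! (10.1.0.1 is a constructed placeholder for the outsourced router)
route dmz 10.1.0.0 255.255.0.0 10.1.0.1 1
```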