static entries, acls, and best practices

Hey everyone,

I need your input on a few things. I am in the process of learning the PIX IOS. I am also in the process of swapping out a WatchGuard firewall for a PIX515E and a VPN 3005.

With the WatchGuard, there were policies that were put into place. I would equate them to ACLs. I want to know what would be the best way to tackle something like this. For example, I want to deny all outbound traffic except for ports that I want to go through: HTTP, HTTPS, etc. Also, I want to limit traffic inbound to certain hosts, as well as limiting certain hosts on the inside to specific ports.

DNS, for example: I have two DNS servers on site. I only want DNS traffic inbound to those IP addresses.

SMTP, for example: I want all inbound traffic to be allowed only to one host on our network. Outbound, I have two SMTP servers that send email.

Can only one ACL be bound to the inside interface at one time? Would the outbound command be useful in this situation? Also, I have seen the static command. How would that apply?

Thank you for your time and patience with me.

Re: static entries, acls, and best practices

Statics should be used to expose internal hosts to the Internet, such as your SMTP and DNS servers. A static provides static NAT rather than dynamic NAT. nat/global statements provide dynamic NAT, and those hosts won't always be available for access from the outside unless they have already initiated an outbound session.

Only a single access-list can be bound to an interface. You should create one for the inside interface to specify exactly what traffic you want to allow to leave your network: HTTP/HTTPS, DNS, etc.

Build another ACL for the traffic you want to allow into the network from outside. This should obviously be limited to those services that need to be accessed from the Internet: DNS, SMTP, etc.

Traffic that is permitted into the network from the outside by an ACL will always be allowed to go back out even if your inside ACL has a "deny ip any any". So don't worry about providing entries in your inside ACL to allow return traffic for DNS requests, incoming mail, etc.

Conduit/outbound are "legacy" commands that have been replaced by ACLs. It's not recommended to use ACLs and conduit/outbound simultaneously. If you do, ACLs will take precedence over conduit/outbound entries.
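The layout described in this answer, written out as an added example (it is not configuration from the thread or from Cisco, and it assumes PIX 6.3 syntax on a PIX 515E). All addresses are constructed placeholders: 10.0.0.0/24 is the inside network, 203.0.113.0/24 stands in for the public range, 10.0.0.10 is the single inbound mail host, 10.0.0.11 the second outbound-only mail relay, and 10.0.0.20/.21 the two DNS servers.

```text
: Added example (not from the thread). PIX 6.3 syntax, assumed for a PIX 515E.
: Addresses are constructed placeholders: 10.0.0.0/24 inside, 203.0.113.0/24 outside.
:
: 1. Dynamic NAT for ordinary inside hosts (nat/global). These hosts are not
:    reachable from outside unless they opened the session themselves.
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 interface
:
: 2. Static NAT for the servers that must be reachable from the Internet.
:    A static is one-to-one and does not by itself permit any traffic;
:    the outside ACL below still has to allow it.
static (inside,outside) 203.0.113.10 10.0.0.10 netmask 255.255.255.255
static (inside,outside) 203.0.113.20 10.0.0.20 netmask 255.255.255.255
static (inside,outside) 203.0.113.21 10.0.0.21 netmask 255.255.255.255
:
: 3. Inside ACL: what may leave the network. Only one ACL binds to an
:    interface, so everything outbound lives in this one list. The trailing
:    deny is implicit anyway; it is written out so its hit count is visible.
access-list inside_out remark web browsing for the whole inside subnet
access-list inside_out permit tcp 10.0.0.0 255.255.255.0 any eq www
access-list inside_out permit tcp 10.0.0.0 255.255.255.0 any eq https
access-list inside_out remark only the two DNS servers may query the Internet
access-list inside_out permit udp host 10.0.0.20 any eq domain
access-list inside_out permit udp host 10.0.0.21 any eq domain
access-list inside_out remark only the two mail servers may send SMTP
access-list inside_out permit tcp host 10.0.0.10 any eq smtp
access-list inside_out permit tcp host 10.0.0.11 any eq smtp
access-list inside_out deny ip any any
access-group inside_out in interface inside
:
: 4. Outside ACL: what may enter. Destinations are the translated (outside)
:    addresses from the statics, not the real inside addresses.
access-list outside_in remark inbound mail to the single MX host only
access-list outside_in permit tcp any host 203.0.113.10 eq smtp
access-list outside_in remark inbound DNS to the two name servers only
access-list outside_in permit udp any host 203.0.113.20 eq domain
access-list outside_in permit udp any host 203.0.113.21 eq domain
access-list outside_in deny ip any any
access-group outside_in in interface outside
```

Two points worth checking once this is in place. First, there is no entry in inside_out for the replies to inbound mail or DNS queries: the PIX tracks the permitted inbound connection and lets its return traffic back out regardless of the inside ACL, exactly as the answer says, so adding such entries only widens the outbound policy. Second, `show access-list` reports a hit count per line; a rising count on the two `deny ip any any` lines is the quickest way to confirm the policy is actually being enforced and to spot a host that still expects the old WatchGuard rules (for instance, if the DNS servers need TCP 53 for zone transfers or large responses, the deny counter on outside_in is where that shows up).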
