
New Member

The access-list permit ORIGIN to ANY (internet) problem X DMZs

I want to control my outbound traffic in my WEB-DMZ to restrict only a group of servers to open outbound connections, but if I use an access-list to permit a group of servers to go out to ANY, I'm also opening a rule to permit this traffic to go to my other interfaces of the PIX.

I don't want to use a deny access-list because it's not good to maintain.

I've mapped an "internet group of networks" and I've applied the group. This action works around the problem, but it's very CPU intensive and a very ugly solution.

Who has a better idea?

1 REPLY
Cisco Employee

Re: The access-list permit ORIGIN to ANY (internet) problem X DM

The only way you could do this is what I think you have already done: deny all traffic first coming from these DMZ servers going to anything on your internal networks, then permit all other traffic. It shouldn't be very CPU intensive; the PIX can easily handle hundreds of ACLs.

Alternatively, in 6.2 you can create object-groups and then define that in an ACL, so it'll at least clean up your config a bit. Create a network object-group for all your inside networks and then you just have one "deny" line in your ACL.

See http://www.cisco.com/warp/public/707/pix_obj_grp.html
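As an added illustration of the reply's approach (this is not configuration from the original post or from Cisco's document), the fragment below uses PIX 6.2 object-groups so that the DMZ ACL needs only one deny line for all inside networks before the permit-to-any line. The interface name `dmz`, the ACL name `DMZ_OUT`, the object-group names, and all addresses (RFC 1918 ranges standing in for the poster's inside networks, a single host standing in for the servers allowed outbound) are assumed placeholders; replace them with your own.

```cisco
! Inside networks that DMZ servers must never reach (placeholder ranges)
object-group network INSIDE-NETS
  network-object 10.0.0.0 255.0.0.0
  network-object 172.16.0.0 255.240.0.0
  network-object 192.168.0.0 255.255.0.0
! The only WEB-DMZ servers allowed to open outbound connections (placeholder host)
object-group network DMZ-OUTBOUND-SERVERS
  network-object host 192.168.10.10
! Order matters: the deny to INSIDE-NETS is evaluated before the permit to any,
! so "any" effectively means "the Internet" for this group of servers
access-list DMZ_OUT deny ip object-group DMZ-OUTBOUND-SERVERS object-group INSIDE-NETS
access-list DMZ_OUT permit ip object-group DMZ-OUTBOUND-SERVERS any
! Everything else from the DMZ is dropped (explicit for readability)
access-list DMZ_OUT deny ip any any
! Apply inbound on the DMZ interface (placeholder interface name)
access-group DMZ_OUT in interface dmz
```

Adding a new inside network later means one extra `network-object` line in `INSIDE-NETS`, and adding a server that may go outbound means one extra line in `DMZ-OUTBOUND-SERVERS`; the ACL itself does not change. After a change, `show access-list DMZ_OUT` shows the expanded entries and their hit counts, which is a quick way to confirm that DMZ-to-inside attempts are landing on the deny line rather than the permit.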
