The access-list permit ORIGIN to ANY (internet) problem X DMZs

bs0000554
Level 1

I want to control my outbound traffic in my WEB-DMZ to restrict only a group of servers to open outbound connections, but if I use an access-list to permit a group of servers to go out to ANY, I'm also opening a rule to permit this traffic to go to my other interfaces of the PIX.

I don't want to use a deny access-list because it's not good to maintain.

I've mapped an "internet group of networks" and I've applied the group. This action works around the problem, but it's very CPU intensive and a very ugly solution.

Who has a better idea?

1 Reply

gfullage
Cisco Employee

The only way you could do this is what I think you have already done: deny all traffic first coming from these DMZ servers going to anything on your internal networks, then permit all other traffic. It shouldn't be very CPU intensive, the PIX can easily handle hundreds of ACLs.

Alternatively, in 6.2 you can create object-groups and then define that in an ACL, so it'll at least clean up your config a bit. Create a network object-group for all your inside networks and then you just have one "deny" line in your ACL.

See http://www.cisco.com/warp/public/707/pix_obj_grp.html
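The following is an added example of the object-group approach described in the reply; it is not configuration from the original thread or from Cisco's documentation. The object-group names, interface name and all addresses are constructed placeholders. It follows the PIX 6.2 syntax the reply refers to: one network object-group for the inside networks, one for the DMZ servers allowed outbound, a single deny line toward the inside, then the permit to any.

```cisco
! Added example (not from the original thread): PIX 6.2 object-group ACL
! for a WEB-DMZ. All names and addresses are constructed placeholders.

! Internal networks that DMZ hosts must never initiate connections to
object-group network INSIDE_NETS
  network-object 10.0.0.0 255.0.0.0
  network-object 172.16.0.0 255.240.0.0

! The DMZ servers that are allowed to open outbound connections
object-group network WEB_OUTBOUND_SERVERS
  network-object host 192.168.100.10
  network-object host 192.168.100.11

! Order matters: the deny toward the inside networks must come first,
! otherwise the broad "permit ... any" below would also match inside traffic.
access-list DMZ_OUT deny ip object-group WEB_OUTBOUND_SERVERS object-group INSIDE_NETS
access-list DMZ_OUT permit ip object-group WEB_OUTBOUND_SERVERS any
! Every other DMZ host falls through to the implicit deny at the end of the ACL,
! so only the listed servers can leave the DMZ at all.

! Apply the ACL to traffic entering the PIX from the DMZ interface
access-group DMZ_OUT in interface dmz
```

After applying it, `show access-list DMZ_OUT` displays the object-groups expanded into individual lines with hit counts, which is the quickest way to confirm that a connection attempt from a listed DMZ server toward an inside address increments the deny line rather than the permit line. Adding a new inside network later is a single `network-object` line in INSIDE_NETS, so the ACL itself never needs to change.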
