PIX 7.0 ACL inside/outside help - Firewalls



Thread: PIX 7.0 ACL inside/outside help

  1. PIX 7.0 ACL inside/outside help

    Hi all,

    I've got a question regarding applying access-lists to the inside or
    outside interface. Can someone please explain if the following set of
    statements is valid?

    access-list acloutside extended permit ip any any
    access-group acloutside in interface outside

    Do those statements mean all outside traffic is allowed to flow into
    the inside interface and hence make the network vulnerable?

    Should it be instead

    access-group acloutside in interface inside ?

    Thank you


  2. Re: PIX 7.0 ACL inside/outside help

    In article <1166784931.484614.241790@48g2000cwx.googlegroups.com>,
    wrote:

    >I've got a question regarding applying access-lists to inside or
    >outside interface.
    I recommend comp.dcom.sys.cisco for PIX related questions; there are
    more PIX people there.

    >Can someone please explain if the following set of
    >statements is valid ?
    >access-list acloutside extended permit ip any any
    >access-group acloutside in interface outside
    That appears to be valid for some usages, yes.

    >does those statements mean all outside traffic are allowed to flow into
    >inside interface and hence make the network vulnerable ?
    Not exactly.

    >Should it be instead
    >access-group acloutside in interface inside ?
    Probably not, in that allowing all traffic from the inside to
    elsewhere is the default when there is no access-group applied
    to the inside interface. Applying to the inside would be
    redundant -- but if it helps make the intent clearer, then
    go ahead and configure it that way.

    Applying to the outside interface does not -exactly- allow
    all outside traffic to flow into the inside interface:

    A) At best it would permit new connections to be initiated to
    the inside, which is different than "all traffic" in that
    the PIX would continue to do stateful filtering and all
    applicable "inspects". For example if someone were to send
    unsolicited ACK packets hoping to probe the internal topology,
    the PIX stateful filter would drop the packets.

    B) New connections would only be permitted to the inside
    for hosts for which translations exist. Those translations
    might be via "static" or via "nat 0 access-list" (or in
    some restricted cases, if an existing nat/global translation
    existed triggered by outgoing traffic.) The access-group
    is one line of defence, and the translations are a second
    line of defence.

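    The two points in the reply (the ACL is one line of defence, the
    translations are the second) side by side as a PIX 7.0 configuration
    fragment. This is an added illustration, not configuration from either
    poster; the addresses 203.0.113.10 and 10.0.0.10 and the object names are
    placeholders.

```cisco
! Added illustration (not from either poster). Placeholder addresses:
! 203.0.113.10 = published public address, 10.0.0.10 = internal web server.
!
! --- As posted: any outside host may open a new connection to any inside
! host that has a translation. The PIX still does stateful filtering, so an
! unsolicited ACK with no matching connection entry is dropped regardless.
access-list acloutside extended permit ip any any
access-group acloutside in interface outside
!
! --- Tightened: only HTTP to the one published server is accepted; every
! other inbound connection attempt hits the ACL's implicit deny.
access-list acloutside extended permit tcp any host 203.0.113.10 eq www
access-group acloutside in interface outside
!
! Second line of defence: an inbound connection is only built for a host
! that has a translation. 'static' publishes the web server. Other inside
! hosts only get a dynamic PAT entry when they initiate outbound traffic,
! so they are not reachable from outside even under 'permit ip any any'.
static (inside,outside) 203.0.113.10 10.0.0.10 netmask 255.255.255.255
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 interface
!
! No access-group on the inside interface: traffic from the higher-security
! inside to the outside is permitted by default, as the reply says.
!
! Check: the hit counts show which ACL entries inbound traffic is matching.
show access-list acloutside
```

    If the per-entry hit count on the narrow permit line stays at zero while
    the implicit deny climbs, the published service is not being reached and
    the translation or the ACL entry should be re-checked before widening it.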