Re: Fw: [fw-wiz] cisco pix does not log traffic targetted to itself?

From: Kevin Steves (stevesk@pobox.com)
Date: 01/14/03


From: Kevin Steves <stevesk@pobox.com>
To: Mark.Boltz@stonesoft.com
Date: Tue Jan 14 09:18:22 2003

On Sun, Jan 12, 2003 at 10:42:51AM -0500, Mark.Boltz@stonesoft.com wrote:
> >i have never liked the ASA/security level approach that PIX uses--i
> >would rather not have implied policies. i'm told you can assign
>
> Kevin, I'm not sure I understand. Do you mean you don't want implied
> policies in a general sense? In this particular case, we're talking a final
> "deny all" rule, which is because the generally accepted stance of security
> products should be to deny that which is not expressly permitted. Curious
> as to which you meant...

yes, there is an implied default deny for access lists. but in the
absence of an interface access-group, the default is permit for high
to low origin security level traffic.
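The distinction Kevin draws, as an added illustration that is not part of the original thread and not Cisco code: a small model of the PIX interface decision in which an interface with no access-group falls back to the security-level default (implied permit from a higher level to a lower one, deny otherwise), while an interface with an access-group is decided by the access-list and its implied trailing deny. Interface names, security levels, the ACL and the addresses are constructed for the example.

```python
"""Toy model of the PIX behaviour described in the thread: with no
access-group bound to an interface, traffic from a higher security level to
a lower one is implicitly permitted; once an access-group is bound, the
access-list decides and ends in an implied deny. Added illustration, not
Cisco's code; interface names, levels, ACL and addresses are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Ace:
    """One access-list entry: permit or deny a source network to a destination network."""
    action: str  # "permit" or "deny"
    src: str     # CIDR, e.g. "10.1.1.0/24"
    dst: str

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst))


@dataclass
class Interface:
    name: str
    security_level: int
    access_group: Optional[List[Ace]] = None  # None = no access-group bound


def decide(ingress: Interface, egress: Interface,
           src_ip: str, dst_ip: str) -> Tuple[str, str]:
    """Return (verdict, reason) for a new flow entering `ingress` and leaving via `egress`."""
    if ingress.access_group is not None:
        # Explicit policy: first matching ACE wins; no match falls to the implied deny.
        for ace in ingress.access_group:
            if ace.matches(src_ip, dst_ip):
                return ace.action, f"ACE {ace.action} {ace.src} -> {ace.dst}"
        return "deny", "implied deny at end of access-list"
    # No access-group: the ASA security-level default applies.
    if ingress.security_level > egress.security_level:
        return "permit", (f"implied permit, no access-group on {ingress.name}: "
                          f"level {ingress.security_level} -> {egress.security_level}")
    return "deny", (f"implied deny: level {ingress.security_level} "
                    f"-> {egress.security_level}")


def compare_policies() -> dict:
    """Run the same flows through an inside interface with and without an access-group."""
    outside = Interface("outside", 0)
    inside_open = Interface("inside", 100)  # no access-group: implied policy applies
    inside_acl = Interface("inside", 100, access_group=[
        Ace("permit", "10.1.1.0/24", "198.51.100.0/24"),
    ])
    web = ("10.1.1.5", "198.51.100.10")  # constructed: inside host to the permitted server
    other = ("10.1.1.5", "203.0.113.7")  # constructed: inside host to anything else
    return {
        "no_acl_inside_to_outside": decide(inside_open, outside, *web)[0],
        "no_acl_inside_to_other": decide(inside_open, outside, *other)[0],
        "no_acl_outside_to_inside": decide(outside, inside_open, "203.0.113.7", "10.1.1.5")[0],
        "acl_inside_to_outside": decide(inside_acl, outside, *web)[0],
        "acl_inside_to_other": decide(inside_acl, outside, *other)[0],
    }


if __name__ == "__main__":
    for flow, verdict in compare_policies().items():
        print(f"{flow:26s} {verdict}")
```

The point the model makes visible is that the "deny all" only exists once an access-list is bound: the open inside interface permits both flows, the same interface with an access-group permits only the listed one.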