RE: [fw-wiz] PIX question

Hi Brian

You answered your own question at the end. When using ACL's instead of
conduits, there is an implicit deny any any on all interfaces. You have to
add an explicit access-list DMZ2-in permit tcp access host mailserver any eq
25 to get email flowing out.

On our firewall, we have a single DMZ with mail and web servers and had to
team deny inside network rules with permit internet rules to overcome the
default deny any any. With PIX 7, we have in and out ACL's on each
interface, not just in ACL's and we're restructuring based on that.


Bruce Smith

-----Original Message-----
From: firewall-wizards-admin@xxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-admin@xxxxxxxxxxxxxxxxxx] On Behalf Of Brian Loe
Sent: Friday, March 10, 2006 11:42 PM
To: firewall-wizards@xxxxxxxxxxxxxxxxxx
Subject: [fw-wiz] PIX question

So, you have an internet-out ACL which ends with an any any on the inside
You have an internet-in ACL on the outside interface.
You have a DMZ2-in ACL on the dmz2 interface.

The inside interface is 100, dmz2 is 10 (as is dmz1) and the outside
interface is 0.

You have an smtp box on dmz2. You have rules in dmz2-in allowing the smtp
box to talk to boxes on the internal network. The smtp box can NOT talk to
anything on the internet - gets denied by dmz2-in ACL. Add an any any rule
for that host in dmz2-in and it works.

Question: Why would the inbound ACL on dmz2 prevent it from sending traffic
to the outside interface with a lower security setting? Does an ACL applied
to a dmz interface have an implied deny all - even for lower security
firewall-wizards mailing list

firewall-wizards mailing list

Relevant Pages

  • 1801 VPN multiple clients
    ... interface FastEthernet0 ... duplex auto ... switchport trunk allowed vlan 1,2,1002-1005 ... deny ip x.x.x.x any ...
  • Easy VPN - client doesnt get config from server
    ... The client end can ping my public interface and I can ping ... crypto map dynmap client authentication list localuser ... access-list 100 deny ip host any ...
  • Cisco 3640 NM-4E Westell ADSL Modem & Ambit Cable Modem/Router Half 1/2 Speed
    ... Below the configuration are my SH Interface and SH IP Interface ... deny tcp any any eq 135 ... IP fast switching on the same interface is disabled ... input packets with dribble condition detected ...
  • Re: Advanced IPFW2 Forward rule problem / bug / misunderstanding
    ... leave the port forwarding to you. ... interface vr0 ... deny egress from internal hosts ... or} keep-state add forward ip from to any keep-state add forward ip from to any keep-state add forward ip from to any keep-state add forward ip from to any keep-state add allow ip from me to any keep-state ...
  • Re: Access list question
    ... The default statement at the end of any ACL is deny any any. ... So if no ACL is present and it is specified on the interface then all ... In this case are the "access-group 105" commands ignored if ...