RE: [fw-wiz] PIX question

Hi Brian

You answered your own question at the end. When using ACL's instead of
conduits, there is an implicit deny any any on all interfaces. You have to
add an explicit access-list DMZ2-in permit tcp access host mailserver any eq
25 to get email flowing out.

On our firewall, we have a single DMZ with mail and web servers and had to
team deny inside network rules with permit internet rules to overcome the
default deny any any. With PIX 7, we have in and out ACL's on each
interface, not just in ACL's and we're restructuring based on that.


Bruce Smith

-----Original Message-----
From: firewall-wizards-admin@xxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-admin@xxxxxxxxxxxxxxxxxx] On Behalf Of Brian Loe
Sent: Friday, March 10, 2006 11:42 PM
To: firewall-wizards@xxxxxxxxxxxxxxxxxx
Subject: [fw-wiz] PIX question

So, you have an internet-out ACL which ends with an any any on the inside
You have an internet-in ACL on the outside interface.
You have a DMZ2-in ACL on the dmz2 interface.

The inside interface is 100, dmz2 is 10 (as is dmz1) and the outside
interface is 0.

You have an smtp box on dmz2. You have rules in dmz2-in allowing the smtp
box to talk to boxes on the internal network. The smtp box can NOT talk to
anything on the internet - gets denied by dmz2-in ACL. Add an any any rule
for that host in dmz2-in and it works.

Question: Why would the inbound ACL on dmz2 prevent it from sending traffic
to the outside interface with a lower security setting? Does an ACL applied
to a dmz interface have an implied deny all - even for lower security
firewall-wizards mailing list

firewall-wizards mailing list