Re: [fw-wiz] PIX question

On 3/10/06, Brian Loe <knobdy@xxxxxxxxx> wrote:
> So, you have an internet-out ACL which ends with an any any on the
> inside interface.
> You have an internet-in ACL on the outside interface.
> You have a DMZ2-in ACL on the dmz2 interface.
>
> The inside interface is 100, dmz2 is 10 (as is dmz1) and the outside
> interface is 0.
>
> You have an smtp box on dmz2. You have rules in dmz2-in allowing the
> smtp box to talk to boxes on the internal network. The smtp box can
> NOT talk to anything on the internet - gets denied by dmz2-in ACL. Add
> an any any rule for that host in dmz2-in and it works.
>
> Question: Why would the inbound ACL on dmz2 prevent it from sending
> traffic to the outside interface with a lower security setting? Does
> an ACL applied to a dmz interface have an implied deny all - even for
> lower security interfaces?

Yes, it does. Once you put an ACL on an interface, you create
a (sensible) default "deny all" on that interface - regardless of
security levels.
The (unfortunate) default "permit" from high-to-low only happens if you
have no ACLs on the interface or if you're still using the (old, brain-dead)
"conduit" and "outbound" commands.

The security level still matters for your choice of address translation
commands: "static" for low-to-high traffic, and "global"+"nat" for
high-to-low traffic.
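As an added illustration (not part of the original thread), here is a PIX 6.x-style fragment of the situation the reply describes; all interface names, addresses and ACL names are constructed for the example, and the SMTP host gets a port-specific permit rather than the "any any" from the question:

```cisco
: constructed example, not the poster's configuration
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz2 security10

: dmz2-in as described in the question: the SMTP relay (192.168.20.25, constructed)
: may reach the internal mail store and DNS, nothing else.
access-list dmz2_in remark inbound on dmz2 - implicit deny ip any any at the end
access-list dmz2_in permit tcp host 192.168.20.25 host 10.0.0.5 eq smtp
access-list dmz2_in permit udp host 192.168.20.25 host 10.0.0.53 eq domain

: Because an ACL is bound to dmz2, the old high-to-low "permit by default"
: no longer applies: dmz2 (10) -> outside (0) is also dropped unless listed.
: Narrow fix for outbound mail instead of "permit ip host ... any":
access-list dmz2_in permit tcp host 192.168.20.25 any eq smtp

access-group dmz2_in in interface dmz2

: Security level still decides the translation type. dmz2 -> outside is
: high-to-low, so it needs nat + global; outside -> dmz2 would need a static.
nat (dmz2) 1 192.168.20.0 255.255.255.0
global (outside) 1 interface
```

Without the last access-list line, a packet from the relay to an Internet MX hits the implicit deny of dmz2_in even though outside has the lower security level, which is exactly the behaviour the question observed.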

firewall-wizards mailing list

Avishai Wool, Ph.D.,
Chief Technical Officer, Algorithmic Security Inc.
******* Making your firewalls really safe *******