Re: [fw-wiz] PIX question

Brian Loe wrote on 11/03/2006 08:42:18 AM:

You have an smtp box on dmz2. You have rules in dmz2-in allowing the
smtp box to talk to boxes on the internal network. The smtp box can
NOT talk to anything on the internet - gets denied by dmz2-in ACL. Add
an any any rule for that host in dmz2-in and it works.

Question: Why would the inbound ACL on dmz2 prevent it from sending
traffic to the outside interface with a lower security setting? Does
an ACL applied to a dmz interface have an implied deny all - even for
lower security interfaces?

No, as soon as you apply an access-list to any interface, it takes
precedence over the security levels.

Take the access-list away and yes it will pass to a lower level.
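A configuration sketch of the behaviour described above, added here as an illustration and not taken from the original thread. Interface names, security levels and addresses (192.168.2.25 as the SMTP relay on dmz2, 10.0.0.10 as the internal mail server, 10.0.0.53 as the internal DNS server) are assumptions. The point it shows: once dmz2-in is bound to the interface, only what that list permits leaves dmz2, whatever the security level of the destination interface, so the outbound permit can be limited to what the relay actually needs instead of an "any any" line.

```cisco
! Constructed PIX 6.x style example; addresses and levels are assumed.
nameif ethernet1 inside security100
nameif ethernet2 dmz2 security50
nameif ethernet0 outside security0

! Starting point: the list only allows the relay to reach internal hosts.
! An applied access-list ends in an implicit deny, so the relay's traffic
! towards the lower-security outside interface is dropped as well.
access-list dmz2-in permit tcp host 192.168.2.25 host 10.0.0.10 eq smtp
access-list dmz2-in permit udp host 192.168.2.25 host 10.0.0.53 eq domain
access-group dmz2-in in interface dmz2

! Fix: permit the outbound traffic explicitly. Entries are appended and
! evaluated in order, so these lines sit before the implicit deny.
! Limit it to outbound mail rather than "permit ip host 192.168.2.25 any",
! so a compromised relay cannot open arbitrary connections to the internet.
access-list dmz2-in permit tcp host 192.168.2.25 any eq smtp
! Everything else sourced from dmz2 still falls through to the implicit deny.

! Verify which lines are matching (hit counts per entry):
! show access-list dmz2-in
```

With the list in place, the security levels no longer decide what dmz2 may initiate; the list does. Removing the `access-group` binding restores the default behaviour where higher-to-lower traffic passes, which is why the relay works again without the list. Reaching the internal hosts still needs the usual translation (`static`/`nat`) entries, which are outside the scope of the question.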
