PIX 7.0 ACL inside/outside help

on 22.12.2006 11:55:31 by mehak327

Hi all,

I've got a question regarding applying access-lists to the inside or
outside interface. Can someone please explain if the following set of
statements is valid?

access-list acloutside extended permit ip any any
access-group acloutside in interface outside

Do those statements mean all outside traffic is allowed to flow into the
inside interface and hence make the network vulnerable?

Should it be instead

access-group acloutside in interface inside ?

Thank you

Re: PIX 7.0 ACL inside/outside help

on 27.12.2006 08:04:16 by rlogin

In article <1166784931.484614.241790@48g2000cwx.googlegroups.com>,
wrote:

>I've got a question regarding applying access-lists to the inside or
>outside interface.

I recommend comp.dcom.sys.cisco for PIX related questions; there are
more PIX people there.

>Can someone please explain if the following set of
>statements is valid?

>access-list acloutside extended permit ip any any
>access-group acloutside in interface outside

That appears to be valid for some usages, yes.

>Do those statements mean all outside traffic is allowed to flow into the
>inside interface and hence make the network vulnerable?

Not exactly.

>Should it be instead
>access-group acloutside in interface inside ?

Probably not, in that allowing all traffic from the inside to
elsewhere is the default when there is no access-group applied
to the inside interface. Applying to the inside would be
redundant -- but if it helps make the intent clearer, then
go ahead and configure it that way.

Applying to the outside interface does not -exactly- allow
all outside traffic to flow into the inside interface:

A) At best it would permit new connections to be initiated to
the inside, which is different than "all traffic" in that
the PIX would continue to do stateful filtering and all
applicable "inspects". For example if someone were to send
unsolicited ACK packets hoping to probe the internal topology,
the PIX stateful filter would drop the packets.

B) New connections would only be permitted to the inside
for hosts for which translations exist. Those translations
might be via "static" or via "nat 0 access-list" (or in
some restricted cases, if an existing nat/global translation
existed triggered by outgoing traffic.) The access-group
is one line of defence, and the translations are a second
line of defence.
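The layered evaluation rlogin sketches in points A and B, written out as an added, constructed model. This is not part of the original thread and not Cisco code: the PIX pipeline has more stages than shown, and the `access-group`, `static` and connection table are paraphrased into plain data structures. It goes slightly beyond the reply by also running the same packets against a tighter ACL so the two can be compared. The addresses (198.51.100.x outside, 203.0.113.x global, 10.0.0.x inside) and the single static mapping are made up for the demonstration.

```python
"""
Constructed model of the checks a PIX applies to a packet arriving on the
outside interface: connection table, interface ACL, stateful TCP check,
then translation lookup.  Illustrative Python only, not Cisco code.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str          # source address on the outside
    dst: str          # destination as seen on the outside (global address)
    proto: str        # "tcp" or "udp" in this model
    dport: int
    syn: bool = False  # TCP SYN set: a new connection attempt
    ack: bool = False  # TCP ACK set


@dataclass
class Firewall:
    # "access-group <acl> in interface outside": ordered (proto, dst, dport)
    # permit entries, "any" being a wildcard. Every ACL ends in an implicit deny.
    outside_acl: list
    # "static (inside,outside) <global> <local>": global address -> inside host.
    statics: dict
    # Connection table keyed by (src, dst, dport), built from permitted packets.
    conns: set = field(default_factory=set)

    def acl_permits(self, pkt):
        for proto, dst, dport in self.outside_acl:
            if proto in ("ip", pkt.proto) and dst in ("any", pkt.dst) \
                    and dport in ("any", pkt.dport):
                return True
        return False  # implicit deny

    def evaluate(self, pkt):
        """Return (verdict, reason) for a packet inbound on the outside interface."""
        key = (pkt.src, pkt.dst, pkt.dport)
        # Packets of an already-established connection skip the ACL entirely.
        if key in self.conns:
            return "permit", "matches existing connection"
        # Interface ACL: "permit ip any any" passes everything at this step.
        if not self.acl_permits(pkt):
            return "drop", "denied by access-group on outside"
        # Stateful check (point A): a TCP packet that is not a SYN and matches
        # no connection is unsolicited, so it is dropped although the ACL permitted it.
        if pkt.proto == "tcp" and not pkt.syn:
            return "drop", "unsolicited non-SYN packet, no matching connection"
        # Translation check (point B): a new inbound connection needs an xlate
        # for its destination; with no static there is no inside host to reach.
        inside_host = self.statics.get(pkt.dst)
        if inside_host is None:
            return "drop", "no translation for destination"
        self.conns.add(key)
        return "permit", f"new connection to inside host {inside_host}"


def build_demo_firewall(wide_open=True):
    """Constructed config: one static for a web server, and either the poster's
    'permit ip any any' or a tighter 'permit tcp any host <global> eq 80'."""
    acl = [("ip", "any", "any")] if wide_open else [("tcp", "203.0.113.10", 80)]
    return Firewall(outside_acl=acl, statics={"203.0.113.10": "10.0.0.10"})


def run_demo(wide_open=True):
    """Evaluate a constructed sequence of inbound packets and return
    (label, verdict, reason) for each, so the deciding layer is visible."""
    fw = build_demo_firewall(wide_open)
    cases = [
        ("SYN to the statically translated web server",
         Packet("198.51.100.5", "203.0.113.10", "tcp", 80, syn=True)),
        ("ACK on that now-established connection",
         Packet("198.51.100.5", "203.0.113.10", "tcp", 80, ack=True)),
        ("unsolicited ACK from another host",
         Packet("198.51.100.9", "203.0.113.10", "tcp", 80, ack=True)),
        ("SYN to an address with no translation",
         Packet("198.51.100.5", "203.0.113.20", "tcp", 80, syn=True)),
        ("UDP/53 to the web server's global address",
         Packet("198.51.100.5", "203.0.113.10", "udp", 53)),
    ]
    return [(label, *fw.evaluate(pkt)) for label, pkt in cases]


if __name__ == "__main__":
    for wide in (True, False):
        print("ACL:", "permit ip any any" if wide else "permit tcp any host 203.0.113.10 eq 80")
        for label, verdict, reason in run_demo(wide):
            print(f"  {verdict:6} {label}: {reason}")
```

Run with the wide-open ACL, the unsolicited ACK and the connection to an untranslated address are both dropped, which is the reply's point that `permit ip any any` on the outside is not "all traffic". The UDP packet to the translated host is permitted, though: the translation bounds which hosts are reachable, not which services, and only the ACL does that, as the tighter variant shows.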