Firewall Wizards mailing list archives

Previous By Date Next
Previous By Thread Next

Re: PIX question

From: david_harris () arnotts com
Date: Wed, 15 Mar 2006 09:30:01 +1100





Brian Loe wrote on 11/03/2006 08:42:18 AM:



You have an smtp box on dmz2. You have rules in dmz2-in allowing the
smtp box to talk to boxes on the internal network. The smtp box can
NOT talk to anything on the internet - gets denied by dmz2-in ACL. Add
an any any rule for that host in dmz2-in and it works.

Question: Why would the inbound ACL on dmz2 prevent it from sending
traffic to the outside interface with a lower security setting? Does
an ACL applied to a dmz interface have an implied deny all - even for
lower security interfaces?


No, as soon as you apply an access-list to any interface it takes
precedence over the security levels.

Take the access-list away and yes it will pass to a lower level.


**********************************************************************
This e-mail and any files transmitted with it may contain 
confidential information and is intended solely for use by 
the individual to whom it is addressed.  If you received
this e-mail in error, please notify the sender, do not 
disclose its contents to others and delete it from your 
system.

**********************************************************************

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Previous By Date Next
Previous By Thread Next

Current thread: