Firewall Wizards mailing list archives

Re: PIX access-list help


From: "Paul Melson" <pmelson () gmail com>
Date: Tue, 25 Dec 2007 00:25:52 -0500

On Dec 21, 2007 11:02 AM, Brian Blater <brb.lists () gmail com> wrote:
So, my main question, is there an access list command I can have that
basically says "allow all communication from the dmz to the internet"
and one that says "allow communication from the inside to the dmz"? I
know I can add "access-list dmz permit ip host 192.168.1.1 any" and
that solves the problem of getting to the internet, but then it opens
all communication to the inside from this host and I don't want to do
that. Since this is version 6.3(3) I can't use an out access-list
which I think might solve the problem. I have enough memory to run
version 7.x on this PIX, but I'm trying to tackle one problem at a
time and I'm a little hesitant about doing the 7.x upgrade just yet.

The short answer to your question is that PIX access-lists are read,
per-interface, top-to-bottom:

access-list dmz_in deny ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list dmz_in permit ip 192.168.1.0 255.255.255.0 any
access-group dmz_in in interface dmz

If your internal network is 10.0.0.0/8 and your DMZ is 192.168.1.0/24,
this will prevent traffic from the DMZ to the inside, but allow
everything else.

PaulM
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
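To make the first-match behaviour concrete, here is an added example that is not part of the original thread: a small Python evaluator for PIX-style `access-list NAME permit|deny ip SRC MASK DST MASK` lines. It runs three constructed ACLs through the same two test flows: the two-line list from the reply, the same two lines in swapped order (where the `permit ... any` shadows the `deny`, so the deny never matches), and the single `permit ip host 192.168.1.1 any` line from the question. The inside host 10.1.2.3 and the public address 198.51.100.7 are constructed test values; only the `ip` form of the command with `any`, `host` and subnet-mask address specs is modelled.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not code from the original thread. Models the part of PIX 6.x
# access-list syntax used in the reply: first matching entry wins, and an
# access-list that matches nothing ends in an implicit deny.


@dataclass
class Ace:
    action: str                   # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens, i):
    """Parse one address spec starting at tokens[i]; return (network, next_index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX 6.x access-lists take a normal subnet mask, not an IOS wildcard mask.
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(lines):
    """Parse 'access-list NAME permit|deny ip SRC DST' lines into {name: [Ace, ...]}."""
    acls = {}
    for line in lines:
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue  # only the "ip" form from the thread is modelled here
        name, action = tokens[1], tokens[2]
        src, i = _parse_addr(tokens, 4)
        dst, _ = _parse_addr(tokens, i)
        acls.setdefault(name, []).append(Ace(action, src, dst))
    return acls


def evaluate(aces, src_ip, dst_ip):
    """Walk the ACL top-to-bottom; the first matching entry decides the packet."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"  # implicit deny at the end of every PIX access-list


# The reply's ACL, the same two lines swapped, and the question's single line.
CORRECT_ORDER = [
    "access-list dmz_in deny ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0",
    "access-list dmz_in permit ip 192.168.1.0 255.255.255.0 any",
]
SHADOWED_ORDER = list(reversed(CORRECT_ORDER))
QUESTION_ACL = ["access-list dmz_in permit ip host 192.168.1.1 any"]


def dmz_to_inside_allowed(acl_lines):
    """Constructed flow: DMZ host 192.168.1.1 -> inside host 10.1.2.3."""
    aces = parse_acl(acl_lines)["dmz_in"]
    return evaluate(aces, "192.168.1.1", "10.1.2.3") == "permit"


def dmz_to_internet_allowed(acl_lines):
    """Constructed flow: DMZ host 192.168.1.1 -> public address 198.51.100.7."""
    aces = parse_acl(acl_lines)["dmz_in"]
    return evaluate(aces, "192.168.1.1", "198.51.100.7") == "permit"


if __name__ == "__main__":
    cases = (("reply's order", CORRECT_ORDER),
             ("swapped order", SHADOWED_ORDER),
             ("question's ACL", QUESTION_ACL))
    for label, acl in cases:
        inside = "permitted" if dmz_to_inside_allowed(acl) else "denied"
        internet = "permitted" if dmz_to_internet_allowed(acl) else "denied"
        print(f"{label}: dmz->inside {inside}, dmz->internet {internet}")
```

Only the reply's ordering gives "inside denied, internet permitted"; the swapped list and the question's single permit both let the DMZ host reach the inside network, which is exactly the shadowing problem to watch for when appending entries to an existing PIX access-list.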

