Firewall Wizards mailing list archives
Re: PIX access-list help
From: "Paul Melson" <pmelson () gmail com>
Date: Tue, 25 Dec 2007 00:25:52 -0500
On Dec 21, 2007 11:02 AM, Brian Blater <brb.lists () gmail com> wrote:
So, my main question, is there an access list command I can have that basically says "allow all communication from the dmz to the internet" and one that says "allow communication from the inside to the dmz"? I know I can add "access-list dmz permit ip host 192.168.1.1 any" and that solves the problem of getting to the internet, but then it opens all communication to the inside from this host and I don't want to do that. Since this is version 6.3(3) I can't use an out access-list which I think might solve the problem. I have enough memory to run version 7.x on this PIX, but I'm trying to tackle one problem at a time and I'm a little hesitant about doing the 7.x upgrade just yet.
The short answer to your question is that PIX access-lists are read, per-interface, top-to-bottom:

  access-list dmz_in deny ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
  access-list dmz_in permit ip 192.168.1.0 255.255.255.0 any
  access-group dmz_in in interface dmz

If your internal network is 10.0.0.0/8 and your DMZ is 192.168.1.0/24, this will prevent traffic from the DMZ to the inside, but allow everything else.

PaulM

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
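Added example, not part of the original thread: a small first-match evaluator for PIX 6.3-style access-list lines, written to show why the order of the two rules above matters and why the "permit ip host 192.168.1.1 any" line from the question also opens the inside. It parses the deny/permit rules quoted in the reply (the rule text and the test addresses are constructed here, and the function names parse_acl, evaluate and shadowed_rules are my own), applies them top-down with the implicit deny PIX appends to every ACL, and flags rules that can never match because an earlier, broader rule covers them. It is a simplified model: it ignores ports, ICMP types, NAT and the security-level behaviour of interfaces that have no access-group applied.

```python
import ipaddress

# Constructed sample: the two-rule ACL from the reply, in PIX 6.3 syntax.
# PIX uses real subnet masks here, not IOS-style wildcard masks.
PIX_ACL = """
access-list dmz_in deny ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list dmz_in permit ip 192.168.1.0 255.255.255.0 any
"""

# Constructed sample: the single rule proposed in the question.
HOST_ANY_ACL = "access-list dmz permit ip host 192.168.1.1 any"


def _parse_addr(tokens):
    """Consume one PIX address spec (any | host A | A MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acl(text):
    """Return {acl_name: [(action, proto, src_net, dst_net), ...]} in config order."""
    acls = {}
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            continue
        name, action, proto = tokens[1], tokens[2], tokens[3]
        if action == "remark":          # remarks carry no match logic
            continue
        src, rest = _parse_addr(tokens[4:])
        dst, _ = _parse_addr(rest)
        acls.setdefault(name, []).append((action, proto, src, dst))
    return acls


def evaluate(rules, src_ip, dst_ip, proto="ip"):
    """First-match evaluation, top to bottom; implicit deny when nothing matches.

    Returns (action, index_of_matching_rule) or ("deny", None).
    """
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for idx, (action, rproto, src_net, dst_net) in enumerate(rules):
        if rproto not in ("ip", proto):   # "ip" covers every protocol
            continue
        if s in src_net and d in dst_net:
            return action, idx
    return "deny", None


def shadowed_rules(rules):
    """Indices of rules an earlier, broader rule already covers (they never match)."""
    hidden = []
    for j, (_, pj, sj, dj) in enumerate(rules):
        for i in range(j):
            _, pi, si, di = rules[i]
            if pi in ("ip", pj) and sj.subnet_of(si) and dj.subnet_of(di):
                hidden.append(j)
                break
    return hidden


if __name__ == "__main__":
    dmz_in = parse_acl(PIX_ACL)["dmz_in"]
    print("DMZ -> inside  :", evaluate(dmz_in, "192.168.1.5", "10.1.2.3"))
    print("DMZ -> internet:", evaluate(dmz_in, "192.168.1.5", "198.51.100.7"))
    print("shadowed (correct order):", shadowed_rules(dmz_in))

    # Same two lines with the permit first: the deny is now dead code.
    wrong_order = list(reversed(dmz_in))
    print("DMZ -> inside, permit first:", evaluate(wrong_order, "192.168.1.5", "10.1.2.3"))
    print("shadowed (wrong order):", shadowed_rules(wrong_order))

    # The host/any rule from the question lets 192.168.1.1 reach the inside too.
    host_any = parse_acl(HOST_ANY_ACL)["dmz"]
    print("host 192.168.1.1 -> inside:", evaluate(host_any, "192.168.1.1", "10.1.2.3"))
```

The shadowed_rules check is the one worth keeping around: on a real PIX the same mistake shows up as a deny line whose hit count in "show access-list" never moves.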