Firewall Wizards mailing list archives

PIX question


From: "Brian Loe" <knobdy () gmail com>
Date: Fri, 10 Mar 2006 15:42:18 -0600

So, you have an internet-out ACL which ends with an any any on the
inside interface.
You have an internet-in ACL on the outside interface.
You have a DMZ2-in ACL on the dmz2 interface.

The inside interface is 100, dmz2 is 10 (as is dmz1) and the outside
interface is 0.

You have an smtp box on dmz2. You have rules in dmz2-in allowing the
smtp box to talk to boxes on the internal network. The smtp box can
NOT talk to anything on the internet - gets denied by dmz2-in ACL. Add
an any any rule for that host in dmz2-in and it works.

Question: Why would the inbound ACL on dmz2 prevent it from sending
traffic to the outside interface with a lower security setting? Does
an ACL applied to a dmz interface have an implied deny all - even for
lower security interfaces?
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
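To make the behaviour the question describes concrete, here is an added toy model (not from the post or from Cisco) of how a PIX decides a flow: with no access-group on the ingress interface, the security-level rule applies; once an ACL is bound there, only an explicit permit passes and everything else hits the implicit deny, whatever the egress interface's level. Addresses and the dmz1 host are constructed placeholders.

```python
# Toy model of PIX interface-ACL evaluation (added example, not from the post).
# With an inbound ACL bound to the ingress interface, only an explicit permit
# passes; the ACL ends in an implicit deny regardless of the egress interface's
# security level. Without an ACL, the security-level default applies.
from ipaddress import ip_address, ip_network

# Security levels as described in the post.
SECURITY = {"inside": 100, "dmz1": 10, "dmz2": 10, "outside": 0}

# An ACL entry: (action, src_net, dst_net, proto, dst_port); None means any.
def match(ace, src, dst, proto, port):
    action, src_net, dst_net, ace_proto, ace_port = ace
    return (ip_address(src) in ip_network(src_net)
            and ip_address(dst) in ip_network(dst_net)
            and ace_proto in (None, proto)
            and ace_port in (None, port))

def permitted(acls, in_if, out_if, src, dst, proto="tcp", port=25):
    """Decide whether a flow entering in_if and leaving out_if is allowed."""
    acl = acls.get(in_if)
    if acl is None:
        # No access-group on the ingress interface: higher level may initiate to lower.
        return SECURITY[in_if] > SECURITY[out_if]
    for ace in acl:                      # first match wins
        if match(ace, src, dst, proto, port):
            return ace[0] == "permit"
    return False                         # implicit deny at the end of every ACL

# Constructed addresses for the scenario in the post (not real hosts).
SMTP_HOST = "10.2.0.25"          # the smtp box on dmz2
INSIDE_NET = "10.1.0.0/16"       # the internal network
INTERNET_HOST = "203.0.113.10"   # documentation range, stands in for "the internet"

def dmz2_in(extra=()):
    # The post's dmz2-in ACL: smtp box may reach internal boxes, nothing else listed.
    return [("permit", f"{SMTP_HOST}/32", INSIDE_NET, "tcp", 25), *extra]

def scenario(extra=()):
    acls = {"dmz2": dmz2_in(extra)}      # dmz1 is left without an ACL for contrast
    return {
        "smtp_to_inside": permitted(acls, "dmz2", "inside", SMTP_HOST, "10.1.0.5"),
        "smtp_to_internet": permitted(acls, "dmz2", "outside", SMTP_HOST, INTERNET_HOST),
        "dmz1_to_outside_no_acl": permitted(acls, "dmz1", "outside", "10.3.0.7", INTERNET_HOST),
    }

if __name__ == "__main__":
    print(scenario())   # smtp_to_internet is False: implicit deny, although 10 > 0
    # The "any any" entry for that host from the post makes it pass.
    print(scenario([("permit", f"{SMTP_HOST}/32", "0.0.0.0/0", None, None)]))
```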