Firewall Wizards mailing list archives

Re: firewall-wizards Digest, Vol 16, Issue 2


From: "Tedeski, William" <William.Tedeski () acs-inc com>
Date: Thu, 2 Aug 2007 11:36:07 -0500


Am I correct in my understanding that if I want two-way traffic, traffic 
is not blocked to a lower trust level, so I need only write a rule to pass
the traffic between the endpoints from the external interface to the
internal interface, and the reply traffic is taken care of ??  Or do I
have to write a reverse rule, from the internal interface to the external
as well ???


On a PIX/ASA/FWSM

You are correct in that if there is no access-list on the higher security
level interface, connections to the lower security level interface will be
permitted, provided that a matching STATIC or GLOBAL/NAT exists. As soon as
you add an access-list to the higher security interface, you then need to
explicitly permit the connections.

Also, reply traffic will be permitted without the need to define an
access-list entry.

In addition, for protocols like FTP, the data channel will be permitted when a
control channel connection exists, without the need for an access-list
entry.

Bill Tedeski
ACS Inc.
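The three points in Bill's reply, sketched as an added PIX/ASA configuration (this is an illustration, not from the original post); the interface names, addresses, the inside web server and the PIX 7.x / ASA 8.0-era command syntax are all assumptions:

```cisco
! Added illustration of the behaviour described above; not from the original post.
! Interface names, addresses and the inside server are constructed placeholders.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
! Outbound (inside -> outside): with no access-group bound to "inside", any
! connection from the higher to the lower security level is allowed as soon as
! this GLOBAL/NAT pair matches it. Reply packets are matched by the state table.
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
!
! Inbound (outside -> inside): the initiator sits on the lower security level,
! so BOTH a STATIC and an access-list entry are required.
static (inside,outside) 192.0.2.10 10.1.1.10 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq www
access-group OUTSIDE_IN in interface outside
! No reverse rule on "inside" is needed for the server's replies.
!
! FTP data channels are derived from the inspected control channel, so an
! inside client's data connection needs no access-list entry of its own.
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect ftp
service-policy global_policy global
!
! The moment an access-list is bound to "inside", the implicit higher-to-lower
! permit disappears and every outbound flow must be listed explicitly, e.g.:
! access-list INSIDE_OUT extended permit tcp 10.1.1.0 255.255.255.0 any eq www
! access-group INSIDE_OUT in interface inside
```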

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards