Firewall Wizards mailing list archives
Re: firewall-wizards Digest, Vol 16, Issue 2
From: "Tedeski, William" <William.Tedeski () acs-inc com>
Date: Thu, 2 Aug 2007 11:36:07 -0500
> Am I correct in my understanding that if I want two-way traffic, traffic is not blocked to a lower trust level, so I need only write a rule to pass the traffic between the endpoints from the external interface to the internal interface, and the reply traffic is taken care of? Or do I have to write a reverse rule, from the internal interface to the external, as well?
On a PIX/ASA/FWSM you are correct: if there is no access-list on the higher security level interface, connections to the lower security level interface will be permitted, provided that a matching STATIC or GLOBAL/NAT exists. As soon as you add an access-list to the higher security interface, you then need to explicitly permit the connections. Also, reply traffic will be permitted without the need to define an access-list entry. In addition, for protocols like FTP, the data channel will be permitted when a control channel connection exists, without the need for an access-list entry.

Bill Tedeski
ACS Inc.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
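The behaviour Bill describes (default high-to-low permit, inbound needing both a static and an ACL, stateful replies, FTP data channels via inspection) as an added example configuration, not from the original post. It assumes PIX/ASA pre-8.3 NAT syntax (static, global, nat), interface names "outside"/"inside", and constructed documentation/RFC 1918 addresses.

```cisco
! Added example, not from the original thread. Assumes ASA 7.x/8.0-8.2 syntax;
! all addresses are constructed (203.0.113.0/24 and 10.1.1.0/24).
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
! High -> low (inside -> outside) is permitted by default with NO access-list on
! inside, but only if a translation exists. PAT everyone behind the outside address.
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0
!
! Low -> high (outside -> inside) needs BOTH a static translation AND an ACL.
! 203.0.113.10 is the public address of the internal web server 10.1.1.10.
! Pre-8.3: the ACL on outside matches the translated (public) address.
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 80
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-group OUTSIDE_IN in interface outside
!
! Replies to these connections return without any rule on the inside interface:
! they are matched against the connection table, not against the ACLs.
!
! The moment an ACL is bound to inside, the default high -> low permit is gone
! and every outbound flow must be listed explicitly (DNS is easy to forget).
access-list INSIDE_OUT extended permit tcp 10.1.1.0 255.255.255.0 any eq 80
access-list INSIDE_OUT extended permit tcp 10.1.1.0 255.255.255.0 any eq 443
access-list INSIDE_OUT extended permit udp 10.1.1.0 255.255.255.0 any eq 53
access-list INSIDE_OUT extended deny ip any any log
access-group INSIDE_OUT in interface inside
!
! FTP data channels are opened by the inspection engine when a control connection
! exists; this only holds while "inspect ftp" is in the global policy (on by default).
policy-map global_policy
 class inspection_default
  inspect ftp
```

After applying, `show conn` lists each permitted flow once, covering both directions, and `show access-list INSIDE_OUT` hit counts reveal which outbound traffic is now being dropped by the new inside ACL.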