PIX 7.0 ACL inside/outside help

Hi all,

I've got a question regarding applying access-lists to inside or outside interface. Can someone please explain if the following set of statements is valid ?

access-list acloutside extended permit ip any any
access-group acloutside in interface outside

Do those statements mean all outside traffic is allowed to flow into the inside interface and hence make the network vulnerable?

Should it be instead

access-group acloutside in interface inside ?

Thank you

mehak327

I recommend comp.dcom.sys.cisco for PIX related questions; there are more PIX people there.

That appears to be valid for some usages, yes.

Not exactly.

Probably not, in that allowing all traffic from the inside to elsewhere is the default when there is no access-group applied to the inside interface. Applying to the inside would be redundant -- but if it helps make the intent clearer, then go ahead and configure it that way.

Applying to the outside interface does not -exactly- allow all outside traffic to flow into the inside interface:

A) At best it would permit new connections to be initiated to the inside, which is different from "all traffic" in that the PIX would continue to do stateful filtering and all applicable "inspects". For example, if someone were to send unsolicited ACK packets hoping to probe the internal topology, the PIX stateful filter would drop the packets.

B) New connections would only be permitted to the inside for hosts for which translations exist. Those translations might be via "static" or via "nat 0 access-list" (or in some restricted cases, if an existing nat/global translation existed triggered by outgoing traffic.) The access-group is one line of defence, and the translations are a second line of defence.

Walter Roberson
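As an added illustration (not from the thread and not the poster's real configuration), the fragment below places the posted permissive list beside a tightened one, together with the translations that form the second line of defence described in the answer. The ACL names, interface names, addresses and services are assumed for illustration.

```text
! As posted: any new connection from outside may be initiated toward
! any host that has a translation (stateful checks and inspects still apply).
access-list acloutside extended permit ip any any
access-group acloutside in interface outside

! Tightened form. Drop the permissive entry first (same ACL name is reused).
no access-list acloutside extended permit ip any any

! Second line of defence: only hosts deliberately given a translation are
! reachable from outside. nat-control keeps that requirement in force on 7.0.
nat-control
! Outside-facing addresses for the published web server and mail relay (assumed)
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
static (inside,outside) 203.0.113.25 10.1.1.25 netmask 255.255.255.255
! Hosts behind the site-to-site tunnel keep their real addresses (nat 0 access-list)
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.2.0.0 255.255.0.0
nat (inside) 0 access-list nonat
! Everyone else leaves through PAT on the outside address; these dynamic
! translations exist only while triggered by outgoing traffic
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! First line of defence: permit only the published services, log the rest
access-list acloutside extended permit tcp any host 203.0.113.10 eq www
access-list acloutside extended permit tcp any host 203.0.113.25 eq smtp
access-list acloutside extended deny ip any any log
access-group acloutside in interface outside

! Checks: per-entry hit counts, and which inside hosts currently have translations
show access-list acloutside
show xlate
```

Nothing is applied to the inside interface: with no access-group there, inside-to-outside traffic is permitted by default, as the answer notes.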

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.