Access List

Can someone translate this access-list line for me in plain english? Thanks

interface ethernet0 auto interface ethernet1 auto interface ethernet2 auto nameif ethernet0 outside security0 nameif ethernet1 inside security100 nameif ethernet2 DMZ1 security50 ip address DMZ1 access-group dmz_out in interface DMZ1

access-list dmz_out permit tcp host host range 12100

Reply to
Loading thread data ...

The access-group line would have to occur -after- the access-list line, or else access-group will complain that the access-list does not exist and will drop the access-list statement.

The ACL permits one host in the DMZ, numbered, to send certain TCP packets to the one host (where-ever that is).

If is reached through the outside interface, then proceed to the next paragraph; if is the target of a 'static' created on the inside interface, or if is in the source range of a "permit" statement of an ACL named in a "nat (inside) 0 access-list" line, then will be permitted to establish a new connection into the inside interface -- but if is in the address range of the inside interface and there is no 'static' or nat 0 access-list applicable, then the connections towards the higher-security inside interface would be refused. (These static and nat 0 access-list concerns do not apply for traffic going to a lower-security interface.)

The permitted destination TCP ports are 12100, 12101, 12102, 12103,

12104, 12105, 12106, 12107, 12108, and 12109.

When a connection is initiated from towards one of those ports at, and the security level stuff is acceptable, then the PIX will automatically create a temporary opening in the access controls of the destination interface; this temporary opening will permit the reply traffic. The temporary opening will be very specific, permitting the one destination port at to send tcp traffic back towards whatever the one source port was on

The source IP address that the destination will see in place of will depend upon whether the packet is going to a lower security interface (outside) or a higher security interface (inside), and will depend on which static and nat and global statements have been configured.

Reply to
Walter Roberson

Thanks Walter. Your description helped me understand the other access-lists, groups and static commands that we have defined in the firewall.


Reply to
dexteroc Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.