I do not understand example

hello,

in the PIX 6.0 configuration guide I found this:

"In the next example, dmz1 interface users are restricted from web browsing on other interfaces, but one host at 192.168.1.2 has web access. Put the port you want to restrict users from after the destination address. The following example shows these commands:

    access-list acl_dmz1 deny tcp any any eq www
    access-list acl_dmz1 deny tcp host 192.168.1.2 any eq www
    access-group acl_dmz1 in interface dmz1"

I do not understand why in the second access-list it is 'deny' if the description says that the user at 192.168.1.2 has web access? I thought there should be 'permit'!

voytas

You are right, and also the order should be reversed:

    access-list acl_dmz1 permit tcp host 192.168.1.2 any eq www
    access-list acl_dmz1 deny tcp any any eq www
    access-group acl_dmz1 in interface dmz1

except that you should likely also permit outgoing DNS queries.

Walter Roberson
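The point made in the reply above (the guide's two deny entries block the host too, and once corrected the permit has to come before the broad deny) is easy to see by modelling first-match evaluation. The following is an added example, not PIX code and not from the Cisco guide or from anyone in this thread: a small Python model of how an inbound access-list on an interface is evaluated, top to bottom, first match wins, implicit deny at the end. The three configurations are the guide's text as quoted, the corrected order, and the corrected entries in the wrong order; the packet values (destination 203.0.113.10 and the ports) are constructed for the example.

```python
"""Model of PIX/IOS first-match access-list evaluation (added example, not
Cisco code).  A packet is compared against the ACL's entries top to bottom;
the first matching entry decides, and every access-list ends with an
implicit deny."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Optional

PORT_NAMES = {"www": 80, "domain": 53}   # the keyword used on the page, plus DNS

@dataclass
class Ace:
    action: str                       # "permit" or "deny"
    proto: str                        # "tcp", "udp" or "ip"
    src: Callable[[object], bool]     # address matcher for the source
    dst: Callable[[object], bool]     # address matcher for the destination
    dport: Optional[int]              # destination port from "eq PORT", or None

def _take_addr(tokens, i):
    """Consume one address spec at tokens[i]; return (matcher, next index)."""
    if tokens[i] == "any":
        return (lambda ip: True), i + 1
    if tokens[i] == "host":
        net = ip_network(tokens[i + 1])                  # a single /32
        return (lambda ip, n=net: ip in n), i + 2
    # PIX "address mask" form, e.g. 192.168.1.0 255.255.255.0
    net = ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False)
    return (lambda ip, n=net: ip in n), i + 2

def parse_config(text):
    """Return ({acl name: [Ace, ...]}, {interface: acl name}) from config lines."""
    acls, bindings = {}, {}
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "access-list":
            # access-list NAME permit|deny PROTO SRC DST [eq PORT]
            name, action, proto = tokens[1], tokens[2], tokens[3]
            src, i = _take_addr(tokens, 4)
            dst, i = _take_addr(tokens, i)
            dport = None
            if i < len(tokens) and tokens[i] == "eq":
                port = tokens[i + 1]
                dport = PORT_NAMES.get(port) or int(port)
            acls.setdefault(name, []).append(Ace(action, proto, src, dst, dport))
        elif tokens[0] == "access-group":
            # access-group NAME in interface IFACE
            bindings[tokens[4]] = tokens[1]
    return acls, bindings

def evaluate(aces, proto, src_ip, dst_ip, dport):
    """First-match evaluation; returns (action, 1-based entry number or None)."""
    src_ip, dst_ip = ip_address(src_ip), ip_address(dst_ip)
    for n, ace in enumerate(aces, 1):
        if ace.proto not in ("ip", proto):
            continue
        if not (ace.src(src_ip) and ace.dst(dst_ip)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, n
    return "deny", None   # implicit deny at the end of every access-list

# Exactly as quoted from the guide in the thread: both entries deny.
GUIDE_TEXT = """
access-list acl_dmz1 deny tcp any any eq www
access-list acl_dmz1 deny tcp host 192.168.1.2 any eq www
access-group acl_dmz1 in interface dmz1
"""

# The corrected version from the thread: the host permit comes first.
CORRECTED = """
access-list acl_dmz1 permit tcp host 192.168.1.2 any eq www
access-list acl_dmz1 deny tcp any any eq www
access-group acl_dmz1 in interface dmz1
"""

# Same two entries in the wrong order: the broad deny shadows the host permit.
SHADOWED = """
access-list acl_dmz1 deny tcp any any eq www
access-list acl_dmz1 permit tcp host 192.168.1.2 any eq www
access-group acl_dmz1 in interface dmz1
"""

def decide(config, src_ip, proto="tcp", dport=80, dst_ip="203.0.113.10"):
    """Apply the ACL bound inbound on dmz1 to one constructed packet."""
    acls, bindings = parse_config(config)
    return evaluate(acls[bindings["dmz1"]], proto, src_ip, dst_ip, dport)

if __name__ == "__main__":
    for label, cfg in (("guide", GUIDE_TEXT), ("corrected", CORRECTED), ("shadowed", SHADOWED)):
        print(label, "192.168.1.2 -> www:", decide(cfg, "192.168.1.2"))
        print(label, "192.168.1.3 -> www:", decide(cfg, "192.168.1.3"))
    # The corrected list has no entry for DNS, so the implicit deny catches it;
    # that is why the reply says outgoing DNS should also be permitted.
    print("corrected 192.168.1.3 -> udp/53:", decide(CORRECTED, "192.168.1.3", "udp", 53))
```

Running it shows the guide's list denying 192.168.1.2 on entry 1, the corrected list permitting that host on entry 1 and denying everyone else on entry 2, and the shadowed list denying the host on entry 1 because the permit below it is never reached. The UDP/53 case falls through to the implicit deny, which is the DNS caveat in the reply.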

This error is in 'Step 14-Add Outbound Access Lists', second example in 'Restricting Users from Starting Connections', in the guide at the Cisco site!

They should fix it. For beginners it is more confusing!

Walter Roberson wrote:

voytas

Yes, it's completely wrong - you can tell Cisco by filling out the Feedback Form at the bottom of the page. I did this recently and they mailed me back a few weeks later to say that they had corrected the document.

James

voytas wrote:



OK, I used that form and I am waiting.

voytas
