PIX 7.0 ACL inside/outside help !

Hi all,

I've got a question regarding applying access-lists to the inside or outside interface. Can someone please explain if the following set of statements is valid?

access-list acloutside extended permit ip any any
access-group acloutside in interface outside

Do those statements mean all outside traffic is allowed to flow into the inside interface and hence make the network vulnerable?

Should it be instead

access-group acloutside in interface inside

Thank you

Reply to
mehak327

Yes, if you set the missing static or security-level commands, too.

Depends on your need. Traffic has to pass the incoming access-list, match the xlate table and then pass the outgoing access-list in order to pass through. Alternatively the traffic has to match the connections table.

Reply to
Lutz Donnerhacke

Lutz,

Thank you for your quick reply. I've got the standard security-level commands in place: the outside interface set to security-level 0 and the inside interface set to security-level 100.

I've got a static command, but it's for the DMZ interface:

static (dmz,outside) 1xx.xxx.157.0 1xx.xxx.157.0 netmask 255.255.255.224

I've also got

global (outside) 1 interface
nat (inside) 0 access-list 101
access-list 101 extended permit ip 192.168.80.0 255.255.255.0 192.168.120.0 255.255.255.0

With all those in place, am I ok to use

access-list acloutside extended permit ip any any
access-group acloutside in interface outside

Thanks again.

Reply to
mehak327

Yes. This setup allows all new connections to the DMZ and none to the inside.

Reply to
Lutz Donnerhacke

Lutz,

Thank you. Though I'm still confused; can you just explain the difference between using

access-list acloutside extended permit ip any any
access-group acloutside in interface outside

vs.

access-list acloutside extended permit ip any any
access-group acloutside in interface INSIDE

and whether either one of them is the more preferred setup?


Reply to
mehak327

The difference is simple: The first handles incoming, the second handles outgoing traffic.

If you refer to access-group acl out interface inside the difference is that incoming traffic has to pass the outside incoming access-list, the xlate-table, and the incoming outgoing access-list.

Reply to
Lutz Donnerhacke

Lutz,

"access-group acloutside in interface outside" - since this handles incoming traffic, doesn't the "access-list acloutside extended permit ip any any" statement put the internal network in danger, since it would allow all outside traffic?


Reply to
mehak327

Please do not multipost. A few moments ago I answered this in the firewalls newsgroup, before discovering that you had already posted and had responses here. Wasted my time :(

Reply to
Walter Roberson

It would allow all traffic, but this traffic will fail to pass the xlate table.

Reply to
Lutz Donnerhacke
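To make the order Lutz describes concrete (inbound access-group on the arriving interface first, then the xlate table), here is an added Python model of that decision; it is not from the thread or from Cisco. It assumes 198.51.100.0/27 as a stand-in for the masked 1xx.xxx.157.0/27 static and 203.0.113.9 as an arbitrary Internet host, and it treats the nat (inside) 0 access-list 101 exemption as bidirectional, which is how PIX 7.0 handles NAT exemption.

```python
import ipaddress

# Constructed model of the order Lutz describes: the inbound access-group on
# the ingress interface is checked first, then the xlate table; with no
# translation the packet is dropped even if the ACL said "permit ip any any".
# Placeholder addresses: 198.51.100.0/27 stands in for the masked
# 1xx.xxx.157.0/27 static, 203.0.113.9 for an arbitrary Internet host.
ANY = ipaddress.ip_network("0.0.0.0/0")
DMZ_STATIC = ipaddress.ip_network("198.51.100.0/27")    # static (dmz,outside)
INSIDE_NET = ipaddress.ip_network("192.168.80.0/24")    # access-list 101 source
PARTNER_NET = ipaddress.ip_network("192.168.120.0/24")  # access-list 101 destination

def acl_permits(acl, src, dst):
    """First matching entry wins; every PIX ACL ends with an implicit deny."""
    for action, s, d in acl:
        if src in s and dst in d:
            return action == "permit"
    return False

def xlate_for(ingress, src, dst):
    """Translations a new connection arriving on 'outside' can use: the DMZ
    static, and the nat (inside) 0 access-list 101 exemption, which PIX treats
    as bidirectional (192.168.120.0/24 may initiate to 192.168.80.0/24)."""
    if ingress != "outside":
        return None  # inside-initiated flows build their own xlate; not modelled
    if dst in DMZ_STATIC:
        return "dmz"
    if src in PARTNER_NET and dst in INSIDE_NET:
        return "inside"
    return None

def new_connection(ingress, src, dst, access_groups):
    """Return why a new connection is dropped, or the interface it exits on."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not acl_permits(access_groups.get(ingress, []), src, dst):
        return "denied: inbound ACL on " + ingress
    egress = xlate_for(ingress, src, dst)
    if egress is None:
        return "dropped: no xlate"
    return "allowed to " + egress

# The thread's ACL, applied "in interface outside".
PERMISSIVE = {"outside": [("permit", ANY, ANY)]}
# Tighter equivalent: admit only what the xlate table can actually deliver.
TIGHT = {"outside": [("permit", ANY, DMZ_STATIC), ("permit", PARTNER_NET, INSIDE_NET)]}

if __name__ == "__main__":
    for groups in (PERMISSIVE, TIGHT):
        print(new_connection("outside", "203.0.113.9", "192.168.80.10", groups))
```

With the permissive ACL the connection to an inside host still fails, but only at the xlate step; the tighter ACL rejects it at the first step and leaves a denial to log.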
