Velocity Reviews - Computer Hardware Reviews
high-to-low security traffic flow

PL, 05-26-2006
Consider this statement from a PIX white paper found online:

A packet is entering an interface and PIX evaluates the security level
for the source and destination interfaces. A low-to-high is allowed
only if there is an access-list/conduit that allows the connection and
a high-to-low is allowed by default unless a specific
access-list/outbound denies it.

This was also my understanding. Now the problem...
I have inside (sec100), outside (sec0) and two DMZ interfaces, but
we're only working with one DMZ (sec10) today. If I don't apply an
ACL to the dmz1 interface, traffic is allowed to outside and denied to
inside; this makes sense.

However, as soon as I apply an ACL to the dmz1 interface that allows
one host on the dmz to access another host on the inside, I lose flow
between dmz1 and outside unless I specifically allow it. This makes
less sense to me if the statement quoted above is correct.

What am I missing?

PL
Walter Roberson, 05-27-2006
PL wrote:
>Consider this statement from a PIX white paper found online:
>
>A packet is entering an interface and PIX evaluates the security level
>for the source and destination interfaces. A low-to-high is allowed
>only if there is an access-list/conduit that allows the connection and
>a high-to-low is allowed by default unless a specific
>access-list/outbound denies it.


That statement is incorrect. As soon as you apply an access-group
to an interface, the default behaviour does not apply for traffic
coming from that interface.
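To illustrate Walter's point, here is an added PIX 6.x-style configuration (not from the thread; the interface names, host addresses and the www service are assumed) showing the ACL as PL first described it, followed by a version that keeps dmz1-to-outside traffic flowing once the access-group is bound:

```text
! Added example, not from the thread. Assumed: PIX 6.x syntax, interfaces
! inside/dmz1/outside, DMZ host 192.168.10.5 and inside host 10.1.1.20.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security10

! --- As first applied: only the dmz1 -> inside flow is listed. Binding the
! ACL replaces the high-to-low default for traffic entering dmz1 with the
! ACL's implicit "deny ip any any", so dmz1 -> outside stops working.
access-list dmz1_in permit tcp host 192.168.10.5 host 10.1.1.20 eq www
access-group dmz1_in in interface dmz1

! --- Corrected: every flow wanted from dmz1 is stated explicitly. The deny
! for the inside network sits before the broad permit so the single host
! entry above stays the only path to inside; first match wins.
no access-group dmz1_in in interface dmz1
no access-list dmz1_in
access-list dmz1_in permit tcp host 192.168.10.5 host 10.1.1.20 eq www
access-list dmz1_in deny ip any 10.1.1.0 255.255.255.0
access-list dmz1_in permit ip 192.168.10.0 255.255.255.0 any
access-group dmz1_in in interface dmz1

! Check: per-line hit counts show which entry each test flow is matching.
show access-list dmz1_in
```

The same rule applies to any other interface that gets an access-group: the moment a list is bound, that interface's default permit towards lower security levels is gone and only what the list permits passes.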
PL, 05-30-2006
Thank you.