high-to-low security traffic flow

Discussion in 'Cisco' started by PL, May 27, 2006.

  1. PL

    PL Guest

    Consider this statement from a PIX white paper found online:

    A packet is entering an interface and PIX evaluates the security level
    for the source and destination interfaces. A low-to-high is allowed
    only if there is an access-list/conduit that allows the connection and
    a high-to-low is allowed by default unless a specific
    access-list/outbound denies it.

    This was also my understanding. Now the problem...
    I have inside (sec100), outside (sec0) and two DMZ interfaces, but
    we're only working with one DMZ (sec10) today. If I don't apply an
    ACL to the dmz1 interface, traffic is allowed to outside and denied to
    inside, this makes sense.

    However, as soon as I apply an ACL to the dmz1 interface that allows
    one host on the dmz to access another host on the inside, I lose flow
    between dmz1 and outside unless I specifically allow it. This makes
    less sense to me if the statement quoted above is correct.

    What am I missing?

    PL
     
    PL, May 27, 2006
    #1

  2. In article <>,
    PL <> wrote:
    >Consider this statement from a PIX white paper found online:


    >A packet is entering an interface and PIX evaluates the security level
    >for the source and destination interfaces. A low-to-high is allowed
    >only if there is an access-list/conduit that allows the connection and
    >a high-to-low is allowed by default unless a specific
    >access-list/outbound denies it.


    That statement is incorrect. As soon as you apply an access-group
    to an interface, the default behaviour does not apply for traffic
    coming from that interface.
     
    Walter Roberson, May 27, 2006
    #2
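The behaviour Walter describes, as an added example that is not from the thread: a small Python model of how a PIX decides whether a packet entering an interface is forwarded, with PL's three interfaces and security levels (inside 100, outside 0, dmz1 10). The model assumes PIX 6.x-style evaluation as stated in the reply (no access-group on the ingress interface: permit only high-to-low; an access-group bound: that ACL alone decides, first match wins, implicit deny at the end) and ignores NAT, conduits, stateful return traffic and same-security-level forwarding. Host addresses, subnets and the ACL name dmz1_in are constructed for illustration; the three access-group variants reproduce the "no ACL", "narrow ACL" and "corrected ACL" cases, the last one showing the rule order a practitioner needs (deny the rest of inside before the outbound "permit any", otherwise the permit also reopens inside).

```python
"""Toy model of PIX interface-ACL evaluation (added example, not from the thread).

Assumption: PIX 6.x behaviour as described in the reply above. Without an
access-group on the ingress interface only high-to-low traffic is permitted;
once an access-group is bound, the ACL alone decides (first match wins,
implicit deny at the end). NAT, conduits, stateful return traffic and the
same-security-traffic option are ignored. Addresses are constructed.
"""
from dataclasses import dataclass
import ipaddress

SECURITY_LEVELS = {"inside": 100, "outside": 0, "dmz1": 10}

# Constructed addressing: one subnet per non-outside interface.
INTERFACE_SUBNETS = {
    "inside": ipaddress.ip_network("10.1.0.0/16"),
    "dmz1": ipaddress.ip_network("192.168.10.0/24"),
}


def egress_interface(dst):
    """Pick the egress interface by destination; anything else exits via outside."""
    for name, net in INTERFACE_SUBNETS.items():
        if ipaddress.ip_address(dst) in net:
            return name
    return "outside"


@dataclass(frozen=True)
class Ace:
    """One access-list entry: action plus source/destination in CIDR form."""
    action: str  # "permit" or "deny"
    src: str
    dst: str

    def matches(self, src, dst):
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst))


def evaluate(ingress, src, dst, access_groups):
    """Return (verdict, reason) for a packet entering `ingress`.

    access_groups maps an interface name to the list of Ace bound to it with
    access-group; an interface absent from the map has no ACL applied.
    """
    egress = egress_interface(dst)
    acl = access_groups.get(ingress)
    if acl is None:
        if SECURITY_LEVELS[ingress] > SECURITY_LEVELS[egress]:
            return "permit", "high-to-low default, no access-group on ingress"
        return "deny", "low-to-high needs an access-list"
    for ace in acl:
        if ace.matches(src, dst):
            return ace.action, f"matched {ace}"
    return "deny", "implicit deny at end of access-list"


def to_pix_config(name, aces, interface):
    """Render the ACL as PIX access-list / access-group lines (IP-only form)."""
    def addr(cidr):
        net = ipaddress.ip_network(cidr)
        if net.prefixlen == 0:
            return "any"
        if net.prefixlen == 32:
            return f"host {net.network_address}"
        return f"{net.network_address} {net.netmask}"
    lines = [f"access-list {name} {a.action} ip {addr(a.src)} {addr(a.dst)}" for a in aces]
    lines.append(f"access-group {name} in interface {interface}")
    return lines


# Constructed hosts: one DMZ server, one inside database, one Internet host.
DMZ_HOST, INSIDE_DB, INTERNET = "192.168.10.5", "10.1.1.20", "198.51.100.7"

NO_ACL = {}
# The narrow ACL from the question: one DMZ host to one inside host, nothing else.
NARROW_ACL = {"dmz1": [Ace("permit", "192.168.10.5/32", "10.1.1.20/32")]}
# Corrected ACL: keep the inside exception, block the rest of inside, then
# restore outbound explicitly. Order matters: "permit any" last.
FIXED_ACL = {"dmz1": [
    Ace("permit", "192.168.10.5/32", "10.1.1.20/32"),
    Ace("deny", "0.0.0.0/0", "10.1.0.0/16"),
    Ace("permit", "192.168.10.0/24", "0.0.0.0/0"),
]}

if __name__ == "__main__":
    for label, groups in (("no ACL", NO_ACL), ("narrow ACL", NARROW_ACL), ("fixed ACL", FIXED_ACL)):
        for dst in (INTERNET, INSIDE_DB):
            print(label, DMZ_HOST, "->", dst, evaluate("dmz1", DMZ_HOST, dst, groups))
    print("\n".join(to_pix_config("dmz1_in", FIXED_ACL["dmz1"], "dmz1")))
```

Running the block prints the verdict for dmz1-to-outside and dmz1-to-inside under each variant: with no ACL the Internet host is reachable and inside is not; with the narrow ACL the inside host is reachable but outbound is now denied by the implicit deny; with the corrected ACL both work and other DMZ hosts still cannot reach inside.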

  3. PL

    PL Guest

    Thank you.


    On Sat, 27 May 2006 01:24:52 GMT, (Walter
    Roberson) wrote:

    >In article <>,
    >PL <> wrote:
    >>Consider this statement from a PIX white paper found online:

    >
    >>A packet is entering an interface and PIX evaluates the security level
    >>for the source and destination interfaces. A low-to-high is allowed
    >>only if there is an access-list/conduit that allows the connection and
    >>a high-to-low is allowed by default unless a specific
    >>access-list/outbound denies it.

    >
    >That statement is incorrect. As soon as you apply an access-group
    >to an interface, the default behaviour does not apply for traffic
    >coming from that interface.
     
    PL, May 30, 2006
    #3
