PIX ACL Discussion

Discussion in 'Cisco' started by falken7@gmail.com, Jan 24, 2005.

  1. Guest

    Hello,

    I have a question regarding PIX ACL designs. I want to build my access
    lists as tight as possible allowing exactly what I permit. I
    understand the PIX can manage many protocols (IP, GRE, ESP, etc). My
    question concerns the deny statements at the end of the ACL. Should I
    place deny statements for each protocol as listed in this example:

    access-list acl_outside remark Permit ONLY WWW and SMTP traffic
    access-list acl_outside permit tcp any host 10.0.0.1 eq www
    access-list acl_outside permit tcp any host 10.0.0.2 eq smtp
    access-list acl_outside deny <protocol> any any (repeat for all PIX
    supported protocols?)

    I know the IOS ACLs have an implicit deny statement. I wasn't sure
    what the proper method would be for the PIX concerning deny statements.
    Any thoughts?

    Thanks
    Falken
    , Jan 24, 2005
    #1

  2. Falken - The PIX ACLs also have an implicit deny at the end, so the two
    permits are enough. However, if you want to watch hitcounts on denials
    for some reason, then put the explicit deny in. Replace <protocol>
    with "ip" and that's all you need - see below.

    access-list acl_outside remark Permit ONLY WWW and SMTP traffic
    access-list acl_outside permit tcp any host 10.0.0.1 eq www
    access-list acl_outside permit tcp any host 10.0.0.2 eq smtp
    access-list acl_outside deny ip any any
    The Green Manalishi, Jan 24, 2005
    #2

  3. In article <>,
    <> wrote:
    :I have a question regarding PIX ACL designs.

    :I know the IOS ACLs have an implicit deny statement.

    PIX has implicit deny as well, on all access-lists.

    There are only two permit-by-default behaviours that I can
    think of for the PIX:

    1) If you do not have an access-group applied to an interface,
    but you do have suitable nat/global or static statements, then
    traffic will be permitted to all lower-security interfaces. If,
    though, you have even a one-line ACL (even just a 'remark')
    applied via an access-group then the behaviour changes to denying
    everything that is not permitted.

    2) By default, all icmp addressed to the PIX itself is permitted.
    You should use appropriate 'icmp' commands to restrict the ICMP
    permitted to the PIX itself. Note that access-lists and ACLs have
    no effect on traffic -to- the PIX itself.
    --
    Oh, yeah, an African swallow maybe, but not a European swallow.
    That's my point.
    Walter Roberson, Jan 25, 2005
    #3
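    To make the point of replies #2 and #3 concrete, here is a small first-match ACL evaluator written for this thread (an added example, not Cisco code and not posted by any of the participants). It parses the `access-list acl_outside` lines quoted above, evaluates a set of constructed sample flows once against the two permits alone and once with the explicit `deny ip any any` appended, and shows that the verdicts are identical while only the explicit entry accumulates a hitcount. The `www`/`smtp` port table, the `Ace`/`Acl` classes and the sample flows are assumptions made for the example; it models only destination address, protocol and destination port, and only the through-the-box case (it does not model traffic to the PIX itself, which, as reply #3 notes, ACLs do not govern).

```python
"""First-match ACL evaluator with an implicit deny, modelling the PIX
behaviour described in this thread.  Constructed example, not Cisco code.
"""
from __future__ import annotations

from dataclasses import dataclass

# Service keywords the thread's ACL uses, mapped to port numbers (assumed).
PORT_NAMES = {"www": 80, "smtp": 25}


@dataclass
class Ace:
    """One access-control entry.  dst 'any' / dport None match anything."""
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp", "icmp" or "ip" (any protocol)
    dst: str               # "any" or a host address
    dport: int | None      # destination port, None = any port
    hits: int = 0          # hitcount, incremented on every match

    def matches(self, proto: str, dst: str, dport: int | None) -> bool:
        return ((self.proto == "ip" or self.proto == proto)
                and (self.dst == "any" or self.dst == dst)
                and (self.dport is None or self.dport == dport))


def _take_addr(tokens: list[str], i: int) -> tuple[str, int]:
    """Consume 'any' or 'host A.B.C.D' starting at tokens[i]."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    raise ValueError(f"unsupported address spec: {tokens[i]}")


def parse_ace(line: str) -> Ace | None:
    """Parse one 'access-list NAME ...' line; remark lines yield None."""
    t = line.split()
    if len(t) < 3 or t[0] != "access-list" or t[2] == "remark":
        return None
    action, proto = t[2], t[3]
    _, i = _take_addr(t, 4)          # source address (not evaluated here)
    dst, i = _take_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        port = t[i + 1]
        dport = int(port) if port.isdigit() else PORT_NAMES[port]
    return Ace(action, proto, dst, dport)


class Acl:
    """First match wins; no match falls through to the implicit deny."""
    def __init__(self, lines: list[str]):
        self.aces = [a for a in map(parse_ace, lines) if a is not None]
        self.implicit_denies = 0     # the PIX shows no hitcount for these

    def check(self, proto: str, dst: str, dport: int | None = None) -> str:
        for ace in self.aces:
            if ace.matches(proto, dst, dport):
                ace.hits += 1
                return ace.action
        self.implicit_denies += 1
        return "deny"


# The ACL from the thread, once without and once with 'deny ip any any'.
BASE = [
    "access-list acl_outside remark Permit ONLY WWW and SMTP traffic",
    "access-list acl_outside permit tcp any host 10.0.0.1 eq www",
    "access-list acl_outside permit tcp any host 10.0.0.2 eq smtp",
]
EXPLICIT = BASE + ["access-list acl_outside deny ip any any"]

# Constructed sample flows: (protocol, destination, destination port).
FLOWS = [
    ("tcp", "10.0.0.1", 80),     # permitted by the www entry
    ("tcp", "10.0.0.2", 25),     # permitted by the smtp entry
    ("tcp", "10.0.0.1", 25),     # smtp to the web host: no match
    ("udp", "10.0.0.1", 53),     # non-tcp: no match
    ("gre", "10.0.0.3", None),   # another IP protocol: no match
    ("icmp", "10.0.0.2", None),  # through-the-box icmp: no match
]


def evaluate(lines: list[str]) -> tuple[list[str], list[int], int]:
    """Return per-flow verdicts, per-ACE hitcounts and the implicit-deny count."""
    acl = Acl(lines)
    verdicts = [acl.check(*flow) for flow in FLOWS]
    return verdicts, [a.hits for a in acl.aces], acl.implicit_denies


if __name__ == "__main__":
    for label, lines in (("implicit deny", BASE), ("explicit deny", EXPLICIT)):
        verdicts, hits, fallthrough = evaluate(lines)
        print(f"{label}: verdicts={verdicts} hits={hits} implicit={fallthrough}")
```

    Running it prints the same six verdicts for both lists; the difference is that with `BASE` the four denied flows are counted only by the evaluator's `implicit_denies`, which a real PIX does not expose, whereas with `EXPLICIT` they show up as hits on the `deny ip any any` entry. That is exactly the trade-off reply #2 describes: the explicit line adds no security, only visibility.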
  4. Guest

    Thanks guys - this explanation helps. I assumed the PIX had an
    implicit deny but wanted to make sure.
    , Jan 25, 2005
    #4