PIX 515 Inbound/Outbound access list confusion

Discussion in 'Cisco' started by vincehgov, Mar 8, 2006.

  1. vincehgov (Guest)

    I'm trying to set up my company firewall to allow connections that are
    described as:

    OUTSIDE IPs are: A and B
    These are NATed to the INSIDE and the DMZ

    The firewall should operate as follows:
    OUTSIDE to DMZ allow SMTP
    DMZ to INSIDE allow LDAP and SMTP

    All traffic going from INSIDE to DMZ, INSIDE to OUTSIDE, and DMZ to
    OUTSIDE is permitted.

    After reading the Cisco ASA and PIX Firewall Handbook, I created 6
    access lists; an Inbound and an Outbound for each interface. As I
    understand it, the Inbound access list for the DMZ interface controls
    connections originating from the DMZ to the INSIDE as well as
    connections originating from OUTSIDE to the DMZ, which is very
    confusing. This didn't work, despite the logic being correct. Every
    behavior was correct except that I couldn't access OUTSIDE from DMZ on
    any port. The security levels listed from lowest to highest are

    Then, I decided to only have 2 access lists. One would permit SMTP and
    HTTPS from A to the INSIDE address and it would also permit SMTP from B
    to the DMZ address. That one was applied to the OUTSIDE interface on
    the Inbound traffic. The other access list would Allow LDAP and SMTP
    from the DMZ to the INSIDE and at the same time take on the role of the
    outbound access list and allow HTTP, HTTPS, SMTP, and DOMAIN from the
    DMZ to the OUTSIDE. This access list was applied to the DMZ interface
    on the Inbound traffic.

    My question is: How is it possible for the Inbound access list on the
    DMZ interface to affect the Outbound traffic? If I took the lines that
    explicitly allow outbound traffic from the DMZ to the OUTSIDE off the
    DMZ access list, outbound requests break.

    Any help or insight would be very appreciated.

    vincehgov, Mar 8, 2006

  2. Sounds like you are using the PDM to configure it. What I have found
    out that it is usually good idea to look at the running configuration
    when trying to explain why certain things don't work the way I would
    expect them.

    My suggestion would be to post your running config and I'm sure someone
    will reply back with an explanation.


    shahidsheikh....com, Mar 8, 2006

  3. vincehgov (Guest)

    Shahid, thanks for the reply. I'm not using the PDM. I'm accessing
    the pix via CLI. I'll post my config when I get back to my office.
    However, the thing I'm most curious about is this. Can an ACL applied
    to the inbound traffic of an interface affect the outbound connections
    of that interface? If I create an outbound ACL allowing my DMZ to
    access the internet and apply that to the outbound traffic of the DMZ
    interface, it does nothing. However, if I put the same lines into the
    inbound ACL and apply the inbound ACL to the inbound traffic of the DMZ
    interface, the DMZ is able to access the internet. Strange behaviour I

    vincehgov, Mar 8, 2006
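An added configuration sketch of the two-ACL design from the first post and the question repeated in the third; it is constructed for illustration, not the poster's running config, and assumes interface names outside/dmz/inside, documentation-range addresses, and that the PIX is a pre-8.3 release where ACLs reference the NATed (outside) addresses A and B. It shows why the DMZ-to-OUTSIDE permits have to sit in the ACL bound `in` on the DMZ interface: that ACL sees every connection sourced in the DMZ regardless of the interface it will leave through, and once an ACL is bound there the security-level default no longer applies, so anything not permitted hits the final deny.

```cisco
names
name 192.0.2.10 OUTSIDE_A
name 192.0.2.11 OUTSIDE_B
name 172.16.1.25 DMZ_HOST
name 10.1.1.10 INSIDE_HOST

access-list OUTSIDE_IN remark Constructed example; bound "in" on outside, so it
access-list OUTSIDE_IN remark filters connections entering from the Internet
access-list OUTSIDE_IN remark Destinations are the NATed outside addresses A and B
access-list OUTSIDE_IN permit tcp any host OUTSIDE_A eq smtp
access-list OUTSIDE_IN permit tcp any host OUTSIDE_A eq https
access-list OUTSIDE_IN permit tcp any host OUTSIDE_B eq smtp
access-list OUTSIDE_IN deny ip any any

access-list DMZ_IN remark Bound "in" on dmz: matches every connection sourced in
access-list DMZ_IN remark the DMZ, whether it is headed for inside or outside
access-list DMZ_IN remark DMZ to INSIDE (lower to higher security, explicit permit
access-list DMZ_IN remark required; use the inside address as seen from the DMZ)
access-list DMZ_IN permit tcp host DMZ_HOST host INSIDE_HOST eq 389
access-list DMZ_IN permit tcp host DMZ_HOST host INSIDE_HOST eq smtp
access-list DMZ_IN remark DMZ to OUTSIDE: with an ACL bound to this interface the
access-list DMZ_IN remark higher-to-lower default permit is gone, so these lines
access-list DMZ_IN remark must exist or the final deny drops the traffic
access-list DMZ_IN permit tcp host DMZ_HOST any eq www
access-list DMZ_IN permit tcp host DMZ_HOST any eq https
access-list DMZ_IN permit tcp host DMZ_HOST any eq smtp
access-list DMZ_IN permit udp host DMZ_HOST any eq domain
access-list DMZ_IN deny ip any any

access-group OUTSIDE_IN in interface outside
access-group DMZ_IN in interface dmz
```

On PIX 6.x, `access-group` accepts only the `in` direction; from PIX 7.0 an `out` keyword exists, but it filters traffic leaving the firewall through that interface (connections toward DMZ hosts), not connections the DMZ opens to the Internet, which leave through the outside interface. That is why an "outbound" ACL bound to the DMZ interface appears to do nothing for DMZ-originated traffic.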