PIX firewall rule architecture

Discussion in 'Cisco' started by sam, Mar 8, 2005.

  1. sam

    sam Guest

    Hi,

    I would like to block everything first, then gradually pass in the services
    that I'm interested in.
    e.g.
    Deny in all
    Pass out all
    Pass in from any to any 25

    The above rules only pass in SMTP traffic and allow all outbound traffic.

    I read an article that mentioned Cisco PIX cannot do so.

    sam.
     
    sam, Mar 8, 2005
    #1

  2. Brian

    Brian Guest

    Well, you didn't actually ask a question, but from your example, you
    only have one problem. The PIX reads the rules in order, so it would
    get to the deny in all, and never see the "Pass in from any to any 25."
    Other than that, there's certainly no reason to believe you would have
    a problem. If you put a PIX with no access list at all on your
    network, then you will be allowing everything out, and denying
    everything that comes in. Then you can start to add access lists to
    allow in what you want.
     
    Brian, Mar 8, 2005
    #2

  3. Walter Roberson

    Walter Roberson Guest

    :I would like to block everything first, then gradually pass in the services
    :that I'm interested in.
    :e.g.
    :Deny in all
    :Pass out all
    :Pass in from any to any 25

    :I read an article that mentioned Cisco PIX cannot do so.

    If you put in the explicit deny first, then NO, the PIX will not
    work the way you want. As the other poster mentioned, PIX rules
    are evaluated from the top, so if your first thing is deny
    then deny is the result you will get.

    On the other hand, for access from a lower security to a higher
    (e.g., outside to inside), or any time there is an access list
    in place, the default is to deny unless you permit, so the equivalent
    to the above in the PIX is:

    access-list out2in permit tcp any any eq smtp

    access-group out2in in interface outside

    Hitting the end of the out2in access list is equivalent to
    "deny everything I haven't permitted", and is thus the functionality
    you want.
     
    Walter Roberson, Mar 8, 2005
    #3
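The first-match behaviour Walter describes, as an added example that is not part of the thread: a small Python model of PIX-style access-list evaluation showing the original deny-first ordering shadowing the SMTP permit, the permit-only list relying on the implicit deny, and a check that flags entries an earlier entry already covers. The `Ace` class, the helper names and the host addresses are constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Ace:
    """One access-list entry, e.g. 'permit tcp any any eq 25' (constructed model)."""
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip" ("ip" covers every protocol)
    src: str               # "any" or a single host address
    dst: str               # "any" or a single host address
    port: Optional[int]    # destination port; None means any port

def _covers(field: str, value: str) -> bool:
    return field == "any" or field == value

def matches(ace: Ace, proto: str, src: str, dst: str, port: int) -> bool:
    """Does this entry match the given packet?"""
    return ((ace.proto == "ip" or ace.proto == proto)
            and _covers(ace.src, src) and _covers(ace.dst, dst)
            and (ace.port is None or ace.port == port))

def evaluate(acl: List[Ace], proto: str, src: str, dst: str, port: int) -> str:
    """First match wins; running off the end is the implicit deny."""
    for ace in acl:
        if matches(ace, proto, src, dst, port):
            return ace.action
    return "deny"

def _superset(a: Ace, b: Ace) -> bool:
    """True if every packet matching b also matches a."""
    return ((a.proto == "ip" or a.proto == b.proto)
            and (a.src == "any" or a.src == b.src)
            and (a.dst == "any" or a.dst == b.dst)
            and (a.port is None or a.port == b.port))

def shadowed_entries(acl: List[Ace]) -> List[int]:
    """Indices of entries that can never fire because an earlier entry covers them."""
    return [i for i, ace in enumerate(acl)
            if any(_superset(prev, ace) for prev in acl[:i])]

# The poster's ordering: explicit deny first, then the SMTP permit.
DENY_FIRST = [Ace("deny", "ip", "any", "any", None),
              Ace("permit", "tcp", "any", "any", 25)]

# Walter's version: only the permit; the implicit deny handles everything else.
PERMIT_ONLY = [Ace("permit", "tcp", "any", "any", 25)]

# Constructed sample packets: inbound SMTP and inbound HTTP (placeholder addresses).
SMTP_IN = ("tcp", "203.0.113.5", "192.0.2.10", 25)
HTTP_IN = ("tcp", "203.0.113.5", "192.0.2.10", 80)
```

`shadowed_entries(DENY_FIRST)` reports the SMTP permit as unreachable, which is the practical check to run before assuming a later permit will ever take effect.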