ACLs in a PIX 520, version 6.3(5)
user name
2006-05-10 18:04:09
It depends on what your security levels are for each interface. A device on a higher security interface can contact a lower security interface without the need for an ACL or static NAT. However, when a device residing on a lower security interface wants to contact a device on a higher security interface, you will need an ACL to permit this. For example:

You will need an ACL that permits traffic from the DMZ to the inside LAN:

access-list dmz_acl permit ip host 10.60.1.90 host 10.9.0.11 eq 11111

But you should not need an ACL to permit traffic from inside to contact the DMZ. This assumes you have normal security set up on your interfaces:

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security80

Hope this helps!
Aaron

----- Original Message ----- 
From: "Tony" <ttrevinogermania-ins.com>
To: <PIX_Firewall@yahoogroups.com>
Sent: Wednesday, May 10, 2006 9:28 AM
Subject: [PIX_Firewall] ACLs in a PIX 520, version 6.3(5)


Good morning all, I'm adding some ACL permit statements into our DMZ and was wondering, do I need to add 2 statements to allow communication? In other words, I need to allow an internal machine to contact a machine in the DMZ, so I'm going to add this statement:

access-list dmz_acl permit ip host 10.9.0.11 host 10.60.1.90 eq 11111

So this would allow access from 10.9.0.11 to 10.60.1.90, but do I need to add this statement as well:

access-list dmz_acl permit ip host 10.60.1.90 host 10.9.0.11 eq 11111

I was told that with this older version of software the PIX needed both statements to allow proper communication? 10.9.0.11 is always going to initiate the request from the machine in the DMZ, 10.60.1.90.

Thanks in advance for the help, T
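Added illustration for the exchange above (it is not either poster's configuration and not Cisco code): a small Python model of a stateful firewall evaluating an interface access-list, showing why the reply traffic of a connection opened from inside needs no second access-list entry, and what the reverse entry Tony asks about would actually permit. Assumptions not taken from the thread: port 11111 is TCP (a port operator such as `eq` only applies to tcp or udp entries, so the `permit ip ... eq 11111` lines above would need a protocol), `dmz_acl` is bound inbound on the dmz interface with `access-group`, and no access-group is bound to inside. The addresses and security levels are the ones quoted in the thread; the model covers the ACL step only and leaves out the static or `nat 0` that lower-to-higher traffic would also need.

```python
"""
Model of how a PIX evaluates an interface access-list (added illustration
for this thread; not the posters' configuration and not Cisco code).

Two behaviours are modelled:
  1. An access-list bound with `access-group <name> in interface <if>` is
     consulted only for the packet that opens a new connection arriving
     on that interface; the list ends in an implicit deny.
  2. Once the connection is in the conn table, later packets in both
     directions, including the DMZ host's reply, match the table entry
     and are never re-evaluated against the access-list.
Assumptions not taken from the thread: 11111 is a TCP port, dmz_acl is
bound inbound on the dmz interface, and nothing is bound to inside.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Interface security levels quoted in the reply above.
SECURITY = {"outside": 0, "inside": 100, "dmz": 80}


@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet arrives on
    proto: str
    src: str
    dst: str
    dport: int
    sport: int = 40000
    syn: bool = False   # True only for the connection-opening packet


@dataclass
class Ace:
    """One access-list entry: permit <proto> host <src> host <dst> [eq <port>]."""
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and (self.dport is None or self.dport == p.dport))


@dataclass
class Pix:
    access_groups: Dict[str, List[Ace]] = field(default_factory=dict)
    conns: Set[frozenset] = field(default_factory=set)

    @staticmethod
    def _conn_key(p: Packet) -> frozenset:
        # Direction-independent key, so the reply maps to the same entry.
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def forward(self, p: Packet, egress: str) -> bool:
        key = self._conn_key(p)
        if key in self.conns and not p.syn:
            return True                     # behaviour 2: existing connection
        if not p.syn:
            return False                    # no entry and not an opener: drop
        acl = self.access_groups.get(p.iface)
        if acl is not None:
            permitted = any(ace.matches(p) for ace in acl)   # behaviour 1
        else:
            # No list bound: higher security may open to lower, not the reverse.
            permitted = SECURITY[p.iface] > SECURITY[egress]
        if permitted:
            self.conns.add(key)
        return permitted


def scenario(with_reverse_entry: bool) -> Dict[str, bool]:
    """Replay the thread's exchange with or without the second entry."""
    entry_fwd = Ace("tcp", "10.9.0.11", "10.60.1.90", 11111)   # Tony's first line
    entry_rev = Ace("tcp", "10.60.1.90", "10.9.0.11", 11111)   # the line he asks about
    dmz_acl = [entry_fwd] + ([entry_rev] if with_reverse_entry else [])
    pix = Pix(access_groups={"dmz": dmz_acl})

    # 1. The inside host opens the connection; it arrives on inside (no ACL bound).
    opened = pix.forward(
        Packet("inside", "tcp", "10.9.0.11", "10.60.1.90", 11111, syn=True), egress="dmz")
    # 2. The DMZ host's reply arrives on dmz: matched by the conn table, not dmz_acl.
    replied = pix.forward(
        Packet("dmz", "tcp", "10.60.1.90", "10.9.0.11", dport=40000, sport=11111),
        egress="inside")
    # 3. The DMZ host tries to *initiate* its own connection to the inside host.
    dmz_initiates = pix.forward(
        Packet("dmz", "tcp", "10.60.1.90", "10.9.0.11", 11111, sport=50000, syn=True),
        egress="inside")
    return {"inside_opens": opened, "reply_returns": replied,
            "dmz_initiates": dmz_initiates}


if __name__ == "__main__":
    for flag in (False, True):
        label = "with reverse entry" if flag else "without reverse entry"
        print(label, scenario(flag))
```

Without the reverse entry the reply still comes back, because the conn table carries it; the only thing the reverse entry changes is that the DMZ host can now open its own connections to the inside host on 11111, which is the opposite of what the question wanted. On a real PIX that inbound path would additionally need a static (or `nat 0`) for 10.9.0.11, which this model leaves out, so the safe reading of the thread is: one entry in the direction of initiation, and no reverse entry.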