PIX and ACL on inside interface

jamey — Fri, 21 Feb 2020 07:35:42 GMT

Quick PIX question guys.

Say you have the normal inside (Sec100) and outside (Sec0) interfaces. You have an ACL on the outside interface that allows access to an internal mail server or whatever. Now, you also want to restrict what outbound traffic the users on the inside interface can initiate outbound so you create an ACL:

access-list inside_in permit tcp <internal IPs> any eq www

access-list inside_in permit tcp <internal IPs> any eq https

...

access-list inside_in permit tcp <internal IPs> any eq ftp

access-list inside_in permit tcp <internal IPs> any eq ftp-data

access-list inside_in deny any any

access-group inside_in in interface inside

What about passive FTP? Even if you have the fixup protocol configured for 21 on the PIX, that doesn't do much for inbound passive FTP data connections from the internal users does it or will the PIX be smart enough to know to allow the client-initiated passive FTP data connections out to the Internet?

TIA

Re: PIX and ACL on inside interface

nkhawaja — Fri, 27 Aug 2004 01:44:25 GMT

if the client is on inside and you are permitting ftp through your ACL, fixup should open up outbound datachannel.

Same for inside FTP server if you have ACL that says permit tcp eq 21, fixup should open inbound data channel

Thanks

Nadeem

topic Re: PIX and ACL on inside interface in Network Security

PIX and ACL on inside interface

Re: PIX and ACL on inside interface