<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Pix no longer permitting traffic from higher to lower priori in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/pix-no-longer-permitting-traffic-from-higher-to-lower-priority/m-p/295300#M611911</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Dan,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks for your reply. I presently have a TAC case open. The traffic in question is outbound traffic from the DMZ to the outside interface. The server has a corresponding public static nat statement, but is unable to transmit traffic. In troubleshooting, I have found that if I configure an access list, then traffic is permitted. However, I thought an access-list was not required as the traffic is implicitly permitted from a higher to lower priority interface. I have researched it and found this link, where the information in the subtopic "Allowing Outbound Access" confirms my thoughts. So, could this be a caveat in the code?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;A class="jive-link-custom" href="http://cisco.com/warp/public/707/28.html#intro" target="_blank"&gt;http://cisco.com/warp/public/707/28.html#intro&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Wed, 05 Nov 2003 22:13:52 GMT</pubDate>
    <dc:creator>brad.hammond</dc:creator>
    <dc:date>2003-11-05T22:13:52Z</dc:date>
    <item>
      <title>Pix no longer permitting traffic from higher to lower priority</title>
      <link>https://community.cisco.com/t5/network-security/pix-no-longer-permitting-traffic-from-higher-to-lower-priority/m-p/295298#M611903</link>
      <description>&lt;P&gt;In release 6.3.3, does the PIX no longer implicitly permit traffic from a higher priority interface to a lower priority interface other than the respective inside and outside interfaces? Or, is this a caveat in the code itself? For some reason, I am now required to configure an access list for a device on a perimeter interface or DMZ for any external traffic the device initiates to Internet hosts.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;</description>
      <pubDate>Fri, 21 Feb 2020 07:04:57 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pix-no-longer-permitting-traffic-from-higher-to-lower-priority/m-p/295298#M611903</guid>
      <dc:creator>brad.hammond</dc:creator>
      <dc:date>2020-02-21T07:04:57Z</dc:date>
    </item>
    <item>
      <title>Re: Pix no longer permitting traffic from higher to lower priori</title>
      <link>https://community.cisco.com/t5/network-security/pix-no-longer-permitting-traffic-from-higher-to-lower-priority/m-p/295299#M611905</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;In order to pass traffic from a lower security level interface to a higher security level interface (outside to inside or dmz, or dmz to inside) you must create a static address translation and an access list. In order to travel the other direction (inside or dmz to outside) you must use a nat and global command.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Dan&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 05 Nov 2003 21:50:07 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pix-no-longer-permitting-traffic-from-higher-to-lower-priority/m-p/295299#M611905</guid>
      <dc:creator>daniel.kline</dc:creator>
      <dc:date>2003-11-05T21:50:07Z</dc:date>
    </item>
    <item>
      <title>Re: Pix no longer permitting traffic from higher to lower priori</title>
      <link>https://community.cisco.com/t5/network-security/pix-no-longer-permitting-traffic-from-higher-to-lower-priority/m-p/295300#M611911</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Dan,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks for your reply. I presently have a TAC case open. The traffic in question is outbound traffic from the DMZ to the outside interface. The server has a corresponding public static nat statement, but is unable to transmit traffic. In troubleshooting, I have found that if I configure an access list, then traffic is permitted. However, I thought an access-list was not required as the traffic is implicitly permitted from a higher to lower priority interface. I have researched it and found this link, where the information in the subtopic "Allowing Outbound Access" confirms my thoughts. So, could this be a caveat in the code?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;A class="jive-link-custom" href="http://cisco.com/warp/public/707/28.html#intro" target="_blank"&gt;http://cisco.com/warp/public/707/28.html#intro&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 05 Nov 2003 22:13:52 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pix-no-longer-permitting-traffic-from-higher-to-lower-priority/m-p/295300#M611911</guid>
      <dc:creator>brad.hammond</dc:creator>
      <dc:date>2003-11-05T22:13:52Z</dc:date>
    </item>
    <item>
      <title>Re: Pix no longer permitting traffic from higher to lower priori</title>
      <link>https://community.cisco.com/t5/network-security/pix-no-longer-permitting-traffic-from-higher-to-lower-priority/m-p/295301#M611914</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Can you post your config?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 06 Nov 2003 00:21:54 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pix-no-longer-permitting-traffic-from-higher-to-lower-priority/m-p/295301#M611914</guid>
      <dc:creator>bfl1</dc:creator>
      <dc:date>2003-11-06T00:21:54Z</dc:date>
    </item>
  </channel>
</rss>

