topic Re: PIX ALIAS AND ACCESS-LIST in Network Security

PIX ALIAS AND ACCESS-LIST

v.kalingara — Fri, 21 Feb 2020 06:12:23 GMT

PIX Current setup:-

Inside :- 10.32.0.0 /16

DMZ :- 10.112.3.0 /24

alias (inside) 54.10.10.62 10.112.3.62 255.255.255.255

access-list acl_in permit tcp host 10.32.0.242 host 54.10.10.62 eq ftp

access-list acl_in permit tcp host 10.32.0.242 host 10.112.3.62 eq ftp

Which entry in the access-list will be used..? Will the access-list get checked before the dnat function of the alias or after..?

Thanks,

Re: PIX ALIAS AND ACCESS-LIST

pgolding — Thu, 15 Aug 2002 05:01:18 GMT

access-list check is the first thing to be performed and must permit the packet as it arrives at the pix.

Re: PIX ALIAS AND ACCESS-LIST

pgolding — Thu, 15 Aug 2002 05:02:16 GMT

access-list check is the first thing to be performed and must permit the packet as it arrives at the pix.

Re: PIX ALIAS AND ACCESS-LIST

mkato — Thu, 22 Aug 2002 00:21:09 GMT

So is the answer both ACLs need to be applied or just the first one?

The reason I ask is I've been told that the "foreign address" (the second address in the 'alias' command) is not reachable from the interface it is applied to. But if this is not true, then theoretically traffic could arrive on the inside interface destined for either address and one would be d-NATed and the other wouldn't, right? And then we'd have to filter for both.