access-list with the PIX

j.sakofsky
Level 1

I want to control access coming from the inside interface going to the outside as well as 2 DMZs that I have set up on a PIX. With ASA in place, I already have access to those 3 legs, but I want to lock them down via ACLs (such as only www traffic to outside, only telnet traffic to dmz1, etc., etc.).

How would something like this work? Would I have to configure all the ACLs with subnet info? I am thinking this could be a problem in the area of internet traffic, such as an ACL like this:

"access-list acl_in permit tcp 10.0.0.0 255.0.0.0 any eq www"

"access-group acl_in in interface inside"

which would be necessary to lock down internal users to www traffic only, but at the same time would allow them to initiate www requests on ALL of the DMZs as well... is there any way around this? (I'm also doing interface PAT on the outside interface, if that helps at all)...

1 Reply

mkaneko
Cisco Employee

If you set up

"access-list acl_in permit tcp 10.0.0.0 255.0.0.0 any eq www" and "access-group acl_in in interface inside",

you allow the 10.0.0.0 network to access any network on port 80, which includes all the interface networks (all DMZs). Make sure the PIX has some kind of nat and global statement on each interface.
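
The way around the "any also matches the DMZs" problem is rule ordering: a PIX access-list is evaluated top down, first match wins, and anything not matched is dropped by the implicit deny at the end. So you put the specific permits for each DMZ first, then explicit denies for the DMZ subnets, and only then the permit to "any", which at that point can only match Internet destinations. The following is an added example written for this thread, not configuration from either poster; the DMZ subnets (192.168.1.0/24 for dmz1, 192.168.2.0/24 for dmz2) are assumed for illustration and the poster's 10.0.0.0/8 inside network is kept.

```cisco
! Added example, not from the original thread.
! Assumed addressing: inside = 10.0.0.0/8, dmz1 = 192.168.1.0/24, dmz2 = 192.168.2.0/24
! PIX ACLs use a real subnet mask (not a wildcard mask) and are first-match, top down.

! 1. Exactly what inside may reach on each DMZ. One line per permitted service.
access-list acl_in permit tcp 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0 eq telnet
access-list acl_in permit tcp 10.0.0.0 255.0.0.0 192.168.2.0 255.255.255.0 eq smtp

! 2. Shut the door on everything else inside -> DMZ *before* the "any" line can match it.
access-list acl_in deny ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0
access-list acl_in deny ip 10.0.0.0 255.0.0.0 192.168.2.0 255.255.255.0

! 3. Now "any" can only match destinations that are not a DMZ, i.e. the Internet.
access-list acl_in permit tcp 10.0.0.0 255.0.0.0 any eq www
! Everything else (including inside -> DMZ www) hits the implicit deny ip any any.

! 4. Bind it inbound on the inside interface (full command, including the "in" keyword).
access-group acl_in in interface inside

! Translation is still needed per leg even with the ACL in place; the poster already
! has interface PAT on outside, e.g.:
!   nat (inside) 1 10.0.0.0 255.0.0.0
!   global (outside) 1 interface
```

After applying it, `show access-list acl_in` shows the hit count per line, which is the quickest way to confirm that a test browser session to a DMZ host is landing on the deny line rather than on the "any" permit. Two caveats a practitioner should expect: if inside hosts resolve Internet names through an external DNS server, "www only" will break browsing until a `udp ... eq domain` permit is added, and on a PIX a deny line is only as good as its position, so a later `access-list acl_in permit ...` appended at the bottom cannot undo the earlier denies, but a new permit for a DMZ service has to be inserted above them.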
