09-16-2004 05:29 PM - edited 02-20-2020 11:38 PM
On a DMZ interface, what would be an access list equivalent to the implicit outbound rule? Would it be something like:
access-list acl_dmz1 permit ip any any
access-group acl_dmz1 in interface dmz1
I would like to add a restriction to the interface but still keep the rest of the implicit behavior there.
09-16-2004 06:45 PM
Correctamundo! In fact this is the default, so you don't need these commands anyway.
If you want to add an exception to this, be aware that there is always an implicit "deny everything" at the end of an access-list, so adding something like:
access-list acl_dmz1 deny ip host 10.1.1.1 any
will actually stop ALL traffic out the DMZ interface, because of the implicit "deny everything else" after this line. If you truly just want to stop one DMZ host from accessing the outside you have to add the following:
access-list acl_dmz1 deny ip host 10.1.1.1 any
access-list acl_dmz1 permit ip any any
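To make the first-match behaviour concrete, here is an added Python evaluator (not part of the thread and not Cisco code) that parses the two access-list variants above and applies them to a constructed destination, 192.0.2.10; it assumes a simplified grammar covering only the `ip` protocol and the `any`, `host` and network/netmask address forms.

```python
# Added example: first-match evaluation of PIX-style access-list lines with the
# implicit "deny everything else" at the end. Simplified grammar (assumption):
# protocol is always "ip"; addresses are "any", "host A.B.C.D" or "NET MASK".
import ipaddress
from dataclasses import dataclass

@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

def _parse_addr(tokens, i):
    """Parse one address spec starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # PIX syntax: network followed by a subnet mask (not an IOS wildcard mask)
    return ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def parse_acl(config, name):
    """Collect the entries of access-list <name> from config text, in order."""
    aces = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 6 or t[:2] != ["access-list", name] or t[3] != "ip":
            continue
        src, i = _parse_addr(t, 4)
        dst, _ = _parse_addr(t, i)
        aces.append(Ace(t[2], src, dst))
    return aces

def evaluate(aces, src_ip, dst_ip):
    """The first matching entry decides; no match falls through to the implicit deny."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in aces:
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"   # implicit "deny everything else"

# Constructed configs: the lone deny line, and the deny followed by permit any any.
BROKEN = "access-list acl_dmz1 deny ip host 10.1.1.1 any\n"
FIXED = BROKEN + "access-list acl_dmz1 permit ip any any\n"

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        acl = parse_acl(cfg, "acl_dmz1")
        for host in ("10.1.1.1", "10.1.1.2"):
            print(label, host, "->", evaluate(acl, host, "192.0.2.10"))
```

With BROKEN, both DMZ hosts are denied; with FIXED, only 10.1.1.1 is denied and 10.1.1.2 is permitted.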
09-17-2004 06:02 AM
Thanks for your prompt response.