Inbound direction on Pix interfaces

r-remien
Level 1

Access-group statements always apply an ACL to an interface with the command "in interface <interface name>". The Pix docs say that "this filters inbound packets at the given interface". I would like a clear definition of what is inbound. My understanding, according to the logic of the access-lists that I have applied, is that inbound is traffic going into the interface of the Pix from the connected subnet. So for the following interfaces, inbound traffic originates from the following subnet:

outside - traffic originating from the Internet

inside - traffic originating from the inside Lan

dmz - traffic originating from the DMZ

I just wanted to verify this because this is contrast with IOS router configs. My understanding is the following:

Outside s0 interface - inbound list applies to incoming traffic from the Internet

Inside e0/0 interface - inbound list applies to traffic coming into the inside subnet vs traffic going towards the interface as in my Pix example.

Could someone verify this, point me to a link or correct my examples?

Thanks,

RJ


steve.barlow
Level 7

The PIX acl is always, in IOS terms, an extended acl. It references a source of the packet and a destination. Traffic source and destination is always considered.

Router acls can be standard, only source of the packet, or extended, source and destination of the packet. They can also be applied in or out (in respect to the interface). ACL inbound means packets arriving at the interface, acl out means packets leaving the interface, whether that is an interface facing the internet or local lan. In/out references the interface, not its role/function.

Consider source and destination (makes the acl more granular), and whether traffic is leaving or entering (I almost always create them inbound as it saves bandwidth and router processing the packet) the interface when creating acls.

Hope it helps

Steve

So to clarify:

1. Inbound ACLs filter traffic entering the interface.

2. So, traffic is originated from the connected subnet/Internet heading toward the router/Pix. (Same logic for both router and Pix)

3. Outbound ACLS filter traffic leaving the interface.

4. So, traffic is leaving the router interface and is "heading" toward the connected subnet/Internet (Applies to routers only)

Are these valid statements?

Thanks,

RJ

1. Yes, filter traffic entering the interface

2. Traffic can be originated anywhere, ie many hops/subnets away or directly connected before it hits the interface, but it's travelling towards the interface. Same logic on pix and router.

3. Yes, filter traffic leaving the interface

4. Yes, traffic heading away from the router to the connected subnet or a destination many hops away (PIX doesn't have outbound acls any more)

Steve
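The same policy written for both platforms, as an added illustration of the points above (it is example configuration, not from the thread or Cisco documentation). The addresses, ACL names and interface names are constructed for this example; the `!` lines are explanatory comments in the IOS style. The policy is "only the inside LAN 10.1.1.0/24 may reach the DMZ web server 192.168.10.5 on TCP/80"; because the packets arrive at the LAN-facing interface from the LAN, the filter is applied inbound there, and the source addresses in the ACL are the LAN's.

```cisco
! ----- PIX (6.x syntax): interface ACLs are always extended and always "in" -----
! PIX uses a subnet mask, not an IOS wildcard mask.
access-list inside_in permit tcp 10.1.1.0 255.255.255.0 host 192.168.10.5 eq 80
access-list inside_in deny ip any any
! "in interface inside" = packets ENTERING the inside interface, i.e. leaving the
! inside LAN towards the firewall. The direction refers to the interface, not to
! whether the interface is "inside" or "outside". Only "in" is available on PIX.
access-group inside_in in interface inside

! ----- IOS equivalent, same direction: inbound on the LAN-facing interface -----
ip access-list extended LAN_IN
 permit tcp 10.1.1.0 0.0.0.255 host 192.168.10.5 eq 80
 deny ip any any
!
interface Ethernet0/0
 description LAN-facing interface (10.1.1.0/24)
 ip access-group LAN_IN in

! ----- IOS alternative (routers only): the same policy applied outbound on the -----
! ----- DMZ-facing interface, i.e. packets LEAVING the router towards the DMZ  -----
! The packets are the same ones, so the source/destination fields do not change;
! only where in the forwarding path they are checked does (after routing instead of
! before it, which is why Steve prefers inbound lists).
interface Ethernet0/1
 description DMZ-facing interface (192.168.10.0/24)
 ip access-group LAN_IN out
```

A quick way to confirm which direction a list is really applied on IOS is `show ip interface Ethernet0/0` (the "Inbound access list is" / "Outgoing access list is" lines); on PIX, `show access-group` lists each ACL with the interface it is bound to.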

Thanks for your posts. I really appreciate how you continue to post if the issue has not been resolved with the first response.

Thanks,

RJ
