02-03-2004 04:38 AM - edited 02-20-2020 11:13 PM
Hello,
We have a Cisco PIX 535. By default, the traffic from a more secure interface to another with a lower security level is permitted, isn't it?
Ok, I have a doubt: I've had to define an access-list entry to permit a telnet connection from inside to outside. There's no rule denying that traffic but, without that rule, the telnet connection can't be established.
And my question is: why? Is it not supposed to be permitted by default?
Thanks in advance.
02-03-2004 05:43 AM
By default higher -> lower is allowed... however, once you add permit statements, there is an implicit deny all at the end. So, if you allow web, ftp, and ssl... then by default, all other traffic is denied and you'll need to be specific with your permits.
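To illustrate the implicit deny this reply describes, here is an added Python model (not PIX code, and not from the thread) of how a PIX evaluates an access-list bound to the inside interface: first match wins, every bound ACL ends with an implicit deny, and an interface with no ACL bound still allows higher-to-lower traffic. The configuration lines, ACL name and port-name table are constructed samples.

```python
import re

# Constructed PIX 6.x-style configuration (sample, not from the thread): an
# outbound ACL on the inside interface that permits only web, ftp and ssl.
CONFIG_BEFORE = """
access-list inside_out permit tcp any any eq www
access-list inside_out permit tcp any any eq ftp
access-list inside_out permit tcp any any eq https
access-group inside_out in interface inside
"""
# The fix the original poster had to apply: an explicit permit for telnet.
CONFIG_AFTER = CONFIG_BEFORE + "access-list inside_out permit tcp any any eq telnet\n"

# Service names accepted by this simplified parser (a subset of the PIX names).
PORT_NAMES = {"www": 80, "ftp": 21, "https": 443, "telnet": 23, "ssh": 22}

ACE_RE = re.compile(r"access-list\s+(\S+)\s+(permit|deny)\s+(ip|tcp|udp)"
                    r"\s+any\s+any(?:\s+eq\s+(\S+))?$")
BIND_RE = re.compile(r"access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")


def parse_config(text):
    """Return ({acl_name: [(action, proto, dport|None), ...]}, {iface: acl_name})."""
    acls, bindings = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACE_RE.match(line):
            name, action, proto, port = m.groups()
            dport = PORT_NAMES[port] if port in PORT_NAMES else (int(port) if port else None)
            acls.setdefault(name, []).append((action, proto, dport))  # config order
        elif m := BIND_RE.match(line):
            bindings[m.group(2)] = m.group(1)
    return acls, bindings


def evaluate(acl, proto, dport):
    """First matching entry wins; no match means the implicit 'deny ip any any'."""
    for action, aproto, aport in acl:
        if aproto in ("ip", proto) and aport in (None, dport):
            return action
    return "deny"


def outbound_decision(text, proto, dport, iface="inside"):
    """Decision for a new connection arriving on `iface` (the higher security level)."""
    acls, bindings = parse_config(text)
    if iface not in bindings:
        return "permit"  # no ACL bound: higher -> lower is allowed by default
    return evaluate(acls.get(bindings[iface], []), proto, dport)
```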
02-03-2004 06:09 AM
We have a Cisco PIX 535. By default, the traffic from a more secure interface to another with a lower security level is permitted, isn't it?
:: Yes, higher to lower is permitted.
Ok, I have a doubt, I've had to define an access-list entry to permit a telnet connection from inside to outside. There is no rule denying that traffic but without that rule, the telnet connection cannot be established.
You need to have a static pointing from inside to outside "the default". By default the PIX will allow you to make any connection from Inside to Outside. However, nothing can initiate from the Outside to the Inside w/o an access-list and static.
And my question is: why? Is it not supposed to be permitted by default?
The PIX was designed to be secure by default while also being convenient, letting traffic from inside your network access anything on the Outside with the least configuration. Now if you want translations to initiate from the Outside to your private network, you need to explicitly make those statements on the PIX to allow them.
Thanks
Jeff