Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
400
Views
0
Helpful
2
Replies

pix 535 and access-lists

Go to solution
ccrespoh
Level 1
Level 1

‎02-03-2004 04:38 AM - edited ‎02-20-2020 11:13 PM

Hello,

We have a Cisco PIX 535. By default, the traffic from a more secure interface to other with a lower security level is permitted, is it?

Ok, I have a doubt, I've had to define an access-list entry to permit a telnet connection from inside to outside. There's no rule denying that traffic but, without that rule the telnet connection can't be stablished.

And my question is: why? Is it not supposed to be permitted by default?

Thanks in advance.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
bfl1
Level 1
Level 1

‎02-03-2004 05:43 AM

By default higher -> lower is allowed... however, once you add permit statements, there is an implicit deny all at the end. So, if you allow web, ftp, and ssl... then by default, all other traffic is denied and you'll need to be specific with your permits.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
bfl1
Level 1
Level 1

‎02-03-2004 05:43 AM

By default higher -> lower is allowed... however, once you add permit statements, there is an implicit deny all at the end. So, if you allow web, ftp, and ssl... then by default, all other traffic is denied and you'll need to be specific with your permits.

0 Helpful

Go to solution
rgrcommo
Level 1
Level 1

‎02-03-2004 06:09 AM

We have a Cisco PIX 535. By default, the traffic from a more secure interface to other with a lower security level is permitted, is it?

:: Yes, higher to lower is permitted.

Ok, I have a doubt, I've had to define an access-list entry to permit a telnet connection from inside to outside. There is no rule denying that traffic but without that rule, the telnet connection cannot be established.

You need to have a static pointing from inside to outside "the default". By default the PIX will allow you to make any connection from Inside to Outside. However, nothing can initiate from the Outside to the Inside w/o an access-list and static.

And my question is: why? Is it not supposed to be permitted by default?

The PIX was designed to be secure by default while also being convenient and let traffic from inside your network able to access anything on the Outside with the least configuration. Now if you want translations to “initiate” from the Outside to your private network to you need to explicitly make those statements on the PIX to allow them.

Thanks

Jeff

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card