08-14-2002 11:31 AM - edited 02-20-2020 10:12 PM
PIX Current setup:-
Inside :- 10.32.0.0 /16
DMZ :- 10.112.3.0 /24
alias (inside) 54.10.10.62 10.112.3.62 255.255.255.255
access-list acl_in permit tcp host 10.32.0.242 host 54.10.10.62 eq ftp
access-list acl_in permit tcp host 10.32.0.242 host 10.112.3.62 eq ftp
Which entry in the access-list will be used? Will the access-list get checked before the dnat function of the alias or after?
Thanks,
08-14-2002 10:01 PM
Access-list check is the first thing to be performed and must permit the packet as it arrives at the PIX.
08-21-2002 05:21 PM
So is the answer both ACLs need to be applied or just the first one?
The reason I ask is I've been told that the "foreign address" (the second address in the 'alias' command) is not reachable from the interface it is applied to. But if this is not true, then theoretically traffic could arrive on the inside interface destined for either address and one would be d-NATed and the other wouldn't, right? And then we'd have to filter for both.
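To make the ordering described in the first reply concrete, here is an added Python model (not from this thread, and not Cisco code) that evaluates the thread's two acl_in entries against an arriving packet and only then applies the alias dnat rewrite. It assumes, as that reply states, that the ACL sees the untranslated destination; the Packet type and the function names are mine.

```python
import ipaddress
from dataclasses import dataclass

# Constructed from the thread's config: the alias entry maps the "foreign"
# address inside hosts use (54.10.10.62) to the real DMZ host (10.112.3.62).
ALIAS_DNAT = {"54.10.10.62": "10.112.3.62"}

# The two acl_in permit entries; 'host x' is the /32 network, 'eq ftp' is port 21.
ACL_IN = [
    ("tcp", "10.32.0.242/32", "54.10.10.62/32", 21),
    ("tcp", "10.32.0.242/32", "10.112.3.62/32", 21),
]

@dataclass(frozen=True)
class Packet:            # hypothetical helper type, not a PIX construct
    proto: str
    src: str
    dst: str
    dport: int

def acl_match(packet, acl=ACL_IN):
    """Return the 1-based index of the first permit entry matching the packet,
    or None for the implicit deny at the end of every PIX access-list."""
    src = ipaddress.ip_address(packet.src)
    dst = ipaddress.ip_address(packet.dst)
    for idx, (proto, src_net, dst_net, port) in enumerate(acl, start=1):
        if (packet.proto == proto
                and src in ipaddress.ip_network(src_net)
                and dst in ipaddress.ip_network(dst_net)
                and packet.dport == port):
            return idx
    return None

def pix_inside_to_dmz(packet):
    """Model the order given in the reply: the inbound ACL is evaluated on the
    packet as it arrives (untranslated destination); only if permitted does the
    alias entry rewrite the destination before forwarding toward the DMZ."""
    rule = acl_match(packet)
    if rule is None:
        return {"permitted": False, "rule": None, "dst_after_alias": None}
    return {"permitted": True, "rule": rule,
            "dst_after_alias": ALIAS_DNAT.get(packet.dst, packet.dst)}

if __name__ == "__main__":
    # Inside host connecting to the alias (foreign) address: rule 1, then dnat.
    print(pix_inside_to_dmz(Packet("tcp", "10.32.0.242", "54.10.10.62", 21)))
    # Same host sending directly to the DMZ address: rule 2, no rewrite.
    print(pix_inside_to_dmz(Packet("tcp", "10.32.0.242", "10.112.3.62", 21)))
    # Any other inside host hits the implicit deny before translation runs.
    print(pix_inside_to_dmz(Packet("tcp", "10.32.0.1", "54.10.10.62", 21)))
```

Under this model the entry for 54.10.10.62 is the one that governs traffic sent to the alias address, while the 10.112.3.62 entry is only consulted when an inside host addresses the DMZ host directly.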