Quick PIX question guys.
Say you have the normal inside (Sec100) and outside (Sec0) interfaces. You have an ACL on the outside interface that allows access to an internal mail server or whatever. Now, you also want to restrict what outbound traffic the users on the inside interface can initiate outbound so you create an ACL:
access-list inside_in permit tcp <internal IPs> any eq www
access-list inside_in permit tcp <internal IPs> any eq https
...
access-list inside_in permit tcp <internal IPs> any eq ftp
access-list inside_in permit tcp <internal IPs> any eq ftp-data
access-list inside_in deny ip any any
access-group inside_in in interface inside
What about passive FTP? Even if you have the fixup protocol configured for 21 on the PIX, that doesn't do much for inbound passive FTP data connections from the internal users, does it, or will the PIX be smart enough to know to allow the client-initiated passive FTP data connections out to the Internet?
TIA
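To make the question concrete, here is an added example (not part of the original post and not Cisco's code) that models what a stateful FTP inspector such as the PIX fixup has to do for passive mode: parse the server's 227 reply on the control channel, derive the data-channel address and port, and open a temporary pinhole for that one client-to-server flow, because the static inside_in ACL above only knows about ports 20 and 21 and would otherwise drop the outbound data connection to a high port. The internal subnet, the sample 227 reply and the one-shot pinhole behaviour are assumptions made for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the server's passive-mode reply as seen on the control channel (port 21).
PASV_REPLY = "227 Entering Passive Mode (203,0,113,10,195,149).\r\n"

# 227 reply carries h1,h2,h3,h4,p1,p2: data port is p1*256 + p2.
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# Assumed internal range and the static inside_in ACL from the post, as (proto, dst port).
INTERNAL = ip_network("10.1.0.0/16")
STATIC_ALLOW = {("tcp", 80), ("tcp", 443), ("tcp", 21), ("tcp", 20)}


def parse_pasv(line):
    """Return (server_ip, data_port) from a 227 reply, or None for any other line."""
    m = PASV_RE.match(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


class Inspector:
    """Static ACL plus dynamic pinholes learned from the FTP control channel."""

    def __init__(self):
        self.pinholes = set()  # (client_ip, server_ip, data_port) openings

    def observe_control(self, client_ip, line):
        # Called for every control-channel line from the server to this client.
        hit = parse_pasv(line)
        if hit:
            server_ip, data_port = hit
            self.pinholes.add((client_ip, server_ip, data_port))

    def permit(self, src, dst, dport, proto="tcp"):
        """Decide whether an outbound connection from an inside host is allowed."""
        if ip_address(src) not in INTERNAL:
            return False
        if (proto, dport) in STATIC_ALLOW:  # ordinary inside_in entries
            return True
        key = (src, dst, dport)
        if proto == "tcp" and key in self.pinholes:
            self.pinholes.discard(key)  # assumed one-shot; real devices age pinholes out
            return True
        return False  # the implicit/explicit deny at the end of inside_in
```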