Pix no longer permitting traffic from higher to lower priority

brad.hammond
Level 1

In release 6.3.3, does the PIX no longer implicitly permit traffic from a higher priority interface to a lower priority interface other than the respective inside and outside interfaces? Or is this a caveat in the code itself? For some reason, I am now required to configure an access list for a device on a perimeter interface or DMZ for any external traffic the device initiates to an Internet host.

3 Replies

daniel.kline
Level 1

In order to pass traffic from a lower security level interface to a higher security level interface (outside to inside or DMZ, or DMZ to inside) you must create a static address translation and an access list. In order to travel the other direction (inside or DMZ to outside) you must use a nat and global command.

Dan

Dan,

Thanks for your reply. I presently have a TAC case open. The traffic in question is outbound traffic from the DMZ to the outside interface. The server has a corresponding public static NAT statement, but is unable to transmit traffic. In troubleshooting, I have found that if I configure an access list, then traffic is permitted. However, I thought an access list was not required, as the traffic is implicitly permitted from a higher to lower priority interface. I have researched it and found this link; the information in the subtopic "Allowing Outbound Access" confirms my thoughts. So, could this be a caveat in the code?

http://cisco.com/warp/public/707/28.html#intro

Can you post your config?
