PIX Security Flaw?? No Access-lists applied when routing out same interface
07-23-2002 06:05 AM - edited 02-20-2020 10:10 PM
I have a router sending multiple subnets into the DMZ interface of my PIX (10.1.x.0/24), and a static route on the DMZ interface (10.1.0.0/16) sending all replies back.
This works fine, but any access-lists applied to the DMZ interface are ignored if the route is out of the same interface - for example an access list to deny 10.1.1.0/24 access to 10.1.2.0/24 has no effect.
Does the PIX only check access-lists AFTER routing? Surely this is a bit of a security hole - or am I missing something obvious?
BTW I cannot set anything on the router (outsourced) any config needs to be on the PIX.
Thanks for any relevant pointers!
Labels: Other Network Security Topics

07-23-2002 11:12 AM
From what I understand, the PIX, unlike routers, only examines traffic as it comes in to the interface. So if you are routing traffic in and out of the same interface then it would apply that ACL. That's the reason why you can only do access-group in.
To summarize, the PIX does not work very well as a router.
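The configuration the question describes, written out as an added example rather than anything posted by the thread's participants. The interface name `dmz`, the access-list name `dmz_in` and the router's next-hop address `10.1.0.1` are assumptions; the subnets are the ones given in the question.

```text
! Constructed PIX 6.x-style configuration illustrating the thread (not from the original post)

! Static route returning all 10.1.0.0/16 traffic to the router on the DMZ interface
! (next hop 10.1.0.1 is a placeholder)
route dmz 10.1.0.0 255.255.0.0 10.1.0.1 1

! Access list intended to stop 10.1.1.0/24 from reaching 10.1.2.0/24
access-list dmz_in deny ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list dmz_in permit ip any any

! access-group only accepts the inbound direction on the PIX
access-group dmz_in in interface dmz
```

The point of the thread is that this inbound list does not filter the 10.1.1.0/24 to 10.1.2.0/24 traffic that enters and leaves through the same DMZ interface, so a rule that looks correct on paper gives no protection between those two subnets.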
