03-11-2004 11:23 AM - edited 02-20-2020 09:24 PM
For this question, allow me to first set up the scenario...
ACL_out applied to outside interface - allows SMTP to all IP addresses.
ACL_dmz applied to dmz interface - allows SMTP to only a few select machines in the DMZ (implicit deny statement at the end of list).
STATIC commands have been configured for all machines in the DMZ.
Would an SMTP packet from the outside be able to go to any machine in the DMZ (disregard whether the host is listening on port 25), or just those specified by the STATIC commands?
Basically, my question is whether once a packet passes an ACL on one interface (e.g., outside interface), is the packet again processed on the next interface (e.g., DMZ or inside interface), or is it that once the packet passes one of the interfaces, it is sent on to its destination regardless of ACLs applied on the interfaces over which the packet travels?
Thanks.
03-11-2004 02:34 PM
If the packet passes through the outside interface onto the DMZ, the ACL applied to the DMZ interface has no effect.
When a packet first comes into the outside int, the ACL applied to the outside interface is checked (along with the static) and if the packet is permitted, the PIX creates a connection entry for it. The return packets on this connection (coming into the DMZ interface) are allowed to proceed without any further ACL checking.
This is exactly the same for, say, an inside packet going out to the Internet: you don't have to apply an ACL to the outside interface permitting these back in, because a connection has been created.
If you want to limit what DMZ hosts/ports people on the outside can get to, then you do this with your (dmz,outside) statics and your ACL applied to the outside interface. The ACL applied on the DMZ interface is really only for connections initiated on the DMZ interface, which is probably not going to be anything.
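As an added illustration of the placement described in the answer above (this is not configuration from the original post), a PIX 6.x-style fragment showing where the outside-to-DMZ control actually lives versus what ACL_dmz is for; the addresses, the host names in comments and the DNS host are hypothetical:

```cisco
! Hypothetical DMZ mail relay 192.168.1.10, published on the outside as 203.0.113.10
static (dmz,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255 0 0

! Outside -> DMZ control: the static plus the outside ACL decide what gets in.
! On PIX 6.x the outside ACL matches the translated (global) address.
! Only the published mail relay is reachable on SMTP; any other DMZ host is
! denied here, before ACL_dmz is ever consulted (implicit deny at the end).
access-list ACL_out permit tcp any host 203.0.113.10 eq smtp
access-group ACL_out in interface outside

! ACL_dmz is only evaluated for connections *initiated* from the DMZ.
! Hypothetical DMZ DNS server 192.168.1.20 allowed to query outward on 53;
! replies ride the connection entry and are not re-checked by ACL_out.
! Outbound DMZ traffic still needs a nat/global pair (or nat 0) to leave.
access-list ACL_dmz permit udp host 192.168.1.20 any eq domain
access-list ACL_dmz permit tcp host 192.168.1.20 any eq domain
access-group ACL_dmz in interface dmz
nat (dmz) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface

! Verification: after an outside host connects to 203.0.113.10:25,
! "show conn" lists the connection entry; return packets arriving on the
! dmz interface are matched to that entry, not to ACL_dmz.
```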
03-30-2004 06:51 AM
I have the following doubt:
Specifically, sometimes the DNS server wants to communicate with an external DNS server and an internal (inside) DNS server. In this case, how would the ACL in the DMZ work?
Thanks for your response
Sergio