Re: deny statement

sunilyk · ‎02-19-2004

Hi All,

Just wanted to clarify the following.

Access-list is applied for the outside interface. Do you suggest to have deny ip any any statement at the end of the access-list?

By default even if this statement is not present. PIX should not allow any other traffic unless and until permitted.

So what is the suggested approach ?

If I don't put deny ip any any at the end of outside interface access-list what are the implecations?

Regards,

Sunil

nkhawaja · ‎02-20-2004

Hi,

there is no need to define a deny ip any any at the end

yes true, pix should not allow any other traffic unless and untill permitted

there is no requirement of putting deny ip any any at the end of the outside interface's access-list

Thanks

Nadeem

support · ‎02-21-2004

nadeem,

would you require adding deny ip any any in inside interface when blocking outgoing traffic? or does the pix also block it unless and until permitted by default?

thanks!

mostiguy · ‎02-22-2004

there is an implicit deny ip any any at the end of ANY access list. if you add an acl to the inside interface, that implicit statement will take effect.

I.e, if you want to block your users from telneting outside;

access-list insideout deny tcp any any eq 23

that will block outbound telnet, but the implicit deny any will block *EVERYTHING*. this is what happens when you apply a ACL.

access-list insideout deny tcp any any eq 23

access-list insideout permit ip any any

this will block telnet with the first line, and allow everything else with the second

nkhawaja · ‎02-22-2004

outbound traffic is permitted by default.

if you put deny ip any any, it will block out every thing. So you should permit the required traffic first and then put deny ip any any (although, once you implement an access-list on a interface, there is an implicit deny at the end, so there is no need of adding it at the end)

Thanks

Nadeem

sunilyk · ‎02-22-2004

Thanks for conirmation Nadeem !

Regards,

Sunil