PIX and ACL on inside interface

jamey
Level 4

Quick PIX question guys.

Say you have the normal inside (Sec100) and outside (Sec0) interfaces. You have an ACL on the outside interface that allows access to an internal mail server or whatever. Now, you also want to restrict what outbound traffic the users on the inside interface can initiate outbound so you create an ACL:

access-list inside_in permit tcp <internal IPs> any eq www
access-list inside_in permit tcp <internal IPs> any eq https
...
access-list inside_in permit tcp <internal IPs> any eq ftp
access-list inside_in permit tcp <internal IPs> any eq ftp-data
access-list inside_in deny ip any any
access-group inside_in in interface inside

What about passive FTP? Even if you have the fixup protocol configured for 21 on the PIX, that doesn't do much for inbound passive FTP data connections from the internal users, does it? Or will the PIX be smart enough to know to allow the client-initiated passive FTP data connections out to the Internet?

TIA


nkhawaja
Cisco Employee

If the client is on the inside and you are permitting FTP through your ACL, fixup should open up the outbound data channel.

Same for an inside FTP server: if you have an ACL that says permit tcp eq 21, fixup should open the inbound data channel.

Thanks

Nadeem
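To make the answer concrete, here is an added example (not from the thread, not Cisco code) that models what the PIX FTP fixup does with the port-21 control channel: it parses the server's 227 "Entering Passive Mode" reply (and the client's PORT command for active mode), derives the data connection that must be opened dynamically, and shows that the static inside_in ACL above would not match that client-to-ephemeral-port connection on its own. The transcript, addresses and port numbers are constructed; the refusal to open a pinhole when the advertised address differs from the control-channel peer is a design choice of this model (it blocks FTP bounce-style abuse), not a claim about the exact PIX implementation.

```python
"""
Model of FTP application inspection ("fixup protocol ftp 21") deriving
data-channel pinholes from the control channel. Added example; all
addresses, ports and the transcript below are constructed.
"""
import re
from dataclasses import dataclass

# h1,h2,h3,h4,p1,p2 as used by both the PORT command and the 227 reply
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

# The static inside_in ACL from the question as (protocol, destination port).
# Everything else falls through to "deny ip any any".
STATIC_PERMITS = {("tcp", 80), ("tcp", 443), ("tcp", 21), ("tcp", 20)}


@dataclass(frozen=True)
class Pinhole:
    """A dynamically permitted TCP data connection, as the fixup would create."""
    src_ip: str
    dst_ip: str
    dst_port: int
    initiated_by: str  # "client" for passive mode, "server" for active mode


def _parse_hostport(text):
    """Return (ip, port) from an h1,h2,h3,h4,p1,p2 tuple, or None if malformed."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    h1, h2, h3, h4, p1, p2 = nums
    return f"{h1}.{h2}.{h3}.{h4}", (p1 << 8) | p2


def derive_pinhole(line, client_ip, server_ip, direction):
    """
    direction is "c2s" for a line the client sent, "s2c" for a server reply.
    Returns the Pinhole the inspection engine would open, or None.
    The advertised host must equal the control-channel peer (assumption of
    this model) so a third host can never be opened up via the negotiation.
    """
    line = line.strip()
    if direction == "c2s" and line.upper().startswith("PORT "):
        parsed = _parse_hostport(line)
        if parsed is None or parsed[0] != client_ip:
            return None
        ip, port = parsed
        # Active mode: server connects from ftp-data (20) to the client's port
        return Pinhole(server_ip, ip, port, "server")
    if direction == "s2c" and line.startswith("227 "):
        parsed = _parse_hostport(line)
        if parsed is None or parsed[0] != server_ip:
            return None
        ip, port = parsed
        # Passive mode: client connects out to the server's advertised port
        return Pinhole(client_ip, ip, port, "client")
    return None


def static_acl_permits(dst_port):
    """Would the static inside_in ACL alone allow an outbound TCP connection?"""
    return ("tcp", dst_port) in STATIC_PERMITS


def outbound_allowed(dst_port, pinholes, client_ip, server_ip):
    """Outbound client connection passes if the static ACL or a pinhole matches."""
    if static_acl_permits(dst_port):
        return True
    return any(p.initiated_by == "client" and p.src_ip == client_ip
               and p.dst_ip == server_ip and p.dst_port == dst_port
               for p in pinholes)


def pinholes_from_transcript(transcript, client_ip, server_ip):
    """Walk a control-channel transcript and collect every pinhole it negotiates."""
    holes = []
    for direction, line in transcript:
        p = derive_pinhole(line, client_ip, server_ip, direction)
        if p is not None:
            holes.append(p)
    return holes


# Constructed control-channel transcript (not captured traffic)
CLIENT, SERVER = "10.1.1.50", "198.51.100.7"
TRANSCRIPT = [
    ("s2c", "220 example FTP ready"),
    ("c2s", "USER anonymous"),
    ("s2c", "331 Password required"),
    ("c2s", "PASS guest@"),
    ("s2c", "230 Logged in"),
    ("c2s", "PASV"),
    ("s2c", "227 Entering Passive Mode (198,51,100,7,195,235)"),  # port 50155
    ("c2s", "RETR file.txt"),
    ("s2c", "150 Opening data connection"),
    ("s2c", "226 Transfer complete"),
]

if __name__ == "__main__":
    holes = pinholes_from_transcript(TRANSCRIPT, CLIENT, SERVER)
    for h in holes:
        print(h)
    print("static ACL alone permits 50155?", static_acl_permits(50155))
    print("allowed with fixup pinhole?", outbound_allowed(50155, holes, CLIENT, SERVER))
```

Running it shows the only pinhole is the client-initiated connection to 198.51.100.7:50155, which the static ACL (www, https, ftp, ftp-data) rejects but the inspection-derived pinhole permits; that is the behaviour Nadeem describes. The active-mode branch shows the mirror case for an inside FTP server, where the pinhole is opened for the server-initiated connection instead.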
