Security Levels and Access Lists

andrew.burns
Level 1

I have DMZ1 (security50) which needs access to DMZ2 (security20). However, for this access to work I need to modify the access-list which controls access from DMZ1 to Inside (security 100). My understanding was that you only needed access-list statements for access from low-to-high not high-to-low.

Have I simply misunderstood this?

Accepted Solution

mhoda
Level 5

Andrew,

In general what you are saying is true. This is how the PIX is designed. But, once you apply the ACL on the higher security interface, whether it's inside or dmz, that default behavior is no longer there. In that case, you need to explicitly allow the traffic from higher to lower. So, this is the flexibility we as security engineers have to control our traffic from our strictly secured LAN. Although we know that inside is always secured, an ACL can be applied to control which traffic is allowed to the outside or dmz. Your case is a classic example of why you need an ACL from a higher to a lower security interface.

I hope this helps! Thanks,

Mynul
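The behaviour Mynul describes, shown as an added configuration example that is not from the thread: the moment an access-group binds a list to dmz1, the list's implicit deny replaces the default high-to-low permit, so the DMZ1-to-DMZ2 flow has to be permitted explicitly. Interface names, subnets, ports and the ACL name DMZ1_IN are assumed; the syntax is PIX 7.x / ASA.

```cisco
! Added example, not from the original post. Interface names, addresses,
! ports and the ACL name are assumed.
interface Ethernet1
 nameif inside
 security-level 100
interface Ethernet2
 nameif dmz1
 security-level 50
interface Ethernet3
 nameif dmz2
 security-level 20
!
! Step 1 (the situation in the question): an ACL written only to restrict
! DMZ1 -> Inside. As soon as it is bound to dmz1, it is the ONLY thing
! consulted for traffic entering dmz1, so DMZ1 -> DMZ2 (50 -> 20) no longer
! gets the default permit and falls through to the implicit deny.
access-list DMZ1_IN extended permit tcp 10.1.50.0 255.255.255.0 host 10.1.100.10 eq 1433
access-group DMZ1_IN in interface dmz1
!
! Step 2 (the fix): add an explicit permit for the DMZ1 -> DMZ2 flow.
! New entries append to the end of the list, so they still sit above the
! implicit deny; use "access-list DMZ1_IN line <n> ..." to place an entry
! higher if the list already ends with an explicit deny.
access-list DMZ1_IN extended permit tcp 10.1.50.0 255.255.255.0 10.1.20.0 255.255.255.0 eq 443
!
! Optional: make the implicit deny explicit with logging, so any other
! high-to-low flow that silently stopped working after the ACL was applied
! shows up in syslog instead of disappearing.
access-list DMZ1_IN extended deny ip any any log
!
! Checks (ASA 7.2+): hit counts per entry, and a simulated DMZ1 -> DMZ2
! packet showing which ACL entry it matches.
! show access-list DMZ1_IN
! packet-tracer input dmz1 tcp 10.1.50.10 40000 10.1.20.10 443
```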


2 Replies


Thanks for the reply - I suspected as much (i.e. that the default behaviour changes after applying an access-list) but it doesn't appear to be documented anywhere. It's nice to know that it's by design!

Andrew.