
PIX and Router Security Questions

17 years 2 days ago #21607 by semper
The PIX (Pre 7.0 series code anyways) only supports access-lists on inbound traffic to an interface. However, if you want to filter what internal hosts can access on the outside then all you do is place an access-list on the inside interface and that serves the same purpose of using ingress/egress filtering.

For example: If I only wanted my internal hosts to be able to access websites on the Internet I would use the following access-lists.

access-list inside-outbound permit udp any any eq 53
access-list inside-outbound permit tcp any any eq www
access-list inside-outbound permit tcp any any eq https
access-group inside-outbound in interface inside

That access-list would allow DNS queries to external DNS servers (you wouldn't need to allow internal clients external DNS access if you have an internal DNS server though), allow http (port 80) and https (port 443) traffic to the Internet, and deny everything else from the internal network outbound.

Now if you had a DMZ interface, VPN tunnel(s) or had a large network and you needed certain hosts to have more/less access to external resources then that access-list would obviously get more complicated.
16 years 11 months ago #21862 by ccnx
:D

Thank you guys for all the replies. The actual checking sequence, as I found out from the Cisco website, is at
www.cisco.com/en/US/tech/tk648/tk361/tec...186a0080133ddd.shtml

Also, ACL on PIX is uni-directional.
16 years 11 months ago #21877 by Smurf
[quote]Also, ACL on PIX is uni-directional.[/quote]

Thought it was; it's similar to a router and can assign a single access-list in and also a single access-list out, at the same time.

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
16 years 11 months ago #21899 by semper

[quote]Also, ACL on PIX is uni-directional.

Thought it was; it's similar to a router and can assign a single access-list in and also a single access-list out, at the same time.[/quote]


At least on the pre 7.0 code you can not specify an outbound access-list on an interface, only inbound. However, you can filter outbound traffic by placing ingress access-lists on your inside interface.

For example: If you want to allow your internal network to have only http access you could do:

access-list inside_out permit tcp any any eq 80
access-group inside_out in interface inside


You can't specify something like "access-group inside_out out" like you can on a router. The PIX won't let you. Basically each interface can only have a single access-list attached to it and can only filter ingress.

If you want to play around with it I'll set up a test network at my house and give you remote telnet access to a console port on a PIX. :D
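As an added example (not from this thread and not Cisco's code), here is a small Python model of the rule semper describes in both of his posts: an ACL bound with "in" on the inside interface is walked first-match with the implicit deny at the end, so anything not listed is dropped outbound, and an access-group line using "out" is rejected the way pre-7.0 code would. The ACL lines are the ones from the first post; the interface name, the sample addresses and the port-name table are assumptions.

```python
import re

# Constructed sample: the ACL from the first post, bound inbound on the inside interface
PIX_CONFIG = """
access-list inside-outbound permit udp any any eq 53
access-list inside-outbound permit tcp any any eq www
access-list inside-outbound permit tcp any any eq https
access-group inside-outbound in interface inside
"""

PORT_NAMES = {"www": 80, "https": 443, "domain": 53, "smtp": 25, "telnet": 23}  # assumed subset
ACE_RE = re.compile(r"access-list (\S+) (permit|deny) (tcp|udp|ip) (any|host \S+) (any|host \S+)(?: eq (\S+))?$")
GROUP_RE = re.compile(r"access-group (\S+) (in|out) interface (\S+)$")

def binding_accepted(line):
    """Pre-7.0 PIX accepts access-group only with the 'in' keyword (as stated in the thread)."""
    m = GROUP_RE.match(line.strip())
    return bool(m) and m.group(2) == "in"

def parse_pix(config):
    """Return ({acl_name: [ACEs in order]}, {interface: acl_name}); rejects 'out' bindings."""
    acls, bindings = {}, {}
    for line in (l.strip() for l in config.strip().splitlines()):
        m = ACE_RE.match(line)
        if m:
            name, action, proto, src, dst, port = m.groups()
            port = None if port is None else int(PORT_NAMES.get(port, port))
            acls.setdefault(name, []).append((action, proto, src, dst, port))
        elif line.startswith("access-group"):
            if not binding_accepted(line):
                raise ValueError("pre-7.0 PIX: access-group accepts only 'in': " + line)
            m = GROUP_RE.match(line)
            bindings[m.group(3)] = m.group(1)
    return acls, bindings

def addr_matches(spec, addr):
    return spec == "any" or spec == "host " + addr

def permitted(acls, bindings, iface, proto, src, dst, dport):
    """Evaluate a flow ENTERING iface: first matching ACE wins, implicit deny at the end."""
    if iface not in bindings:
        return True  # assumption: no ACL bound, higher-to-lower security default (inside -> outside)
    for action, a_proto, a_src, a_dst, a_port in acls.get(bindings[iface], []):
        if a_proto in ("ip", proto) and addr_matches(a_src, src) and addr_matches(a_dst, dst) \
                and (a_port is None or a_port == dport):
            return action == "permit"
    return False  # implicit deny: everything the ACL does not list is dropped outbound

if __name__ == "__main__":
    acls, bindings = parse_pix(PIX_CONFIG)
    for proto, port in (("tcp", 80), ("tcp", 443), ("udp", 53), ("tcp", 25), ("tcp", 22)):
        verdict = permitted(acls, bindings, "inside", proto, "10.0.0.5", "203.0.113.10", port)
        print(proto, port, "permit" if verdict else "deny")
```

Run as-is it prints the verdict for web, DNS, SMTP and SSH flows leaving the inside interface; only the three listed services come back as permit.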
16 years 11 months ago #21914 by Smurf
On version 7 of the code, you can apply an access-list to an interface for both in & out. I always thought that you could also do this in version 6 of the Pix Code. I will do some digging on that.
