titan6400 asked:
PIX 6.3: ACLs and Security Levels

I'm reworking my PIX configuration to get rid of conduits in favor of ACLs.

My question is regarding how ACLs and the security levels of the various interfaces interact.

Since every access-list ends with an implicit deny all statement, does this override the fact that higher security interfaces can usually get to lower security interfaces?

For example, if I apply an ACL to my DMZ interface (seclevel 50) permitting access to a server behind my inside interface, will the implicit deny at the end of the ACL prevent things in the DMZ from accessing the Internet (i.e., networks on the outside, seclevel 0 interface)?
SOLUTION by Cyclops3590
(Members-only; solution text not shown.)
ASKER CERTIFIED SOLUTION
(Members-only; solution text not shown.)
Forgot about the translation entries.
BTW, you'll also need
static (dmz,inside) <dmz host ip> <dmz host ip> netmask 255.255.255.255

Of course, I prefer
static (inside,dmz) <inside subnet> <inside subnet> netmask <inside subnet mask>
static (dmz,inside) <dmz subnet> <dmz subnet> netmask <dmz subnet mask>

but that is mostly because I'm lazy and it covers the entire subnet right away instead of doing a lot of static entries to cover individual hosts.
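As an added worked example (not from the thread, and not the members-only solution), here is a PIX 6.3 configuration for the scenario in the question. The point it illustrates: the "higher security can reach lower security" default only applies while no ACL is bound to the interface. Once `access-group` binds an ACL inbound on the dmz interface, every packet entering from the DMZ is matched against that ACL regardless of which interface it is destined for, and the implicit deny at the end drops anything not explicitly permitted. So Internet-bound traffic from the DMZ must be permitted in the same ACL, or the DMZ loses Internet access the moment the ACL is applied. The interface names, security levels, addresses and ports are assumptions constructed for the example; lines starting with `!` are explanatory comments.

```cisco
! Assumed layout (constructed for this example):
!   outside  security 0,   PAT on the outside interface address
!   dmz      security 50,  172.16.1.0/24
!   inside   security 100, 10.1.1.0/24, database server 10.1.1.10 (tcp/1433)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

! Translation entries. Identity statics between inside and dmz, as in the
! comment above, so inside hosts are reachable from the DMZ under their
! real addresses (the static for the inside subnet is what lets a
! lower-security source reach a higher-security destination at all).
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
static (dmz,inside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0

! DMZ and inside both PAT to the outside interface for Internet access.
nat (inside) 1 10.1.1.0 255.255.255.0
nat (dmz) 1 172.16.1.0 255.255.255.0
global (outside) 1 interface

! Inbound ACL on dmz. Order matters: the specific permit to the inside
! server first, then a deny for the rest of the inside subnet, then the
! broad permit that keeps Internet access working. Without the last
! permits, the implicit deny would also drop DMZ -> outside traffic.
access-list dmz_in remark DMZ hosts may reach only the DB port on the inside server
access-list dmz_in permit tcp 172.16.1.0 255.255.255.0 host 10.1.1.10 eq 1433
access-list dmz_in remark Nothing else from the DMZ may reach the inside subnet
access-list dmz_in deny ip 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list dmz_in remark Outbound (DMZ -> outside) must be permitted explicitly
access-list dmz_in permit udp 172.16.1.0 255.255.255.0 any eq domain
access-list dmz_in permit tcp 172.16.1.0 255.255.255.0 any eq www
access-list dmz_in permit tcp 172.16.1.0 255.255.255.0 any eq 443
! implicit: access-list dmz_in deny ip any any

access-group dmz_in in interface dmz
```

To confirm the ACL behaves as intended, watch `show access-list dmz_in`: each entry carries a hit count, so a DMZ host that can reach the DB server but not the Internet will show hits on the first permit and none on the outbound permits, while the matching `%PIX-4-106023` "Deny ... by access-group dmz_in" syslog messages identify exactly which flows the implicit deny is dropping. Also keep in mind that the deny for the inside subnet is placed before the `permit ... any` lines deliberately; swapping that order would expose the whole inside subnet to the DMZ, since `any` includes it.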