PIX and Router Security Questions

hi all

Here i have 2 things need to confirm for understanding and so the questions are as following:

1. Does NAT trigger first or inbound ACL at external interface trigger first when inbound traffic comming into a router or pix?



2. Does a Pix interface support directional ACL (eg, a ACL for the inbound direction and a ACL for the outbound direction) ?

Thanks you!!!!

1. Does NAT trigger first or inbound ACL at external interface trigger first when inbound traffic comming into a router or pix?

As per my understanding, First ACL will be triggered and then NAT on this.

2. Does a Pix interface support directional ACL (eg, a ACL for the inbound direction and a ACL for the outbound direction) ?

Yes it will support

Dove is right!

Hi,

As far as i understand the question,

The access-list has to be checked first before anything else.

Pix allows only one access-list per interface, unlike a router. That access-list can be configured to handle bi-directional traffic.

this is all "in my humble opinion and knowledge"

please correct me if iam wrong

Can you not assign access-lists to both in & out directions on a single interface ?

yes we can ... but in a PIX we have to configure/design the access-list in such a way that it contains both inbound and outbound statements;

we can't get the;

access-group TEST_LIST in interface outside in

like we get in a router.

we can only use;

access-group TEST_LIST in interface outside

if wrong, please update me