Skip to main content

PIX and Router Security Questions

More
17 years 6 months ago #21424 by ccnx
hi all

Here i have 2 things need to confirm for understanding and so the questions are as following:

1. Does NAT trigger first or inbound ACL at external interface trigger first when inbound traffic comming into a router or pix?



2. Does a Pix interface support directional ACL (eg, a ACL for the inbound direction and a ACL for the outbound direction) ?

Thanks you!!!! :)
More
17 years 6 months ago #21440 by Dove

1. Does NAT trigger first or inbound ACL at external interface trigger first when inbound traffic comming into a router or pix?


As per my understanding, First ACL will be triggered and then NAT on this.

2. Does a Pix interface support directional ACL (eg, a ACL for the inbound direction and a ACL for the outbound direction) ?

Yes it will support


Dove
More
17 years 6 months ago #21505 by lavage
Dove is right!
More
17 years 6 months ago #21532 by anti-hack
Hi,

As far as i understand the question,

The access-list has to be checked first before anything else.

Pix allows only one access-list per interface, unlike a router. That access-list can be configured to handle bi-directional traffic.

this is all "in my humble opinion and knowledge"

please correct me if iam wrong
More
17 years 6 months ago #21536 by Smurf
Can you not assign access-lists to both in & out directions on a single interface ?

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
More
17 years 6 months ago #21592 by anti-hack
yes we can ... but in a PIX we have to configure/design the access-list in such a way that it contains both inbound and outbound statements;

we can't get the;

access-group TEST_LIST in interface outside in

like we get in a router.

we can only use;

access-group TEST_LIST in interface outside

if wrong, please update me
Time to create page: 0.191 seconds