Hi Darryl,
IOS access lists are not related to PIX Outbound lists; the two are very different.
There is not an implied 'deny all'. Processing is 'best match', whereas IOS is 'first
match'. This means the entire list is always evaluated on the PIX.
At 07:14 PM 04/06/2000 +1000, Luff, Darryl wrote:
>Hi all, I haven't looked at PIX's before. I'm trying to interpret an
>existing configuration. With 'outbound' access lists, is there an implied
>'deny all' as per normal IOS access lists? The cisco docs say:
>
>- If there are no 'outbound' access lists, all outbound traffic is allowed
>- If there is an access list, the rule that is the best match is used
>
>What happens if there is no match?
>
>e.g. If I have:
>outbound 1 deny 10.10.0.0 255.255.0.0 0 0
>outbound 1 permit 10.10.1.1 255.255.255.255 80 tcp
>apply (inside) 1 outgoing_dest
>
>And then try to connect out to 202.2.2.2, does the connection go through or
>not?
>
>In the docs Cisco recommend you put a 'deny all' rule first, so it seems
>that there is no implied one?
That is correct; there is no implicit deny in the PIX outbound lists.
>Thanks in advance.
>
>Darryl Luff
>
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]
Hope that helps,
Lisa Napier
Product Security Incident Response Team
Cisco Systems
http://www.cisco.com/warp/public/707/sec_incident_response.shtml
PGP: A671 782D 2926 B489 F81A 3D5E B72F E407 B72C AF1F
ID: 0xB72CAF1F, DH/DSS 2048/1024
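The difference Lisa describes (PIX outbound lists: best match across the whole list, no implicit deny; IOS access lists: first match, implicit deny) can be seen by running Darryl's three-line configuration through both evaluation models. The following is an added illustration written for this thread, not code from Cisco or from either poster. It assumes, as a model of "best match", that the most specific matching entry wins (longest mask first, then an explicit port or protocol over a wildcard); the page itself only states that the best match is used, so that tie-break rule is an assumption of the example. The sample lookups are constructed.

```python
"""Model IOS 'first match' vs PIX outbound 'best match' on Darryl's example list.

Assumption (not from the thread): 'best match' is resolved as the most specific
matching entry, i.e. longest netmask, then explicit port, then explicit protocol.
"""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Entry:
    action: str                       # "permit" or "deny"
    network: ipaddress.IPv4Network    # address + netmask from the outbound line
    port: int                         # 0 = any port (as in the quoted config)
    proto: str                        # "0" = any protocol, else e.g. "tcp"


def parse_outbound(line: str) -> Entry:
    """Parse 'outbound <id> permit|deny <addr> [<mask> [<port> [<proto>]]]'."""
    parts = line.split()
    if len(parts) < 4 or parts[0] != "outbound":
        raise ValueError(f"not an outbound entry: {line!r}")
    action = parts[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in: {line!r}")
    mask = parts[4] if len(parts) > 4 else "255.255.255.255"
    port = int(parts[5]) if len(parts) > 5 else 0
    proto = parts[6] if len(parts) > 6 else "0"
    network = ipaddress.IPv4Network(f"{parts[3]}/{mask}", strict=False)
    return Entry(action, network, port, proto)


def matches(entry: Entry, dst: str, port: int, proto: str) -> bool:
    """True if the entry covers this destination address, port and protocol."""
    return (ipaddress.IPv4Address(dst) in entry.network
            and entry.port in (0, port)
            and entry.proto in ("0", proto))


def first_match(entries: List[Entry], dst: str, port: int, proto: str) -> str:
    """IOS-style: walk the list in order, stop at the first hit, implicit deny."""
    for entry in entries:
        if matches(entry, dst, port, proto):
            return entry.action
    return "deny"


def best_match(entries: List[Entry], dst: str, port: int, proto: str) -> str:
    """PIX outbound model: evaluate every entry, most specific hit wins,
    and a connection with no matching entry is permitted (no implicit deny)."""
    hits = [e for e in entries if matches(e, dst, port, proto)]
    if not hits:
        return "permit"
    # Specificity key: longest mask, then explicit port, then explicit protocol.
    best = max(hits, key=lambda e: (e.network.prefixlen, e.port != 0, e.proto != "0"))
    return best.action


# Darryl's list, as quoted in the thread.
DARRYL_LIST = [
    parse_outbound("outbound 1 deny 10.10.0.0 255.255.0.0 0 0"),
    parse_outbound("outbound 1 permit 10.10.1.1 255.255.255.255 80 tcp"),
]

# Constructed lookups: (destination, port, protocol).
SAMPLE_CONNECTIONS = [
    ("202.2.2.2", 80, "tcp"),   # Darryl's question: matches nothing
    ("10.10.1.1", 80, "tcp"),   # matches both entries
    ("10.10.1.1", 443, "tcp"),  # matches only the /16 deny
    ("10.10.5.5", 25, "tcp"),   # matches only the /16 deny
]


def compare(entries: List[Entry], dst: str, port: int, proto: str) -> dict:
    """Return both verdicts for one connection, for side-by-side inspection."""
    return {
        "ios_first_match": first_match(entries, dst, port, proto),
        "pix_best_match": best_match(entries, dst, port, proto),
    }


if __name__ == "__main__":
    for dst, port, proto in SAMPLE_CONNECTIONS:
        verdicts = compare(DARRYL_LIST, dst, port, proto)
        print(f"{dst}:{port}/{proto:<4} IOS-style={verdicts['ios_first_match']:<6} "
              f"PIX-style={verdicts['pix_best_match']}")
```

The first lookup is the one Darryl asked about: 202.2.2.2 matches neither entry, so under the PIX outbound semantics Lisa describes it is permitted, while an IOS-style list would drop it. The second lookup shows why order does not matter on the PIX: the /32 permit is the better match even though the /16 deny is listed first. This is the reason the docs tell you to add an explicit "deny all" entry if you want default-deny behaviour.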