Hi all, these are the answers, I believe, to my recent PIX questions, in case anyone is interested. Many thanks to all those who replied.

1. "The docs say that outgoing connections are allowed by default, does this mean you don't need global/nat lines to enable outgoing connections unless you need the nat?"

No, you need some sort of translation defined:

    global/nat = dynamic translation
    pat        = dynamic translation to a single address
    nat 0      = no translation
    static     = static translation

One or more of the above, and then by default connections are permitted outbound.

2. "If you add a static entry, with no conduit, does the static mapping get used for outgoing connections? Or is 'static' purely for incoming stuff?"

* Conduit is for incoming connections. I think that a static without a conduit will allow outbound connections for the specified internal host as being from the specified outside address. I haven't tried a static without a conduit so I don't know if that's exactly what happens, but it seems reasonable.

* It gets used for outgoing connections. Static is merely a static translation, and carries no implicit direction.

3. "With 'outbound' access lists, is there an implied 'deny all' as per normal IOS access lists? What happens if there is no match with any rule?"

There is not an implied 'deny all'. Processing is 'best match', whereas IOS is 'first match'. This means the entire list is always evaluated on the PIX. If there is no match the traffic is passed.
Two examples:

First:

    outbound 10 deny 192.168.0.0 255.255.0.0 0 0
    outbound 10 except 192.168.1.2 255.255.255.255 0 0
    apply (inside) 10 outgoing_dest

This fragment would:
- Deny connections from ANY to 192.168.x.x on any port
- Allow connections from 192.168.1.2 to ANY
- Allow connections from ANY to anything NOT in the 192.168.x.x range

Second:

    outbound 10 deny 192.168.0.0 255.255.0.0 0 0
    outbound 10 permit 192.168.200.1 255.255.255.252 0 0
    apply (inside) 10 outgoing_dest

And this one would:
- deny connections from ANY to 192.168.x.x
- allow connections from ANY to 192.168.200.1
- allow connections from ANY to anything NOT in the 192.168.x.x range
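To make the "best match, no implicit deny" point in answer 3 concrete, here is a small Python model of how the two 'outbound' fragments above are evaluated. It is an added example, not part of the original post and not Cisco's code: it implements only the behaviour the post describes (every entry is evaluated, the most specific matching entry wins, unmatched traffic is passed) and contrasts it with an IOS-style first-match list that ends in an implicit deny. Two things are assumptions of the model rather than statements from the post: an 'except' entry is compared against the opposite end of the connection (the source address when the list is applied with outgoing_dest), and the protocol field is ignored. The flows checked at the bottom are constructed sample traffic.

```python
"""Toy model of PIX 'outbound' / 'apply' list evaluation, built from the
behaviour described in the post (not Cisco's implementation)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Entry:
    action: str                  # 'permit', 'deny' or 'except'
    net: ipaddress.IPv4Network   # address/mask the entry is compared against
    port: int                    # 0 means any port


# The two fragments from the post, verbatim.
EXAMPLE_ONE = [
    "outbound 10 deny 192.168.0.0 255.255.0.0 0 0",
    "outbound 10 except 192.168.1.2 255.255.255.255 0 0",
    "apply (inside) 10 outgoing_dest",
]
EXAMPLE_TWO = [
    "outbound 10 deny 192.168.0.0 255.255.0.0 0 0",
    "outbound 10 permit 192.168.200.1 255.255.255.252 0 0",
    "apply (inside) 10 outgoing_dest",
]


def parse_outbound(lines):
    """Parse 'outbound <id> <action> <addr> <mask> <port> <proto>' and
    'apply (<if>) <id> outgoing_dest|outgoing_src'. Protocol is ignored here."""
    entries, mode = [], None
    for line in lines:
        parts = line.split()
        if parts[0] == "outbound":
            action, addr, mask, port = parts[2], parts[3], parts[4], parts[5]
            net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
            entries.append(Entry(action, net, int(port)))
        elif parts[0] == "apply":
            mode = parts[-1]           # 'outgoing_dest' or 'outgoing_src'
    return entries, mode


def pix_best_match(entries, mode, src, dst, port):
    """PIX semantics as described in the post: every entry is evaluated, the
    most specific (longest mask) matching entry wins, no match => traffic passes."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    main_addr = dst if mode == "outgoing_dest" else src
    # Assumption of this model: 'except' is matched against the other end of
    # the connection (the source when the list is applied with outgoing_dest).
    other_addr = src if mode == "outgoing_dest" else dst
    best = None
    for e in entries:
        addr = other_addr if e.action == "except" else main_addr
        if addr in e.net and e.port in (0, port):
            if best is None or e.net.prefixlen > best.net.prefixlen:
                best = e
    if best is None:
        return "permit"                # no implied 'deny all'
    return "deny" if best.action == "deny" else "permit"


def ios_first_match(entries, mode, src, dst, port):
    """Contrast: IOS-style list, first matching permit/deny wins and anything
    that matches nothing hits the implicit deny at the end."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    main_addr = dst if mode == "outgoing_dest" else src
    for e in entries:
        if e.action == "except":       # no such keyword in IOS; skipped
            continue
        if main_addr in e.net and e.port in (0, port):
            return e.action
    return "deny"


if __name__ == "__main__":
    # Constructed flows: inside host -> outside host, port
    flows = [("10.1.1.1", "192.168.5.5", 80), ("192.168.1.2", "192.168.5.5", 80),
             ("10.1.1.1", "198.51.100.7", 80)]
    for name, lines in (("first", EXAMPLE_ONE), ("second", EXAMPLE_TWO)):
        entries, mode = parse_outbound(lines)
        for s, d, p in flows:
            print(name, s, "->", d, p, "PIX:", pix_best_match(entries, mode, s, d, p),
                  "IOS-style:", ios_first_match(entries, mode, s, d, p))
```

The last flow is the one to notice from a hardening standpoint: a list containing only deny entries blocks exactly the listed destinations and nothing else on the PIX, whereas the same list read with IOS semantics would block everything unlisted. If the intent is "deny everything except these destinations", the PIX list needs an explicit broad deny plus the more specific permits, as in the second fragment.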
