Bill,

In reference to your other questions

> 2) Conceptual questions on PIX (I am learning PIX in a lab environment)
>
>  a) Will a higher-security interface always be able to initiate
> connections to a lower-security interface without configuration of an
> access-list, etc.? So, with a PIX consisting of 8 interfaces, will e7
> (DMZ with security 70) be able to initiate a connection to e5 (DMZ with
> security 50) but not the other way around?

The thing to remember about PIXes is that to go from a higher to a lower
security level interface you require NAT (whether it is dynamic or static),
and to go from a lower to a higher security level interface you need a static
translation and a conduit or access-list allowing the traffic.

So e7 will be able to communicate with e5 if there is NAT, but for hosts on
e5 to communicate with e7 you will need a static and conduits/ACLs.

> 
>  b) access-list 101 permit tcp any host 175.1.1.254
>     access-list 101 deny tcp any host 175.1.1.254 eq www
>
> What is the effect of the above access list in regards to www traffic?

Remember that ACLs work in a sequential way. So in regards to yours:
all TCP traffic will be allowed to pass through with any source IP address
to 175.1.1.254 specifically; the second line is denying any www (port 80),
however, your previous statement has allowed this traffic already, so this
'policy' will never be matched.

So, web traffic to 175.1.1.254 will be allowed. If it's not behaving the way
you think it should, remember there is an implicit deny ip any any at the
end of any access-list, and that you need a static translation to go from a
lower to a higher security level interface.

> 
>  c) access-list 1 deny tcp host 10.0.1.2
>
> This access-list is applied to interface e1 (ip: 10.0.1.1) and thus I
> expect that 10.0.1.2 cannot initiate any communications. However, it could
> reach internet websites. When I used the same command but with an 'eq www'
> at the end, the access-list worked and denied the host access to the web.
> Why is that? I was under the impression that my access-list would simply
> deny all traffic, which would normally be the case on a router, but this
> seems to be working differently on a PIX.

Not too sure on this one and no time to investigate... perhaps someone else
can answer.

Adios, Brian




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=63245&t=63226
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
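Added example, not part of Brian's reply or the list thread: a small Python model of PIX-style first-match access-list evaluation with the implicit deny at the end. It reproduces the point made about question b), that the second line of access-list 101 can never match because the first line already covers it, and adds a shadowed-entry check a reviewer can run over an ACL before deploying it. The parser handles only a constructed subset of ACE syntax (permit/deny; tcp/udp/ip; any, host, or network plus mask; optional `eq` port); the function names (`evaluate`, `shadowed_aces`), the reordered ACL and the 192.0.2.x source addresses are this example's own assumptions.

```python
"""Model of PIX first-match ACL evaluation (added example, constructed subset
of the real syntax). Not the PIX implementation; for reasoning about order."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22,
              "telnet": 23, "smtp": 25, "domain": 53}


@dataclass
class ACE:
    action: str                       # "permit" or "deny"
    proto: str                        # "tcp", "udp" or "ip" (ip matches all)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]               # destination port from "eq", else None


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX ACLs use normal subnet masks (not router-style wildcard masks)
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line: str) -> ACE:
    """Parse one 'access-list <id> permit|deny <proto> <src> <dst> [eq <port>]'."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    action, proto = t[2], t[3]
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    port = None
    if i < len(t) and t[i] == "eq":
        name = t[i + 1]
        port = PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return ACE(action, proto, src, dst, port)


def matches(ace: ACE, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
    """True if a packet (proto, src, dst, dport) is covered by this ACE."""
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ipaddress.ip_address(src) not in ace.src:
        return False
    if ipaddress.ip_address(dst) not in ace.dst:
        return False
    if ace.port is not None and ace.port != dport:
        return False
    return True


def evaluate(acl: List[ACE], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First matching ACE wins; returns (action, index). No match means the
    implicit 'deny ip any any' at the end of every access-list."""
    for idx, ace in enumerate(acl):
        if matches(ace, proto, src, dst, dport):
            return ace.action, idx
    return "deny", None


def shadowed_aces(acl: List[ACE]) -> List[int]:
    """Indexes of ACEs that can never match because an earlier ACE already
    covers every packet they would match (a conservative superset check)."""
    out = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            if (earlier.proto in ("ip", later.proto)
                    and later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)
                    and (earlier.port is None or earlier.port == later.port)):
                out.append(j)
                break
    return out


# The ACL from question b), exactly as posted
ACL_101 = [parse_ace(l) for l in (
    "access-list 101 permit tcp any host 175.1.1.254",
    "access-list 101 deny tcp any host 175.1.1.254 eq www",
)]

# Constructed reordering: the specific deny must precede the broad permit
ACL_101_REORDERED = [parse_ace(l) for l in (
    "access-list 101 deny tcp any host 175.1.1.254 eq www",
    "access-list 101 permit tcp any host 175.1.1.254",
)]


def demo() -> dict:
    """Evaluate a few constructed flows (source 192.0.2.10 is a test address)."""
    return {
        "www_as_posted": evaluate(ACL_101, "tcp", "192.0.2.10", "175.1.1.254", 80),
        "ssh_as_posted": evaluate(ACL_101, "tcp", "192.0.2.10", "175.1.1.254", 22),
        "udp_dns_as_posted": evaluate(ACL_101, "udp", "192.0.2.10", "175.1.1.254", 53),
        "shadowed_as_posted": shadowed_aces(ACL_101),
        "www_reordered": evaluate(ACL_101_REORDERED, "tcp", "192.0.2.10", "175.1.1.254", 80),
        "shadowed_reordered": shadowed_aces(ACL_101_REORDERED),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

As posted, web traffic to 175.1.1.254 matches line 0 (permit) and the deny on line 1 is reported as shadowed; UDP to the same host matches nothing and falls through to the implicit deny. With the deny placed first, port 80 is dropped and every other TCP port still hits the permit, and no entry is shadowed. Run the shadow check over any ACL where a later, more specific deny sits below a broader permit.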