P before D (permit before deny). Unless otherwise specified by the
manual. The old rule used to state "Unless implicitly permitted, it is
denied". Mileage may vary depending on what the manual states. :)
/m
"Luff, Darryl" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
04/06/00 02:14 AM
To: [EMAIL PROTECTED]
cc:
Subject: PIX outbound rules
Hi all, I haven't looked at PIX's before. I'm trying to interpret an
existing configuration. With 'outbound' access lists, is there an implied
'deny all' as per normal IOS access lists? The cisco docs say:
- If there are no 'outbound' access lists, all outbound traffic is allowed
- If there is an access list, the rule that is the best match is used
What happens if there is no match?
eg. If I have:
outbound 1 deny 10.10.0.0 255.255.0.0 0 0
outbound 1 permit 10.10.1.1 255.255.255.255 80 tcp
apply (inside) 1 outgoing_dest
And then try to connect out to 202.2.2.2, does the connection go through
or not?
In the docs Cisco recommend you put a 'deny all' rule first, so it seems
that there is no implied one?
Thanks in advance.
Darryl Luff
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
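An added illustration, not part of the thread: a small Python model of the best-match evaluation the question describes, run over the two outbound rules from the message. The specificity ordering (longest netmask, then an explicit port or protocol) and the no-match default are assumptions, so the default is a parameter and both readings can be tried.

```python
import ipaddress

# Constructed from the two 'outbound 1' lines in the question (not a PIX parser).
# Fields: (action, address, netmask, port, protocol); port 0 and protocol "0"
# mean "any", as in the first rule on the page.
RULES = [
    ("deny",   "10.10.0.0", "255.255.0.0",     0,  "0"),
    ("permit", "10.10.1.1", "255.255.255.255", 80, "tcp"),
]


def _network(rule):
    return ipaddress.ip_network(f"{rule[1]}/{rule[2]}", strict=False)


def matches(rule, dst_ip, dst_port, proto):
    """True if the destination address, port and protocol fall under the rule."""
    _, _, _, port, rproto = rule
    return (ipaddress.ip_address(dst_ip) in _network(rule)
            and (port == 0 or port == dst_port)
            and (rproto == "0" or rproto == proto))


def specificity(rule):
    """Assumed 'best match' ordering: longer mask wins, then explicit port/protocol."""
    return (_network(rule).prefixlen, rule[3] != 0, rule[4] != "0")


def decide(rules, dst_ip, dst_port, proto, default="permit"):
    """Return 'permit' or 'deny' for one outbound connection.

    When no rule matches, `default` applies. Whether the PIX permits or
    denies in that case is exactly what the thread asks, so it is a
    parameter here rather than a hard-coded assumption.
    """
    hits = [r for r in rules if matches(r, dst_ip, dst_port, proto)]
    if not hits:
        return default
    return max(hits, key=specificity)[0]


if __name__ == "__main__":
    for ip, port in (("10.10.1.1", 80), ("10.10.1.1", 443), ("10.10.5.5", 80), ("202.2.2.2", 80)):
        print(ip, port, "->", decide(RULES, ip, port, "tcp"))
```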