Configure ACLs and Content Filters
PIX Security Appliance ACLs

The configuration of every PIX Security Appliance defaults to an inside interface with a security level of 100 and an outside interface with a security level of 0. The inside network is therefore treated as the most trusted network and the outside network as the least trusted. By default, once address translation is configured, all communications are permitted in the outbound direction, from a higher security level to a lower one. By default, all communications are prohibited in the inbound direction, from a lower security level to a higher one.

ACLs are used to allow traffic arriving at a PIX Security Appliance to flow from a lower security network to a higher security network. ACLs are configured on the PIX Security Appliance in almost exactly the same manner as they are on Cisco routers, so a network administrator who already knows how to configure ACLs on routers can apply that knowledge to the PIX Security Appliance as well. One difference worth remembering: the PIX access-list command takes a normal subnet mask (for example 255.255.255.0), not the inverted wildcard mask (0.0.0.255) that Cisco IOS ACLs use.

The Adaptive Security Algorithm (ASA) inspects every packet of a communication, but an ACL is evaluated only once per connection, for the packet that creates the connection entry; subsequent packets are matched against the connection table. ACLs can restrict traffic in either direction, outbound or inbound. An ACL has no effect until it is bound to an interface with the access-group command. If no ACL is attached to an interface, the following default ASA policy applies:

  • Outbound permitted by default unless explicitly denied
  • Inbound denied by default unless explicitly permitted

ACL Usage Guidelines
The access-list command is used to permit or deny traffic. When configuring ACLs on the PIX Security Appliance to permit and deny traffic, there are certain basic principles and guidelines that a network administrator should follow:

  • Higher to lower security:
    • The ACL is used to restrict outbound traffic. Because every ACL ends with an implicit deny, attaching one to the inside interface replaces the default outbound permit, so any outbound traffic that should still flow must be permitted explicitly.
    • The source address argument of the access-list command is the actual (untranslated) address of the inside host or network.
  • Lower to higher security:
    • The ACL is used to restrict inbound traffic.
    • The destination address argument of the access-list command is the translated global IP address, not the real inside address.
NOTE: ACLs are always checked before translation is performed on the PIX Security Appliance. This is why an inbound ACL must name the global address that outside hosts use to reach a server, while an outbound ACL names the real inside address.
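The following configuration is an added worked example, not part of the original page, showing the access-list and access-group commands described above for both the higher-to-lower and lower-to-higher cases, in PIX 6.x syntax. The interface names, addresses (RFC 5737 and RFC 1918 ranges), ACL names and the web server role are assumptions chosen for illustration.

```cisco
! Interfaces and security levels (defaults: inside 100, outside 0)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 192.0.2.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0

! Outbound translation: inside hosts use a global pool on the outside.
! With translation in place, inside->outside traffic is permitted by the
! default ASA policy until an ACL is attached to the inside interface.
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 192.0.2.10-192.0.2.20 netmask 255.255.255.0

! Static translation for an assumed inside web server 10.1.1.5,
! reachable from the outside as 192.0.2.5
static (inside,outside) 192.0.2.5 10.1.1.5 netmask 255.255.255.255

! Lower-to-higher (inbound) ACL: the destination is the GLOBAL address
! 192.0.2.5, because the ACL is checked before translation.
access-list ACLIN permit tcp any host 192.0.2.5 eq www
access-list ACLIN permit tcp any host 192.0.2.5 eq 443
access-list ACLIN deny ip any any
access-group ACLIN in interface outside

! Higher-to-lower (outbound) ACL: the source is the REAL inside address.
! Note the subnet mask 255.255.255.0 rather than a router-style wildcard.
! The final permit is required: once this ACL is attached, the implicit
! deny replaces the default outbound permit.
access-list ACLOUT deny tcp 10.1.1.0 255.255.255.0 any eq 23
access-list ACLOUT permit ip 10.1.1.0 255.255.255.0 any
access-group ACLOUT in interface inside
```

After applying the configuration, show access-list displays each entry with its hit count, which is the quickest way to confirm that inbound HTTP requests are matching the permit line for the global address and that outbound Telnet is matching the deny line rather than the permit.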

