The configuration of every PIX Security Appliance defaults to an
inside interface with a security level of 100 and an outside interface with a
security level of 0. Nothing is more trusted than the internal network, and
nothing less trusted than the external network. By default, once address
translation is configured, all communications are permitted in an outbound
direction, from a higher security level to a lower one. By default, all
communications are prohibited in an inbound direction, from a lower security
level to a higher one.
ACLs are the mechanism for permitting traffic arriving at a PIX
Security Appliance to flow from a lower security network to a higher security
network, which the default policy would otherwise drop; they can also be used
to restrict the outbound traffic that the default policy would permit.
ACLs are
configured on the PIX Security Appliance in almost the same manner as
they are on Cisco routers. This means that a network administrator who is
already familiar with how to configure ACLs on routers can apply that
knowledge to the PIX Security Appliance as well. One difference to keep in
mind: the PIX access-list command takes ordinary subnet masks (for example
255.255.255.0), not the inverted wildcard masks used in IOS ACLs.
The Adaptive Security Algorithm (ASA) check applies to every packet of a
communication. ACLs are only evaluated once per connection, on the packet that
creates the connection; return traffic for an established connection is
permitted by the ASA without a further ACL lookup. ACLs can be applied on
either the inside or the outside interface. Once an ACL is configured, it is
activated by binding it to an interface with the access-group command. If no
ACL is attached to an interface, the following default ASA policy applies:
- Outbound permitted by default unless explicitly denied
- Inbound denied by default unless explicitly permitted
ACL Usage Guidelines
The access-list
command is used to permit or deny traffic. When configuring ACLs on the PIX
Security Appliance to permit and deny traffic, there are certain basic
principles and guidelines that a network administrator should follow:
- Higher to lower security:
  - The ACL is used to restrict outbound traffic.
  - The source address argument of the access-list command
    is the actual (untranslated) address of the inside host or network.
- Lower to higher security:
  - The ACL is used to permit or restrict inbound traffic.
  - The destination address argument of the access-list
    command is the translated global IP address, that is, the address the
    outside world sees (for a server, the global address given in its static
    translation), not the real inside address.
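The following PIX 6.x configuration is an added example written for this page; it is not taken from Cisco documentation, and the addresses (192.0.2.0/24 outside, 10.1.1.0/24 inside), the ACL names OUTSIDE_IN and INSIDE_OUT, and the assumption of a single web server at 10.1.1.20 are all illustrative. It puts both guidelines above into practice: an inbound ACL on the outside interface whose destination is the server's global address from the static command, and an outbound ACL on the inside interface whose source is the real inside network. Lines beginning with a colon are comments for the reader.

```cisco
: Interface security levels: outside is least trusted, inside most trusted
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 192.0.2.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0

: Outbound translation: inside hosts share one global address (PAT)
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 192.0.2.10

: Inbound translation: the web server 10.1.1.20 is reachable as 192.0.2.20
static (inside,outside) 192.0.2.20 10.1.1.20 netmask 255.255.255.255

: Lower to higher security. The destination is the translated (global)
: address 192.0.2.20, because the ACL is checked before untranslation.
: Only HTTP and HTTPS are opened; the final deny makes the implicit deny
: explicit so that hit counts are visible in show access-list.
access-list OUTSIDE_IN permit tcp any host 192.0.2.20 eq www
access-list OUTSIDE_IN permit tcp any host 192.0.2.20 eq 443
access-list OUTSIDE_IN deny ip any any
access-group OUTSIDE_IN in interface outside

: Higher to lower security. The source is the real inside network,
: written with a subnet mask (not an IOS-style wildcard mask).
: Telnet to the outside is denied; everything else keeps the default
: outbound permission. Without this ACL all outbound traffic is allowed.
access-list INSIDE_OUT deny tcp 10.1.1.0 255.255.255.0 any eq telnet
access-list INSIDE_OUT permit ip 10.1.1.0 255.255.255.0 any
access-group INSIDE_OUT in interface inside
```

Two points worth checking after entering a configuration like this: access-group replaces any ACL previously bound to that interface, so binding INSIDE_OUT silently removes the default permit-all outbound behaviour for anything the ACL does not explicitly permit; and because ACL entries are processed in order with first match winning, the deny for Telnet must precede the permit ip line or it never takes effect.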
NOTE:
ACLs are always checked before translation is performed on the PIX
Security Appliance. For inbound traffic this means the ACL sees the packet's
global destination address, which is why the inbound guideline above refers to
the translated address. This describes PIX 6.x behaviour; from ASA software
release 8.3 onward, ACLs are written against real, untranslated addresses.