Cisco PIX 520 - PIX Firewall 520 Online Help Manual page 114

Preparing to set up access rules
Before you can designate access and translation rules for your network in the Access Rules tab, you must first
define each host or server for which a rule will apply in the Hosts/Networks tab.
Important Notes
It is important to remember that you cannot define any access rules until static or dynamic NAT has been
configured for the hosts or networks on which you want to permit or deny traffic.
You cannot use unavailable commands until your rule meets certain conditions, such as defining hosts or
networks. Unavailable commands appear dimmed on the Rules menu. For example, Insert Before or Insert After
will be available only after a rule is highlighted. Paste will be available only when a rule has been
copied or cut.
Access rules are listed in sequential order and are applied in the order in which they appear on the Access
Rules tab, and there is an implicit, unwritten rule that denies all traffic that is not permitted. If traffic is not
explicitly permitted by an access rule, it will be denied.
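The ordering behavior described above, as an added example that is not part of the original manual or of PDM. It is a simplified model that ignores NAT and interfaces, assumes the first matching rule decides, and uses hypothetical names (`Rule`, `evaluate`, `shadowed`) with constructed documentation addresses. It evaluates a packet against an ordered rule list and flags rules that can never match because an earlier rule covers them.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:                       # hypothetical model of one access rule
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp", or "ip" (any protocol)
    src: str                      # source network, CIDR
    dst: str                      # destination network, CIDR
    port: Optional[int] = None    # destination port; None means any

def _covers(a, b):
    """True if rule a matches every packet that rule b matches."""
    return (a.proto in ("ip", b.proto)
            and ipaddress.ip_network(b.src).subnet_of(ipaddress.ip_network(a.src))
            and ipaddress.ip_network(b.dst).subnet_of(ipaddress.ip_network(a.dst))
            and (a.port is None or a.port == b.port))

def evaluate(rules, proto, src, dst, port):
    """Walk the list top-down; the first match decides.
    Falling off the end is the implicit deny."""
    pkt = Rule("", proto, f"{src}/32", f"{dst}/32", port)
    for index, rule in enumerate(rules):
        if _covers(rule, pkt):
            return rule.action, index
    return "deny", None

def shadowed(rules):
    """Indexes of rules that an earlier rule fully covers (they never match)."""
    return [j for j, later in enumerate(rules)
            if any(_covers(earlier, later) for earlier in rules[:j])]

# Constructed sample list: the broad deny sits above the specific permit.
RULES = [
    Rule("deny",   "tcp", "0.0.0.0/0", "192.0.2.0/24"),
    Rule("permit", "tcp", "0.0.0.0/0", "192.0.2.10/32", 80),
    Rule("permit", "udp", "0.0.0.0/0", "192.0.2.53/32", 53),
]

if __name__ == "__main__":
    print(evaluate(RULES, "tcp", "198.51.100.7", "192.0.2.10", 80))
    print("shadowed rule indexes:", shadowed(RULES))
```

Moving the specific permit above the broad deny makes the web server reachable and clears the shadowing report.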
On the outside interface, all hosts are visible to hosts on all other interfaces. Hosts on a medium security
interface are, by default, visible to hosts on higher security interfaces, and not visible to hosts on lower
security interfaces unless the appropriate NAT rules have been created.
More Information About Access Rules
Access rules are categorized into two modes—Access Control List mode, which is the default, and Conduit and
Outbound List mode.
If your PIX Firewall currently has a working configuration using either conduit commands, outbound
commands, or access lists, PDM will continue to use your current model. If the PIX Firewall is currently using
conduit commands to control traffic, PDM will add more conduit commands to your configuration as you add
rules. Similarly, if your PIX Firewall is currently configured using access-list commands, the PDM will add more
access-list commands to your configuration as you add rules. If you have a PIX Firewall with no previous
configuration, PDM will add access-list commands to the command-line interface by default. PDM does not
support a mixed configuration with outbound commands or conduit commands and access-list commands.
Conduit and Outbound List mode—A conduit is an exception to the PIX Firewall Adaptive Security
Algorithm by permitting connections from one network interface to access hosts on another. An outbound
list controls Internet use by specifying the following:
Whether inside users can create outbound connections.
Whether inside users can access specific outside servers.
What services are available to inside users for outbound connections and for accessing outside
servers.
The outbound list can be based on the source IP address, the destination IP address, and the destination port
or protocol as specified by the access rules.
Access Control List mode—Access Control List (ACL) mode lets you specify whether your PIX Firewall


This manual is also suitable for:

Pix device manager 1.1
