Cisco PIX 520 - PIX Firewall 520 Online Help Manual page 116

global pool allows hosts on high security interfaces to initiate connections with hosts on lower security
interfaces. The PIX Firewall will map the inside host's address to an address that the PIX Firewall has
selected from the pool. Once a host has created an outbound connection, the PIX Firewall will maintain a
structure in memory that contains the information describing this address mapping. This structure is called
an xlate and will remain in memory for a period of time. During this time, hosts on the lower security
interfaces will be able to initiate connections to the inside host using the translated address from the pool.
This is why this information appears in the address column.
Interface—Specifies the interface on which an access rule is conifigured and enforced. An interface
column may contain the following:
The name of an interface on your PIX Firewall, such as "inside," which means this rule is applied to
traffic that the PIX Firewall receives from interface "inside."
The name of an interface, plus the keyword outbound enclosed in parentheses, such as
"dmz(outbound)," which means the rule is applied to traffic that the PIX Firewall receives from
interface "dmz" and is destined to a lower security interface. For example, traffic from "dmz" to
"outside."
The name of an interface, plus the keyword inbound enclosed in parentheses, such as
"dmz(inbound)," which means the rule is applied to traffic that the PIX Firewall receives from
interface "dmz" and is destined to a higher security interface. For example, traffic from "dmz" to
"inside." This is only possible for users with a previously configured PIX Firewall that uses a
conduit command for access control. This is irrelevant for users configuring a new PIX Firewall or
with a PIX Firewall that uses the access-list command for access control.
The keyword inbound enclosed in parentheses without any interface name, which means the rule is
applied to traffic the PIX Firewall receives from multiple interfaces, as long as the traffic direction is
from a lower security interface to a higher security interface. For example, this rule may be applied
for traffic from outside to inside, and from dmz to inside. This is only possible for users with a
previously configured PIX Firewall that uses a conduit command for access control. This is
irrelevant for users configuring a new PIX Firewall or with a PIX Firewall that uses the access-list
command for access control.
Service—Specifies the destination network service and its associated protocol that is applicable to
the given rule.
Description—Provides information about the given rule and its associated properties. The
information that displays in this column depends on the rule type. It is not an editable comment field.
If a rule has a source service, port, or port range, it will be displayed in this column. Source
service does not have its own column because it is rarely used.
If a rule is an implicit rule, it will be indicated in this column
The AAA Rules option displays the following fields:
#—A number indicating order of evaluation for the rule. Starts at 1 for each Server Group within
AAA rule action type. The numbering restarts for a new Server Group and also restarts for a new
Action.
Action—Indicates the action that applies to the given rule type. Options are authenticate, do not
authenticate, authorize, do not authorize, account, and do not account.
Source Name/Address—Displays the IP addresses and names of hosts that will be required to
authenticate, will have AAA server-based authorization rules applied, or will be subject to
accounting when connecting to hosts specified in the Destination Name/Address column.
Destination Name/Address—Displays the IP addresses and names of hosts that will be required to