[c-nsp] What's everyone else doing with Pix 7.x

Jeff Kell jeff-kell at utc.edu
Tue Apr 11 14:50:50 EDT 2006


Voll, Scott wrote:
> In 7.x you can apply ACL on a Out bound interface rather than just the
> Inbound on Pix FOS 6.x.  What are others doing with the outbound ACL?
> Just setting the outbound for permit ip any any?

When you do that on inbound traffic (outside to inside) with NAT it lets you play some interesting tricks.  If you have a group of disparate web servers internally, with IPs spread far and wide, you can static NAT them into a common subnet on the outside and apply access rules on "outside in" to the group, then turn around and be more specific as necessary on the "inside out" if the actual inside subnets have their own policies.  

Ironically the group objects in 7.0 essentially let you do the same thing logically, but probably not as efficiently.

Jeff
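
As an added illustration of the arrangement Jeff describes, here is a PIX 7.x configuration fragment; it is not from the original post, and the interface names, addresses, host names and ACL names are made up for the example. Three web servers scattered across unrelated inside subnets are static-NATed into one contiguous outside block (203.0.113.0/28), the "outside in" rule set is written once against that block, and the "inside out" rule set on the inside interface tightens per real host. In 7.x an ACL on the outside interface matches the mapped (translated) addresses while an ACL on the inside interface matches the real addresses, which is what makes the two rule sets line up.

```cisco
interface Ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0

static (inside,outside) 203.0.113.10 10.1.5.20 netmask 255.255.255.255
static (inside,outside) 203.0.113.11 10.27.0.8 netmask 255.255.255.255
static (inside,outside) 203.0.113.12 192.168.200.3 netmask 255.255.255.255

access-list OUTSIDE_IN remark web farm as one mapped /28, regardless of real inside subnets
access-list OUTSIDE_IN extended permit tcp any 203.0.113.0 255.255.255.240 eq 80
access-list OUTSIDE_IN extended permit tcp any 203.0.113.0 255.255.255.240 eq 443
access-group OUTSIDE_IN in interface outside

access-list INSIDE_OUT remark per-host policy on real addresses, applied as the inside interface's outbound ACL
access-list INSIDE_OUT extended permit tcp any host 10.1.5.20 eq 80
access-list INSIDE_OUT extended permit tcp any host 10.27.0.8 eq 80
access-list INSIDE_OUT extended permit tcp any host 10.27.0.8 eq 443
access-list INSIDE_OUT extended permit tcp any host 192.168.200.3 eq 443
access-list INSIDE_OUT extended deny ip any any log
access-group INSIDE_OUT out interface inside

object-group network WEB_SERVERS_MAPPED
 description the same grouping done logically with 7.0 object groups
 network-object host 203.0.113.10
 network-object host 203.0.113.11
 network-object host 203.0.113.12
```

Two things to check after applying this: the outbound ACL on the inside interface sees everything leaving that interface, so traffic from any other interface (a DMZ, a VPN) toward inside hosts is also subject to INSIDE_OUT and needs its own permit lines, and `show access-list` hit counts on both lists are the quickest way to confirm a connection is being matched where you expect. The object-group block is the alternative Jeff mentions: one group referenced in a single access-list line instead of a subnet match.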


