
Order of access lists

Status
Not open for further replies.

dayron (IS-IT--Management, US), Jun 3, 2002
Hello,
Currently we use a PIX 501. I have access lists set up to control inbound traffic, but all inside > out traffic flows freely. I want to restrict what traffic is allowed out of our company. My concern is the order in which Cisco applies access lists. How does a PIX process which access list gets priority over the other? If I were to throw in a rule blocking all outbound traffic then a rule opening just specific ports to specific hosts, will this work or will the deny all rule override the new ones I add? I hope I'm clear. Maybe someone knows a better way of asking :)
 
The ACLs are processed top-down, so if your first rule denies all traffic then everything is blocked. So generally apply the most specific matches first (host addresses), then wider matches (subnet). Also the ACL has an implicit deny at the end, so if the traffic is not matched in the list it's dropped anyway.

The PIX ACL works on traffic inbound to the interface, so keep this in mind when designing the list.

Best way is to use Notepad: the first line removes the existing ACL, and subsequent lines apply the ACL in the order you want. Also remember that when you remove the ACL you remove the statement that applies it to the interface as well.

E.g. in Notepad:

no access-list 120
access-list 120 permit tcp host n.n.n.n host x.x.x.x eq smtp
access-list 120 permit tcp host n.n.n.n any eq ftp
access-list 120 deny ip any any

access-group 120 in interface inside
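To make the ordering point concrete, here is a small first-match evaluator for PIX-style extended ACL lines; it is an added example, not code from the thread or from Cisco. The inside host 10.1.1.5, the mail relay 203.0.113.25 and the two sample flows are constructed values, and only `host`/`any` addresses with `tcp`/`udp`/`ip` protocols are handled, which is all the reply's ACL needs.

```python
PORTS = {"smtp": 25, "ftp": 21, "http": 80}   # the only port names this toy resolves

def parse_rule(line):
    """Parse 'access-list N action proto src dst [eq port]'; addresses are 'host x' or 'any'."""
    t = line.split()
    action, proto, i = t[2], t[3], 4
    def addr():
        nonlocal i
        if t[i] == "any":
            i += 1
            return None            # None = wildcard
        i += 2
        return t[i - 1]            # 'host x' -> x
    src, dst = addr(), addr()
    port = None
    if i < len(t) and t[i] == "eq":
        name = t[i + 1].lower()    # PIX keywords are lowercase (smtp, ftp, ...)
        port = PORTS[name] if name.isalpha() else int(name)
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}

def matches(rule, flow):
    """A rule matches when every non-wildcard field equals the flow's."""
    if rule["proto"] != "ip" and rule["proto"] != flow["proto"]:
        return False
    for k in ("src", "dst"):
        if rule[k] is not None and rule[k] != flow[k]:
            return False
    return rule["port"] is None or rule["port"] == flow["dport"]

def evaluate(acl, flow):
    """Top-down, first match wins; falling off the end is the implicit deny."""
    for rule in map(parse_rule, acl):
        if matches(rule, flow):
            return rule["action"]
    return "deny (implicit)"

# The reply's ACL in the intended order (constructed addresses) ...
SPECIFIC_FIRST = [
    "access-list 120 permit tcp host 10.1.1.5 host 203.0.113.25 eq smtp",
    "access-list 120 permit tcp host 10.1.1.5 any eq ftp",
    "access-list 120 deny ip any any",
]
# ... and the ordering the original poster worried about: deny-all on top.
DENY_FIRST = SPECIFIC_FIRST[2:] + SPECIFIC_FIRST[:2]
SMTP_OUT = {"proto": "tcp", "src": "10.1.1.5", "dst": "203.0.113.25", "dport": 25}
WEB_OUT = {"proto": "tcp", "src": "10.1.1.7", "dst": "203.0.113.80", "dport": 80}

if __name__ == "__main__":   # same flow, two orders: 'permit' then 'deny'
    print([evaluate(a, SMTP_OUT) for a in (SPECIFIC_FIRST, DENY_FIRST)])
```

With the deny-all first, the mail flow is dropped before the permit is ever consulted; with the permits first, the unmatched web flow still ends at the explicit deny, and without that line it hits the implicit one.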

 
Just going to throw this out there as another way to do it. Depending on what kind of device you have on the inside interface of the PIX (router or layer 3 switch), you could also put your access lists there as well.

I have found this to be fairly easy since you can use standard router ACLs.
 