AAA PIX - Page 3
Now that you know how the command works, look at the effects of the commands. The first two lines of the configuration regarding access lists read:
outbound limit_acctg deny 10.200.200.0 255.255.255.0
outbound limit_acctg except 10.10.1.51
The first outbound command denies all packets from the Class C network at 10.1.1.0. When using the deny and permit forms of the outbound command, you are referring to the destination IP address. You could use the word permit in the example instead of deny, which would allow packets from these IP addresses. The effects of the second line cannot be fully determined until you look at the apply command. However, you can still see that an exception to the previous deny command exists. This exception allows packets associated with the IP address of 10.10.1.51 through the PIX. Here the word associated is used instead of destination or source because whether you are concerned about the source or the destination IP address is actually determined by the apply command. If the apply command specifies a source IP address, the packets from the source used with the outbound command are permitted or denied. If the apply command specifies a destination address, then packets whose destination address matches the IP address used with the outbound command are denied or permitted.
This is a two-step process that requires the administrator to ask two questions. First, look at the outbound command. Is this a permit or deny statement? Next, look at the apply command. Is the apply command concerned with the source or the destination address?
The next two lines are easy to understand. You permit access to the hosts at 10.200.200.66 and 10.200.200.67. At this point, you still have no definition of whether the IP address associated with the except is a source or a destination address; the apply command will resolve this outstanding issue. For review purposes, the two lines follow:
outbound limit_acctg permit 10.200.200.66
outbound limit_acctg permit 10.200.200.67
The apply statement is used to connect an access list with an interface and to define whether IP addresses specified with that access list are source or destination IP addresses. This example of the apply command follows:
apply (accounting) limit_acctg outgoing_dest
In this example, you applied an access list to the interface previously defined as accounting by the nameif command. The access list you connected is the one called limit_acctg. As with a router's access lists, only one access list can be applied in a given direction on any PIX interface.
Because this apply command uses the outgoing_dest parameter, the permit and deny entries in the list refer to destination addresses, and the except entry refers to source packets. The alternative, outgoing_src, would apply the except entry to destination packets instead. The parameter therefore has a distinct effect on the access list: with outgoing_dest, the IP address specified by the except command is a source address.
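The two-question procedure above (is the outbound entry a permit or a deny, and does the apply command name the source or the destination), as an added Python model that is not part of the original text. It assumes that the most specific permit/deny entry wins, which is what lets the permits for 10.200.200.66 and 10.200.200.67 override the broader deny, and that addresses no entry denies are permitted; the parser, the decide function and the sample packets are constructed for illustration.

```python
import ipaddress

# Added example: a model of the two-step outbound/apply logic described above.
# Assumed matching rule: the most specific permit/deny entry (longest netmask)
# wins; an except entry lifts the deny outright; anything no entry denies
# is permitted.

# The page's own configuration, reassembled as constructed sample input.
PAGE_CONFIG = """
outbound limit_acctg deny 10.200.200.0 255.255.255.0
outbound limit_acctg except 10.10.1.51
outbound limit_acctg permit 10.200.200.66
outbound limit_acctg permit 10.200.200.67
apply (accounting) limit_acctg outgoing_dest
"""

def parse_config(text):
    """Return ({list_name: [(action, network), ...]}, {iface: (list, direction)})."""
    lists, applies = {}, {}
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "outbound":
            name, action, ip = parts[1], parts[2], parts[3]
            mask = parts[4] if len(parts) > 4 else "255.255.255.255"  # host entry
            net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
            lists.setdefault(name, []).append((action, net))
        elif parts[0] == "apply":
            applies[parts[1].strip("()")] = (parts[2], parts[3])
    return lists, applies

def decide(config, iface, src, dst):
    """'permit' or 'deny' for a packet leaving iface, per the two questions."""
    lists, applies = parse_config(config)
    name, direction = applies[iface]
    entries = lists[name]
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    # Question 2 (apply): permit/deny test one address, except tests the other.
    if direction == "outgoing_dest":
        rule_addr, except_addr = dst, src
    else:  # outgoing_src
        rule_addr, except_addr = src, dst
    if any(a == "except" and except_addr in n for a, n in entries):
        return "permit"
    # Question 1 (outbound): longest netmask among matching permit/deny wins.
    hits = [(n.prefixlen, a) for a, n in entries if a != "except" and rule_addr in n]
    return max(hits, key=lambda h: h[0])[1] if hits else "permit"

if __name__ == "__main__":
    for s, d in [("10.10.1.20", "10.200.200.10"), ("10.10.1.20", "10.200.200.66"),
                 ("10.10.1.51", "10.200.200.10")]:
        print(s, "->", d, decide(PAGE_CONFIG, "accounting", s, d))
```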