AAA PIX - Page 5

By Cisco Press | Posted Oct 10, 2001

For review purposes, look at Figure 4-9 and refer to it while reading the following discussion of the command lines used.

Figure 4-9 PIX outbound command Example

The following line prevents access to all of the 10.200.200.0/24 network from all hosts for all protocols. Note that the PIX uses subnet masks here, not wildcard masks.

    outbound limit_acctg deny 10.200.200.0 255.255.255.0

The following line is an exception to the preceding line. Because of the keyword on the apply statement, the address in the except command is treated as a source address, so the preceding denial of access to the 10.200.200.0 network does not apply to the host with the IP address 10.10.1.51. Because the security level is higher on the network where this computer sits, this computer has access to the whole of the 10.200.200.0 network.

    outbound limit_acctg except 10.10.1.51

The following line allows all hosts on all networks with a higher security level to have access to the host at 10.200.200.66.

    outbound limit_acctg permit 10.200.200.66

The following line allows all hosts on all networks with a higher security level to have access to the host at 10.200.200.67.

    outbound limit_acctg permit 10.200.200.67

The following line applies the access list called limit_acctg to the accounting interface and defines how the except command is interpreted, specifying that the IP addresses within the except command refer to a source address.

    apply (accounting) limit_acctg outgoing_dest
It is important to remember that the order of the outbound statements is not a concern because the PIX uses a best-fit algorithm.
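To make the interaction of deny, permit, except and the apply keyword concrete, here is a small Python model of how the list above decides a flow. This is an added illustration, not Cisco's code and not part of the original article; it assumes that "best fit" means the entry with the longest subnet mask wins regardless of order, that a flow matching no permit or deny entry is permitted, and that a tie between equally specific permit and deny entries goes to deny (all three are modelling assumptions). Port and protocol qualifiers are left out, and the CONFIG text is a constructed copy of the page's five command lines.

```python
"""Model of a PIX outbound list applied with outgoing_dest / outgoing_src.

Added illustration only (not Cisco code).  Assumptions: best fit means
longest-mask match; a flow matching no permit/deny entry is permitted;
ties between equally specific permit and deny entries resolve to deny.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed copy of the configuration discussed on this page.
CONFIG = """
outbound limit_acctg deny 10.200.200.0 255.255.255.0
outbound limit_acctg except 10.10.1.51
outbound limit_acctg permit 10.200.200.66
outbound limit_acctg permit 10.200.200.67
apply (accounting) limit_acctg outgoing_dest
"""


@dataclass
class Entry:
    action: str                  # "permit", "deny" or "except"
    net: ipaddress.IPv4Network   # address plus subnet mask (not a wildcard mask)


def parse_config(text):
    """Return ({list_id: [Entry, ...]}, {interface: (list_id, mode)})."""
    lists, applies = {}, {}
    for line in text.strip().splitlines():
        m = re.match(r"outbound\s+(\S+)\s+(permit|deny|except)\s+(\S+)"
                     r"(?:\s+(\d+\.\d+\.\d+\.\d+))?", line)
        if m:
            list_id, action, ip, mask = m.groups()
            mask = mask or "255.255.255.255"      # no mask given: host entry
            net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
            lists.setdefault(list_id, []).append(Entry(action, net))
            continue
        m = re.match(r"apply\s+\((\S+)\)\s+(\S+)\s+(outgoing_src|outgoing_dest)", line)
        if m:
            iface, list_id, mode = m.groups()
            applies[iface] = (list_id, mode)
    return lists, applies


def decide(lists, applies, interface, src, dst):
    """Return 'permit' or 'deny' for a flow from src to dst via interface."""
    list_id, mode = applies[interface]
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # outgoing_dest: permit/deny entries name destinations, except names sources.
    # outgoing_src: the reverse.
    rule_addr, except_addr = (dst, src) if mode == "outgoing_dest" else (src, dst)
    entries = lists[list_id]
    candidates = [e for e in entries if e.action != "except" and rule_addr in e.net]
    if not candidates:
        return "permit"          # assumption: nothing matched, so not denied
    # Best fit: the most specific entry (longest mask) wins, whatever its order.
    # Ties are broken toward deny (assumption, not stated on the page).
    best = max(candidates, key=lambda e: (e.net.prefixlen, e.action == "deny"))
    if best.action == "permit":
        return "permit"
    # A deny is lifted when an except entry matches the other address of the flow.
    if any(e.action == "except" and except_addr in e.net for e in entries):
        return "permit"
    return "deny"


def page_example():
    """Evaluate a few constructed flows against the page's configuration."""
    lists, applies = parse_config(CONFIG)
    flows = {
        "10.10.1.20 -> 10.200.200.10": ("10.10.1.20", "10.200.200.10"),
        "10.10.1.20 -> 10.200.200.66": ("10.10.1.20", "10.200.200.66"),
        "10.10.1.51 -> 10.200.200.10": ("10.10.1.51", "10.200.200.10"),
        "10.10.1.20 -> 192.168.5.5": ("10.10.1.20", "192.168.5.5"),
    }
    return {name: decide(lists, applies, "accounting", s, d)
            for name, (s, d) in flows.items()}


if __name__ == "__main__":
    for name, verdict in page_example().items():
        print(f"{name}: {verdict}")
```

Running it shows the three behaviours the text describes: a host on the higher-security network is denied the 10.200.200.0/24 network in general, is permitted the two host entries because a host mask is a better fit than the /24 deny, and 10.10.1.51 is permitted everywhere in that network because the except entry matches it as a source under outgoing_dest.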
