AAA PIX - Page 5
For review purposes, refer to Figure 4-9 while reading the following discussion of the command lines used.
The following line prevents access to all of the 10.200.200.0/24 network from all hosts for all protocols. The PIX uses subnet masks, not wildcard masks.
outbound limit_acctg deny 10.200.200.0 255.255.255.0
The following line is an exception to the preceding line. Because the apply statement uses outgoing_src, the preceding denial of access to the 10.200.200.0 network does not apply to the host with the IP address of 10.10.1.51. Because the security level is higher on the network where this computer sits, this computer has access to the whole of the 10.200.200.0 network.
outbound limit_acctg except 10.10.1.51
The following line allows all hosts on all networks with a higher security level to have access to the host at 10.200.200.66.
outbound limit_acctg permit 10.200.200.66
The following line allows all hosts on all networks with a higher security level to have access to the host at 10.200.200.67.
outbound limit_acctg permit 10.200.200.67
The following line applies the access list called limit_acctg to the accounting interface and makes a definition for the except command, specifying that the IP addresses within the except command refer to a source address.
apply (accounting) limit_acctg outgoing_dest
It is important to remember that the order of the outbound statements is not a concern because the PIX uses a best-fit algorithm.
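The best-fit behavior described above can be checked with a small model of the limit_acctg list. This is an added example, not code from the original page or from Cisco. It assumes outgoing_dest semantics as the apply line gives them (permit and deny entries match the destination, except entries match the source), that best fit means the longest matching prefix, that an except entry only lifts a deny, and that unmatched outbound traffic is allowed; the evaluate function and the sample packets are hypothetical.

```python
import ipaddress

# The page's limit_acctg entries, deliberately shuffled to show that
# order does not change the verdict.
LIMIT_ACCTG = [
    ("permit", "10.200.200.67/32"),
    ("except", "10.10.1.51/32"),
    ("deny", "10.200.200.0/24"),
    ("permit", "10.200.200.66/32"),
]


def evaluate(rules, src, dst):
    """Verdict for one outbound packet under the modelled outgoing_dest rules."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    parsed = [(action, ipaddress.ip_network(net)) for action, net in rules]

    # permit/deny entries are compared with the destination address.
    matches = [(net.prefixlen, action) for action, net in parsed
               if action != "except" and dst in net]
    if not matches:
        return "permit"  # assumption: unmatched outbound traffic is allowed

    # Best fit: the most specific (longest-prefix) entry wins, not the first.
    verdict = max(matches, key=lambda m: m[0])[1]

    # except entries are compared with the source address and lift a deny.
    if verdict == "deny" and any(
            src in net for action, net in parsed if action == "except"):
        return "permit"
    return verdict


if __name__ == "__main__":
    # Constructed sample packets (source, destination).
    for src, dst in [("10.10.1.20", "10.200.200.5"),
                     ("10.10.1.51", "10.200.200.5"),
                     ("10.10.1.20", "10.200.200.66")]:
        print(src, "->", dst, evaluate(LIMIT_ACCTG, src, dst))
```

When auditing a real list, the useful check is the first packet: any host other than 10.10.1.51 reaching an address in 10.200.200.0/24 other than .66 or .67 indicates the deny is not in effect.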