Outbound ACL

PIX OS 7.0 provides more granular access control by allowing both "incoming at interface" and "outgoing at interface" access policies to be configured.

The out keyword is used with the access-group command. It identifies an access policy (access-list) that applies to traffic leaving the specified interface. Because outbound filtering can replace several inbound access-lists on other interfaces, the out keyword can reduce the number of commands in a configuration and make its logic easier to interpret.

To bind an access-list to an interface, use the access-group command in global configuration mode. To unbind an access-list from the interface, use the "no" form of this command.

access-group access-list {in | out} interface interface_name [per-user-override]
no access-group access-list {in | out} interface interface_name

Example 3-4 shows how to define an access-list and apply it in the outbound direction on the outside interface.

Example 3-4. Using an Outbound ACL

PIX# configure terminal
PIX(config)#
PIX(config)# names
PIX(config)# name user_net 10.1.1.0
PIX(config)# name dev_net 20.1.1.0
PIX(config)# name 24mask 255.255.255.0
. . .
PIX(config)# access-list acl_outbound permit tcp user_net 24mask any eq 80
PIX(config)# access-list acl_outbound deny tcp dev_net 24mask any
. . .
PIX(config)# access-group acl_outbound out interface outside
. . .

Note

The per-user-override option allows downloaded access-lists to override the access-list applied to the interface. If the per-user-override optional argument is not present, PIX preserves the existing filtering behavior.

The per-user access list is governed by the timeout value specified by the uauth option of the timeout command, but it can be overridden by the AAA per-user session timeout value.


nat-control

The PIX has always been a device that supports, and even requires, Network Address Translation (NAT) for maximum flexibility and security. In PIX OS 7.0, NAT becomes optional.

Configuring nat-control forces the PIX firewall to require a NAT rule for the source address of outbound traffic and for the destination address of inbound traffic.

If you upgrade a PIX firewall from Version 6.x to Version 7.x, nat-control is enabled. For new configurations, nat-control is disabled by default. When nat-control is not configured, only the hosts that actually need NAT must have a NAT rule.

The nat-control statement is valid in routed firewall mode and in single and multiple security context modes. No new NAT functionality is provided with this feature. All existing NAT functionality remains the same.

With no nat-control configured, a packet that matches a NAT rule still goes through the NAT engine; a packet that matches no NAT rule is forwarded without translation. In PIX 6.3 and earlier, a packet with no NAT match is dropped.
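The forwarding decision described above, written out as a small Python model. This is an added illustration, not PIX code: a NAT rule is reduced to the network it matches, the direction selects which address (source for outbound, destination for inbound) must have a match, and the constructed rule set covers only the user_net from Example 3-4.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the nat-control decision (illustrative, not PIX code).
# A NAT rule is represented only by the network it matches; on a real PIX the
# rule also carries the global address pool or static mapping.

@dataclass(frozen=True)
class NatRule:
    name: str
    network: ipaddress.IPv4Network

def find_nat_rule(addr, rules):
    """Return the first rule whose network contains addr, or None."""
    ip = ipaddress.ip_address(addr)
    for rule in rules:
        if ip in rule.network:
            return rule
    return None

def nat_decision(src, dst, direction, rules, nat_control, os_version="7.x"):
    """Decide what the PIX does with a packet before forwarding it.

    direction: "outbound" (the source address needs a NAT rule) or
               "inbound" (the destination address needs a NAT rule).
    Returns "translated", "untranslated" or "dropped".
    """
    if direction not in ("outbound", "inbound"):
        raise ValueError(f"unknown direction: {direction}")
    addr = src if direction == "outbound" else dst
    rule = find_nat_rule(addr, rules)
    if rule is not None:
        return "translated"      # a NAT match always goes through the NAT engine
    # No matching NAT rule for the address that matters in this direction.
    if os_version.startswith("6"):
        return "dropped"         # PIX 6.3 and earlier: no NAT match means drop
    if nat_control:
        return "dropped"         # 7.x with nat-control: NAT is required
    return "untranslated"        # 7.x without nat-control: forwarded as-is

# Constructed sample rule set: only user_net (10.1.1.0/24) has a NAT rule;
# dev_net (20.1.1.0/24) deliberately has none.
RULES = [NatRule("user_net", ipaddress.ip_network("10.1.1.0/24"))]
```

Running the same dev_net host through the three modes shows the behavioural difference that Table 3-3 summarizes: dropped on 6.3, dropped with nat-control, forwarded untranslated without it.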

Table 3-3 shows the comparison between nat-control and no nat-control.