Summary
Configuring the PIX to pass inbound or outbound traffic requires multiple steps. Basic connectivity allows users on a higher security-level interface of the PIX to send traffic to a lower security-level interface using NAT or PAT. This is accomplished with the nat command paired with a global command that shares the same ID. Because the PIX Adaptive Security Algorithm (ASA) allows higher security-level interfaces to initiate traffic to lower security-level interfaces, and because the PIX is stateful (return traffic for an established connection is permitted automatically), users on the inside of the PIX should be able to run almost any application without extra configuration on the PIX.

Controlling outbound traffic is an important part of a comprehensive security policy. This control can be accomplished with the access-list command, or with the outbound command applied to a specific interface by the apply command. If it is available on the version of PIX you are running, the access-list command should be used instead of the outbound command to filter traffic. The access-group command binds an access list to an interface, much as the apply command binds an outbound list.

Once outbound access is secure, moving on to allowing inbound access is relatively easy. By default, all inbound access (connections from a lower security-level interface to a higher security-level interface) is denied. Access lists or conduits can be used to allow inbound traffic. Conduits are not tied to a particular interface; the rules defined in a conduit are applied to all inbound traffic. The fundamentals of the access-list command are the same whether it controls inbound or outbound traffic. For inbound traffic, a static translation (using the static command) is required for each publicly accessible server, in addition to an access list or conduit.
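The three steps above, written out as a PIX 6.x configuration. This is an added example, not configuration from the book: the interface names, security levels and all addresses are constructed placeholders (outside 192.0.2.0/24 at security 0, inside 10.1.1.0/24 at security 100, a public web server address 192.0.2.10 mapped to the internal host 10.1.1.10). Lines beginning with ! are comments and are ignored by the CLI.

```cisco
! Added example, not from the book. All addresses and names are constructed.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 192.0.2.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0

! Step 1: basic outbound connectivity. nat ID 1 on inside is paired with
! global ID 1 on outside; inside hosts are PATed to the outside interface
! address. Return traffic is allowed by the stateful ASA, so nothing
! inbound is opened by this step.
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface

! Step 2: restrict outbound traffic. Preferred method: an access list
! applied inbound on the inside interface. Only web and DNS are allowed;
! everything else from inside hosts is dropped by the implicit deny.
access-list OUTBOUND permit tcp 10.1.1.0 255.255.255.0 any eq www
access-list OUTBOUND permit tcp 10.1.1.0 255.255.255.0 any eq 443
access-list OUTBOUND permit udp 10.1.1.0 255.255.255.0 any eq domain
access-group OUTBOUND in interface inside

! Older alternative for the same policy, using outbound/apply lists.
! Use one method or the other on a given interface, not both.
! outbound 10 deny 0.0.0.0 0.0.0.0 0 tcp
! outbound 10 permit 10.1.1.0 255.255.255.0 80 tcp
! outbound 10 permit 10.1.1.0 255.255.255.0 443 tcp
! apply (inside) 10 outgoing_src

! Step 3: publish one internal server. The static command maps the public
! address to the internal host; the access list permits only HTTP to that
! address and is applied inbound on the outside interface. Without the
! static, the access list alone would not let traffic reach 10.1.1.10.
static (inside,outside) 192.0.2.10 10.1.1.10 netmask 255.255.255.255
access-list INBOUND permit tcp any host 192.0.2.10 eq www
access-group INBOUND in interface outside

! Conduit alternative to the INBOUND access list. A conduit is not bound
! to an interface; it applies to all inbound traffic on the PIX.
! conduit permit tcp host 192.0.2.10 eq www any
```

Keeping the inbound rule scoped to a single host and port is the point of the static plus access-list pair: the static exposes exactly one internal address, and the access list limits what can reach it. A conduit achieves the same opening but, being global rather than per-interface, is harder to reason about once more than one lower-security interface exists, which is why the access-list method is preferred where the PIX version supports it.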


The Best Damn Firewall Book Period
ISBN: 1931836906
Year: 2003
Pages: 240