
Traffic flow considerations for the Cisco PIX Firewall

Network architecture can become complex, putting firewalls in awkward positions that can compromise security.

In most small environments, firewalls are deployed in simple, common schemes, such as a firewall with three "legs": one for the Internet, one for the intranet and one for a DMZ. Another common scheme is two firewalls in series, where you have the intranet, a firewall, the DMZ, another firewall and finally the Internet. But as time goes by, things seem to become more complex. Some designs can get fairly contorted, putting firewalls in awkward positions that can compromise your security if you're not careful.

In any event, you need to pay attention to how traffic flows through your firewall. And this is particularly true of the Cisco PIX Firewall. While it's one of the most highly regarded firewalls, it does have some quirks that may not be obvious to the casual observer.

Primarily, you should make sure that the security levels on the interfaces reflect the realities of the traffic that flows through your network. This matters because of the way the Adaptive Security Algorithm (ASA) works. For starters, the ASA sets the default permissions: traffic is allowed to pass from an interface with a "higher" security level to one with a "lower" security level (such as from the Inside (100) interface to the Outside (0) interface) but not from lower to higher. However, you may be tempted to override those defaults with access-control lists because, for example, another administrator wants to place a server in a zone where it really doesn't belong and expects you to secure it anyway. Or maybe you want traffic to go in and out of a zone through the same interface.

So, you can configure the PIX in this manner, and it will block traffic as you configure, but what you need to realize is that you may not be getting the benefit of all the PIX's stateful features, again because of the way the ASA works. Specifically, features like the inspection engines and HTTP(S) and FTP filtering only work in one direction. For example, SMTP inspection only applies from lower to higher interfaces, while NetBIOS inspection only applies from higher to lower interfaces. Filtering applies only from higher to lower.
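As an added illustration (not part of the original tip), the following script parses a small, constructed PIX 6.x-style configuration fragment and, for a given interface-to-interface flow, reports whether the flow is permitted by the default security-level policy or only by an inbound ACL, and which of the directional features named above would not apply to it. The feature-direction table is taken from this article's statements only; the sample config and interface names are invented, and the script checks only whether an inbound ACL is bound to the source interface, not what its entries permit.

```python
"""Audit PIX security-level flows against the one-direction features described above."""
import re

# Directionality as stated in the article (verify against the PIX release you run).
FEATURE_DIRECTION = {
    "smtp inspection": "lower->higher",
    "netbios inspection": "higher->lower",
    "http/ftp filtering": "higher->lower",
}

# Constructed sample config: classic three-legged PIX plus an ACL that lets
# Internet hosts reach a DMZ mail server (lower -> higher, overriding the default).
SAMPLE_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
access-list outside_in permit tcp any host 10.1.1.25 eq 25
access-group outside_in in interface outside
"""


def parse_security_levels(config):
    """Map interface name -> security level from 'nameif ... securityN' lines."""
    return {m.group(1): int(m.group(2))
            for m in re.finditer(r"^nameif\s+\S+\s+(\S+)\s+security(\d+)", config, re.M)}


def parse_inbound_acls(config):
    """Map interface name -> ACL name from 'access-group X in interface Y' lines."""
    return {m.group(2): m.group(1)
            for m in re.finditer(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)", config, re.M)}


def audit_flow(config, src_if, dst_if):
    """Classify a flow from src_if to dst_if under the ASA default policy."""
    levels = parse_security_levels(config)
    acls = parse_inbound_acls(config)
    if levels[src_if] == levels[dst_if]:
        direction = "same-level"           # e.g. hairpin through one interface
    elif levels[src_if] > levels[dst_if]:
        direction = "higher->lower"
    else:
        direction = "lower->higher"
    allowed_by_default = direction == "higher->lower"
    acl = acls.get(src_if)                  # ACL bound inbound on the source interface
    return {
        "direction": direction,
        "permitted": allowed_by_default or acl is not None,
        "acl": acl,
        "features_not_applied": [f for f, d in FEATURE_DIRECTION.items() if d != direction],
    }
```

Running `audit_flow(SAMPLE_CONFIG, "outside", "dmz")` shows the ACL-permitted inbound flow loses both higher-to-lower features, which is exactly the trade-off the paragraph above describes.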

Thus, you may be paying for and expecting the robust protection of a top-shelf firewall, but designing yourself into a level of protection not much better than ACLs on a regular router. So as a general rule of thumb, don't put any security device into an unconventional situation without some due diligence.

One last caveat: The details of the behavior of these features may change as new versions of the PIX OS are released, so don't rely on my examples above to guide your design; check it yourself on CCO.

About the author
Tom Lancaster, CCIE# 8829, CNX# 1105, is a consultant with 15 years' experience in the networking industry and co-author of several books on networking, most recently CCSP: Secure PIX and Secure VPN Study Guide, published by Sybex.

This tip originally appeared on our sister site,

This was last published in March 2005
