Access lists on the PIX firewall can only be applied to traffic entering an interface, not to traffic exiting an interface. This is unlike Cisco routers, on which access lists can be applied in either direction.
The syntax for access lists on the PIX firewall is very similar to that of Cisco routers. The key difference is that access lists on the PIX firewall use standard subnet masks, whereas on routers they use inverse (wildcard) masks. For example, when blocking a 24-bit subnet, you would use a mask of 255.255.255.0 on a PIX firewall and a mask of 0.0.0.255 on a Cisco router.
To let traffic flow from a higher security level to a lower one, use the nat and global commands. For the opposite direction, from lower to higher, use the static and access-list commands.
The design of an access list should start with a definition of what is going to be allowed and then proceed to what is going to be denied.
A good practice is to add an explicit deny-all statement to the end of an access list so you remember it is there when you do a show access-list command. You can see how many packets
Inbound traffic is lower security-level to higher security-level
Outbound traffic is higher security-level to lower security-level
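The rules above put together as an added example configuration in PIX 6.x syntax (not from the original post): the interface names, the inside network 10.1.1.0/24, the public block 203.0.113.0/24, the partner network 198.51.100.0/24 and the access-list name are all constructed for this example, and the lines beginning with ! are annotations.

```cisco
! Constructed topology: inside 10.1.1.0/24 at security level 100,
! outside at security level 0, public addresses from 203.0.113.0/24.
!
! Outbound (higher -> lower security level): nat + global
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
!
! Inbound (lower -> higher security level): static + access-list
! Publish the inside web/mail server 10.1.1.10 as 203.0.113.10
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
!
! Define what is allowed first. PIX masks are standard subnet masks
! (255.255.255.0); the same entry on an IOS router would carry the
! inverse mask 0.0.0.255, e.g.
!   access-list 101 permit tcp 198.51.100.0 0.0.0.255 host 203.0.113.10 eq smtp
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit tcp 198.51.100.0 255.255.255.0 host 203.0.113.10 eq smtp
!
! Explicit deny-all last, so "show access-list" reports its hit count
! instead of hiding the implicit deny
access-list outside_in deny ip any any
!
! PIX access lists bind to inbound traffic only: "in interface <name>"
access-group outside_in in interface outside
```

After applying it, show access-list lists each entry with its hit count (hitcnt), which is where the explicit deny-all entry makes dropped inbound traffic visible.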
