https://community.cisco.com/t5/network-security/pix-conduit-vs-access-lists/m-p/172145#M606844 <HTML><HEAD></HEAD><BODY><P>I believe you are thinking in terms of conduits which are not applied to interfaces. ACL's are applied to interfaces. You use the access-group command to apply an ACL to an interface. You allow all your access inbound from your ouside interface with one ACL. The same with your outbound access from your inside interface. As an example:</P><P></P><P>Access-list 101 permit tcp any host 192.168.1.1 eq ftp</P><P>Access-list 101 permit tcp any host 192.168.1.2 eq www</P><P>access-group 101 in interface outside</P><P></P><P>Access-list 102 permit tcp 192.168.10.0 255.255.255.0 any eq www</P><P>Access-list 102 permit tcp 192.168.10.0 255.255.255.0 any eq ftp</P><P>access-group 102 in interface inside</P><P></P><P>You can have as many ports open between interfaces, they just are all in one access-list that is applied to an interface vs separate conduits that are not applied to interfaces.</P><P></P><P>HTH</P><P>RJ</P><P></P></BODY></HTML> Wed, 16 Apr 2003 19:46:13 GMT rj.remien 2003-04-16T19:46:13Z https://community.cisco.com/t5/network-security/pix-conduit-vs-access-lists/m-p/172142#M606840 <P>On the old PIXes such as the classic, you have static and conduit commands to open ports to the outside. I know on the new versions, you can use access lists paired with static commands to open ports. You can also use conduits. I have two questions.</P><P>1. If you are using numbered access-lists wouldn't you be limited from 100-199 access lists?</P><P></P><P>2. Which way is better? Seems to me that conduit reduces complexity since you don't have to apply it to an interface. It knows what to do based on your static.</P><P></P><P>Thanks.</P> Fri, 21 Feb 2020 06:41:46 GMT https://community.cisco.com/t5/network-security/pix-conduit-vs-access-lists/m-p/172142#M606840 ty.masse 2020-02-21T06:41:46Z https://community.cisco.com/t5/network-security/pix-conduit-vs-access-lists/m-p/172143#M606841 <HTML><HEAD></HEAD><BODY><P>Conduits are said to be on their way out in future version of pixos, using ACLs is recommended to future proof your configuration.</P><P></P><P>ACLs also reduces training time, as they are highly similar to those used by IOS (IOS differs by using inverse subnet masks)</P></BODY></HTML> Wed, 16 Apr 2003 17:25:20 GMT https://community.cisco.com/t5/network-security/pix-conduit-vs-access-lists/m-p/172143#M606841 mostiguy 2003-04-16T17:25:20Z https://community.cisco.com/t5/network-security/pix-conduit-vs-access-lists/m-p/172144#M606842 <HTML><HEAD></HEAD><BODY><P>How about the 100-199 extended ACL limitation?</P></BODY></HTML> Wed, 16 Apr 2003 18:36:54 GMT https://community.cisco.com/t5/network-security/pix-conduit-vs-access-lists/m-p/172144#M606842 ty.masse 2003-04-16T18:36:54Z https://community.cisco.com/t5/network-security/pix-conduit-vs-access-lists/m-p/172145#M606844 <HTML><HEAD></HEAD><BODY><P>I believe you are thinking in terms of conduits which are not applied to interfaces. ACL's are applied to interfaces. You use the access-group command to apply an ACL to an interface. You allow all your access inbound from your ouside interface with one ACL. The same with your outbound access from your inside interface. As an example:</P><P></P><P>Access-list 101 permit tcp any host 192.168.1.1 eq ftp</P><P>Access-list 101 permit tcp any host 192.168.1.2 eq www</P><P>access-group 101 in interface outside</P><P></P><P>Access-list 102 permit tcp 192.168.10.0 255.255.255.0 any eq www</P><P>Access-list 102 permit tcp 192.168.10.0 255.255.255.0 any eq ftp</P><P>access-group 102 in interface inside</P><P></P><P>You can have as many ports open between interfaces, they just are all in one access-list that is applied to an interface vs separate conduits that are not applied to interfaces.</P><P></P><P>HTH</P><P>RJ</P><P></P></BODY></HTML> Wed, 16 Apr 2003 19:46:13 GMT https://community.cisco.com/t5/network-security/pix-conduit-vs-access-lists/m-p/172145#M606844 rj.remien 2003-04-16T19:46:13Z https://community.cisco.com/t5/network-security/pix-conduit-vs-access-lists/m-p/172146#M606846 <HTML><HEAD></HEAD><BODY><P>Also you do not have to use numbers for your access lists you can use anything. You should not mix conduits and access lists on the same system. Access list can also be run in turbo mode for much faster performance on PIX's that support that function ie anything but a 501.</P></BODY></HTML> Thu, 17 Apr 2003 10:04:48 GMT https://community.cisco.com/t5/network-security/pix-conduit-vs-access-lists/m-p/172146#M606846 richardmcmahon 2003-04-17T10:04:48Z