Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2463
Views
0
Helpful
4
Replies

Conduits & Access lists with Pix firewall

robin
Level 1
Level 1

‎12-05-2000 03:03 AM - edited ‎02-20-2020 09:46 PM

I have recently upgraded my Pix 520 from version 4.3 to 5.1(4) and I would like to convert all my conduit statements into access lists.

My question is: if I add an access list and assign it to an interface will the conduit statements I have work simultaniously with the new access list?

Thanks in advance

Robin

0 Helpful
4 Replies 4

pbass
Level 1
Level 1

‎12-05-2000 10:17 AM

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v51/config/intro.htm

Configure access lists carefully if your security policy limits outgoing connections. The access-list and access-group command statements take precedence over the conduit and outbound command statements in your configuration.

0 Helpful

h-hernandez
Level 1
Level 1

‎01-12-2001 10:35 AM

In case of not having any respond: When some pettion comes into your router from the internet, it will use the acces list and the pix will not have to make any work at all.

I believe ,in most cases, it is better that you use the pix as a firewall and leave the router without acces lists that actually diminish its performance.

Let say tha in you wanted to block NAPSTER in working ours, then you apply an acces list with time definition in the router, that would be an exeption.

0 Helpful

glbradford
Level 1
Level 1

‎01-21-2001 06:18 PM

They should work. The access lists would be evaluated first. It is not generally considered a good idea to run both though because it can get confusing quickly.

0 Helpful

fjsteffen
Level 1
Level 1

‎01-23-2001 04:10 PM

You certainly can do this but it is not recommended by Cisco in the PIX documentation due to the fact that access-list statements will be evaluated first and debugging can get kind of messy with both conduits and access-lists. On a side note, I did convert from conduits to access-lists on our PIX and found that due to access-lists being much more restrictive I was having to add acl statements in that I never had to add in before with conduits -- and that was just to get normal things to work properly. Anyway, I converted back to conduits and decided to stay with conduits only. Just fyi...

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card