04-04-2002 03:11 AM - edited 02-20-2020 10:01 PM
Hi all,
I have a scenario something like this.
I have a PIX firewall with 4 interfaces configured, say inside, dmz1, dmz2 and outside, with security levels 100, 65, 30 and 0 respectively. By default everything is allowed from a higher security level to a lower security level and everything is denied from a lower security level to a higher security level. I am using conduit commands for all the traffic blocking and allowing. Now I have decided to change all the conduit commands to access-lists to be more specific in allowing and denying the traffic.
I also came to know that one can put access-list on an interface only for incoming traffic.
My question is:
If I have a conduit command put on the PIX something like this:
conduit permit tcp host 10.10.10.1 eq www any (where 10.10.10.1 is in dmz1 and running http on that)
and if I change the same to access-list form:
access-list outside-in permit tcp any host 10.10.10.1 eq www
access-list outside-in deny ip any any
and apply this to outside interface for incoming traffic
access-list dmz2-in permit tcp any host 10.10.10.1 eq www
access-list dmz2-in deny ip any any
and apply it on dmz2 interface for incoming traffic
Will this replacement have an impact on the fact that all the traffic allowed from dmz2 to outside will be denied??? If so, and it denies all the traffic from dmz2 to outside, how should I replace my conduit commands so as to allow all the traffic from dmz2 to outside and still have some restrictions on accessing my 10.10.10.1 on the dmz1 interface from dmz2?
One more question is: why is the PIX developed to have an access-list for only incoming traffic???
Any significance ???
All the answers are highly appreciated and my sincere thanks in advance....
Ashok Pawar H.S.
04-10-2002 11:06 AM
Applying that ACL inbound on DMZ2 will replace the conduit and should not affect outbound traffic. PIX is moving (slowly) to an IOS-like CLI and that's why they introduced the access-lists. I would guess the conduits will go away in the future sometime.
04-10-2002 07:25 PM
doyle,
Thanks for your feedback...
04-10-2002 08:12 PM
For my part, DMZ2 to outside traffic will be affected by your ACL.
First, when you create an ACL you don't need to specify deny ip any any, it's implicit with the PIX.
You must permit DMZ2's hosts to communicate with a permit statement to outside and limit to inside:
access-list dmz2-in permit tcp any host 10.10.10.1 eq www
access-list dmz2-in deny ip any 10.0.0.0 255.0.0.0
access-list dmz2-in permit tcp (dmz2 ip range) any eq www
access-list dmz2-in permit tcp (dmz2 ip range) any eq 443
access-list dmz2-in permit udp (dmz2 ip range) any eq domain
access-list dmz2-in permit tcp (dmz2 ip range) any eq smtp
And any other protocols you need to leave to outside.
Regards,
Ben
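Added illustration (not part of the thread and not Cisco code): a small Python model of how a PIX walks an inbound access-list, first match wins with an implicit deny at the end, run over the poster's proposed dmz2-in list and over Ben's version. The dmz2 range (172.16.2.0/24), an inside host (10.1.1.5) and the outside addresses are constructed assumptions; the thread only gives 10.10.10.1 for the dmz1 web server.

```python
import ipaddress

# Constructed model of PIX inbound ACL evaluation: entries are checked in order,
# the first match decides, and a flow matching nothing is dropped.
ANY = "0.0.0.0/0"

def ace(action, proto, src, dst, port=None):
    """One access-list entry. proto 'ip' matches any IP protocol."""
    return {"action": action, "proto": proto,
            "src": ipaddress.ip_network(src),
            "dst": ipaddress.ip_network(dst),
            "port": port}

def evaluate(acl, proto, src_ip, dst_ip, dst_port=None):
    """Return 'permit' or 'deny' for a flow arriving inbound on the interface."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for entry in acl:
        if entry["proto"] not in ("ip", proto):
            continue
        if src not in entry["src"] or dst not in entry["dst"]:
            continue
        if entry["port"] is not None and entry["port"] != dst_port:
            continue
        return entry["action"]          # first match wins
    return "deny"                        # implicit deny at the end of every list

# The poster's proposed dmz2-in list: only the dmz1 web server is permitted,
# so every other flow, including dmz2 -> outside, hits the implicit deny.
POSTER_DMZ2_IN = [ace("permit", "tcp", ANY, "10.10.10.1/32", 80)]

# Ben's list. "(dmz2 ip range)" is assumed to be 172.16.2.0/24 and the inside
# network is assumed to sit in 10.0.0.0/8 (both constructed for this example).
DMZ2_RANGE = "172.16.2.0/24"
BEN_DMZ2_IN = [
    ace("permit", "tcp", ANY, "10.10.10.1/32", 80),   # web server on dmz1
    ace("deny",   "ip",  ANY, "10.0.0.0/8"),          # everything else toward 10/8
    ace("permit", "tcp", DMZ2_RANGE, ANY, 80),        # eq www
    ace("permit", "tcp", DMZ2_RANGE, ANY, 443),
    ace("permit", "udp", DMZ2_RANGE, ANY, 53),        # eq domain
    ace("permit", "tcp", DMZ2_RANGE, ANY, 25),        # eq smtp
]

# Constructed sample flows seen inbound on dmz2: (label, proto, src, dst, dport).
FLOWS = [
    ("dmz2 -> dmz1 web server :80", "tcp", "172.16.2.10", "10.10.10.1",    80),
    ("dmz2 -> dmz1 web server :22", "tcp", "172.16.2.10", "10.10.10.1",    22),
    ("dmz2 -> inside host :80",     "tcp", "172.16.2.10", "10.1.1.5",      80),
    ("dmz2 -> outside https",       "tcp", "172.16.2.10", "198.51.100.7",  443),
    ("dmz2 -> outside dns",         "udp", "172.16.2.10", "198.51.100.53", 53),
    ("dmz2 -> outside telnet",      "tcp", "172.16.2.10", "198.51.100.7",  23),
]

def compare(acl_a=POSTER_DMZ2_IN, acl_b=BEN_DMZ2_IN):
    """Map each sample flow to (result under acl_a, result under acl_b)."""
    return {label: (evaluate(acl_a, p, s, d, dp), evaluate(acl_b, p, s, d, dp))
            for label, p, s, d, dp in FLOWS}

def web_server_reachable(acl):
    """True if a dmz2 host can still reach 10.10.10.1:80 under the given list."""
    return evaluate(acl, "tcp", "172.16.2.10", "10.10.10.1", 80) == "permit"

if __name__ == "__main__":
    for label, (a, b) in compare().items():
        print(f"{label:30} poster: {a:6} ben: {b}")
    # Ordering matters: putting the deny toward 10/8 ahead of the web-server
    # permit would shadow it, because 10.10.10.1 itself lies inside 10.0.0.0/8.
    reordered = [BEN_DMZ2_IN[1], BEN_DMZ2_IN[0]] + BEN_DMZ2_IN[2:]
    print("web server reachable, Ben's order:", web_server_reachable(BEN_DMZ2_IN))
    print("web server reachable, deny first: ", web_server_reachable(reordered))
```

Running it shows the point both answers are arguing over: with the poster's two-line list, dmz2 hosts lose outbound HTTPS, DNS and mail because nothing matches and the implicit deny takes over, while Ben's list keeps them and still blocks dmz2 from the inside range. The reordering check at the end is the usual review item for a list like this: the specific permit must precede the broader deny that covers the same address.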
04-11-2002 05:36 AM
Are there any documents that thoroughly explain PIX Access Lists? So far, I only found the one document, which doesn't seem to go into as great of detail as I'd like. Please let me know if you guys have any other documents that you use.