Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
742
Views
0
Helpful
4
Replies

PIX Conduit vs Access-lists

ty.masse
Level 1
Level 1

‎04-16-2003 10:10 AM - edited ‎02-20-2020 10:41 PM

On the old PIXes such as the classic, you have static and conduit commands to open ports to the outside. I know on the new versions, you can use access lists paired with static commands to open ports. You can also use conduits. I have two questions.

1. If you are using numbered access-lists wouldn't you be limited from 100-199 access lists?

2. Which way is better? Seems to me that conduit reduces complexity since you don't have to apply it to an interface. It knows what to do based on your static.

Thanks.

0 Helpful
4 Replies 4

mostiguy
Level 6
Level 6

‎04-16-2003 10:25 AM

Conduits are said to be on their way out in future version of pixos, using ACLs is recommended to future proof your configuration.

ACLs also reduces training time, as they are highly similar to those used by IOS (IOS differs by using inverse subnet masks)

0 Helpful

ty.masse
Level 1
Level 1
In response to mostiguy

‎04-16-2003 11:36 AM

How about the 100-199 extended ACL limitation?

0 Helpful

rj.remien
Level 1
Level 1
In response to ty.masse

‎04-16-2003 12:46 PM

I believe you are thinking in terms of conduits which are not applied to interfaces. ACL's are applied to interfaces. You use the access-group command to apply an ACL to an interface. You allow all your access inbound from your ouside interface with one ACL. The same with your outbound access from your inside interface. As an example:

Access-list 101 permit tcp any host 192.168.1.1 eq ftp

Access-list 101 permit tcp any host 192.168.1.2 eq www

access-group 101 in interface outside

Access-list 102 permit tcp 192.168.10.0 255.255.255.0 any eq www

Access-list 102 permit tcp 192.168.10.0 255.255.255.0 any eq ftp

access-group 102 in interface inside

You can have as many ports open between interfaces, they just are all in one access-list that is applied to an interface vs separate conduits that are not applied to interfaces.

HTH

RJ

0 Helpful

richardmcmahon
Level 1
Level 1
In response to rj.remien

‎04-17-2003 03:04 AM

Also you do not have to use numbers for your access lists you can use anything. You should not mix conduits and access lists on the same system. Access list can also be run in turbo mode for much faster performance on PIX's that support that function ie anything but a 501.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card