03-10-2001 10:29 PM - last edited on 02-21-2020 11:13 PM by cc_security_adm
I have heard that the "conduit" statement will not be in future versions of the PIX IOS. I also heard that it would be replaced by the access list command set. Does anyone know this for certain or have I just heard gossip?
I am not all that good with access lists. Can anyone give me a good basic run down of the difference between the two sets of statements?
For instance in the current PIX command set I would use:
Conduit Permit icmp any any
How would I achieve this with an access list?
Thanks,
Eli
03-12-2001 01:52 PM
Well I heard that too, more authentic because I heard that from a couple of Cisco engineers. Access-list is basically replacing conduits because of router guys being more comfortable with access-lists. Well I have access-lists on my PIX too... since conduits and access-lists don't seem to work in combination it is recommended to use one or the other.
for command
conduit permit icmp any any
the access-list command will be
access-list acl_out permit icmp any any
With access-lists you have to bind an access-group to an interface, like outside in this case.
access-group acl_out in interface outside
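As an added illustration of the conversion described in this reply (example code, not part of the original post), a small Python converter that rewrites PIX conduit statements into the equivalent access-list lines plus the access-group binding. The point it makes explicit is the argument order flip: a conduit names the global (destination) endpoint first and the foreign (source) endpoint second, while an access-list lists source before destination. The ACL name acl_out and the interface outside are taken from the reply; the sample conduit lines are constructed.

```python
# Convert PIX conduit statements to access-list form.
# Conduit syntax: conduit permit|deny proto <global/dst> [port] <foreign/src> [port] [icmp_type]
# ACL syntax:     access-list <name> permit|deny proto <src> [port] <dst> [port] [icmp_type]
# Both use ordinary subnet masks (not IOS wildcard masks), so masks copy through unchanged.
PORT_OPS = {"eq", "lt", "gt", "neq"}


def _take_endpoint(tokens, i, proto):
    """Consume one address spec starting at tokens[i] (any | host A | A MASK) plus an
    optional port clause for tcp/udp; return (text, index of next unread token)."""
    parts = []
    if tokens[i] == "any":
        parts.append("any"); i += 1
    else:                                   # "host A" or "A MASK": always two tokens
        parts.extend(tokens[i:i + 2]); i += 2
    if proto in ("tcp", "udp") and i < len(tokens):
        if tokens[i] in PORT_OPS:           # eq 25, gt 1023, ...
            parts.extend(tokens[i:i + 2]); i += 2
        elif tokens[i] == "range":          # range 20 21
            parts.extend(tokens[i:i + 3]); i += 3
    return " ".join(parts), i


def conduit_to_acl(line, acl_name="acl_out"):
    """Return the access-list line equivalent to one conduit statement."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "conduit" or tokens[1] not in ("permit", "deny"):
        raise ValueError(f"not a conduit statement: {line!r}")
    action, proto = tokens[1], tokens[2]
    dst, i = _take_endpoint(tokens, 3, proto)   # conduit: global (destination) comes first
    src, i = _take_endpoint(tokens, i, proto)   # then foreign (source)
    tail = " ".join(tokens[i:])                 # e.g. an ICMP type such as echo-reply
    acl = f"access-list {acl_name} {action} {proto} {src} {dst}"
    return acl + (f" {tail}" if tail else "")


def convert_config(lines, acl_name="acl_out", interface="outside"):
    """Convert every conduit in a config fragment at once (conduits and ACLs do not
    coexist on the PIX, as the thread notes) and append the access-group binding."""
    acls = [conduit_to_acl(l, acl_name) for l in lines if l.strip().startswith("conduit ")]
    acls.append(f"access-group {acl_name} in interface {interface}")
    return acls


if __name__ == "__main__":
    sample = ["conduit permit icmp any any",                    # constructed sample config
              "conduit permit tcp host 10.1.1.5 eq 25 any",
              "conduit permit udp host 10.1.1.9 eq 53 192.168.0.0 255.255.0.0"]
    print("\n".join(convert_config(sample)))
```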
03-14-2001 02:07 AM
Hi,
I also guess that the conduit command is not going to be included in newer versions; there is as such no difference between the access-list and conduit commands. The only thing is access-list gets more priority than conduit.
The reason for not including it could be that PIX and IOS can have more similarity.. that's what I guess.
-sanjeev
03-14-2001 11:56 AM
I've heard the same and it might even appear in some documentation. I've actually done an upgrade from version 4.4 to 5.1 and converted all of my conduits to access list. Not a very hard task, just remember to create the access-groups.
03-15-2001 10:46 AM
In the PIX configuration guide for version 5.3 there is a note recommending using access lists "to maintain future compatibility". Page 2-23.
03-15-2001 12:11 PM
I believe that's true also. Recently tried to enter aaa accounting (ver 5.2) command and it wouldn't let me. A call to TAC found a 'hybrid configuration' for which the fix is to change outbound list to an access list.
03-16-2001 05:59 AM
Hello, as far as I know the conduit command is a legacy command and should be replaced by access lists. Access lists are much more powerful. Conduit statements reflect all inbound communications on all lower level security interfaces. Example: security100 (outside or dmz) to security0 (inside). This also means that the same conduit statement also applies for the security50 to security0 interface.
Access lists are bound to interfaces, IP addresses and ports, so they give you much more flexibility.
It's easier to have different accesses from different interfaces to the security0 interface with access lists than it would be with conduits, because they reflect higher level interfaces to lower level interfaces' security.
Hope this helps you
03-16-2001 12:01 PM
If true, this development (new to me) seems somewhat troubling if conduit capability is removed entirely.
1) If handled like a router, access lists would appear to increase the burden on the processor because each list item would have to be examined until a match/no-match was found. Bad if lists are long.
2) Unless some tool is provided, admin would be grim if one wanted to control the order of list items to move higher activity items to the top of the list. (E.g., on router, remove all and replace).
My hope would be that they just leave both capabilities as they are now.
03-16-2001 01:33 PM
As with some others of you, I have just finished migrating to 5.3 on my PIXs. The manual seems to be pretty clear that the access-list/group commands are replacing the conduit method, so I went ahead and changed all my conduits also. In the process, however, as one of you mentioned, I found out you can have either conduits or access lists, but not both. I had intended to gradually replace my conduits, only to find that when I put my first access list in place the rest of the conduits stopped working. Oh, well, the price of progress, right?
05-30-2001 11:44 AM
I can tell you that conduits still work in release 6.0. From talking with several engineers they say there is no hurry but, yes conduit is a legacy command and will be replaced with access lists and groups. It is not so much that routers guys are more familiar with access lists and groups but that Cisco wants to standardize the command set as much as possible.
Bob
05-31-2001 07:50 AM
Bob,
Since you are using release 6.0, can you answer me something?
I just recently did a PIX install (5.3(1)) to protect a Windows 2000 network with an Exchange 2000 server in the DMZ. Since all of the server requirements are pretty new, documentation on which ports to open up from the DMZ server to the Windows 2000 servers on the inside was very lacking. As I was using access-lists, troubleshooting was hindered by the fact that denied packets logged to syslog don't show what port the packet was destined to. So when testing connectivity and communications failed, all I'd get was a log entry that only showed source and destination IP denied by access-list. Completely useless for telling what port I'm missing in my configuration. During one go round, I used a sniffer to find the ports (cumbersome and time consuming to set up); it worked out some issues but took a long time to sift through all the captured packets looking for a needle in a haystack. The next go round on a new issue I tried debug ip packet on the PIX; this gave me the ports, but in hex, so I had to translate them before I could determine if they were a new port or one I've already seen and opened.
Finally I reverted back to conduits and was able to easily get the destination ports for every blocked packet.
Sorry for such a long explanation, the simple question is, has Cisco resolved this in 6.x so that when packets are blocked by an access-list the src and dst ports are included in the syslog?
If anyone else has an answer feel free to reply as well.
Regards,
Thomas
05-31-2001 07:57 AM
Thomas,
I haven't converted to access lists and groups yet so I couldn't tell you if it is any different than 5.31. The PDM alone is worth the upgrade in my opinion. If you are already on 5.31 I don't see any reason not to just make the move to 6.0.
Bob
06-01-2001 06:40 AM
Thanks Bob,
I've been contemplating the move to version 6, but I stalled after reading all the open Caveats. Seemed to be quite a few after such a short time in production. Have you had any issues at all?
-Thomas
06-01-2001 06:53 AM
Thomas,
I have not had a single problem although I only have a few servers behind the PIX and none of those annoying "USERS" :)
Bob
06-13-2001 07:13 AM
I also have the same problem. I switched to ACLs and now all the useful information is gone from the syslog. I just get "src ip dest_ip protocol (17,6) denied by access-group". It was VERY useful seeing the port numbers involved... I have version 5.1.2 on a PIX 520 (waiting for next fiscal year to get the 16MB card so I can upgrade). I'd appreciate it if any of you with a higher rev. could let me know.
Ben