09-23-2003 11:49 PM - edited 02-20-2020 11:00 PM
I am working on a PIX 501 firewall. As per ASA, traffic can flow from a high security area to a low security area without a conduit. But I am unable to access the low security network without a conduit. What can be the problem area?
09-24-2003 02:54 AM
The PIX has a default deny policy. You need a conduit or an ACL entry to allow access.
09-24-2003 04:08 AM
Hi -
By default, all inside traffic is allowed out via the PIX but NOT allowed back into the network. If you need certain traffic from the outside to be allowed in, then you'll require conduits/ACLs and/or a static translation to be set up.
Hope this helps - Jay.
09-24-2003 03:10 PM
Besides the fact that it is not recommended to use conduits anymore and Cisco advises using access-lists instead, the normal operation indeed would be (as the other guys already stated) that from high to low is implicitly permitted, and from low to high is implicitly denied (due to ASA).
But as you seem to be able to open sessions from low to high without having a conduit that permits that, I can only think of one thing that could be wrong. I think you are also having an established command at the PIX. Using conduits with established commands could drill some serious security holes if used incorrectly. So, check to see if there are any established commands, and if there are any, search on CCO for the established command, and you will find some pretty good documents about how to use this command and still keep it secure.
What you are describing is NOT normal operation for a PIX and is in fact a big security hole.
So, check as soon as possible.
Also, consider transforming your config into using ACLs instead of conduits.
Hope this helps,
Leo
09-25-2003 04:18 AM
Do you have any nat or static set up for the higher security level?
09-25-2003 07:00 AM
It is true that you do not need a conduit or access-list to go from a higher to a lower security level. Please provide more information on whether you are going from a DMZ to outside, inside to outside, etc. It could be that you are just missing your nat, static or global commands.
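To make the two answers above concrete, here is a minimal PIX 6.x configuration in the shape the posters are describing. This is an added example, not a configuration from any poster in the thread: the interface names follow the PIX 501 defaults, while the addresses, the static mapping and the ACL name are assumed values chosen for illustration.

```cisco
! Added example (not from the thread). Interface names are the PIX 501
! defaults; addresses and the ACL name are constructed for illustration.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0

! High -> low (inside -> outside) needs no conduit or ACL, but it does need
! a translation. Without these two lines the PIX has no xlate to build and
! the session is dropped even though the security levels would allow it.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! Low -> high (outside -> inside) is implicitly denied. Rather than a
! conduit, publish one host with a static translation and permit only the
! wanted port with an access-list bound to the outside interface.
static (inside,outside) 203.0.113.3 192.168.1.10 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.3 eq 80
access-group outside_in in interface outside

! Checks to run from enable mode after the change:
!   show established   - any output here is the case Leo warns about
!   show conduit       - should be empty once conduits are retired
!   show access-list   - hit counts confirm the ACL is actually matching
!   show xlate         - confirms the nat/global pair is building translations
```

The point of the check list is the thread's own diagnosis: if outside-to-inside sessions succeed with no conduit and no access-list entry for them, look at `show established` and `show conduit` before anything else; if inside-to-outside sessions fail, look at `show xlate` to confirm a translation exists.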