Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
474
Views
0
Helpful
5
Replies

4 questions about ACLS/TACLs and Documentation

joneschw1
Level 1
Level 1

‎04-29-2004 04:26 AM - edited ‎03-09-2019 07:13 AM

OK, so I am getting more dangerous by the day with my firewalling, but I am still not all that great, and believe that I have redundant rules, or rules that basically are too wide open. I am also still using conduits instead of ACLs/TACLs. Here are my questions:

1. Should I be using ACLS instead of Conduits?

2. If yes, should I be using TACLS?

3, Could someone point me to some good documentation on building your whole firewall using ACLS/TACLs?

4. Could someone reccomend an upto date book for the PIX515. I have heard the official Cisco book is outdated.

Labels:
0 Helpful
5 Replies 5

ehirsel
Level 6
Level 6

‎04-29-2004 10:07 AM

Yes, you should migrate away from conduits and start using access-lists. Conduits may not be supported by later pix code and cisco recommends that you migrate away from them.

Turbo ACLs are supposed to be a performance enhancement when the acl entries number more than 19. I have not used them, but that is what the cisco doc says.

Off of www.cisco.com there is a link to technical documentation, then go to the network security section and select cisco secure pix firewall.

You should wind up getting to here: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/index.htm as this is the link to the pix doc from 2.7 up thru 6.3. The online doc contains guides and command references.

Hope this helps, Ed Hirsel

0 Helpful

moriarty7
Level 1
Level 1
In response to ehirsel

‎05-07-2004 06:52 AM

You are right about acls larger than 19 are the only ones even compiled when set as a turbo ACL. However, depending on the size of your ACL I would not run that on anything like a 515 or smaller. (Also depends on your bandwidth.) I had some large issues trying to run compiled ACL's on 515's and 515E's due to that large memory requirement my ACL's created. On my 525's they run GREAT!

There is a new PIX book out by Cisco Press Authored by "Behtash" that include 6.3 info as well as the FWSM.

Hope this helps!

Craig Young

0 Helpful

jacquesd
Level 1
Level 1
In response to moriarty7

‎05-11-2004 02:23 AM

Hi,

Just a question. Is the PIX ACLs also matched from top to bottom? If so, I suppose standard best practices regarding the placement of rules in the list still apply (ie. most frequently matched rules at the top, 'world' rules at the bottom etc).

Thanks

Jacques

0 Helpful

moriarty7
Level 1
Level 1
In response to jacquesd

‎05-11-2004 05:33 AM

Jacques,

If your ACL is not a Turbo ACL then yes, matching is from the top down. If it is a turbo ACL each entry takes about the same time to match.

On our low end PIX, we frequently reorder the ACL's according to the counters that show access-list gives us for hits in order to make our lists more efficient.

Craig

0 Helpful

jacquesd
Level 1
Level 1
In response to moriarty7

‎05-11-2004 08:07 AM

Hi,

Thanks. It makes 100% sense, I did copy the whole lot and ordered them by hitcount, I suppose if all entries are permit, it is the best way to do this.

Jacques

0 Helpful
Customers Also Viewed These Support Documents