04-29-2004 04:26 AM - edited 03-09-2019 07:13 AM
OK, so I am getting more dangerous by the day with my firewalling, but I am still not all that great, and believe that I have redundant rules, or rules that basically are too wide open. I am also still using conduits instead of ACLs/TACLs. Here are my questions:
1. Should I be using ACLs instead of conduits?
2. If yes, should I be using TACLs?
3. Could someone point me to some good documentation on building your whole firewall using ACLs/TACLs?
4. Could someone recommend an up-to-date book for the PIX 515? I have heard the official Cisco book is outdated.
04-29-2004 10:07 AM
Yes, you should migrate away from conduits and start using access-lists. Conduits may not be supported by later PIX code, and Cisco recommends that you migrate away from them.
Turbo ACLs are supposed to be a performance enhancement when the ACL entries number more than 19. I have not used them, but that is what the Cisco doc says.
From www.cisco.com there is a link to technical documentation; then go to the network security section and select Cisco Secure PIX Firewall.
You should wind up here: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/index.htm, as this is the link to the PIX doc from 2.7 up through 6.3. The online doc contains guides and command references.
Hope this helps, Ed Hirsel
05-07-2004 06:52 AM
You are right that only ACLs larger than 19 entries are even compiled when set as a Turbo ACL. However, depending on the size of your ACL, I would not run that on anything like a 515 or smaller. (It also depends on your bandwidth.) I had some large issues trying to run compiled ACLs on 515s and 515Es due to the large memory requirement my ACLs created. On my 525s they run GREAT!
There is a new PIX book out by Cisco Press, authored by "Behtash", that includes 6.3 info as well as the FWSM.
Hope this helps!
Craig Young
05-11-2004 02:23 AM
Hi,
Just a question. Are PIX ACLs also matched from top to bottom? If so, I suppose standard best practices regarding the placement of rules in the list still apply (i.e., most frequently matched rules at the top, 'world' rules at the bottom, etc.).
Thanks
Jacques
05-11-2004 05:33 AM
Jacques,
If your ACL is not a Turbo ACL then yes, matching is from the top down. If it is a Turbo ACL, each entry takes about the same time to match.
On our low-end PIX, we frequently reorder the ACLs according to the hit counters that "show access-list" gives us, in order to make our lists more efficient.
Craig
05-11-2004 08:07 AM
Hi,
Thanks. It makes 100% sense. I did copy the whole lot and ordered them by hit count. I suppose that if all entries are permit, it is the best way to do this.
Jacques
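The two points made above, that a non-Turbo ACL is matched top-down and that a list can be reordered by the "show access-list" hit counters, come with the caveat Jacques raises: sorting purely by hit count is only safe when reordering cannot change which entry a packet hits first (for example, when every entry is a permit). The script below is an added example, not code from this thread or from Cisco. It parses a constructed PIX 6.x-style access-list (addresses from the documentation ranges, not a real network), simulates top-down matching with hit counters over synthetic traffic, and then compares a naive sort by hit count with a reorder that keeps every overlapping permit/deny pair in its original relative order, so the decisions the list makes stay identical. The packet tuples, the entry names and the traffic mix are all made up for the example.

```python
"""Top-down ACL matching with hit counters, plus a hit-count reorder that keeps
the list's decisions unchanged. Added example; not code from the thread."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample in PIX 6.x extended access-list syntax (not from the thread).
SAMPLE_ACL = """
access-list outside_in permit tcp any host 192.0.2.10 eq 80
access-list outside_in deny tcp 198.51.100.0 255.255.255.0 host 192.0.2.20 eq 25
access-list outside_in permit tcp any host 192.0.2.20 eq 25
access-list outside_in permit udp any host 192.0.2.30 eq 53
"""

@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", "icmp" or "ip"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # "eq PORT" on the destination; None = any port
    text: str
    hits: int = 0

def _take_net(tok):
    """Consume 'any' | 'host A' | 'A MASK' from the token list."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]

def _take_port(tok):
    if tok and tok[0] == "eq":
        return int(tok[1]), tok[2:]
    return None, tok

def parse_acl(text):
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list":
            continue                    # skip anything that is not an ACE
        action, proto, tok = tok[2], tok[3], tok[4:]
        src, tok = _take_net(tok)
        _sport, tok = _take_port(tok)   # source-port operator parsed, not matched here
        dst, tok = _take_net(tok)
        dport, tok = _take_port(tok)
        entries.append(Entry(action, proto, src, dst, dport, line.strip()))
    return entries

def matches(e, pkt):
    proto, src, dst, dport = pkt
    return ((e.proto == "ip" or e.proto == proto)
            and ipaddress.ip_address(src) in e.src
            and ipaddress.ip_address(dst) in e.dst
            and (e.dport is None or e.dport == dport))

def lookup(entries, pkt, count=True):
    """First match wins, top to bottom; no match falls to the implicit deny."""
    for e in entries:
        if matches(e, pkt):
            if count:
                e.hits += 1
            return e.action
    return "deny"

def overlaps(a, b):
    """True if some packet could match both entries."""
    return ((a.proto == "ip" or b.proto == "ip" or a.proto == b.proto)
            and a.src.overlaps(b.src) and a.dst.overlaps(b.dst)
            and (a.dport is None or b.dport is None or a.dport == b.dport))

def naive_reorder(entries):
    """Sort purely by hit count: fine when every entry is a permit, wrong otherwise."""
    return sorted(entries, key=lambda e: e.hits, reverse=True)

def safe_reorder(entries):
    """Most-hit entries first, but every overlapping permit/deny pair keeps its
    original relative order (Kahn's algorithm with hit count as the priority)."""
    n = len(entries)
    must_follow = {j: {i for i in range(j) if entries[i].action != entries[j].action
                       and overlaps(entries[i], entries[j])} for j in range(n)}
    placed, order = set(), []
    while len(order) < n:
        ready = [i for i in range(n) if i not in placed and must_follow[i] <= placed]
        best = max(ready, key=lambda i: (entries[i].hits, -i))
        placed.add(best)
        order.append(entries[best])
    return order

def same_decisions(a, b, packets):
    return all(lookup(a, p, count=False) == lookup(b, p, count=False) for p in packets)

def constructed_traffic():
    """Synthetic packets (proto, src, dst, dport); the mix is deliberately skewed."""
    web = [("tcp", f"203.0.113.{i}", "192.0.2.10", 80) for i in range(1, 51)]
    dns = [("udp", f"203.0.113.{i}", "192.0.2.30", 53) for i in range(1, 21)]
    smtp_ok = [("tcp", "203.0.113.7", "192.0.2.20", 25)] * 10
    smtp_bad = [("tcp", "198.51.100.5", "192.0.2.20", 25)] * 3
    return web + dns + smtp_ok + smtp_bad

def demo():
    acl = parse_acl(SAMPLE_ACL)
    traffic = constructed_traffic()
    for p in traffic:
        lookup(acl, p)
    return acl, traffic

if __name__ == "__main__":
    acl, traffic = demo()
    for e in acl:
        print(f"{e.hits:4d}  {e.text}")
    print("naive reorder keeps decisions:", same_decisions(acl, naive_reorder(acl), traffic))
    print("safe reorder keeps decisions: ", same_decisions(acl, safe_reorder(acl), traffic))
```

In the sample, the SMTP deny for 198.51.100.0/24 gets fewer hits than the broader SMTP permit below it, so a naive sort would move the permit above the deny and silently open the hole; the constrained reorder still promotes the busy HTTP and DNS entries but leaves the deny ahead of its permit. The output is the order you would re-enter the entries in on the PIX; nothing here talks to a firewall.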