09-18-2001 06:32 AM - edited 02-20-2020 09:16 PM
Since Cisco promotes the use of access-list over conduits, we are going to use only access-lists in a new pix setup.
But some questions came up.
Who has the higher priority, access-lists or conduits ??
If an access-list allows access and a conduit matching denies, who wins? And vice versa, or will a deny always win.
And if we don't use any conduit between the interfaces and only use access-lists, do we need any conduits at all? (Think conduit allow/deny any any.)
/Mads
09-18-2001 06:48 AM
It is simple, you can't use conduits and access lists in the same configuration at the same time. You have to use all conduits or all access lists, you can't use both.
Bob Staaf
Southern Web Services
Orlando, Fl
09-18-2001 09:33 AM
Actually you can use both - although it is not recommended. I have been using Conduits for Firewall rules and Access-lists for VPN tunnels.
I would not recommend using both for firewalling.
09-18-2001 08:12 PM
Access lists will win. I have tested this in a lab and have found that the ACL will win. However, I would not suggest you use ACLs with conduit statements. Use one or the other. Yes, you will see people doing both, but a rule of thumb is to use one or the other, or do so in a way that you don't have a policy that overlaps ACLs with conduits; that's where the problem lies. Not that you cannot use ACLs and conduits on the PIX, but don't define the policy with ACLs and conduits in one definition.
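Added example (not taken from any post in this thread): the same inbound rule written first as a conduit and then as an access-list, so the two forms can be compared before migrating. The addresses (203.0.113.10 as the global address of an inside web server at 10.0.0.10) and the ACL name outside_in are assumed for illustration. The access-list form is the one bound to an interface with access-group; the conduit form is global, which is why an overlapping mix of the two is hard to reason about. The conduit command was later removed altogether (PIX 7.0), so the access-list form is the one that survives upgrades.

```text
! --- Conduit style (global, not tied to an interface) ---
! Assumed addresses: inside web server 10.0.0.10 published as 203.0.113.10
static (inside,outside) 203.0.113.10 10.0.0.10 netmask 255.255.255.255
conduit permit tcp host 203.0.113.10 eq www any

! --- Access-list style (same policy, bound to the outside interface) ---
static (inside,outside) 203.0.113.10 10.0.0.10 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in deny ip any any
access-group outside_in in interface outside

! --- Checks after migrating ---
show conduit          ! should list nothing once all conduits are removed
show access-list      ! hit counts confirm the ACL is the one being evaluated
```

When converting, remove the conduit lines (no conduit ..., or clear conduit to drop all of them) in the same change window as adding the access-group, so there is never a period where both a conduit and an ACL describe the same traffic. The explicit deny ip any any at the end is redundant with the PIX implicit deny but makes the hit counters show dropped traffic.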