Cisco Support Community

New Member

Access list & conduit usage.

Here's my question for the masses. Using a 6.0 version IOS I have added in an ACL; now, since the default is that you can only add in 1 ACL & have it applied incoming to the outside interface, my question is what if I added in some conduit statements also. I know that one can apply this since some of the labs on Cisco's site have a similar scenario taking place in their sample labs.

So my questions are as follows.

1) If one adds in both the conduits & ACLs, will the ACL override the conduit? I don't seem to think that it will from what I have read about both of them. In addition, I know that Cisco is wanting admins to move away from the conduit command.

2) But if it's still there, then why not use it?

3) Can anyone elaborate on what problems or breach of security the conduit command could bring about?

I would like to use the ACL command only for use with the VPN & static commands part of my config.

Furthermore, this is just for a lab scenario & learning to get into the habit of keeping a clean config.

4 REPLIES
Silver

Re: Access list & conduit usage.

Don't do this. Don't apply both conduits and ACLs to the same interface. It is an unsupported configuration. There is no guarantee as to how the device will operate, or will in the future if you upgrade the OS.

Conduits and ACLs are functionally identical, so there should be no difference security-wise in opening a port to the same server by either method.

It sounds like you might not fully grok ACLs. I don't know what "only add in 1 acl" means. An ACL can have multiple lines, and then you bind the entire list to an interface with the access-group command. One method is to edit the lists in a text editor, and then cut and paste the entire production into your terminal session to the device:

no access-list test (this wipes away the old list)

access-list test permit .... (start adding new lines)

access-list test permit .....

access-group test in interface outside (when done adding lines, bind list to interface)

Gold

Re: Access list & conduit usage.

Hello Navid,

Just a note - how Matt (from the other post) has explained how to write ACLs and not to MIX ACLs with conduits is correct, BUT remember to issue the command: clear xlate - it's a good idea to clear translations (clear xlate) if you modify ACLs or statics, and save with the command: write memory.

Thanks - Jay.

New Member

Re: Access list & conduit usage.

1) If one adds in both the conduits & ACLs, will the ACL override the conduit? I don't seem to think that it will from what I have read about both of them. In addition, I know that Cisco is wanting admins to move away from the conduit command.

I believe that ACLs do take precedence.

2) But if it's still there, then why not use it?

Do not combine ACLs with conduits.

3) Can anyone elaborate on what problems or breach of security the conduit command could bring about?

The major difference between ACLs and conduits is that conduits apply from any lower-security interface to a higher-security interface.

ACLs are specific to inbound traffic to the interface.

Therefore, if you have an inside, a DMZ, and an outside, and you have (let's say) a "permit ip any any" with a conduit to permit access from DMZ to inside, this will also apply to outside to inside. So ACLs are better in their manner of operation.

FYI, conduits will be removed in the future from PIX OS versions.

Hope this helps.

Paras
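The three-interface case Paras describes, written out as an added example (not config posted in this thread). PIX 6.x syntax is assumed; interface names, addresses and the port are constructed, and the two halves are alternatives to compare, never to run together on one firewall as Matt and Jay warn.

```cisco
! Added example, not from the thread. Addresses and ports are constructed.
! Interfaces assumed: outside (security 0), dmz (security 50), inside (security 100).
! Goal: let the DMZ web server 172.16.1.20 reach the inside database 10.1.1.10
! on TCP 1433 and nothing else.

! --- Conduit approach (the problem case from the post) ---
! A conduit is not tied to an interface: it is matched for traffic arriving on
! ANY lower-security interface, so this opens 10.1.1.10 from outside as well as
! from the dmz, even though only dmz->inside access was intended.
static (inside,dmz) 10.1.1.10 10.1.1.10 netmask 255.255.255.255
conduit permit ip any any

! --- Interface-bound ACL approach (PIX 6.x) ---
! The static still publishes the inside server toward the dmz only.
static (inside,dmz) 10.1.1.10 10.1.1.10 netmask 255.255.255.255
! Rebuild the list from scratch, as Matt suggests, then bind it to the dmz
! interface only. It governs traffic entering on dmz and no other interface.
no access-list dmz_in
access-list dmz_in permit tcp host 172.16.1.20 host 10.1.1.10 eq 1433
access-list dmz_in deny ip any any
access-group dmz_in in interface dmz
! Nothing is bound to outside here, so outside->inside remains blocked by the
! default lower-to-higher security behaviour; it would need its own list with
! "access-group <name> in interface outside".
! Per Jay's note: flush existing translations after changing ACLs or statics,
! then save.
clear xlate
write memory
```

Checking `show access-list dmz_in` after the change shows hit counts per line, which is the quickest way to confirm only the intended DMZ host is matching.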

New Member

Re: Access list & conduit usage.

Thank you for all of your replies. This works for me.
