Hi.
I am trying to convert a conduit-based configuration to an access-list one.
But:
I have servers in the DMZ that need to access other servers on the inside and the whole Internet.
I just need something like:
conduit permit tcp host inside_host eq a_port host dmz_server
With access-lists it's far more complicated:
access-list from_dmz permit tcp host dmz_server host inside_host eq a_port
access-list from_dmz deny ip host dmz_server nat-ed_network_from_inside
access-list from_dmz permit ip any any
access-group from_dmz in interface dmz
Why this (to say the least) weird behavior?
Because when I apply an access-list to an interface, I deny all traffic by default (even if it is for a lower-priority interface). Conduits didn't have this problem.
If I need to allow access from dmz_server to another host on the inside, I need to enter this:
no access-list from_dmz deny ip host dmz_server nat-ed_network_from_inside
no access-list from_dmz permit ip any any
access-list from_dmz permit tcp host dmz_server host inside_host#2 eq a_port
access-list from_dmz deny ip host dmz_server nat-ed_network_from_inside
access-list from_dmz permit ip any any
With conduits I only need one command.
If I have three servers in the DMZ that need to access some hosts on the inside, I will need a far too complex configuration with access-lists. With conduits it's far more flexible.
Is there somebody out there who can give me a good explanation for this enhancement that Cisco brought us?
A guy from Cisco maybe?
Bye
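The ordering problem the post describes (specific permits, then a deny toward the inside networks, then permit ip any any, and the whole access-list re-entered whenever a permit is added) is easiest to handle by generating the list from a policy table and re-applying it as a unit. The script below is an added example, not the poster's configuration or anything from Cisco; the DMZ hosts, inside hosts, ports and the 192.168.1.0/24 inside network are constructed placeholders. It builds the from_dmz access-list in the order the PIX needs (first match wins, with an implicit deny at the end) and includes a small first-match evaluator so you can check what a given flow would do before pasting the list into the firewall. Unlike the post, the deny entry uses `any` as the source, so a DMZ host without an explicit permit is blocked from the inside networks too.

```python
"""Generate and sanity-check a PIX-style DMZ access-list.

Added example (not from the original post). All addresses, ports and the
interface name below are constructed placeholders.
"""
import ipaddress

# Constructed policy: DMZ server -> list of (inside host, TCP port) it may reach.
DMZ_POLICY = {
    "10.1.1.10": [("192.168.1.20", 1433), ("192.168.1.21", 25)],
    "10.1.1.11": [("192.168.1.20", 1433)],
}

# Inside networks as seen from the DMZ (i.e. the NAT'd/static addresses),
# as (network, mask) pairs. Constructed value.
INSIDE_NETWORKS = [("192.168.1.0", "255.255.255.0")]


def build_dmz_acl(name, policy, inside_networks, interface="dmz"):
    """Return the access-list plus access-group lines, in evaluation order."""
    lines = []
    # 1. Specific permits first: the PIX evaluates entries top-down, first match wins.
    for dmz_host, targets in policy.items():
        for inside_host, port in targets:
            lines.append(f"access-list {name} permit tcp host {dmz_host} "
                         f"host {inside_host} eq {port}")
    # 2. Then block everything else from the DMZ to the inside networks.
    #    This must sit above the permit ip any any or it never matches.
    for net, mask in inside_networks:
        lines.append(f"access-list {name} deny ip any {net} {mask}")
    # 3. Then allow the rest (Internet). Without this line the implicit deny
    #    at the end of the list blocks Internet access as well.
    lines.append(f"access-list {name} permit ip any any")
    lines.append(f"access-group {name} in interface {interface}")
    return lines


def build_conduits(policy):
    """Equivalent conduit lines, for comparison with the access-list form."""
    return [f"conduit permit tcp host {inside} eq {port} host {dmz}"
            for dmz, targets in policy.items() for inside, port in targets]


def _parse_addr(tokens, i):
    """Consume 'any', 'host X' or 'NET MASK' at tokens[i]; return (network, next i)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """Parse 'access-list NAME action proto SRC DST [eq PORT]'.

    Only a destination port operator is supported, which is all this
    example generates.
    """
    t = line.split()
    action, proto = t[2], t[3]
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return action, proto, src, dst, port


def evaluate(acl_lines, src_ip, dst_ip, proto, dst_port=None):
    """First-match evaluation of a flow against the generated list.

    Returns 'permit' or 'deny'; the trailing 'deny' models the implicit deny
    at the end of every PIX access-list.
    """
    src_addr, dst_addr = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl_lines:
        if not line.startswith("access-list "):
            continue  # skip the access-group line
        action, p, src, dst, port = parse_ace(line)
        if p != "ip" and p != proto:
            continue
        if src_addr not in src or dst_addr not in dst:
            continue
        if port is not None and port != dst_port:
            continue
        return action
    return "deny"


if __name__ == "__main__":
    acl = build_dmz_acl("from_dmz", DMZ_POLICY, INSIDE_NETWORKS)
    print("\n".join(acl))
    print("--- conduit equivalent ---")
    print("\n".join(build_conduits(DMZ_POLICY)))
    print(evaluate(acl, "10.1.1.10", "192.168.1.20", "tcp", 1433))  # permit
    print(evaluate(acl, "10.1.1.10", "192.168.1.20", "tcp", 80))    # deny
    print(evaluate(acl, "10.1.1.10", "198.51.100.7", "tcp", 443))   # permit
```

To add a new inside host for a DMZ server, change DMZ_POLICY and regenerate; on PIX releases where access-list entries can only be appended, remove the old list (`no access-list from_dmz ...` / `clear access-list from_dmz`) and paste the regenerated one so the deny and the permit ip any any stay at the bottom.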