Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
389
Views
0
Helpful
1
Replies

Cisco recommends us to replace conduits with access-lists…but how????

8dstaicu
Level 1
Level 1

‎02-22-2002 02:32 AM - edited ‎03-08-2019 09:53 PM

Hi.

I try to convert a conduit based configuration with a access-list one.

But:

I have servers in DMZ that need to access other servers from inside and all Internet.

I just need something like:

conduit permit tcp host inside_host eq a_port dmz_server

With access-list it’s far more complicated:

access-list from_dmz permit tcp host dmz_server host inside_host eq a_port

access-list from_dmz deny ip host dmz_server nat-ed_network_from_inside

access-list from_dmz permit ip any any

access-group from_dmz in interface dmz

Why this (at least) weird behavior?

Because when I put an access-list to a interface I deny by default all traffic (even if is for a lower priority interface). Conduits didn’t have this problems.

If I need to allow the access from dmz_server to another host from inside I need to enter this:

no access-list from_dmz deny ip host dmz_server nat-ed_network_from_inside

no access-list from_dmz permit ip any any

access-list from_dmz permit tcp host dmz_server host inside_host#2 eq a_port

access-list from_dmz deny ip host dmz_server nat-ed_network_from_inside

access-list from_dmz permit ip any any

With conduits I only need one command.

If I have three servers in dmz that need to access some hosts from inside….I will need a too complex configuration with access-lists. With conduits its far more flexible.

It’s out there somebody that can give me a good explanation for this “enhancement” that Cisco brought us.

A guy from Cisco maybe?????

Bye

Labels:
0 Helpful
1 Reply 1

mike-banks
Level 1
Level 1

‎02-25-2002 01:46 PM

Well, I am not a guy from Cisco. However, I know what you are talking about. During my PIX firewall class the instructor indicated that Cisco is trying to make the PIX software more IOS like. So, access list will be the preferred method in the future. So, after I got back from training I removed all my conduit statements and changed them to access list. I had to speak to one of the Cisco Engineers when I had a problem, but they said it was my choice whether to use conduits or access list.

As you learned when you apply an access list it defeats the ASA feature in the PIX. You now have to specify all outbound traffic as well.

It may be more of a hassle initially, but access list do provide tighter security.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents