Cisco Support Community

New Member

Cisco recommends that we replace conduits with access-lists…but how?

Hi.

I am trying to convert a conduit-based configuration to an access-list one.

But:

I have servers in DMZ that need to access other servers from inside and all Internet.

I just need something like:

conduit permit tcp host inside_host eq a_port host dmz_server

With an access-list it’s far more complicated:

access-list from_dmz permit tcp host dmz_server host inside_host eq a_port

access-list from_dmz deny ip host dmz_server nat-ed_network_from_inside

access-list from_dmz permit ip any any

access-group from_dmz in interface dmz

Why this (at least) weird behaviour?

Because when I apply an access-list to an interface, all traffic is denied by default (even if it is for a lower-priority interface). Conduits didn’t have this problem.

If I need to allow access from dmz_server to another host on the inside, I need to enter this:

no access-list from_dmz deny ip host dmz_server nat-ed_network_from_inside

no access-list from_dmz permit ip any any

access-list from_dmz permit tcp host dmz_server host inside_host#2 eq a_port

access-list from_dmz deny ip host dmz_server nat-ed_network_from_inside

access-list from_dmz permit ip any any

With conduits I only need one command.

If I have three servers in the DMZ that need to access some hosts on the inside… I will need a far too complex configuration with access-lists. With conduits it’s far more flexible.

Is there somebody out there who can give me a good explanation for this “enhancement” that Cisco brought us?

A guy from Cisco maybe?????

Bye

  • Other Security Subjects
1 REPLY
New Member

Re: Cisco recommends us to replace conduits with access-lists…b

The only difference between the two is that the src and dst are swapped around. And the access-group needs to be bound to an interface.

i.e.

conduit permit tcp host DST eq 25 host SRC

access-list test permit tcp host SRC host DST eq 25

access-group test in interface dmz

The reason for phasing out conduits is that most people work with ACLs in a router environment, and it makes sense to do the same on a firewall.
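As an added example that is not part of this thread, the following Python script does the conversion the reply describes: it parses PIX 6.x conduit statements, swaps the source and destination sides, and binds the resulting ACL inbound on the DMZ interface. The addresses used in its checks are constructed placeholders, and the implicit deny it notes is the behaviour the original poster ran into.

```python
# Added example (not from the thread): convert PIX "conduit" statements into the
# equivalent access-list / access-group pair described in the reply above.
# Conduit syntax (PIX 6.x):
#   conduit permit|deny proto GLOBAL_ADDR [op port] FOREIGN_ADDR [op port]
# where an address is "any", "host A.B.C.D" or "A.B.C.D MASK". The ACL form
# lists the foreign (source) side first, then the global (destination) side.

PORT_OPS = {"eq": 1, "neq": 1, "lt": 1, "gt": 1, "range": 2}


def _take_endpoint(tokens, i):
    """Consume one address spec plus an optional port operator at tokens[i].
    Returns (text, index of the next unconsumed token)."""
    if tokens[i] == "any":
        parts, i = ["any"], i + 1
    elif tokens[i] == "host":
        if i + 1 >= len(tokens):
            raise ValueError("'host' needs an address")
        parts, i = tokens[i:i + 2], i + 2
    else:  # explicit address followed by its mask
        if i + 1 >= len(tokens):
            raise ValueError("address must be followed by a mask (or use 'host')")
        parts, i = tokens[i:i + 2], i + 2
    if i < len(tokens) and tokens[i] in PORT_OPS:
        n = PORT_OPS[tokens[i]]
        if i + n >= len(tokens):
            raise ValueError(f"'{tokens[i]}' needs {n} port argument(s)")
        parts, i = parts + tokens[i:i + 1 + n], i + 1 + n
    return " ".join(parts), i


def conduit_to_ace(conduit_line, acl_name):
    """Translate one conduit into an access-list entry (source/destination swapped)."""
    tokens = conduit_line.split()
    if len(tokens) < 5 or tokens[0] != "conduit" or tokens[1] not in ("permit", "deny"):
        raise ValueError(f"not a conduit statement: {conduit_line!r}")
    action, proto = tokens[1], tokens[2]
    global_side, i = _take_endpoint(tokens, 3)   # inside/global side = ACL destination
    foreign_side, i = _take_endpoint(tokens, i)  # DMZ/foreign side = ACL source
    if i != len(tokens):
        raise ValueError(f"unexpected trailing tokens: {tokens[i:]}")
    return f"access-list {acl_name} {action} {proto} {foreign_side} {global_side}"


def convert_conduits(conduit_lines, acl_name, interface):
    """Full replacement: one ACE per conduit, then bind the ACL inbound on the
    DMZ interface. Traffic matching no ACE is dropped by the ACL's implicit deny,
    so any other flows the DMZ hosts need must get their own ACEs."""
    aces = [conduit_to_ace(line, acl_name) for line in conduit_lines]
    return aces + [f"access-group {acl_name} in interface {interface}"]
```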
