conduit vs access-list; second opinion

chuck007 · ‎07-12-2002

I found this message below and I'm having the same problem when converting from conduits to access-lists on the PIX. My config is the same: dmz hosts need to access hosts on the inside via a static translation on the dmz. The access-list forced me to use deny specific hosts and permit any any at the end. Now everytime I make changes, I have to create a new access-list with the new inserted commands, shutdown the DMZ interface, and finally apply the new access-list list like routers. With conduits I can dynamically change things without shutting down the interface.

This "improvement" seems more trouble some than conduits and it can't really "replace" conduits function for function in this case. However all Cisco material says this is the way to go and so does their support center.

Any thoughts or work-arrounds?

--Chuck

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Ddisplay_location%26mode%3Dnew%26location%3D.ee7be92/0

Security

Cisco recommends us to replace conduits with access-lists?but how????

8dstaicu

Feb 22, 2002, 2:32am PST

Hi.

I try to convert a conduit based configuration with a access-list one.

But:

I have servers in DMZ that need to access other servers from inside and all Internet.

I just need something like:

conduit permit tcp host inside_host eq a_port dmz_server

With access-list it?s far more complicated:

access-list from_dmz permit tcp host dmz_server host inside_host eq a_port

access-list from_dmz deny ip host dmz_server nat-ed_network_from_inside

access-list from_dmz permit ip any any

access-group from_dmz in interface dmz

Why this (at least) weird behavior?

Because when I put an access-list to a interface I deny by default all traffic (even if is for a lower priority interface). Conduits didn?t have this problems.

If I need to allow the access from dmz_server to another host from inside I need to enter this:

no access-list from_dmz deny ip host dmz_server nat-ed_network_from_inside

no access-list from_dmz permit ip any any

access-list from_dmz permit tcp host dmz_server host inside_host#2 eq a_port

access-list from_dmz deny ip host dmz_server nat-ed_network_from_inside

access-list from_dmz permit ip any any

With conduits I only need one command.

If I have three servers in dmz that need to access some hosts from inside?.I will need a too complex configuration with access-lists. With conduits its far more flexible.

It?s out there somebody that can give me a good explanation for this ?enhancement? that Cisco brought us.

A guy from Cisco maybe?????

Bye

yusuff · ‎07-13-2002

let me try. It seems you are more comfortable with conduits than ACL, we'll its a choice anyway, that is why uptil now, Cisco has both 'conduits' and 'ACL' support on the newer versions too.

Let me give you some example and comparison.

With conduits, the are flexible in the way you specified, but they open holes on the entire PIX, with ACL they are interface specific i.e. an ACL protects on an interface basis, whereas, conduits open a blanket hole on the box, as you can see, this could cause issues sometimes, and you do not have a better control, with ACL you have a better control on who can access what and from where.

Another thing is that ACL is top down lookup, just like the router, as soon as there is a match; action will be taken, no further lookup. With conduits, they are most specific, it will match the most specific line.

one more thing, if you want to remove an ACL, you do not need to do a 'no' statement for every line in your ACL, just once

eg;

no access-list 101 <--- will remove entire ACL 101

HTH

R/Yusuf