
New Member

Conduits & Access lists with Pix firewall

I have recently upgraded my Pix 520 from version 4.3 to 5.1(4) and I would like to convert all my conduit statements into access lists.

My question is: if I add an access list and assign it to an interface will the conduit statements I have work simultaneously with the new access list?

Thanks in advance

Robin

4 REPLIES
New Member

Re: Conduits & Access lists with Pix firewall

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v51/config/intro.htm

Configure access lists carefully if your security policy limits outgoing connections. The access-list and access-group command statements take precedence over the conduit and outbound command statements in your configuration.
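As an added illustration of the conversion the original poster asks about (this is an example written for this thread, not a Cisco tool or anything from the linked documentation), the script below rewrites simple PIX 5.x conduit statements into the access-list form and appends the access-group binding that actually activates the list on an interface. It assumes the conduit syntax of that era (protocol, global address, optional port, foreign address, optional port, with `host`/`any` shorthand), that the access-list keeps the translated global address as on pre-7.0 PIX, and the ACL name `outside_in` and interface `outside` are constructed values.

```python
"""Convert PIX 5.x conduit statements to access-list/access-group form.

Added example for this thread, not Cisco's own code. Assumption: on this
PIX release the ACL still references the global (translated) address, so
the only structural change is that the foreign host becomes the source
and the global host the destination, followed by an access-group line.
"""

PORT_OPS = {"eq", "neq", "lt", "gt", "range"}


def _take_addr(tokens):
    """Consume one address spec ('any', 'host X', or 'X MASK')."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"host {tokens[1]}", tokens[2:]
    ip, mask = tokens[0], tokens[1]
    if mask == "255.255.255.255":          # /32 mask is just a host
        return f"host {ip}", tokens[2:]
    return f"{ip} {mask}", tokens[2:]


def _take_port(tokens):
    """Consume an optional port operator; 'range' takes two ports."""
    if tokens and tokens[0] in PORT_OPS:
        n = 3 if tokens[0] == "range" else 2
        return " ".join(tokens[:n]), tokens[n:]
    return "", tokens


def conduit_to_acl(line, acl_name):
    """Return the access-list line equivalent to one conduit statement."""
    tokens = line.split()
    if tokens[:1] != ["conduit"] or tokens[1] not in ("permit", "deny"):
        raise ValueError(f"not a conduit statement: {line}")
    action, proto = tokens[1], tokens[2]
    glob, rest = _take_addr(tokens[3:])     # global (translated) side
    gport, rest = _take_port(rest)
    foreign, rest = _take_addr(rest)        # foreign (Internet) side
    fport, rest = _take_port(rest)
    tail = " ".join(rest)                   # e.g. an icmp-type
    parts = ["access-list", acl_name, action, proto, foreign]
    parts += [p for p in (fport, glob, gport, tail) if p]
    return " ".join(parts)


def convert_conduits(lines, acl_name="outside_in", interface="outside"):
    """Convert conduit lines and bind the resulting ACL to an interface."""
    out = [conduit_to_acl(l, acl_name) for l in lines if l.strip()]
    out.append(f"access-group {acl_name} in interface {interface}")
    return out


if __name__ == "__main__":
    SAMPLE = [  # constructed sample config, not from the thread
        "conduit permit tcp host 192.0.2.10 eq www any",
        "conduit permit icmp any any echo-reply",
    ]
    print("\n".join(convert_conduits(SAMPLE)))
```

Because the access-group line takes precedence over any remaining conduits, the converted list should be reviewed as a complete policy for that interface before it is applied.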

New Member

Re: Conduits & Access lists with Pix firewall

In case of not having any response: When some petition comes into your router from the internet, it will use the access list and the pix will not have to do any work at all.

I believe, in most cases, it is better that you use the pix as a firewall and leave the router without access lists that actually diminish its performance.

Let's say that you wanted to block NAPSTER in working hours; then you apply an access list with a time definition in the router. That would be an exception.

New Member

Re: Conduits & Access lists with Pix firewall

They should work. The access lists would be evaluated first. It is not generally considered a good idea to run both though because it can get confusing quickly.

New Member

Re: Conduits & Access lists with Pix firewall

You certainly can do this but it is not recommended by Cisco in the PIX documentation due to the fact that access-list statements will be evaluated first and debugging can get kind of messy with both conduits and access-lists. On a side note, I did convert from conduits to access-lists on our PIX and found that due to access-lists being much more restrictive I was having to add acl statements in that I never had to add in before with conduits -- and that was just to get normal things to work properly. Anyway, I converted back to conduits and decided to stay with conduits only. Just fyi...
