PIX - Conduit to Access-list Conversion

Hi all,

I have a scenario something like this.

I have a PIX firewall with 4 interfaces configured, say inside, dmz1, dmz2 and outside, with security levels 100, 65, 30 and 0 respectively. By default everything is allowed from a higher security level to a lower security level and everything is denied from a lower security level to a higher security level. I am using conduit commands for all the traffic blocking and allowing. Now I have decided to change all the conduit commands to access-lists to be more specific in allowing and denying the traffic.

I also came to know that one can put access-list on an interface only for incoming traffic.

My question is

If I have a conduit command on the PIX something like this:

conduit permit tcp host 10.10.10.1 eq www any (where 10.10.10.1 is in dmz1 and running http on that)

and if i change the same to Access-list form

access-list outside-in permit tcp any host 10.10.10.1 eq www

access-list outside-in deny ip any any

and apply this to outside interface for incoming traffic

access-list dmz2-in permit tcp any host 10.10.10.1 eq www

access-list dmz2-in deny ip any any

and apply it on dmz2 interface for incoming traffic

Will this replacement have an impact, in that all the traffic currently allowed from dmz2 to outside will be denied? If so, and it denies all the traffic from dmz2 to outside, how should I replace my conduit commands so as to allow all the traffic from dmz2 to outside and still have some restrictions on accessing my 10.10.10.1 on the dmz1 interface from dmz2?

One more question: why is the PIX designed to have access-lists for only incoming traffic?

Any significance ???

All the answers are highly appreciated and my sincere thanks in advance....

Ashok Pawar H.S.

4 REPLIES

Re: PIX - Conduit to Access-list Conversion

Applying that acl inbound on DMZ2 will replace the conduit and should not affect outbound traffic. PIX is moving (slowly) to an IOS-like CLI and that’s why they introduced the access-lists. I would guess the conduits will go away in the future sometime.


Re: PIX - Conduit to Access-list Conversion

doyle,

Thanks for your feedback...


Re: PIX - Conduit to Access-list Conversion

For my part, DMZ2 to outside traffic will be affected by your ACL.

First, when you create an ACL you don't need to specify deny ip any any, it's implicit with the PIX.

You must permit DMZ2's hosts to communicate with a permit statement to outside and limit to inside:

access-list dmz2-in permit tcp any host 10.10.10.1 eq www

access-list dmz2-in deny any 10.0.0.0 255.0.0.0

access-list dmz2-in permit tcp (dmz2 ip range) any eq www

access-list dmz2-in permit tcp (dmz2 ip range) any eq 443

access-list dmz2-in permit udp (dmz2 ip range) any eq domain

access-list dmz2-in permit tcp (dmz2 ip range) any eq smtp

And any other protocols you need to leave to outside.

Regards,

Ben
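A constructed first-match ACL evaluator (example code added here, not from the thread or from Cisco) that shows the point the two replies disagree on: with the original two-line dmz2-in ACL, every dmz2-to-outside packet falls through to the PIX implicit deny, while Ben's ordering permits the chosen outbound services and still blocks the 10/8 networks. It assumes dmz2 hosts live in 172.16.2.0/24 (not stated on the page) and models Ben's protocol-less "deny any 10.0.0.0 255.0.0.0" as "deny ip".

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Ace:
    """One access-list entry, in the order it appears in the ACL."""
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches everything, else "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]  # None means any destination port

ANY = ipaddress.ip_network("0.0.0.0/0")
DMZ2 = ipaddress.ip_network("172.16.2.0/24")   # constructed dmz2 range (assumption)
WEB = ipaddress.ip_network("10.10.10.1/32")    # the dmz1 web server from the question
TEN = ipaddress.ip_network("10.0.0.0/8")       # Ben's "10.0.0.0 255.0.0.0"

def matches(ace, proto, src, dst, dport):
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ipaddress.ip_address(src) not in ace.src:
        return False
    if ipaddress.ip_address(dst) not in ace.dst:
        return False
    return ace.dport is None or ace.dport == dport

def evaluate(acl, proto, src, dst, dport):
    """First matching ACE decides; no match hits the PIX implicit deny."""
    for ace in acl:
        if matches(ace, proto, src, dst, dport):
            return ace.action
    return "deny"   # implicit "deny ip any any" at the end of every PIX ACL

# dmz2-in as written in the original question: only the web server is permitted,
# so anything from dmz2 bound for the outside is denied.
ORIGINAL_DMZ2_IN = [Ace("permit", "tcp", ANY, WEB, 80)]

# dmz2-in as Ben proposes: web server first, then block 10/8, then the services
# dmz2 hosts may use outbound (www, 443, domain, smtp).
BEN_DMZ2_IN = [
    Ace("permit", "tcp", ANY, WEB, 80),
    Ace("deny", "ip", ANY, TEN, None),
    Ace("permit", "tcp", DMZ2, ANY, 80),
    Ace("permit", "tcp", DMZ2, ANY, 443),
    Ace("permit", "udp", DMZ2, ANY, 53),
    Ace("permit", "tcp", DMZ2, ANY, 25),
]
```

Order matters: if the 10/8 deny were placed before the web-server permit, dmz2 would lose access to 10.10.10.1 as well.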


Re: PIX - Conduit to Access-list Conversion

Are there any documents that thoroughly explain PIX Access Lists? So far, I only found the one document, which doesn't seem to go into as great of detail as I'd like. Please let me know if you guys have any other documents that you use.
