I have a PIX firewall with 4 interfaces configured, say inside, dmz1, dmz2 and outside, with security levels 100, 65, 30 and 0 respectively. By default everything is allowed from a higher security level to a lower security level and everything is denied from a lower security level to a higher security level. I am using conduit commands for all the traffic blocking and allowing. Now I have decided to change all the conduit commands to access-lists, to be more specific in allowing and denying the traffic.
I also came to know that one can put an access-list on an interface only for incoming traffic.
My question is this.
If I have a conduit command on the PIX, something like this:
conduit permit tcp host 10.10.10.1 eq www any (where 10.10.10.1 is in dmz1 and running http on that)
and if I change the same to access-list form
access-list outside-in permit tcp any host 10.10.10.1 eq www
access-list outside-in deny ip any any
and apply this to the outside interface for incoming traffic, and
access-list dmz2-in permit tcp any host 10.10.10.1 eq www
access-list dmz2-in deny ip any any
and apply it on the dmz2 interface for incoming traffic:
Will this replacement mean that all the traffic from dmz2 to outside, which is allowed today,
will be denied??? If so, and it denies all the traffic from dmz2 to outside, how should I replace my conduit
commands so as to allow all the traffic from dmz2 to outside and still have some restrictions on accessing my
10.10.10.1 on the dmz1 interface from dmz2?
One more question is: why is the PIX developed to have an access-list for only incoming traffic???
Any significance???
All the answers are highly appreciated and my sincere thanks in advance....
Applying that ACL inbound on dmz2 will replace the conduit and should not affect outbound traffic. PIX is moving (slowly) to an IOS-like CLI and that's why they introduced the access-lists. I would guess the conduits will go away in the future sometime.
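One way to write the replacement so that dmz2-to-outside stays open while dmz2-to-dmz1 is restricted, as an added example that is not part of the original thread: it assumes dmz2 is 10.10.20.0/24 and dmz1 is 10.10.10.0/24 (only 10.10.10.1 and the ACL names come from the question).

```cisco
! Added example, not from the original post. Assumed subnets:
!   dmz1 = 10.10.10.0/24 (web server 10.10.10.1), dmz2 = 10.10.20.0/24
!
! Remove the conduit being replaced so only the ACLs express the policy.
no conduit permit tcp host 10.10.10.1 eq www any
!
! outside: only the dmz1 web server is reachable from the Internet.
! As with the conduit, the address used here is the one seen on the
! outside interface (the global address of the static, if 10.10.10.1 is NATed).
access-list outside-in permit tcp any host 10.10.10.1 eq www
access-list outside-in deny ip any any
access-group outside-in in interface outside
!
! dmz2: once an access-group is bound to an interface, the ACL decides
! every packet entering that interface, including packets bound for the
! lower-security outside interface, and anything unmatched hits the
! implicit deny. So list the dmz1 restrictions first, then permit the
! rest, which is what keeps dmz2 -> outside working.
access-list dmz2-in permit tcp 10.10.20.0 255.255.255.0 host 10.10.10.1 eq www
access-list dmz2-in deny ip 10.10.20.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list dmz2-in permit ip 10.10.20.0 255.255.255.0 any
access-group dmz2-in in interface dmz2
!
! Check which lines are matching after the change:
! show access-list dmz2-in
```

The hit counts from show access-list confirm that dmz2 web traffic lands on the first line and dmz2-to-outside traffic on the last permit rather than on the implicit deny.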
Are there any documents that thoroughly explain PIX Access Lists? So far, I only found the one document, which doesn't seem to go into as great of detail as I'd like. Please let me know if you guys have any other documents that you use.