Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

PIX Firewall

I am working on PIX firewall 501. As per ASA, traffic can flow from a high security area to low security area without conduit. But i am unable to access the low security network without conduit. What can be the problem area?


Re: PIX Firewall

PIX have a default deny policy. You need a conduit or an ACL entry to allow access


Re: PIX Firewall

Hi -

By default, all inside traffic is allowed out via PIX but NOT allowed back into the network. If need certain traffic from the outside to be allowed in then you'll require conduits/ACLs and or static translation to be setup.

Hope this helps - Jay.


Re: PIX Firewall

Besides the fact that it is not recommended to use conduits anymore and Cisco advices to use access-lists instead, the normal operation indeed would be (as the other guys allready stated) that from high to low is implicit permitted, and from low to high is implicit denied (due to ASA).

But as you seem to be able to open session from low to high without having a conduit that permits that, I can only think of one thing that could be wrong. I think you are having an established command at the PIX also. Using conduits with established commands could drill some serious securityholes if used incorrectly. So, check to see if there are any established command, and there are any, search on CCO for the established command, and you will find some pretty good documents about how to use this command and still keep it secure.

What you are describing is NOT normal operation for a PIX and is in fact a big security hole.

So, check as soon as possible.

Also, consider tranfroming your config into using ACL´s instead of conduits.

Hope this helps,


Community Member

Re: PIX Firewall

Do you have any NAT or Static setup for the higher security level?

Community Member

Re: PIX Firewall

It is true that you do not need a conduit or access-list to go from a higher to lower security level. Please provide more information on whether going from a dmz to outside, inside to outside, etc. It could be that you are just missing your NAT, STATIC or global commands.

CreatePlease to create content