
Access Lists

Status
Not open for further replies.

rtiv

IS-IT--Management
Mar 12, 2002
US
Was wondering if some people would like to give their opinions and facts on the following:

We had a company come in about 2 weeks ago and perform an audit on the configs of our 6 PIX Firewalls. One of the recommendations was:

"Start replacing the numerous conduit statements you have by using access lists seeing that is the way Cisco will be going in the future with PIX configs"

Is this for real? Should access lists be used over conduits? If so, why?

Thanks
 
Hi.

It depends on the version of your pix firewalls, and your plans for the future.

If you are working with version 5.x or older and do not plan to upgrade, and everything is fine currently, you can stay with the conduits.

If you are planning to use new OS and new features like PDM, I would suggest following the suggestion and start using access-list instead.

If you have 3 or more interfaces and many rules, access-list might also have an advantage as they work per interface.

In any case, do NOT mix conduit and access-list in the same device. This can work but is difficult to manage and not practical at all.

Bye
Yizhar Hurwitz
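An added example (not from any poster in this thread) showing what replacing one conduit with the per-interface access-list form Yizhar describes looks like on a PIX with a dmz interface; the addresses, interface names and the list name outside_in are constructed for illustration, and the lines starting with ! are explanatory comments:

```text
! --- Before: conduit form (PIX 5.x style) ---
! Host 10.1.1.10 on the dmz is published as global address 192.0.2.10.
! Conduit argument order is destination (global) first, then source (foreign).
static (dmz,outside) 192.0.2.10 10.1.1.10 netmask 255.255.255.255
conduit permit tcp host 192.0.2.10 eq www any
! A conduit is not bound to one interface: it is evaluated for inbound
! traffic from lower-security interfaces generally, not just from outside.

! --- After: access-list form (PIX 6.x) ---
! The static stays the same; the list applied on the outside interface
! still references the global (translated) address, as the conduit did.
static (dmz,outside) 192.0.2.10 10.1.1.10 netmask 255.255.255.255
! Access-list argument order is source first, then destination.
access-list outside_in permit tcp any host 192.0.2.10 eq www
! Anything not permitted in the list is dropped by the implicit deny at the end.
access-group outside_in in interface outside
! Each other interface (a second dmz, for example) gets its own list and
! access-group, so the web server is reachable only from interfaces where
! you explicitly permit it.
```

When converting a long conduit list, keep a count of conduits removed against access-list lines added and check the argument order of every line, since the swapped source/destination positions are the usual source of a silently wrong rule.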
 
Hi all,

Yizhar is completely right.
If you have a PIX with 3 interfaces or more, it's important to use access-lists, but if you have an old configuration with conduits, the new configuration with access-lists would require rewriting all the rules and defining a scheme of the network and of the different applications between PCs, routers, etc...
In your case, you have 6 PIXes. It is very important to:
- Know the PIX version
- Know the PIX equipment (PIX 520, 525?)
- Know whether IPsec is used
- Know the number of interfaces per PIX

After that, it's easy to define the number of days needed to migrate to the new firmware.

Bordeau Jerome
France
 
Glad I looked here before I posted a new thread! Our PIX 520 currently has version 5.2(1). I want to upgrade it to the latest version, but our configuration is pretty elaborate and uses quite a few conduit commands. In looking at the documentation for 6.2, it appears conduit commands are still OK. Of course, they do recommend (as you folks have) that you use access-lists instead.

Our PIX 520 has six interfaces. We use five currently. Will upgrading to 6.2 overly complicate things? And what impact does multiple interfaces have with the conduit-vs.-access-list argument?

Thanks!

Dan
 