
PIX with big access-list


nib

Programmer
Mar 2, 2003
I have a big access-list (about 700 records) on the cisco 7206
and I must rewrite it for the PIX 515E.

Without PIX:
cisco3550<---->cisco7206<---->cisco75XX

With PIX:
cisco7206<---->inside
PIX 515E outside <---->cisco75XX
cisco3550<---->dmz

Nat is disabled.

This access-list includes rules for each interface (inside, dmz, outside).

I can use static and conduit commands (for each)
or
I can convert the access-list into three access-lists (for inside, outside, dmz).

What must I do?
 
Three access-lists (inside, dmz, outside)

The PIX only allows access-lists to be applied on the inbound of an interface.

Example:
If you want to disable all outbound tcp 80 access from your dmz, you would do this:

access-list 102 deny tcp any any eq 80
access-group 102 in interface dmz

If you want to allow inbound tcp 21 access from the internet (outside) to your dmz, you would do this:

access-list 101 permit tcp any any eq 21
access-group 101 in interface outside
 
Ok!

What is the difference between the access-list command and
the static and conduit commands?

Conf:
ip address outside 10.0.0.0 255.0.0.0
ip address inside 10.80.0.0 255.255.0.0
ip address dmz 10.80.4.32 255.255.255.224

nat (inside) 0 0.0.0.0 0 0
nat (dmz) 0 0.0.0.0 0 0

Example:
1. access-list 100 permit tcp any any eq ssh
access-group 100 in interface outside

2. static (inside,outside) 10.80.0.0 10.80.0.0 netmask 255.255.0.0
static (dmz,outside) 10.80.4.32 10.80.4.32 netmask 255.255.255.224
conduit permit tcp any any eq ssh
 
statics are required if you use either conduits or access-lists.

Access-lists are faster than access-lists, especially w/ PIX 6.2(2) and the compiled access-lists.

However, I have been told by a Cisco TAC person that they will drop conduit and outbound support in future PIX OS releases.
 
I'm trying this configuration (on the PIX 505 with OS 5.01):

access-list 100 permit tcp any any eq ssh
access-group 100 in interface outside

and I can connect from outside to inside and from outside to dmz
without static (inside,outside) and (dmz,outside).

Why? If you write:
baddos>> statics are required if you use either conduits or access-lists.
 
You will need statics for virtual ip's and whatnot. If it's a couple of hosts without virtual ips and NAT disabled, then you can get away w/o using statics. It's a good practice to do so though.
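As an added example (not code from the thread), the Python below performs the split the "three access-lists" reply recommends: each router ACE is placed on the inbound list of the interface its source address lives behind, using the interface networks from the Conf block above (outside 10.0.0.0/8, inside 10.80.0.0/16, dmz 10.80.4.32/27), with IOS wildcard masks converted to PIX netmasks. The IOS-style input format and the `<interface>_in` list names are assumptions; rules whose source is `any` are handed back for manual placement rather than guessed.

```python
import ipaddress
from collections import defaultdict

# Interface networks from the thread's "Conf:" block. dmz lies inside the inside range,
# so the longest matching prefix decides which interface a source address arrives on.
INTERFACES = {"outside": ipaddress.ip_network("10.0.0.0/8"),
              "inside": ipaddress.ip_network("10.80.0.0/16"),
              "dmz": ipaddress.ip_network("10.80.4.32/27")}
PORT_OPS = {"eq": 2, "gt": 2, "lt": 2, "neq": 2, "range": 3}  # tokens a port operator consumes

def interface_for(src_ip):
    """Interface whose inbound list must carry a rule with this source; None for 'any'."""
    if src_ip is None:
        return None
    hits = [(net.prefixlen, name) for name, net in INTERFACES.items()
            if ipaddress.ip_address(src_ip) in net]
    return max(hits)[1] if hits else None

def parse_addr(t, i):
    """Consume one IOS address spec at t[i]; return (PIX text, first IP or None, next index)."""
    if t[i] == "any":
        return "any", None, i + 1
    if t[i] == "host":
        return f"host {t[i + 1]}", t[i + 1], i + 2
    mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(t[i + 1])))  # wildcard -> netmask
    return f"{t[i]} {mask}", t[i], i + 2

def split_ace(line):
    t = line.split()  # access-list <num> <action> <proto> <src> [src-port] <dst> [dst-port ...]
    src, src_ip, i = parse_addr(t, 4)
    if i < len(t) and t[i] in PORT_OPS:
        n = PORT_OPS[t[i]]
        src, i = src + " " + " ".join(t[i:i + n]), i + n
    dst, _, i = parse_addr(t, i)
    return t[2], t[3], src, src_ip, dst, " ".join(t[i:])

def convert(ios_acl):
    """Split one router ACL into per-interface PIX lists; 'any'-source rules are returned
    separately because their inbound interface cannot be derived from the address."""
    per_if, unresolved = defaultdict(list), []
    for line in ios_acl:
        action, proto, src, src_ip, dst, rest = split_ace(line)
        name = interface_for(src_ip)
        if name is None:
            unresolved.append(line)
            continue
        per_if[name].append(f"access-list {name}_in {action} {proto} {src} {dst} {rest}".rstrip())
    for name in per_if:  # the PIX applies an access-list inbound only, one per interface
        per_if[name].append(f"access-group {name}_in in interface {name}")
    return dict(per_if), unresolved
```

Run `convert()` over the exported router ACL and review the `unresolved` list by hand before pasting the generated lists into the PIX.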
 