RE: A question that may not be answerable posted 04/08/2002


When you use ACLs on a PIX, unless it's permitted explicitly, it's denied
implicitly. This is the same as an ACL on a router, with the exception that
the PIX doesn't "understand wildcard masks".
I am in both PIXs and routers all day long, so it can become very confusing.
Thanks

Larry 
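As an added example (it is not from any of the posts in this thread, and the addresses and list name are constructed), here is the same outside-to-inside web-server permission written both ways on a PIX, to illustrate the two points raised above: the access-list ends in an implicit deny and takes ordinary subnet masks rather than router-style wildcard masks, and the conduit lists the global (inside server) address before the foreign (outside source) address. Lines beginning with "!" are explanatory and not part of the configuration.

```text
! Assumed addressing: 203.0.113.10 is the global (outside) address that a
! static maps to the inside web/mail server; 192.0.2.0/24 is a partner net.

! --- access-list form, applied inbound on the outside interface ---
! The PIX takes a normal subnet mask (255.255.255.0), not the router-style
! wildcard 0.0.0.255. Anything not matched by a permit line is dropped by
! the implicit deny at the end of the list, so a list with only deny entries
! blocks all inbound traffic.
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit tcp 192.0.2.0 255.255.255.0 host 203.0.113.10 eq 110
access-group outside_in in interface outside

! --- conduit form of the same two rules ---
! Order is global_ip [port] first, then foreign_ip [port]: the reverse of
! the ACL's source-then-destination order. The "eq www" / "eq 110" belongs
! with the global (server) address, not with the foreign side.
conduit permit tcp host 203.0.113.10 eq www any
conduit permit tcp host 203.0.113.10 eq 110 192.0.2.0 255.255.255.0
```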

-----Original Message-----
From: Parrish, Bryan [mailto:parrishbm@xxxxxxxxxxxx] 
Sent: Monday, April 08, 2002 9:58 AM
To: 'Roberts, Larry'; 'Robert Alldread'
Cc: security@xxxxxxxxxxxxxx
Subject: RE: A question that may not be answerable
Isn't all traffic allowed (permitted, unless otherwise specified) out of the
PIX after setting up the NATs and Globals? When using conduits this still
is true, but is this true when ACLs are used? Or do we need to put in the
explicit permit?

> Bryan M. Parrish
> Information Security Administrator UPMCHS
> parrishbm@xxxxxxxxxxxx
> Phone 412-647-1175


-----Original Message----- 
From: Roberts, Larry [mailto:Larry.Roberts@xxxxxxxxxxxx]
Sent: Monday, April 08, 2002 10:37 AM 
To: 'Robert Alldread' 
Cc: security@xxxxxxxxxxxxxx 
Subject: RE: A question that may not be answerable 
Since an ACL has an explicit deny any any at the end, wouldn't you either
have to end your ACL with an ip permit any any, or
at least add a line permitting the traffic that will hit the conduit?

Thanks 

Larry 

-----Original Message----- 
From: Robert Alldread [mailto:hackerboy@xxxxxxxxxxxxxxxx]
Sent: None 
To: Larry.Roberts@xxxxxxxxxxxx 
Cc: security@xxxxxxxxxxxxxx 
Subject: Re: A question that may not be answerable 
Well, just to let you know, you can use both conduits and ACLs at the same
time on the PIX. ACLs will by default take precedence over the conduits.
An example where both are used is VPN. Use conduits for specifying allowed or
denied traffic between the interfaces, and use ACLs to define which VPN
subnets can access the internal network.

I do this all day long and can tell you that it would be best to know both.
If you haven't used conduits in a while, here is a tip. Make sure you know
the placement of any "eq www" or "eq 110". And remember that the
source/source-mask and dest/dest-mask are swapped on conduits.

Good Luck! 

Skin-e 
---------- Original Message ---------------------------------- 
From: "Roberts, Larry" <Larry.Roberts@xxxxxxxxxxxx> 
Reply-To: "Roberts, Larry" <Larry.Roberts@xxxxxxxxxxxx> 
Date:  Sun, 7 Apr 2002 18:25:33 -0500 

Ok, 

I don't know if this violates the NDA or not, so be gentle. This concerns
the PIX FW: Since conduits and access-lists cannot be used at the same time,
is it safe to assume that you will be given the choice of which to use? I.e.,
will they say "permit this traffic" and you can choose, or do they specify
"using access-lists, permit this traffic"?

Since ACLs are the recommended way, should I concentrate on those? It's been
a while since I have messed with conduits, so I am starting to worry about
whether I need to relearn them.

As much help as can be given without violating the NDA would be appreciated!


Thanks 

Larry 
__________________________________________________________________ 
To unsubscribe from the SECURITY list, send a message to 
majordomo@xxxxxxxxxxxxxx with the body containing: unsubscribe SECURITY 