When you use ACLs on a PIX, unless it's permitted explicitly, it's denied
implicitly. This is the same as an ACL on a router, with the exception that
the PIX doesn't "understand wildcard masks".
I am in both PIXes and routers all day long, so it can become very confusing.
Thanks
Larry
-----Original Message-----
From: Parrish, Bryan [mailto:parrishbm@xxxxxxxxxxxx]
Sent: Monday, April 08, 2002 9:58 AM
To: 'Roberts, Larry'; 'Robert Alldread'
Cc: security@xxxxxxxxxxxxxx
Subject: RE: A question that may not be answerable
Isn't all traffic allowed (permitted, unless otherwise specified) out of the
PIX after setting up the NATs and Globals? When using conduits this still
is true, but is this true when ACLs are used? Or do we need to put in the
explicit permit?
> Bryan M. Parrish
> Information Security Administrator UPMCHS
> parrishbm@xxxxxxxxxxxx
> Phone 412-647-1175
-----Original Message-----
From: Roberts, Larry [mailto:Larry.Roberts@xxxxxxxxxxxx]
Sent: Monday, April 08, 2002 10:37 AM
To: 'Robert Alldread'
Cc: security@xxxxxxxxxxxxxx
Subject: RE: A question that may not be answerable
Since an ACL has an explicit deny any any at the end, wouldn't you either
have to end your ACL with an ip permit any any or at least add a line
permitting the traffic that will hit the conduit?
Thanks
Larry
-----Original Message-----
From: Robert Alldread [mailto:hackerboy@xxxxxxxxxxxxxxxx]
To: Larry.Roberts@xxxxxxxxxxxx
Cc: security@xxxxxxxxxxxxxx
Subject: Re: A question that may not be answerable
Well, just to let you know, you can use both conduits and ACLs at the same
time on the PIX. ACLs will by default take precedence over the conduits.
An example where both are used is VPN. Use conduits for specifying allowed or
denied traffic between the interfaces, and use ACLs to define which VPN
subnets can access the internal network.
I do this all day long and can tell you that it would be best to know both.
If you haven't used conduits in a while, here is a tip. Make sure you know
the placement of any "eq www" or "eq 110". And remember that the
source/source-mask and dest/dest-mask are swapped on conduits.
Good Luck!
Skin-e
---------- Original Message ----------------------------------
From: "Roberts, Larry" <Larry.Roberts@xxxxxxxxxxxx>
Reply-To: "Roberts, Larry" <Larry.Roberts@xxxxxxxxxxxx>
Date: Sun, 7 Apr 2002 18:25:33 -0500
Ok,
I don't know if this violates the NDA or not, so be gentle. This concerns
the PIX FW: Since conduits and access-lists cannot be used at the same time,
is it safe to assume that you will be given the choice of which to use? I.e.,
will they say "permit this traffic" and you can choose, or do they specify
"using access-lists, permit this traffic"?
Since ACLs are the recommended way, should I concentrate on those? It's been
a while since I have messed with conduits, so I am starting to worry about
whether I need to relearn them.
As much help as can be given without violating the NDA would be appreciated!
Thanks
Larry
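The two forms discussed in this thread side by side, as an added example that is not taken from any of the messages above. It shows the three points raised in the thread: the conduit argument order (global address first, then foreign address, so "eq www" sits next to the global address it qualifies), the PIX access-list using ordinary subnet masks rather than IOS wildcard masks, and the implicit deny at the end of an access-list. The addresses, the access-list name outside_in and the interface names are assumptions made for the illustration; the syntax is PIX 6.x.

```cisco
! Added example, not from the thread. Inside host 10.1.1.5 is published on
! the outside as 192.0.2.5 (constructed addresses).
static (inside,outside) 192.0.2.5 10.1.1.5 netmask 255.255.255.255

! Conduit form: protocol, global (destination) address and port, then the
! foreign (source) address. Note "eq www" follows the global address.
conduit permit tcp host 192.0.2.5 eq www any

! Equivalent access-list form: source then destination, as on a router, but
! with subnet masks (255.255.255.0), not wildcard masks (0.0.0.255).
access-list outside_in permit tcp any host 192.0.2.5 eq www
access-list outside_in permit tcp 198.51.100.0 255.255.255.0 host 192.0.2.5 eq 110

! Anything not matched above is dropped by the implicit deny. Writing the
! deny out makes the boundary visible to whoever reads the config later.
access-list outside_in deny ip any any

! An access-list does nothing until it is bound to an interface.
access-group outside_in in interface outside
```

The second permit line is the one that is easiest to get wrong when translating from a conduit: in the conduit the 198.51.100.0/24 network would appear last, after the global address and its port, while in the access-list it appears first as the source.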
__________________________________________________________________
To unsubscribe from the SECURITY list, send a message to
majordomo@xxxxxxxxxxxxxx with the body containing: unsubscribe SECURITY