GroupStudy.com GroupStudy.com - A virtual community of network engineers
RE: A question that may not be answerable posted 04/08/2002

I love how they made the access-list masks different on each box... what were they thinking!!!

Recommending to customers to use the access-lists instead of conduits because it's the familiar IOS access-list syntax just doesn't work very well.. ;-)

-Denny


------------------------------------------------
On Mon, 8 Apr 2002 10:00:50 -0500 , "Roberts, Larry" <Larry.Roberts@xxxxxxxxxxxx> wrote:

> When you use ACLs on a PIX, unless it's permitted explicitly, it's denied
> implicitly. This is the same as an ACL on a router, with the exception that
> the PIX doesn't "understand wildcard masks".
> I am in both PIX's and routers all day long so it can become very confusing.
> 
> Thanks
> 
> Larry 
> 
> -----Original Message-----
> From: Parrish, Bryan [mailto:parrishbm@xxxxxxxxxxxx] 
> Sent: Monday, April 08, 2002 9:58 AM
> To: 'Roberts, Larry'; 'Robert Alldread'
> Cc: security@xxxxxxxxxxxxxx
> Subject: RE: A question that may not be answerable
> 
> 
> 
> Isn't all traffic allowed (permitted, unless otherwise specified) out of the
> PIX after setting up the NATs and Globals.  When using conduits this still
> is true, but is this true when ACLs are used? or do we need to put in the
> explicit permit?
> 
> > Bryan M. Parrish
> > Information Security Administrator UPMCHS
> > parrishbm@xxxxxxxxxxxx
> > Phone 412-647-1175
> 
> 
> -----Original Message----- 
> From: Roberts, Larry [mailto:Larry.Roberts@xxxxxxxxxxxx]
> Sent: Monday, April 08, 2002 10:37 AM 
> To: 'Robert Alldread' 
> Cc: security@xxxxxxxxxxxxxx 
> Subject: RE: A question that may not be answerable 
> 
> 
> Since an ACL has an explicit deny any any at the end, wouldn't you either 
> have to end your ACL with an ip permit any any or 
> At least add a line permitting the traffic that will hit the conduit ? 
> 
> Thanks 
> 
> Larry 
> 
> -----Original Message----- 
> From: Robert Alldread [mailto:hackerboy@xxxxxxxxxxxxxxxx]
> Sent: None 
> To: Larry.Roberts@xxxxxxxxxxxx 
> Cc: security@xxxxxxxxxxxxxx 
> Subject: Re: A question that may not be answerable 
> 
> 
> Well, just to let you know, you can use both conduits and ACLs at the same
> time on the PIX. ACLs will by default take precedence over the conduits.
> An example where both are used is VPN. Use conduits for specifying allowed or
> denied traffic between the interfaces, and use ACLs to define which VPN
> subnets can access the internal network.
> 
> I do this all day long and can tell you that it would be best to know both.
> If you haven't used conduits in a while, here is a tip. Make sure you know
> the placement of any "eq www" or "eq 110". And remember that the
> source/source-mask and dest/dest-mask are swapped on conduits.
> 
> Good Luck! 
> 
> Skin-e 
> ---------- Original Message ---------------------------------- 
> From: "Roberts, Larry" <Larry.Roberts@xxxxxxxxxxxx> 
> Reply-To: "Roberts, Larry" <Larry.Roberts@xxxxxxxxxxxx> 
> Date:  Sun, 7 Apr 2002 18:25:33 -0500 
> 
> Ok, 
> 
> I don't know if this violates the NDA or not, so be gentle. This concerns
> the PIX FW: since conduits and access-lists cannot be used at the same time,
> is it safe to assume that you will be given the choice of which to use? i.e.
> will they say "permit this traffic" and you can choose, or do they specify
> "using access-lists, permit this traffic"?
> 
> Since ACLs are the recommended way, should I concentrate on those? It's been
> a while since I have messed with conduits, so I am starting to worry about
> whether I need to relearn them?
> 
> As much help as can be given without violating the NDA would be appreciated!
> 
> Thanks 
> 
> Larry 
> __________________________________________________________________ 
> To unsubscribe from the SECURITY list, send a message to 
> majordomo@xxxxxxxxxxxxxx with the body containing: unsubscribe SECURITY 
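The thread turns on two details that bite anyone moving rules between an IOS router and a PIX: IOS extended ACLs take wildcard masks (0.0.0.255) while PIX access-lists and conduits take subnet masks (255.255.255.0), and a conduit lists the global (destination) address and its "eq" port before the foreign (source) address. The helper below is an added example, not code from the thread or from Cisco; it classifies a mask as wildcard, netmask, ambiguous or invalid, converts between the two forms, and renders one rule in all three syntaxes so the differences can be checked side by side. The `Rule` class, function names and the ACL number/name (101, outside_in) are this example's own choices, and the command formats follow PIX 6.x / IOS conventions as assumed here; verify against the platform you actually run.

```python
"""Mask sanity checks and rule rendering for the IOS vs. PIX confusion.

Added example (not from the GroupStudy thread). Syntax below is the assumed
IOS extended-ACL / PIX 6.x access-list / PIX conduit form; confirm on the box.
"""
import ipaddress
from dataclasses import dataclass

MAX32 = 0xFFFFFFFF


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value & MAX32))


def is_netmask(mask: str) -> bool:
    """True for a run of 1-bits followed only by 0-bits (e.g. 255.255.255.0)."""
    inv = (~_to_int(mask)) & MAX32
    return (inv & (inv + 1)) == 0  # inverted value must look like 0...01...1


def is_wildcard(mask: str) -> bool:
    """True for a run of 0-bits followed only by 1-bits (e.g. 0.0.0.255)."""
    m = _to_int(mask)
    return (m & (m + 1)) == 0


def classify_mask(mask: str) -> str:
    """'ambiguous' for 0.0.0.0 / 255.255.255.255, which are valid in both
    notations but mean opposite things: 0.0.0.0 is 'host' in IOS and 'any'
    on a PIX. That is the case a copy-paste error will not trip over."""
    n, w = is_netmask(mask), is_wildcard(mask)
    if n and w:
        return "ambiguous"
    if n:
        return "netmask"
    if w:
        return "wildcard"
    return "invalid"  # non-contiguous in either reading, e.g. 255.0.255.0


def netmask_to_wildcard(mask: str) -> str:
    if not is_netmask(mask):
        raise ValueError(f"{mask} is not a contiguous subnet mask")
    return _to_dotted(~_to_int(mask))


def wildcard_to_netmask(mask: str) -> str:
    if not is_wildcard(mask):
        raise ValueError(f"{mask} is not a contiguous wildcard mask")
    return _to_dotted(~_to_int(mask))


@dataclass
class Rule:
    """One permit/deny entry, stored with subnet (not wildcard) masks."""
    action: str
    proto: str
    src: str
    src_mask: str
    dst: str
    dst_mask: str
    dst_port: str = ""  # e.g. "www" or "110"; empty means no port match


def _addr(ip: str, netmask: str, wildcard_style: bool) -> str:
    if netmask == "255.255.255.255":
        return f"host {ip}"
    if netmask == "0.0.0.0":
        return "any"
    mask = netmask_to_wildcard(netmask) if wildcard_style else netmask
    return f"{ip} {mask}"


def _port(rule: Rule) -> str:
    return f" eq {rule.dst_port}" if rule.dst_port else ""


def ios_acl(rule: Rule, number: int = 101) -> str:
    """IOS extended ACL: wildcard masks, source first, port after destination."""
    return (f"access-list {number} {rule.action} {rule.proto} "
            f"{_addr(rule.src, rule.src_mask, True)} "
            f"{_addr(rule.dst, rule.dst_mask, True)}{_port(rule)}")


def pix_acl(rule: Rule, name: str = "outside_in") -> str:
    """PIX access-list: same operand order as IOS, but subnet masks."""
    return (f"access-list {name} {rule.action} {rule.proto} "
            f"{_addr(rule.src, rule.src_mask, False)} "
            f"{_addr(rule.dst, rule.dst_mask, False)}{_port(rule)}")


def pix_conduit(rule: Rule) -> str:
    """PIX conduit: global (destination) address and its port come first,
    then the foreign (source) address; subnet masks throughout."""
    return (f"conduit {rule.action} {rule.proto} "
            f"{_addr(rule.dst, rule.dst_mask, False)}{_port(rule)} "
            f"{_addr(rule.src, rule.src_mask, False)}")


if __name__ == "__main__":
    # Constructed sample rule: allow a /24 to reach one web server.
    r = Rule("permit", "tcp", "192.168.1.0", "255.255.255.0",
             "10.1.1.1", "255.255.255.255", "www")
    for line in (ios_acl(r), pix_acl(r), pix_conduit(r)):
        print(line)
    for m in ("255.255.255.0", "0.0.0.255", "0.0.0.0", "255.0.255.0"):
        print(m, classify_mask(m))
```

Running `classify_mask` over every mask in a pasted ruleset before loading it onto a PIX catches the mechanical mistake (a wildcard mask where a netmask belongs) but not the ambiguous 0.0.0.0 / 255.255.255.255 case, which has to be reviewed by hand because both readings are valid.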