Older and newer syntax Firewall PI32.

Discussion in 'Cisco' started by AM, Dec 6, 2004.

  1. AM

    AM Guest

    Might anyone tell me if access lists and conduit statements can co-exist in a Pix configuration? PIX 4.2 and PIX 6.3

    Thanks in advance,

    Alex.
    AM, Dec 6, 2004
    #1
    1. Advertising

  2. AM

    John Smith Guest

    you typically want to avoid it anyway (even if it is possible and i'm not
    sure it is on the older 4.2). it also depends on what you mean by
    co-exist, you can have access-lists for other firewall purposes such as vpns
    and such, and still use conduits for normal passthrough access.
    can't you just convert your conduits to access-lists completely? of course,
    in some of my firewalls where i have over 2000 conduits that maybe not be
    realistic to do over nite at least...and may take extensive planning.


    "AM" <> wrote in message
    news:8wZsd.6916$...
    > Might anyone tell me if access lists and conduit statements can co-exist
    > in a Pix configuration? PIX 4.2 and PIX 6.3
    >
    > Thanks in advance,
    >
    > Alex.
    John Smith, Dec 6, 2004
    #2
    1. Advertising

  3. In article <8wZsd.6916$>, AM <> wrote:
    :Might anyone tell me if access lists and conduit statements can co-exist in a Pix configuration? PIX 4.2 and PIX 6.3

    access-lists as we know them today did not exist in PIX 4.2. PIX 4.2
    had "permit" and "deny" statements that served a similar purpose but
    they are not easy to work with: the PIX could re-write their order in
    unpredicatable ways, and the default when you hit the end wasn't to
    deny, it was to do the opposite of the last statement that had been
    evaluated. Mixing permit and deny statements (as is typical in any
    complex situation, especially one involving private address ranges and
    VPNs) was a mess to figure out the real meaning of the list. But Yes,
    conduits and permit/deny statements could co-exist in PIX 4.2.


    In PIX 6.3, conduit and access-list statements can coexist, but in some
    circumstances the conduit statements will be ignored completely, and
    you never have control over the order in which conduits are evaluated
    compared to the access-list . OTOH, 'co-exist' is not a well-defined
    phrase: if the question is "will they work together in a predictable
    and bug-free manner", the answer is "No".

    But you are not really asking the right question. What you -should- be
    asking for PIX 6.3 is whether conduits work properly at all. The
    answer to that one is "NO! And the problems WILL NOT be fixed." The
    problems are more acute when you start trying to use the newer features
    introduced in 6.2 or 6.3 (such as policy nat), but Cisco stopped trying
    to work on conduits by PIX 6.2, and didn't put much work into conduits
    beyond 6.0(1). If you are trying to use conduits in PIX 6.3, even
    without making them work in conjunction with ACLs, then chances are
    that the PIX is not handling the conduit properly but that you might
    not have noticed the problem yet. Perhaps you'll notice when your
    network gets cracked, perhaps not.

    The PIX is supposed to be a firewall, and if you bother to pay for one
    (rather than just using a consumer broadband NAT box), then you are
    supposed to be cocerned about the security of your network. Under the
    circumstances, do you really consider it wise to attempt to use an
    obsolete feature slated for complete removal in the next software
    release, when the manufacturer has already said that there are
    unfixable bugs with the obsolete feature??


    I have some sympathy for the fellow who posted a few months ago and
    said that his organization had something like 2500 PIXes that they
    had to update, in a situation where they had only short maintenance
    windows at each site. The logistics of that upgrade would be pretty
    rough!! But if you have only one or two PIXes and you haven't converted
    your conduits to ACLs in the 3+ years since ACLs were introduced
    at about 5.1(2), then I have to wonder why not.
    --
    I predict that you will not trust this prediction.
    Walter Roberson, Dec 6, 2004
    #3
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. David
    Replies:
    0
    Views:
    587
    David
    Sep 23, 2003
  2. GMAN
    Replies:
    1
    Views:
    457
    Alpha
    Jul 10, 2006
  3. zillah

    VACL and command Syntax

    zillah, Aug 16, 2006, in forum: Cisco
    Replies:
    2
    Views:
    1,031
    kirandeepmittal
    Nov 26, 2010
  4. bugbear

    Canon choice - older A620 or newer A540?

    bugbear, Nov 15, 2006, in forum: Digital Photography
    Replies:
    2
    Views:
    342
  5. Douglas C. Neidermeyer

    Installing older version of WIN XP over newer version

    Douglas C. Neidermeyer, Sep 6, 2006, in forum: Computer Support
    Replies:
    1
    Views:
    573
    Douglas C. Neidermeyer
    Sep 6, 2006
Loading...

Share This Page