[fw-wiz] PIX 520 - Converting conduits to access-lists

From: Eye Am (eyeam@optonline.net)
Date: 10/23/02


From: Eye Am <eyeam@optonline.net>
To: firewall-wizards@honor.icsalabs.com
Date: Wed Oct 23 08:02:01 2002

New here - need a little advice or direction please. Read firewall wizards
back to 1999 and am working with a couple of friends. In a real spot here.

I moved a device into the DMZ. Changed its IP to that of the DMZ, set the
6509 to the new VLAN, and added appropriate access-lists keeping the
existing conduits. Life was good. Then removed the associated conduits and
lost all outside connectivity to the devices. Can only access the device
with both conduits AND access-list/group configured. I thought it was bad
policy to have the two together. Here are the changes I made:

Old conduits:

conduit permit tcp host my.public.addy.here eq ftp any

conduit permit tcp host my.public.addy.here eq domain any

conduit permit udp host my.public.addy.here eq domain any

conduit permit tcp host my.public.addy.here eq ftp-data any

So I made the following access-lists/groups

access-list DMZ_IN permit tcp any host my.public.addy.here eq ftp (hitcnt=0)

access-list DMZ_IN permit tcp any host my.public.addy.here eq ftp-data (hitcnt=0)

access-list DMZ_IN permit udp any host my.public.addy.here eq domain (hitcnt=0)

access-list DMZ_IN permit tcp any host my.public.addy.here eq domain (hitcnt=0)

access-group DMZ_IN in interface DMZ
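The conversion the post walks through by hand can be done mechanically, and doing so makes the one thing a conduit does not say explicit: the interface the resulting access-list has to be bound to. The following is an added example, not code from the original post and not Cisco tooling. It assumes the documented PIX 6.x grammars (`conduit permit|deny PROTO GLOBAL [OP PORT] FOREIGN [OP PORT]` and `access-list NAME permit|deny PROTO SOURCE [OP PORT] DEST [OP PORT]`), the list name DMZ_IN from the post, and an outside interface named `outside`. A conduit names the global (destination) address first and the foreign (source) address second, while an access-list entry names source first, so the two address blocks swap places. The access-group is then applied `in` on the interface where the foreign hosts enter the PIX; for conduits admitting `any` to a public address that is the outside interface, and a list bound to an interface the traffic never enters is never consulted, which is exactly what a persistent `hitcnt=0` looks like.

```python
"""Convert PIX 6.x 'conduit' statements to equivalent 'access-list' entries.

Added example for this thread (not Cisco's tooling, not code from the post).
Address blocks may be 'any', 'host A.B.C.D', or 'A.B.C.D MASK'; port operators
are eq/neq/lt/gt (one operand) and range (two operands).
"""
import re
from typing import List, Tuple

PORT_OPS = {"eq": 1, "neq": 1, "lt": 1, "gt": 1, "range": 2}
DOTTED_QUAD = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def _take_address(tokens: List[str], pos: int) -> Tuple[List[str], int]:
    """Consume one address block at tokens[pos]; return its tokens and the next index.

    The host form is not validated as a dotted quad so that placeholders such as
    my.public.addy.here (as pasted in the post) still parse.
    """
    tok = tokens[pos]
    if tok == "any":
        return [tok], pos + 1
    if tok == "host" and pos + 1 < len(tokens):
        return [tok, tokens[pos + 1]], pos + 2
    # Plain address followed by a netmask.
    if pos + 1 < len(tokens) and DOTTED_QUAD.match(tokens[pos + 1]):
        return [tok, tokens[pos + 1]], pos + 2
    raise ValueError(f"cannot parse address block at: {' '.join(tokens[pos:])}")


def _take_ports(tokens: List[str], pos: int) -> Tuple[List[str], int]:
    """Consume an optional port operator and its operand(s)."""
    if pos < len(tokens) and tokens[pos] in PORT_OPS:
        n = PORT_OPS[tokens[pos]]
        if pos + n >= len(tokens):
            raise ValueError(f"port operator {tokens[pos]} is missing operands")
        return tokens[pos:pos + 1 + n], pos + 1 + n
    return [], pos


def conduit_to_acl(conduit: str, acl_name: str) -> str:
    """Rewrite one conduit as an access-list entry named acl_name."""
    tokens = conduit.split()
    if len(tokens) < 4 or tokens[0] != "conduit" or tokens[1] not in ("permit", "deny"):
        raise ValueError(f"not a conduit statement: {conduit!r}")
    action, proto = tokens[1], tokens[2]
    global_addr, pos = _take_address(tokens, 3)      # destination in ACL terms
    global_ports, pos = _take_ports(tokens, pos)
    foreign_addr, pos = _take_address(tokens, pos)   # source in ACL terms
    foreign_ports, pos = _take_ports(tokens, pos)
    if pos != len(tokens):
        raise ValueError(f"trailing tokens in conduit: {' '.join(tokens[pos:])}")
    parts = ["access-list", acl_name, action, proto,
             *foreign_addr, *foreign_ports, *global_addr, *global_ports]
    return " ".join(parts)


def convert_conduits(conduits: List[str], acl_name: str,
                     ingress_interface: str = "outside") -> List[str]:
    """Return the ACL entries plus the access-group line binding them.

    ingress_interface is where the foreign (source) hosts enter the PIX. For
    Internet-facing conduits that is the outside interface; a list bound to the
    server's own interface is never consulted for that traffic (hitcnt stays 0).
    """
    lines = [conduit_to_acl(c, acl_name) for c in conduits if c.strip()]
    lines.append(f"access-group {acl_name} in interface {ingress_interface}")
    return lines


if __name__ == "__main__":
    # The four conduits from the post, as constructed sample input.
    old = [
        "conduit permit tcp host my.public.addy.here eq ftp any",
        "conduit permit tcp host my.public.addy.here eq domain any",
        "conduit permit udp host my.public.addy.here eq domain any",
        "conduit permit tcp host my.public.addy.here eq ftp-data any",
    ]
    for line in convert_conduits(old, "DMZ_IN"):
        print(line)
```

Run against the four conduits above it reproduces the four DMZ_IN entries from the post verbatim, followed by `access-group DMZ_IN in interface outside`; the only difference from what was configured is the interface in the access-group line. Diff the generated list against `show access-list` after cutting the conduits over, and treat a list whose counters never move as a binding problem to investigate before adding anything back.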


