Firewall Wizards mailing list archives

PIX 520 - Converting conduits to access-lists

From: Eye Am <eyeam () optonline net>
Date: Wed, 23 Oct 2002 08:08:20 -0400

New here - need a little advice or direction please. Read firewall wizards
back to 1999 and am working with a couple friends. In a real spot here.



I moved a device into the DMZ. Changed it's IP to that of the DMZ, set the
6509 to the new VLAN, and added appropriate access-lists keeping the
existing conduits. Life was good. Then removed the associated conduits and
lost all outside connectivity to the devices. Can only access the device
with both conduits AND access-list/group configured. I thought it was bad
policy to have the two together. Here's what changes I made



Old conduits:



conduit permit tcp host my.public.addy.here eq ftp any

conduit permit tcp host my.public.addy.here eq domain any

conduit permit udp host my.public.addy.here eq domain any

conduit permit tcp host my.public.addy.here eq ftp-data any



So I made the following access-lists/groups





access-list DMZ_IN permit tcp any host my.public.addy.here eq ftp (hitcnt=0)

access-list DMZ_IN permit tcp any host my.public.addy.here eq ftp-data
(hitcnt=0)

access-list DMZ_IN permit udp any host my.public.addy.here eq domain
(hitcnt=0)

access-list DMZ_IN permit tcp any host my.public.addy.here eq domain
(hitcnt=0)

access-group DMZ_IN in interface DMZ



_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

PIX 520 - Converting conduits to access-lists Eye Am (Oct 23)
- Re: PIX 520 - Converting conduits to access-lists Jean Caron (Oct 23)
- <Possible follow-ups>
- Re: PIX 520 - Converting conduits to access-lists Miha Vitorovic (Oct 23)