Firewall Wizards mailing list archives
PIX 520 - Converting conduits to access-lists
From: Eye Am <eyeam () optonline net>
Date: Wed, 23 Oct 2002 08:08:20 -0400
New here - need a little advice or direction please. Have read firewall-wizards back to 1999 and am working with a couple of friends. In a real spot here.

I moved a device into the DMZ. Changed its IP to that of the DMZ, set the 6509 to the new VLAN, and added appropriate access-lists, keeping the existing conduits. Life was good. Then I removed the associated conduits and lost all outside connectivity to the devices. I can only access the device with both conduits AND access-list/group configured. I thought it was bad policy to have the two together.

Here are the changes I made.

Old conduits:

  conduit permit tcp host my.public.addy.here eq ftp any
  conduit permit tcp host my.public.addy.here eq domain any
  conduit permit udp host my.public.addy.here eq domain any
  conduit permit tcp host my.public.addy.here eq ftp-data any

So I made the following access-lists/groups:

  access-list DMZ_IN permit tcp any host my.public.addy.here eq ftp (hitcnt=0)
  access-list DMZ_IN permit tcp any host my.public.addy.here eq ftp-data (hitcnt=0)
  access-list DMZ_IN permit udp any host my.public.addy.here eq domain (hitcnt=0)
  access-list DMZ_IN permit tcp any host my.public.addy.here eq domain (hitcnt=0)
  access-group DMZ_IN in interface DMZ

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
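The conduits in the post each permit a connection that enters the PIX on the outside interface and is destined to the DMZ host's public address. Added here as an illustration (not the poster's configuration and not one of the list replies): the same four permissions expressed as an interface access-list on the interface the traffic actually arrives on, with a counter check before the conduits are removed. The interface name "outside", the DMZ-side address 192.0.2.10, the static translation and the DMZ_OUT list are assumptions made for the example.

```cisco
! Added example, not the original poster's PIX config.
! Assumed: interfaces named outside and DMZ, DMZ host at 192.0.2.10,
! and a static translation to the public address used in the post.
!
! 1. Static NAT for the DMZ host. On PIX 6.x an access-list applied to
!    the outside interface matches the translated (public) address,
!    which is why the lines below name my.public.addy.here, as the
!    old conduits did.
static (DMZ,outside) my.public.addy.here 192.0.2.10 netmask 255.255.255.255
!
! 2. Old conduit:  conduit permit tcp host my.public.addy.here eq ftp any
!    meaning: any foreign host -> public address, tcp/21.
!    That traffic enters the PIX on the OUTSIDE interface, so the
!    replacement list must be bound "in interface outside".
access-list OUTSIDE_IN permit tcp any host my.public.addy.here eq ftp
access-list OUTSIDE_IN permit tcp any host my.public.addy.here eq ftp-data
access-list OUTSIDE_IN permit tcp any host my.public.addy.here eq domain
access-list OUTSIDE_IN permit udp any host my.public.addy.here eq domain
access-group OUTSIDE_IN in interface outside
!    (fixup protocol ftp, on by default, opens FTP data connections
!    dynamically; the ftp-data line is kept only for parity with the
!    old conduit.)
!
! 3. An access-group "in interface DMZ" only filters packets entering
!    the PIX FROM the DMZ. With the four outside->host lines in it,
!    nothing from the outside ever matches (hence hitcnt=0), and the
!    implicit deny at the end of every list also blocks any new
!    connection the DMZ host itself tries to open. If outbound
!    filtering on the DMZ is wanted, describe what the host may
!    originate instead, e.g. recursive DNS lookups (assumed policy):
access-list DMZ_OUT permit udp host 192.0.2.10 any eq domain
access-list DMZ_OUT permit tcp host 192.0.2.10 any eq domain
access-group DMZ_OUT in interface DMZ
!
! 4. Verify before removing the conduits: the hit counters on
!    OUTSIDE_IN should climb while a client connects from outside.
! show access-list OUTSIDE_IN
! no conduit permit tcp host my.public.addy.here eq ftp any
! no conduit permit tcp host my.public.addy.here eq domain any
! no conduit permit udp host my.public.addy.here eq domain any
! no conduit permit tcp host my.public.addy.here eq ftp-data any
```

The check in step 4 is the practical test: a list whose counters stay at zero during a known-good connection is bound to the wrong interface or matches the wrong address, and the conduits should stay in place until the counters move.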
Current thread:
- PIX 520 - Converting conduits to access-lists Eye Am (Oct 23)
- Re: PIX 520 - Converting conduits to access-lists Jean Caron (Oct 23)
- <Possible follow-ups>
- Re: PIX 520 - Converting conduits to access-lists Miha Vitorovic (Oct 23)