"Allen May" wrote in message news:[EMAIL PROTECTED]...
> I'm not sure if this was answered or not, but a firewall always assumes a
> deny all at the end of the access-list for inbound. Outbound is different
> since it allows all by default.
>

Remember this: Higher security level to lower security level, implicitly allowed. Lower security level to higher security level, implicitly denied. Otherwise it gets tricky once you start messing with multiple DMZs.

> Also, access-lists are the way to go since conduits will be phased out in
> the near future.
>
> Allen
>
> ----- Original Message -----
> From: Steve Alston
> To:
> Sent: Monday, November 19, 2001 9:25 AM
> Subject: Re: PIX conduit & access lists [7:26684]
>
>
> > Carroll,
> > Thanks for the reply. I'm using conduits now, but will switch to access
> > lists in the future. (I'd like to fully understand the configuration I
> > inherited before I start making changes) Are implicit denys inserted behind
> > each conduit as well?
> >
> >
> > "Carroll Kong" wrote in message
> > news:[EMAIL PROTECTED]...
> > > Implicit denys behind every access-list are inserted. Are you
> > > mixing conduits and access-lists? You really should not. Use ALL conduits
> > > or ALL access-lists. If both are used, conduits take priority and override
> > > your access-lists. Access-lists are first match, conduits are any match.
> > >
> > > At 09:24 AM 11/19/01 -0500, Steve Alston wrote:
> > > >Does the PIX 506 require an explicit deny statement after setting up a
> > > >permit conduit or access list?
> > > >
> > > >I appear to be receiving more traffic (e.g. NTP) than my conduit statements
> > > >allow.
> > > >
> > > >Thanks much,
> > > >Steve
> > > -Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=27293&t=26684
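
The evaluation order discussed in this thread, as an added example that is not part of the original posts and is not Cisco code: a simplified Python model of the security-level default and of first-match access-list evaluation with its implicit deny. Interface names, security levels, addresses and rules are constructed for illustration, and conduits are not modelled.

```python
# Added example: simplified model of the rules in the thread, not Cisco code.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp", or "ip" for any protocol
    src: str                    # source network, CIDR
    dst: str                    # destination network, CIDR
    port: Optional[int] = None  # destination port, None = any

    def matches(self, proto, src, dst, port):
        return (self.proto in ("ip", proto)
                and ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.port in (None, port))

def evaluate_acl(rules, proto, src, dst, port):
    """First match wins; running off the end of the list is the implicit deny."""
    for index, rule in enumerate(rules):
        if rule.matches(proto, src, dst, port):
            return rule.action, index
    return "deny", None

def decide(levels, acls, in_if, out_if, proto, src, dst, port):
    """An access-list bound to the ingress interface decides; otherwise levels do."""
    if in_if in acls:
        return evaluate_acl(acls[in_if], proto, src, dst, port)[0]
    # Assumption of this model: equal security levels are treated as denied.
    return "permit" if levels[in_if] > levels[out_if] else "deny"

# Constructed sample data (hypothetical interface names, documentation addresses).
LEVELS = {"inside": 100, "dmz1": 50, "dmz2": 30, "outside": 0}
WEB_ONLY = [Rule("permit", "tcp", "0.0.0.0/0", "192.0.2.10/32", 80)]
SHADOWED = [Rule("permit", "udp", "0.0.0.0/0", "192.0.2.0/24"),
            Rule("deny", "udp", "0.0.0.0/0", "192.0.2.10/32", 123)]

if __name__ == "__main__":
    ntp = ("udp", "198.51.100.7", "192.0.2.10", 123)
    print(evaluate_acl(WEB_ONLY, *ntp))   # NTP falls through to the implicit deny
    print(evaluate_acl(SHADOWED, *ntp))   # broad permit matches before the deny
    print(decide(LEVELS, {}, "dmz1", "dmz2", *ntp))
    print(decide(LEVELS, {}, "dmz2", "dmz1", *ntp))
    print(decide(LEVELS, {"outside": WEB_ONLY}, "outside", "dmz1", *ntp))
```

The `SHADOWED` list shows why rule order matters under first-match evaluation: the specific NTP deny is never reached because the broader permit precedes it.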

