PIX conduit & access lists [7:26684]
Does the PIX 506 require an explicit deny statement after setting up a permit conduit or access list?

I appear to be receiving more traffic (e.g. NTP) than my conduit statements allow.

Thanks much,
Steve

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=26684&t=26684
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: PIX conduit & access lists [7:26684]
Carroll,
Thanks for the reply. I'm using conduits now, but will switch to access lists in the future. (I'd like to fully understand the configuration I inherited before I start making changes.) Are implicit denys inserted behind each conduit as well?

"Carroll Kong" wrote in message news:[EMAIL PROTECTED]...
> Implicit denys behind every access-list are inserted. Are you
> mixing conduits and access-lists? You really should not. Use ALL conduits
> or ALL access-lists. If both are used, conduits take priority and override
> your access-lists. Access-lists are first match, conduits are any match.
>
> At 09:24 AM 11/19/01 -0500, Steve Alston wrote:
> >Does the PIX 506 require an explicit deny statement after setting up a
> >permit conduit or access list.
> >
> >I appear to be receiving more traffic (e.g. NTP) than my conduit statements
> >allow.
> >
> >Thanks much,
> >Steve
>
> -Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=26700&t=26684
Re: PIX conduit & access lists [7:26684]
Patrick & Allen,
Thanks for the responses -- helps loads. I'm still slightly confused.

I did a clear conduit expecting to block all incoming traffic. Following the clear conduit, I did a show conduit to verify there were not any conduits in operation. At that time, I was still able to receive web traffic at my workstation. For that matter, the conduit statements only applied to specific servers, so why am I able to receive http at my workstation? I did try to PING an IP address, which failed when I removed the conduits and worked when I restored "conduit permit icmp any any" -- that behaved as expected.

Thanks,
Steve

"Allen May" wrote in message news:[EMAIL PROTECTED]...
> Very true and a good point, but the original question was about conduits
> which only apply to lower->higher. Higher->lower requires NAT. I
> accidentally typed access-list below but meant conduit. ;) *slap self & get
> more coffee*. It still applies but wasn't what I meant to say.
>
> Thanks for pointing that out though.
>
> ----- Original Message -----
> From: Patrick W. Bass
> To:
> Sent: Sunday, November 25, 2001 10:14 PM
> Subject: Re: PIX conduit & access lists [7:26684]
>
> > "Allen May" wrote in message
> > news:[EMAIL PROTECTED]...
> > > I'm not sure if this was answered or not, but a firewall always assumes a
> > > deny all at the end of the access-list for inbound. Outbound is different
> > > since it allows all by default.
> >
> > Remember this: Higher security level to lower security level, implicitly
> > allowed. Lower security level to higher security level, implicitly denied.
> > Otherwise it gets tricky once you start messing with multiple DMZs.
> >
> > > Also, access-lists are the way to go since conduits will be phased out in
> > > the near future.
> > >
> > > Allen
> > >
> > > ----- Original Message -----
> > > From: Steve Alston
> > > To:
> > > Sent: Monday, November 19, 2001 9:25 AM
> > > Subject: Re: PIX conduit & access lists [7:26684]
> > > [...]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=27588&t=26684
Re: PIX conduit & access lists [7:26684]
Thanks again Allen,
Does that mean the responses to my outbound requests are allowed in by default? For example, my request for a web page is allowed through the firewall. Would the page in response to that request be allowed through the firewall?

Steve

"Allen May" wrote in message news:[EMAIL PROTECTED]...
> NAT or internal servers with "real" IP addresses using NAT 0 can access
> anything until you block it. Outbound requests (such as http, ftp, etc) are
> all enabled by default. Users outside the firewall cannot access internal
> IPs without access-list or conduit statements.
>
> In short, all outbound enabled and all inbound disabled by default.
>
> For your conduit permit icmp any any I would enable echo reply only rather
> than full icmp. Echo reply only allows replies back to the person pinging
> or tracerouting. Full icmp can be exploited in DOS attacks.
> example:
> access-list 10 permit icmp any any echo-reply
> access-group 10 interface outside
> (apply one to interface inside for outbound)
>
> Allen
>
> ----- Original Message -----
> From: Steve Alston
> To:
> Sent: Wednesday, November 28, 2001 4:08 PM
> Subject: Re: PIX conduit & access lists [7:26684]
>
> > Patrick & Allen,
> > Thanks for the responses -- helps loads. I'm still slightly confused.
> > [...]
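A small model of the inbound decision discussed in this thread, added here as an illustration (it is not code from the original posts or from Cisco): a list bound with access-group is evaluated first match with an implicit deny after the last line, an interface with no list falls back to the security-level default, and, as on a real PIX, a reply to a connection that the inside already opened is permitted from the connection table, which is why a web page can come back in when no conduit or list permits it. The interface names, addresses and the simplified three-tuple connection key are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple, Union

@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None      # destination port for tcp/udp
    icmp_type: Optional[str] = None  # "echo", "echo-reply", ...

@dataclass(frozen=True)
class Rule:                          # one access-list line
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp", "udp" or "icmp"
    src: str = "any"
    dst: str = "any"
    port: Union[int, str, None] = None  # dport, or ICMP type for icmp

def rule_matches(r: Rule, p: Packet) -> bool:
    if r.proto != "ip" and r.proto != p.proto:
        return False
    if r.src not in ("any", p.src) or r.dst not in ("any", p.dst):
        return False
    return r.port is None or r.port == (p.icmp_type if p.proto == "icmp" else p.dport)

class Pix:
    def __init__(self, levels: Dict[str, int], access_groups: Dict[str, List[Rule]]):
        self.levels = levels                 # interface -> security level
        self.access_groups = access_groups   # interface -> list bound by access-group
        self.conns: Set[Tuple[str, str, str]] = set()  # (proto, initiator, responder)

    def _track(self, p: Packet) -> None:
        if p.proto in ("tcp", "udp"):  # constructed 3-tuple key; a real PIX keys on ports too
            self.conns.add((p.proto, p.src, p.dst))

    def check(self, in_iface: str, out_iface: str, p: Packet) -> Tuple[str, str]:
        if (p.proto, p.dst, p.src) in self.conns:  # reply to a tracked connection
            return ("permit", "existing connection")
        rules = self.access_groups.get(in_iface)
        if rules is not None:  # bound list: first match wins, then implicit deny
            for n, r in enumerate(rules, 1):
                if rule_matches(r, p):
                    if r.action == "permit":
                        self._track(p)
                    return (r.action, f"access-list line {n}")
            return ("deny", "implicit deny")
        if self.levels[in_iface] > self.levels[out_iface]:  # no list: level default
            self._track(p)
            return ("permit", "higher to lower security level")
        return ("deny", "lower to higher security level")
```

Running the outbound web request first and then the reply shows the reply admitted by the connection table, while an unsolicited NTP packet from outside falls through the echo-reply list to the implicit deny.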