Re: Access list or Conduit? [7:72514]

2003-07-18 Thread Darren Crawford
Conduits are global and access lists are interface-specific. Go with access lists.

At 09:11 PM 7/17/2003 +, E. Keith J. wrote:
>Hi all
>
>The boss wants to allow ping.
>
>In the website I found the way by using an access list.
>
>In another config I see a conduit is used.
>
>What is the difference between using a conduit and an access list to allow
>ping?
>
>Is it that a conduit is to a specific host
>rather than permit any?
>
>Thanks
+  
International Network Services 
Darren S. Crawford - CCNP, CCDP, CISSP
Sr. Network Systems Consultant
Northwest Operation - Sacramento Office
Voicemail: (916) 859-5200 x310
Pager: (800) 467-1467
Text Page: [EMAIL PROTECTED]
Email: mailto://[EMAIL PROTECTED]
Web: www.ins.com
+

Every Job is a Self-Portrait of the person Who Did
It...Autograph Your Work With EXCELLENCE!




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=72557&t=72514
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]


RE: Access list or Conduit? [7:72514]

2003-07-17 Thread jhodge
You can use the "icmp permit" to allow the icmp through. As well, Cisco
recommends you allow unreachable through for SIP.

By default all PIX interfaces will respond to icmp echo-reply. You must
deny this with the "icmp deny" command. As well, you can use an ACL to
apply to the icmp permit match acl command, to make the icmp
echo-request more granular.

Conduits are the old way of blasting a hole in the PIX. Cisco
recommends the trend of ACL and icmp permit statements to mitigate
attacks.

Cheers,

Jamie

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Lynne Padgett
Sent: July 17, 2003 7:09 PM
To: [EMAIL PROTECTED]
Subject: RE: Access list or Conduit? [7:72514]


 -Original Message-
From:   Wilmes, Rusty
Sent:   Thu Jul 17 20:37:15 2003
To: [EMAIL PROTECTED]
Subject:    RE: Access list or Conduit? [7:72514]


-Original Message-
From: E. Keith J. [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 17, 2003 2:12 PM
To: [EMAIL PROTECTED]
Subject: Access list or Conduit? [7:72514]


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=72552&t=72514


RE: Access list or Conduit? [7:72514]

2003-07-17 Thread Lynne Padgett
I agree. If I recall correctly, this change was implemented in the later
versions of 5.x and conduits aren't used at all in the 6.x versions. Cisco
did this to make the firewall code more IOS-like.

 -Original Message-
From:   Wilmes, Rusty
Sent:   Thu Jul 17 20:37:15 2003
To: [EMAIL PROTECTED]
Subject:        RE: Access list or Conduit? [7:72514]


-Original Message-
From: E. Keith J. [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 17, 2003 2:12 PM
To: [EMAIL PROTECTED]
Subject: Access list or Conduit? [7:72514]


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=72546&t=72514


RE: Access list or Conduit? [7:72514]

2003-07-17 Thread Wilmes, Rusty
My understanding is conduits are the same as access lists but are being
phased out and replaced by access lists so that syntax is more uniform
across platforms.

-Original Message-
From: E. Keith J. [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 17, 2003 2:12 PM
To: [EMAIL PROTECTED]
Subject: Access list or Conduit? [7:72514]


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=72531&t=72514


RE: Access list or Conduit? [7:72514]

2003-07-17 Thread Joseph Brunner
Keith and Mark are correct. One thing to add: don't permit "icmp any any".
You definitely don't want to allow echo and other stuff from the internet
for security reasons... It will allow script kiddies to "map" your network.
A better way is to only allow echo-replies, time-exceeded (trace routes),
source-quench (so you can see icmp messages). Also allow icmp echoes (type 8)
outbound. You will then be able to ping stuff on the net, but they can't
ping you.

see this sample...

!create list
access-list corp_internet_allowed_in permit icmp any any echo-reply
access-list corp_internet_allowed_in permit icmp any any source-quench
access-list corp_internet_allowed_in permit icmp any any unreachable
access-list corp_internet_allowed_in permit icmp any any time-exceeded
!apply list
access-group corp_internet_allowed_in in interface outside


! create list
access-list corp_internal_allowed_out permit icmp  any
!apply list
access-group corp_internal_allowed_out in interface inside





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=72535&t=72514
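The two mechanisms the thread distinguishes, an access-list applied with access-group for ICMP passing through the PIX (Joseph's sample above) and the icmp permit/deny command jhodge mentions for ICMP aimed at an interface itself, evaluated over a constructed config. This is an added example, not code from the thread or from Cisco: the config, list names and addresses are made up (modelled on Joseph's list), and the implicit-deny assumptions are marked in the comments.

```python
# Added example (not from the thread): evaluate PIX-style ICMP policy lines.
# access-list + access-group govern ICMP THROUGH the firewall; icmp permit|deny
# governs ICMP sent TO a PIX interface. SAMPLE_CFG is constructed (modelled on
# Joseph's list); only 'any' and 'host A.B.C.D' addresses are handled, no masks.
import re

ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "source-quench": 4, "echo": 8, "time-exceeded": 11}
ADDR = r"(any|host \S+)"
ACL_LINE = re.compile(rf"access-list (\S+) (permit|deny) icmp {ADDR} {ADDR}(?: (\S+))?$")
ICMP_LINE = re.compile(rf"icmp (permit|deny) {ADDR}(?: (\S+))? (\S+)$")

SAMPLE_CFG = """
access-list corp_internet_allowed_in permit icmp any any echo-reply
access-list corp_internet_allowed_in permit icmp any any unreachable
access-list corp_internet_allowed_in permit icmp any any time-exceeded
access-group corp_internet_allowed_in in interface outside
access-list corp_internal_allowed_out permit icmp any any echo
access-group corp_internal_allowed_out in interface inside
access-list blanket permit icmp any any
icmp deny any echo outside
icmp permit any outside
"""

def _type(token):  # no type keyword (None) means the entry matches every ICMP type
    return None if token is None else (int(token) if token.isdigit() else ICMP_TYPES[token])
def parse(cfg):
    acls, iface_rules = {}, []  # {name: [(action, src, dst, type)]}, [(action, src, type, ifname)]
    for raw in cfg.splitlines():
        line = " ".join(raw.split())  # normalise whitespace; comments and access-group lines skip
        if m := ACL_LINE.match(line):
            name, action, src, dst, t = m.groups()
            acls.setdefault(name, []).append((action, src, dst, _type(t)))
        elif m := ICMP_LINE.match(line):
            action, src, t, ifname = m.groups()
            iface_rules.append((action, src, _type(t), ifname))
    return acls, iface_rules
def _addr_match(field, addr):
    return field == "any" or field.split()[1] == addr

def through(acl, src, dst, icmp_type):
    for action, s, d, t in acl:  # first matching entry wins
        if _addr_match(s, src) and _addr_match(d, dst) and t in (None, icmp_type):
            return action == "permit"
    return False  # no match: the PIX implicit deny at the end of every list
def to_interface(rules, src, icmp_type, ifname):
    mine = [r for r in rules if r[3] == ifname]
    if not mine:
        return True  # per the thread: an interface answers ICMP by default
    for action, s, t, _ in mine:
        if _addr_match(s, src) and t in (None, icmp_type):
            return action == "permit"
    return False  # assumed: implicit deny once any icmp rule names the interface
```

Running the three checks side by side shows why the thread warns against the blanket list: `blanket` lets an outside echo-request (type 8) through, while `corp_internet_allowed_in` only admits the replies and errors needed to make inside-initiated pings and traceroutes work.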


RE: Access list or Conduit? [7:72514]

2003-07-17 Thread Mark Smith
Statics/Conduits are the old pre-Cisco way of doing things in a PIX.
Works well, is easy to configure, but Cisco says that at some point support
for that command will likely be discontinued.
Cisco is trying to make the PIX OS more IOS-centric and has brought access
lists into the command fold as of about v5.x. I was slow to adopt the change
to access lists in my PIXes as I hadn't used them much before then. I was
very familiar with conduits, but since becoming more familiar with access
lists I haven't found anything that I could do with conduits that I can't
with access-lists, and I'm not concerned that support for ACLs is
disappearing anytime soon.
Only thing I'd say is that I've read you can experience some very weird and
unexpected results if you mix an access list and conduits together. Go with
all one or all of the other.

Mark

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
E. Keith J.
Sent: Thursday, July 17, 2003 4:12 PM
To: [EMAIL PROTECTED]
Subject: Access list or Conduit? [7:72514]


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=72527&t=72514