From: C King (cking007@xxxxxxxxxxx)
Date: Mon Mar 11 2002 - 02:45:11 GMT-3

I recently converted a PIX 515 (running 6.1) with about a hundred conduits
manually and it went fine. I did it offline in a text file and pasted it in
and it didn't take too long at all. The GUI would take forever to create
that many ACLs, and if you were trying to convert from conduits to ACLs it
likely wouldn't work as PDM cannot be used to update the rules if both
conduits and ACLs are in use. The docs mention that an interface can run
with both conduits and ACLs, but we weren't brave enough to try that.

One gotcha that we ran into was outbound traffic - using conduits, all
outbound traffic (from higher security to lower security interfaces) was
implicitly allowed. With an ACL, this is not the default behavior - it
wants to drop everything (the implicit deny ip any any at the end of the
ACL). You'll need to look at either explicitly permitting allowed traffic
or using a permit ip any any command at the end.

The other gotcha we ran into was access from a lower security interface to a
higher - if a "permit ip any any" was present on the lower interface, the
lower sec interface could get anywhere on the higher interface using this
rule (e.g. a DMZ to the inside), which is contrary to how conduits work. If
you use a "permit ip any any", you will also need to build in some deny
statements from lower to higher interfaces to prevent this.

Hope this helps.
CK
----- Original Message -----
From: "kurt kruegel" <kurt@cybernex.net>
To: <ccielab@groupstudy.com>
Sent: Friday, March 08, 2002 12:54 PM
Subject: a little off topic pix q
> What's the best way to convert conduits to access-lists on a 525
> currently running 531 with a hundred or so conduits?
> Do I have to upgrade to 6.0 and use that GUI thingy?
> Or write out the logic and manually enter? Nightmare ....
>
> thanks in advance.
> k
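As an added example (not code from either poster), the "write out the logic" approach from the thread can be scripted. The converter below turns PIX 6.x conduit statements into access-list statements and also emits the two pieces the reply warns about: an explicit permit for the outbound traffic that conduits allowed implicitly, and, on a lower-security interface such as a DMZ, deny lines for the higher-security networks placed ahead of the permit ip any any. The mechanical point it encodes is the operand order: a conduit lists the global (translated) address first and the foreign address second, while an access-list is written source then destination, so the two swap places; on PIX 6.x the ACL on the outside interface keeps the global address, just as the conduit did. The interface names (outside, inside, dmz), ACL names, addresses and the conduit lines themselves are constructed for the illustration.

```python
"""Convert PIX 6.x 'conduit' statements to 'access-list' statements.

Added example, not from the mailing-list thread. All interface names,
ACL names, addresses and sample conduits are constructed/hypothetical.
"""

# Port operators and how many port tokens follow each one.
PORT_OPERATORS = {"eq": 1, "neq": 1, "lt": 1, "gt": 1, "range": 2}


def _take_addr(tokens, i):
    """Consume one address spec (any | host A | A MASK) at tokens[i]."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return f"host {tokens[i + 1]}", i + 2
    return f"{tokens[i]} {tokens[i + 1]}", i + 2


def _take_ports(tokens, i):
    """Consume an optional port operator (eq www, range 1024 65535, ...)."""
    if i < len(tokens) and tokens[i] in PORT_OPERATORS:
        end = i + 1 + PORT_OPERATORS[tokens[i]]
        return " ".join(tokens[i:end]), end
    return "", i


def conduit_to_acl(conduit_line, acl_name):
    """Return the access-list line equivalent to one conduit statement.

    conduit permit|deny PROTO GLOBAL [ports] FOREIGN [ports | icmp-type]
    becomes
    access-list NAME permit|deny PROTO FOREIGN [ports] GLOBAL [ports | icmp-type]
    i.e. the foreign (outside) side becomes the ACL source, the global
    (translated) side becomes the ACL destination. Port names pass through.
    """
    tokens = conduit_line.split()
    if len(tokens) < 5 or tokens[0] != "conduit" or tokens[1] not in ("permit", "deny"):
        raise ValueError(f"not a conduit statement: {conduit_line!r}")
    action, proto = tokens[1], tokens[2]
    global_addr, i = _take_addr(tokens, 3)
    global_ports, i = _take_ports(tokens, i)
    foreign_addr, i = _take_addr(tokens, i)
    if proto == "icmp":
        # An optional ICMP type trails the foreign address; it stays last.
        foreign_ports, tail = "", " ".join(tokens[i:])
    else:
        foreign_ports, i = _take_ports(tokens, i)
        tail = ""
        if i != len(tokens):
            raise ValueError(f"trailing tokens in {conduit_line!r}")
    parts = ["access-list", acl_name, action, proto, foreign_addr]
    if foreign_ports:
        parts.append(foreign_ports)
    parts.append(global_addr)
    if global_ports:
        parts.append(global_ports)
    if tail:
        parts.append(tail)
    return " ".join(parts)


def outbound_acl(acl_name, higher_security_nets=()):
    """ACL for an interface whose outbound traffic conduits allowed implicitly.

    Order matters: the denies toward higher-security networks must come
    before 'permit ip any any', or that permit lets e.g. the DMZ reach the
    inside. Anything not matched hits the ACL's implicit deny ip any any.
    """
    lines = [f"access-list {acl_name} deny ip any {net} {mask}"
             for net, mask in higher_security_nets]
    lines.append(f"access-list {acl_name} permit ip any any")
    return lines


def convert(conduits, outside_acl, plan):
    """Build the replacement config: outside ACL from the conduits, plus one
    outbound ACL per (interface, acl_name, higher_security_nets) in plan."""
    out = [conduit_to_acl(c, outside_acl) for c in conduits]
    out.append(f"access-group {outside_acl} in interface outside")
    for iface, acl_name, nets in plan:
        out.extend(outbound_acl(acl_name, nets))
        out.append(f"access-group {acl_name} in interface {iface}")
    return out


# Constructed sample conduits (hypothetical addresses), as they might
# appear in 'write terminal' output on a PIX 6.x.
SAMPLE_CONDUITS = [
    "conduit permit tcp host 192.0.2.10 eq www any",
    "conduit permit tcp host 192.0.2.10 eq 443 any",
    "conduit permit udp host 192.0.2.20 eq domain 198.51.100.0 255.255.255.0",
    "conduit permit tcp host 192.0.2.30 range 5000 5010 host 203.0.113.5 gt 1023",
    "conduit permit icmp any any echo-reply",
    "conduit deny tcp host 192.0.2.10 eq 23 any",
]

# Interfaces that relied on the implicit outbound permit. The inside is the
# highest-security interface and needs no denies; the DMZ must be blocked
# from the (hypothetical) inside network before its permit ip any any.
SAMPLE_PLAN = [
    ("inside", "inside_out", []),
    ("dmz", "dmz_out", [("10.0.0.0", "255.0.0.0")]),
]

if __name__ == "__main__":
    for line in convert(SAMPLE_CONDUITS, "outside_in", SAMPLE_PLAN):
        print(line)
```

Paste the output into the configuration offline, as the reply describes, and compare it line by line against the original conduits before removing them; the script does the transposition, but it does not know which networks count as higher-security on your box, so the deny list in the plan is the part to get right by hand.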
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:56:59 GMT-3