What is better? ACLs or Conduits

I am configuring a new Cisco 515 PIX Firewall that has two Interfaces for my network to replace a failing device.  The outside I/F of the 515 will be connected to a Cisco 2600 that connects to my T1 (running).  The inside I/F will be connected to an internal network using a standard Class B private network of 192.168.x.x.  I would like to know if I should use ACLs or use Conduits.  I know I will have to do some port redirection with the static command, but what is the best solution for my needs?  Below is what I need to configure on my 515.

BTW, I am not new to firewalls or networking, but I am new to PIX Firewalls, so I could use the advice.

I will need my network to have the following capabilities:

Allow access to an internal Exchange Server from the Internet via POP3, SMTP, http and https (110, 25, 80, 443).  Currently internal and external users hit this server via an Internet domain name of mail.myco.com.
Allow access to an internal PC from the Internet via pcAnywhere (5631 TCP, 5632 UDP) (temporary)
Allow for DNS resolution from the Internet (53)
Allow me to backup my router's config to an Internal TFTP server (69).
Allow me to connect this PIX to remote locations via VPN tunnels next month.  These VPN links will be both connections from PIX 501s, and a few software VPNs from PCs connected to the Internet.

I have read a number of recommendations on setting up a PIX in these types of configurations, but I am not sure which one to use, ACLs or Conduits.  I am inclined to use ACLs, but not sure which is better.  I looked at configuring the PIX with PDM, but I go way back to the DOS days, so command line is my preference.  I may use it for the VPNs, but I believe it is better to use the command line for the initial configuration and port redirections.

Here's the basic way it works...
The following assumes that you have a block of public IPs and not just the one assigned to the interface.
-- set up static NAT translations for your public servers (public IPs 1 and 2 are assigned to the router's Ethernet and your PIX outside, respectively; a host-to-host static takes a 255.255.255.255 netmask)

  static (inside,outside) <public ip3> 192.168.x.x netmask 255.255.255.255
  static (inside,outside) <public ip4> 192.168.x.x netmask 255.255.255.255

-- set up ACLs to allow public traffic into the PIX outside interface.
  access-list public_access_in permit tcp any host <public ip3> eq smtp
  access-list public_access_in permit tcp any host <public ip3> eq pop3
  access-list public_access_in permit tcp any host <public ip3> eq http
  access-list public_access_in permit tcp any host <public ip3> eq https

-- apply the access-list to the outside interface
  access-group public_access_in in interface outside

NOTES. PIX ACLs are different from router IOS ACLs.
1. It is not necessary to create any ACL to permit outbound traffic from your inside clients. The PIX will allow the traffic out, create a dynamic NAT xlate, keep track of the state of the TCP connection and allow responses back in.
2. The one exception to the above is ICMP. You must expressly permit ICMP packets, i.e. ping replies, to come into the outside interface.
3. Only one access-list can be applied to any one interface at the same time.
4. Access-lists can only be applied "in" on any interface.
5. PIX access-lists use subnet masks rather than wildcard masks like on a router.
6. Access-lists can be applied to processes as well as interfaces. For example, VPN tunnels will use one ACL to exempt VPN traffic from NAT, and another ACL to define the 'interesting traffic' that will be encrypted and passed over the VPN tunnel.
7. Just like any ACL, it is processed top-down until first match, so placement is important.
8. You can create groups - host groups, protocol groups - and then reference the groups in the ACL. For example (this is not the proper syntax, just the concept):
  create a protocol group named "Exchange"
    include TCP ports 80, 443, 25, 110
  create a protocol group named "ICMP"
    include echo-reply, unreachables, time-exceeded only
  create a host group called "EXCH_Servers"
    include your 3 exchange servers (I know you don't have 3, this is just for illustration)
      host A, host B, host C
 Now, you can create a streamlined access-list by referencing the groups:
   access-list public_access_in permit tcp any object-group EXCH_Servers object-group Exchange
   access-list public_access_in permit icmp any any object-group ICMP

>Also, do I use the PDM for the VPN configs later, or stick with command line.
Depends on your comfort level with the command line. I personally like the command line to set up my static xlates, but the GUI has great wizards for setting up the VPN tunnels. Access-lists are easy to modify with the PDM; you can add an entry where it needs to be without blowing away the whole ACL and re-creating it anew. Once you get used to the PDM GUI, it's not bad, but it does still have limitations.

>Also, I will have to set a global address also for ACLs, right?
Not sure what you mean by that, but yes, you do have to have globals for internal hosts/clients. A global can be static 1-1 or it can be dynamic.

As you can see, we can get quite creative with ACL's, and it is not always trivial.
I would guess to use ACLs considering Cisco's site has this document on the conduit command being phased out and replaced by the access-list command.


Here is the excerpt:

Note: The conduit command has been superseded by the access-list command. We recommend that you migrate your configuration away from the conduit command to maintain future compatibility.
Access-lists all the way. Conduits are gone already with the latest PIX 7.0 version
If you need any help with your config, don't hesitate to post back here..
Now only wish I had a PIX that would run 7.0. Only have 501's and 506e's here..
Just wait... they're working on a stripped down 7.1 version that will run in the memory constraints of the little guys...
Javier196Author Commented:
Great.  I will go with the ACLs.

I will have to add a static entry to allow access to my email and Webmail, but what would my entries be for the ACL?  I will have to add one for each port, right?...DNS, pcAnywhere and the TFTP port.

Also, do I use the PDM for the VPN configs later, or stick with command line?
Javier196Author Commented:
Also, I will have to set a global address also for ACLs, right?
Javier196Author Commented:
Great explanation.  PIX is much more powerful, but requires more configuration than less expensive Firewalls I have seen recently.  It is also quite different from the Bordermanager (Novell) Firewall and an old software based firewall I managed back in the 90's.  The examples provided I believe will get me going, but I think I need to make a few changes to my config before I continue.

I just took over this network in Jan and I am rebuilding it from the ground up.  I had some internal servers to deal with right away, but I am now configuring the WAN.  I replaced the ISP router with a 2600 and it works great, but right now, I have a small Linksys router between my network and the 2600.  It was configured with all the port forwarding, so I left it till I could get to installing this PIX.  The Linksys had one external IP address assigned to it, so everything currently comes in on this router on the one IP Address.  It is the sole IP address for my Internet connection, my MX record, and my email webpage points to it (an extension of my pop3 name).  I have another 10 IP addresses to use, so should I change the IP Address for POP3 and also for my pcAnywhere forwardings before I continue?  I know that the PIX can only have one IP Address assigned to the outside I/F, so do I configure the 2600 router to point additional addresses to the PIX?  Having all data enter on the one IP Address does not seem right.
>I know that the PIX can only have one IP Address assigned to the outside I/F, so do I configure the 2600 router to point additional addresses to the PIX?  Having all data enter on the one IP Address does not seem right.

On the PIX, all you have to do is assign the outside interface the proper subnet mask and you can then use all 10 IP addresses for whatever you want. The router does not need anything other than the same subnet mask on the interface connected directly to the PIX.
Javier196Author Commented:
I apologize for the delay, I had a few other issues to address.

I am a little confused, maybe because of the way my previous firewall was configured before.  

Right now, all of my port mappings are assigned to just one address, and that address is xxx.xxx.20.98.  My pop3, webmail, TFTP, and pcAnywhere mappings are all assigned to the one address xxx.xxx.20.98.  It was a simple firewall and it was here when I arrived.  It could only have one address assigned to the outside I/F, so all the port forwarding was done through the one address xxx.xxx.20.98.  The "outside" port of the router connected to my ISP is xxx.xxx.20.96, and the inside port is xxx.xxx.20.97.  The inside port of my 2600 router is then connected to my PIX at address xxx.xxx.20.98.   The following ports have been allocated from my ISP: xxx.xxx.20.100-xxx.xxx.20.110.  Port 99 is not available since it is used by an IP Phone Server (no mapping necessary for this server).

With my PIX, xxx.xxx.20.98 is my "outside" interface.  I know I can configure the PIX to port forward all the necessary ports from this address, but I want to configure this Firewall properly from get go.  I have 11 more addresses allocated to me, I should use them.  It will help with logging and troubleshooting later.  

So, should I change the MX Record at my ISP to a new address and have xxx.xxx.20.98 act only as my "outside" interface for my PIX?  I think so.  I will be using VPNs later, and I want to make sure I don't make things hard on myself.  Therefore, I could have "mail.myco.com" point to xxx.xxx.20.100.  I could then assign xxx.xxx.20.101 and xxx.xxx.20.102 to my pcAnywhere mappings, and my TFTP server to xxx.xxx.20.103.  I would then have to map xxx.xxx.20.100 to my internal xxx.xxx.0.12 for ports 110, 80, and 443.  Do I need to do anything for SMTP port 25 since it is outgoing?

I would then have to map address xxx.xxx.20.101 to xxx.xxx.0.105 port 5631 (tcp) and 5632 (udp).  I would also have to map xxx.xxx.20.102 to xxx.xxx.0.110 ports 5633(tcp) and 5434(udp).  I would also assign xxx.xxx.20.103 to my TFTP xxx.xxx.0.10.

Also, from what I have been told, if I set up the configuration properly, I don't have to physically assign IP addresses xxx.xxx.20.100-103 to my PIX's outside port.  Proper configuration of the PIX will direct any data sent to the xxx.xxx.20.98-110 segment from my outside network to my inside network, right?  Now I just need the configs.

Let me know if I should change my mail mx record if my thinking is correct.  I will then configure my PIX and replace the old firewall.
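The statics, object groups and inbound ACL sketched in the first answer, worked through for the address plan in this last post, as an added example that is not part of the thread (PIX 6.x syntax). Assumptions: the outside block is a /28, the inside hosts written as xxx.xxx.0.x are 192.168.0.x, the PIX inside address is 192.168.0.1, and the 2600's inside address xxx.xxx.20.97 is the only TFTP client; the public xxx.xxx prefix is kept as the poster wrote it.

```cisco
! Added example, not from the thread. Outside mask assumed /28 (.96-.111); use the mask your ISP assigned.
ip address outside xxx.xxx.20.98 255.255.255.240
ip address inside 192.168.0.1 255.255.0.0

! Dynamic PAT for everything else going out: this is the "global" asked about above.
! Per note 1 in the first answer, outbound traffic from inside needs no ACL entry.
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.0.0

! 1:1 statics; inside hosts assumed to be 192.168.0.x where the post writes xxx.xxx.0.x
static (inside,outside) xxx.xxx.20.100 192.168.0.12  netmask 255.255.255.255
static (inside,outside) xxx.xxx.20.101 192.168.0.105 netmask 255.255.255.255
static (inside,outside) xxx.xxx.20.102 192.168.0.110 netmask 255.255.255.255
static (inside,outside) xxx.xxx.20.103 192.168.0.10  netmask 255.255.255.255

! Real syntax for the groups sketched in the first answer (PIX 6.2 and later)
object-group service Exchange tcp
  port-object eq smtp
  port-object eq pop3
  port-object eq www
  port-object eq https
object-group icmp-type ICMP_Replies
  icmp-object echo-reply
  icmp-object unreachable
  icmp-object time-exceeded

! One inbound ACL on the outside interface, processed top-down to first match (note 7)
! Mail: inbound SMTP to the MX needs a permit even though outbound mail needs none.
access-list public_access_in permit tcp any host xxx.xxx.20.100 object-group Exchange
! pcAnywhere hosts, ports exactly as listed in the post
access-list public_access_in permit tcp any host xxx.xxx.20.101 eq 5631
access-list public_access_in permit udp any host xxx.xxx.20.101 eq 5632
access-list public_access_in permit tcp any host xxx.xxx.20.102 eq 5633
access-list public_access_in permit udp any host xxx.xxx.20.102 eq 5434
! TFTP only from the 2600's inside address, the one host that should write configs here
access-list public_access_in permit udp host xxx.xxx.20.97 host xxx.xxx.20.103 eq tftp
! ICMP replies must be explicitly permitted (note 2)
access-list public_access_in permit icmp any any object-group ICMP_Replies
! Outbound DNS lookups from inside clients need no entry (note 1); add a static plus
! "permit udp any host <public-ip> eq domain" only if an internal DNS server is published.
access-group public_access_in in interface outside

! Hook for next month's tunnels (note 6): exempt VPN traffic from NAT; remote net is a placeholder
access-list nonat permit ip 192.168.0.0 255.255.0.0 <remote-site-net> <remote-site-mask>
nat (inside) 0 access-list nonat
```

The four statics are 1:1, so the same public address also carries each host's outbound connections, which is what makes per-address logging and troubleshooting on the PIX possible.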