What is better? ACLs or Conduits

Posted on 2005-04-28
Last Modified: 2013-11-16
I am configuring a new Cisco 515 PIX Firewall that has two Interfaces for my network to replace a failing device.  The outside I/F of the 515 will be connected to a Cisco 2600 that connects to my T1 (running).  The inside I/F will be connected to an internal network using a standard Class B private network of 192.168.x.x.  I would like to know if I should use ACLs or use Conduits.  I know I will have to do some port redirection with the static command, but what is the best solution for my needs.  Below is what I need to configure on my 515.

BTW, I am not new to firewalls or networking, but I am new to PIX Firewalls, so I could use the advice.

I will need my network to have the following capabilities:

Allow access to an internal Exchange Server from the Internet via POP3, SMTP, http and https (110, 25, 80, 443).  Currently internal and external users hit this server via an Internet domain name of
Allow access to an internal PC from the Internet via pcAnywhere (5631 TCP, 5632 UDP) (temporary)
Allow for DNS resolution from the Internet (53)
Allow me to backup my router's config to an Internal TFTP server (69).
Allow me to connect this PIX to remote locations via VPN tunnels next month.  These VPN links will be both connections from PIX 501s, and a few software VPNs from PCs connected to the Internet.

I have read a number of recommendations on setting up a PIX in these types of configurations, but not sure which one to use, ACLs or Conduits.  I am inclined to use ACLs, but not sure which is better.  I looked at configuring the PIX with PDM, but I go way back to the DOS days, so command line is my preference.  I may use it for the VPNs, but I believe it is better to use the command line for the initial configuration and port redirections.

Question by:Javier196
    LVL 6

    Expert Comment

    I would guess to use ACLs considering Cisco's site has this document on the conduit command being phased out and replaced by the access-list command.

    Here is the excerpt:

    Note: The conduit command has been superseded by the access-list command. We recommend that you migrate your configuration away from the conduit command to maintain future compatibility.
    LVL 79

    Expert Comment

    Access-lists all the way. Conduits are gone already with the latest PIX 7.0 version
    If you need any help with your config, don't hesitate to post back here..
    LVL 6

    Expert Comment

    Now only wish I had a PIX that would run 7.0. Only have 501's and 506e's here..
    LVL 79

    Expert Comment

    Just wait... they're working on a stripped down 7.1 version that will run in the memory constraints of the little guys...
    LVL 1

    Author Comment

    Great.  I will go with the ACLs.

    I will have to add a static entry to allow access to my email and Webmail, but what would my entries be for the ACL.  I will have to add one for each port, right?...DNS, pcAnywhere and the TFTP port.

    Also, do I use the PDM for the VPN configs later, or stick with command line.
    LVL 1

    Author Comment

    Also, I will have to set a global address also for ACLs, right?
    LVL 79

    Accepted Solution

    Here's the basic way it works...
    The following is assuming that you have a block of public IP's and not just the one assigned to the interface..
    \\--set up static nat translations for your public servers (public IPs 1 and 2 are assigned to the router's Ethernet and your PIX outside, respectively)

      static (inside,outside) <public ip3> 192.168.x.x netmask
      static (inside,outside) <public ip4> 192.168.x.x netmask

    \\--setup acls to allow public traffic into the PIX outside interface.
      access-list public_access_in permit tcp any host <public ip3> eq smtp
      access-list public_access_in permit tcp any host <public ip3> eq pop3
      access-list public_access_in permit tcp any host <public ip3> eq http
      access-list public_access_in permit tcp any host <public ip3> eq https

    \\-- apply the access-list to the outside interface
      access-group public_access_in in interface outside

    NOTES. PIX acls are different than router IOS acls.
    1. It is not necessary to create any acl to permit outbound traffic from your inside clients. The PIX will allow the traffic out, create a dynamic nat xlate and keep track of the state of the tcp connection and allow responses back in.
    2. The one exception to the above is icmp. You must expressly permit icmp packets, i.e. ping replies, to come into the outside interface.
    3. Only one access-list can be applied to any one interface at the same time.
    4. Access-lists can only be applied "in" on any interface.
    5. PIX access-lists use subnet masks rather than wildcard masks like on a router.
    6. Access-lists can be applied to processes as well as interfaces. For example, VPN tunnels will use one acl to exempt VPN traffic from NAT, and another acl to define the 'interesting traffic' that will be encrypted and passed over the VPN tunnel.
    7. Just like any acl, it is processed top-down until first match, so placement is important.
    8. You can create groups - host groups, protocol groups, and then reference groups in the acl. For example (this is not the proper syntax, just the concept)
      create a protocol group named "Exchange"
       include TCP ports 80, 443, 25, 110
      create a protocol group named "ICMP"
        include echo-reply, unreachables, time-exceeded only
      create a host group called "EXCH_Servers"
       include your 3 exchange servers (I know you don't have 3, this is just for illustration)
         host A, host B, Host C
     Now, you can create a streamlined access-list by referencing the groups..
       access-list public_access_in permit tcp any object-group EXCH_Servers object-group Exchange
       access-list public_access_in permit icmp any any object-group ICMP

    >Also, do I used the PDM for the VPN configs later, or stick with command line.  
    Depends on your comfort level with the command line. I personally like the command line to setup my static xlates, but the GUI has great wizards for setting up the VPN tunnels. Access-lists are easy to modify with the PDM, you can add an entry where it needs to be without blowing away the whole acl and re-creating it anew. Once you get used to the PDM GUI, it's not bad, but does still have limitations.

    >Also, I will have to set a global address also for ACLs, right?
    Not sure what you mean by that, but yes, you do have to have globals for internal hosts/clients. Global can be static 1-1 or it can be dynamic.

    As you can see, we can get quite creative with ACL's, and it is not always trivial.
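    The notes above (first-match ordering, subnet masks rather than wildcards, explicit icmp permits, statics plus an inbound acl) can be checked by modelling them. The following is an added Python example, not part of the accepted solution or of any PIX software: it parses a constructed set of static and access-list lines in the same PIX 6.x syntax as the answer, with public addresses taken from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges and made-up inside hosts in place of the asker's real block, and evaluates sample inbound packets the way the notes describe. The combined "acl permits AND a static xlate exists" check in inbound_decision is a simplification of PIX behaviour, not a claim about the exact order in which the firewall performs the two lookups.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed PIX 6.x-style lines (not the asker's real config): documentation-range
# public addresses, inside hosts with made-up host parts in the 192.168.x.x space.
STATICS = [
    "static (inside,outside) 203.0.113.3 192.168.1.10 netmask 255.255.255.255",  # Exchange
    "static (inside,outside) 203.0.113.4 192.168.1.20 netmask 255.255.255.255",  # pcAnywhere PC
]
ACL = [
    "access-list public_access_in permit tcp any host 203.0.113.3 eq smtp",
    "access-list public_access_in permit tcp any host 203.0.113.3 eq pop3",
    "access-list public_access_in permit tcp any host 203.0.113.3 eq http",
    "access-list public_access_in permit tcp any host 203.0.113.3 eq https",
    # pcAnywhere only from one remote network, written with a subnet mask (note 5)
    "access-list public_access_in permit tcp 198.51.100.0 255.255.255.0 host 203.0.113.4 eq 5631",
    # ping replies to inside clients must be permitted explicitly (note 2)
    "access-list public_access_in permit icmp any any echo-reply",
]
PORT_NAMES = {"smtp": 25, "pop3": 110, "http": 80, "https": 443, "domain": 53, "tftp": 69}


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]        # None means any destination port
    icmp_type: Optional[str]    # None means any ICMP type


def parse_address(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one PIX address spec at tokens[i]: 'any', 'host A.B.C.D', or
    'A.B.C.D M.M.M.M' where the second word is a subnet mask, not an IOS wildcard."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(tokens[i] + "/" + tokens[i + 1]), i + 2


def parse_ace(line: str) -> Tuple[str, Ace]:
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT | ICMP-TYPE]'."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError("not an access-list line: " + line)
    name, action, proto = t[1], t[2], t[3]
    src, i = parse_address(t, 4)
    dst, i = parse_address(t, i)
    dport = icmp_type = None
    if proto == "icmp" and i < len(t):
        icmp_type = t[i]
    elif i + 1 < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return name, Ace(action, proto, src, dst, dport, icmp_type)


def evaluate(acl_lines, proto, src, dst, dport=None, icmp_type=None):
    """Top-down, first-match evaluation with an implicit deny at the end (note 7).
    Returns (action, 1-based number of the matching line) or ('deny', None)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, line in enumerate(acl_lines, 1):
        _, ace = parse_ace(line)
        if ace.proto not in (proto, "ip"):
            continue
        if src_ip not in ace.src or dst_ip not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        if ace.icmp_type is not None and ace.icmp_type != icmp_type:
            continue
        return ace.action, n
    return "deny", None


def static_lookup(static_lines, public_ip):
    """Return the inside address behind a public IP according to the static xlates."""
    for line in static_lines:
        t = line.split()  # static (inside,outside) <global> <local> netmask <mask>
        if t[2] == public_ip:
            return t[3]
    return None


def inbound_decision(static_lines, acl_lines, proto, src, dst, dport=None):
    """An inbound packet on 'outside' reaches the inside host only if the acl permits
    it to the public (pre-translation) address and a static xlate exists for it.
    Simplified model; returns (verdict, inside address or None)."""
    action, _ = evaluate(acl_lines, proto, src, dst, dport)
    if action != "permit":
        return "deny-by-acl", None
    inside = static_lookup(static_lines, dst)
    if inside is None:
        return "deny-no-xlate", None
    return "permit", inside
```

    Prepending a single deny line to ACL shows why placement matters: the deny wins at line 1 even though the permit for the same traffic is still present further down.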
    LVL 1

    Author Comment

    Great explanation.  PIX is much more powerful, but requires more configuration than less expensive Firewalls I have seen recently.  It is also quite different than Bordermanager (Novell) Firewall and an old software based firewall I managed back in the 90's.  The examples provided I believe will get me going, but I think I need to make a few changes to my config before I continue.

    I just took over this network in Jan and I am rebuilding it from the ground up.  I had some internal servers to deal with right away, but I am now configuring the WAN.  I replaced the ISP router with a 2600 and it works great, but right now, I have a small Linksys router between my network and the 2600.  It was configured with all the port forwarding, so I left it till I could get to installing this PIX.  The Linksys had one external IP address assigned to it, so everything currently comes in on this router on the one IP Address.  It is the sole IP address for my Internet connection, my MX record, and my email webpage points to it (an extension of my pop3 name).  I have another 10 IP addresses to use, so should I change the IP Address for POP3 and also for my pcAnywhere forwardings before I continue.  I know that the PIX can only have one IP Address assigned to the outside I/F, so do I configure the 2600 router to point additional addresses to the PIX.  Having all data enter on the one IP Address does not seem right.
    LVL 79

    Expert Comment

    >I know that the PIX can only have one IP Address assigned to the outside I/F, so do I configure the 2600 router to point additional addresses to the PIX.  Having all data enter on the one IP Address does not seem right.

    On the PIX, all you have to do is assign the outside interface the proper subnet mask and you can then use all 10 IP addresses for whatever you want. The router does not need anything other than the same subnet mask on the interface connected directly to the PIX.
    LVL 1

    Author Comment

    I apologize for the delay, I had a few other issues to address.

    I am a little confused, maybe because of the way my previous firewall was configured before.  

    Right now, all of my port mappings are assigned to just one address, and that address is the  My pop3, webmail, TFTP, and pcAnywhere mappings are all assigned to the one address  It was a simple firewall and it was here when I arrived.  It could only have one address assigned to the outside I/F, so all the port forwarding was done through the one address  The "outside" port of the router connected to my ISP is, and the inside port is  The inside port of my 2600 router is then connected to my PIX at address   The following ports have been allocated from my ISP:  Port 99 is not available since it is used by an IP Phone Server (no mapping necessary for this server).

    With my PIX, is my "outside" interface.  I know I can configure the PIX to port forward all the necessary ports from this address, but I want to configure this Firewall properly from get go.  I have 11 more addresses allocated to me, I should use them.  It will help with logging and troubleshooting later.  

    So, should I change the MX Record at my ISP to a new address and have act only as my "outside" interface for my PIX?  I think so.  I will be using VPNs later, and I want to make sure I don't make things hard on myself.  Therefore, I could have "" point to  I could then assign and to my pcAnywhere mappings, and my TFTP server to  I would then have to map port port to my internal for ports 110, 80, and 443.  Do I need to do anything for SMTP port 25 since it is outgoing?

    I would then have to map address to port 5631 (tcp) and 5632 (udp).  I would also have to map to ports 5633(tcp) and 5434(udp).  I would also assign to my TFTP

    Also, from what I have been told, if I set up the configuration properly, I don't have to physically assign IP addresses to my PIX's outside port.  Proper configuration of the PIX will direct any data sent to the segment inside to my inside network from my outside network, right?  Now I just need the configs.

    Let me know if I should change my mail mx record if my thinking is correct.  I will then configure my PIX and replace the old firewall.
