What is better? ACLs or Conduits
Posted on 2005-04-28
I am configuring a new Cisco 515 PIX Firewall that has two interfaces for my network to replace a failing device. The outside I/F of the 515 will be connected to a Cisco 2600 that connects to my T1 (running). The inside I/F will be connected to an internal network using a standard Class B private network of 192.168.x.x. I would like to know if I should use ACLs or use Conduits. I know I will have to do some port redirection with the static command, but what is the best solution for my needs? Below is what I need to configure on my 515.
BTW, I am not new to firewalls or networking, but I am new to PIX Firewalls, so I could use the advice.
I will need my network to have the following capabilities:
Allow access to an internal Exchange Server from the Internet via POP3, SMTP, HTTP and HTTPS (110, 25, 80, 443). Currently internal and external users hit this server via an Internet domain name of mail.myco.com.
Allow access to an internal PC from the Internet via pcAnywhere (5631 TCP, 5632 UDP) (temporary)
Allow for DNS resolution from the Internet (53)
Allow me to backup my router's config to an Internal TFTP server (69).
Allow me to connect this PIX to remote locations via VPN tunnels next month. These VPN links will be both connections from PIX 501s, and a few software VPNs from PCs connected to the Internet.
I have read a number of recommendations on setting up a PIX in these types of configurations, but I am not sure which one to use, ACLs or Conduits. I am inclined to use ACLs, but not sure which is better. I looked at configuring the PIX with PDM, but I go way back to the DOS days, so command line is my preference. I may use it for the VPNs, but I believe it is better to use the command line for the initial configuration and port redirections.
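The poster's rule list, written out the ACL way as an added example (this is not the poster's configuration): the PIX 6.x `static` entries plus one inbound `access-list` bound with `access-group`, with the deprecated `conduit` form of one rule shown alongside for comparison. All addresses are placeholders (203.0.113.0/24 standing in for the public range, 192.168.1.x for the inside hosts), the 2600's Ethernet address is assumed to be 203.0.113.1, and the DNS requirement is read as inside hosts resolving Internet names, which outbound PAT already covers.

```cisco
: Added example, not the original post's config. Placeholder addressing throughout.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.252
ip address inside 192.168.1.1 255.255.255.0
:
: Outbound traffic (inside -> outside) is allowed once nat/global exist; this
: also covers DNS lookups (UDP/TCP 53) from inside resolvers to the Internet.
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.0.0 0 0
:
: One-to-one statics for the hosts that must be reachable from the Internet.
: 203.0.113.10 = Exchange (mail.myco.com), .11 = pcAnywhere PC, .12 = TFTP server
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.11 192.168.1.11 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.12 192.168.1.12 netmask 255.255.255.255 0 0
:
: Inbound rules. Everything not listed is dropped by the implicit deny at the end.
access-list outside_in permit tcp any host 203.0.113.10 eq smtp
access-list outside_in permit tcp any host 203.0.113.10 eq pop3
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit tcp any host 203.0.113.10 eq https
: Temporary pcAnywhere access; remove both lines when no longer needed.
access-list outside_in permit tcp any host 203.0.113.11 eq 5631
access-list outside_in permit udp any host 203.0.113.11 eq 5632
: TFTP only from the 2600 itself, never from "any".
access-list outside_in permit udp host 203.0.113.1 host 203.0.113.12 eq tftp
access-group outside_in in interface outside
:
: For comparison, the same SMTP rule in the older conduit syntax (note the
: reversed operand order: the global/static address comes first, the source last).
: Conduits are deprecated in 6.3 and gone in 7.x, so use the ACL form above.
: conduit permit tcp host 203.0.113.10 eq smtp any
```

Keep the ACL as the single place inbound policy lives, and when the VPN tunnels are added later they get their own crypto ACLs rather than extra permits on outside_in.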