PIX Access Control List and content filtering (2)

Source: Internet
Author: User

2. Converting conduit to ACL

We recommend that you use ACLs instead of the conduit command in the configuration of the PIX Firewall.

The access-list command uses the same syntax in the PIX Firewall and Cisco IOS, but there is an important difference between the two. In the PIX Firewall, the access-list command specifies a subnet mask, as the other PIX commands do, which is completely different from the access-list command in Cisco IOS (where a wildcard mask is used).

The key point of comparison between ACL and conduit is this: both commands can be combined with the static command to allow or deny access for TCP/UDP services from the outside network of the PIX Firewall to hosts located on the internal network. More specifically, both commands can be used to allow or deny connections from an interface with a lower security level to an interface with a higher security level.

A conduit defines the flow of traffic between these two interfaces: by allowing traffic from one interface to access a host located on another interface, it creates an exception in the Adaptive Security Algorithm (ASA) of the PIX Firewall. In contrast, an access-list applied with the access-group command acts only on the designated interface and affects all traffic entering that interface, regardless of the interface's security level. The ACL is also followed by an implicit deny rule: once it is applied to an interface, all inbound packets entering that interface must comply with the ACL rules, regardless of the security level of the interface.

The following lists the features of ACL and conduit:

● The access-list command can only take effect on an interface by being bound to it through the access-group command; a conduit controls access without being bound to an interface;

● The access-list and access-group commands have a higher priority than the conduit command during configuration;

● An ACL is more flexible than a conduit. You can restrict connections from interfaces with higher security levels to interfaces with lower security levels, and you can also allow or deny connections from interfaces with lower security levels to interfaces with higher security levels.

Future versions of the PIX Firewall will not support the conduit command, so it is necessary to convert existing conduit commands to ACLs.

conduit permit | deny protocol global_ip global_mask [operator port [port]] foreign_ip foreign_mask [operator port [port]]

access-list acl_ID [line line_num] deny | permit protocol source_addr source_mask [operator port [port]] destination_addr destination_mask [operator port [port]]

To reuse the parameters of a conduit command in an access-list command, map them onto the ACL parameters. This mapping holds because the foreign_ip parameter of the conduit command corresponds to the source_addr parameter of the access-list command, and the global_ip parameter of the conduit command corresponds to the destination_addr parameter of the access-list command. The following shows the access-list command written in terms of the conduit parameters it replaces.

access-list acl_ID permit | deny protocol foreign_ip foreign_mask [foreign_operator foreign_port [foreign_port]] global_ip global_mask [global_operator global_port [global_port]]

The following shows a conduit command statement and its equivalent access-list command statement.

conduit permit tcp host 172.18.0.10 eq ftp 172.18.0.0 255.255.255.0

access-list 102 permit tcp 172.18.0.0 255.255.255.0 host 172.18.0.10 eq ftp
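The parameter mapping above (foreign_ip to source, global_ip to destination, port operators carried along with the address they qualify), implemented as an added example that is not part of the original page. It assumes TCP/UDP-style conduits whose address specs are written as "host A", "any" or "A M", and the caller supplies the acl_ID; the access-group binding needed by the first bullet above is emitted separately.

```python
from dataclasses import dataclass, field

# PIX port operators and how many port arguments each one takes
PORT_OPERATORS = {"eq": 1, "neq": 1, "lt": 1, "gt": 1, "range": 2}


@dataclass
class Endpoint:
    addr: str
    mask: str
    ports: list = field(default_factory=list)  # e.g. ["eq", "ftp"] or []

    def render(self):
        # Re-emit the address spec in the compact PIX form where one applies.
        if self.addr == "0.0.0.0" and self.mask == "0.0.0.0":
            spec = "any"
        elif self.mask == "255.255.255.255":
            spec = f"host {self.addr}"
        else:
            spec = f"{self.addr} {self.mask}"
        return " ".join([spec] + self.ports)


def _take_endpoint(tokens, i):
    """Consume one address spec (host A | any | A M) plus an optional port operator."""
    if tokens[i] == "host":
        ep, i = Endpoint(tokens[i + 1], "255.255.255.255"), i + 2
    elif tokens[i] == "any":
        ep, i = Endpoint("0.0.0.0", "0.0.0.0"), i + 1
    else:
        if i + 1 >= len(tokens):
            raise ValueError(f"address {tokens[i]!r} is missing its subnet mask")
        ep, i = Endpoint(tokens[i], tokens[i + 1]), i + 2
    if i < len(tokens) and tokens[i] in PORT_OPERATORS:
        n = PORT_OPERATORS[tokens[i]]
        ep.ports = tokens[i:i + 1 + n]  # operator plus its port argument(s)
        i += 1 + n
    return ep, i


def conduit_to_acl(conduit_line, acl_id):
    """Translate one conduit statement into the equivalent access-list statement."""
    tokens = conduit_line.split()
    if len(tokens) < 5 or tokens[0] != "conduit" or tokens[1] not in ("permit", "deny"):
        raise ValueError(f"not a conduit statement: {conduit_line!r}")
    action, protocol = tokens[1], tokens[2]
    global_ep, i = _take_endpoint(tokens, 3)   # global_ip comes first in a conduit
    foreign_ep, i = _take_endpoint(tokens, i)  # foreign_ip comes second
    if i != len(tokens):
        raise ValueError(f"unrecognised trailing tokens: {tokens[i:]}")
    # foreign_ip becomes the ACL source, global_ip becomes the ACL destination
    return f"access-list {acl_id} {action} {protocol} {foreign_ep.render()} {global_ep.render()}"


def bind_acl(acl_id, interface_name):
    """The access-group line that actually applies the ACL to an interface."""
    return f"access-group {acl_id} in interface {interface_name}"
```

Running the page's own statement through conduit_to_acl reproduces the access-list 102 line above; a conduit whose port operator sits on the global side keeps that operator on the destination, which is the easiest place to get the translation wrong by hand.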
