PIX Access Control List and content filtering (2)

Source: Internet
Author: User


II. Converting conduits to ACLs

We recommend that you use ACLs instead of conduits when configuring the PIX Firewall. The access-list command uses the same syntax on the PIX Firewall as in Cisco IOS, but with one important difference: on the PIX Firewall the access-list command specifies the subnet mask the same way as other PIX commands do, which differs from the mask used by the access-list command in Cisco IOS.

Despite their differences, both commands can be combined with the static command to permit or deny access from the outside network of the PIX Firewall to TCP/UDP services on hosts located on the internal network. More precisely, both commands can be used to permit or deny connections from an interface with a lower security level to an interface with a higher security level. A conduit defines a capability that flows between these two interfaces: by permitting access from one interface to a host on another interface, it creates an exception in the Adaptive Security Algorithm (ASA) of the PIX Firewall. By contrast, an access-list applied with the access-group command acts only on the specified interface and affects all traffic entering that interface, regardless of the interface's security level. An ACL also ends with an implicit deny rule: once it is applied to an interface, every inbound packet entering that interface must match an entry in the ACL, regardless of the interface's security level.

The following lists the characteristics of ACLs compared with conduits:
● The access-list command can control access only when it is bound to an interface through the access-group command, whereas a conduit does not need to be bound to an interface at all.
● When both are configured, the access-list and access-group commands take precedence over the conduit command.
● An ACL is more flexible than a conduit: it can restrict connections from interfaces with higher security levels to interfaces with lower security levels, and it can also permit or deny connections from interfaces with lower security levels to interfaces with higher security levels.

Future versions of the PIX Firewall will not support the conduit command, so existing conduit statements should be converted to ACLs. The syntax of the two commands is:

    conduit permit | deny protocol global_ip global_mask [operator port [port]] foreign_ip foreign_mask [operator port [port]]
    access-list acl_ID [line line_num] deny | permit protocol source_addr source_mask [operator port [port]] destination_addr destination_mask [operator port [port]]

Moving the parameters of a conduit command into the access-list command converts it to an ACL. This works because the foreign_ip parameter of the conduit command corresponds to the source_addr parameter of the access-list command, and the global_ip parameter of the conduit command corresponds to the destination_addr parameter of the access-list command. The access-list command that replaces a conduit command therefore has the form:

    access-list acl_ID permit | deny protocol foreign_ip foreign_mask [foreign_operator foreign_port [foreign_port]] global_ip global_mask [global_operator global_port [global_port]]

The following shows a conduit statement and its equivalent access-list statement:

    conduit permit tcp host 172.18.0.10 eq ftp 172.18.0.0 255.255.255.0
    access-list 102 permit tcp 172.18.0.0 255.255.255.0 host 172.18.0.10 eq ftp
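As an added example (not code from the original article), the following Python script applies the parameter mapping described above to a conduit statement and produces the equivalent access-list statement. It handles the host, any and address/mask forms with the optional eq/neq/lt/gt/range port operators, and assumes the caller supplies the ACL ID; ICMP conduits, which use a different syntax, are not handled.

```python
"""Rewrite a PIX conduit statement as the equivalent access-list statement.

Added example, not from the original article: it applies the mapping
foreign_ip -> source_addr and global_ip -> destination_addr, carrying each
side's optional port operator along with its address.  ICMP conduits
(which take an ICMP type instead of a port operator) are not handled.
"""

# Port operators and the number of port arguments each one takes
PORT_OPERATORS = {"eq": 1, "neq": 1, "lt": 1, "gt": 1, "range": 2}


def _parse_endpoint(tokens, i):
    """Parse 'host A', 'any' or 'A MASK' at tokens[i], followed by an optional
    port operator.  Returns (address_tokens, port_tokens, next_index)."""
    if i >= len(tokens):
        raise ValueError("missing address in conduit: " + " ".join(tokens))
    width = 1 if tokens[i] == "any" else 2  # 'host A' and 'A MASK' are two tokens
    addr = tokens[i:i + width]
    if len(addr) != width:
        raise ValueError("incomplete address in conduit: " + " ".join(tokens))
    i += width
    port = []
    if i < len(tokens) and tokens[i] in PORT_OPERATORS:
        n = PORT_OPERATORS[tokens[i]]
        port = tokens[i:i + 1 + n]
        if len(port) != 1 + n:
            raise ValueError("incomplete port operator: " + " ".join(tokens))
        i += 1 + n
    return addr, port, i


def conduit_to_acl(conduit, acl_id):
    """Return the access-list line equivalent to one conduit permit/deny line."""
    tokens = conduit.split()
    if len(tokens) < 3 or tokens[0] != "conduit" or tokens[1] not in ("permit", "deny"):
        raise ValueError("not a conduit permit/deny statement: " + conduit)
    action, protocol = tokens[1], tokens[2]
    # conduit order: global side (the destination) first, then the foreign side (the source)
    global_addr, global_port, i = _parse_endpoint(tokens, 3)
    foreign_addr, foreign_port, i = _parse_endpoint(tokens, i)
    if i != len(tokens):
        raise ValueError("unexpected trailing tokens: " + " ".join(tokens[i:]))
    # access-list order: source (foreign) first, then destination (global)
    return " ".join(["access-list", str(acl_id), action, protocol]
                    + foreign_addr + foreign_port + global_addr + global_port)


if __name__ == "__main__":
    # The conduit statement from the article, converted to ACL 102
    print(conduit_to_acl("conduit permit tcp host 172.18.0.10 eq ftp 172.18.0.0 255.255.255.0", 102))
```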
