Have traffic access net from dmz with access-list applied

We upgraded from a PIX 520 v6.3 to a PIX 525 v7.1. The first thing I noticed was the lack of a conduit command. I've mentioned to my boss several times in the past that conduits were deprecated and got the "if it ain't broke don't fix it" speech. Well now it's broke.

Right now I just have permit ip any any on all the interfaces and that's solving it in the interim, but obviously I want to lock that down. Here's what I've tried so far; some things have been scrubbed:

access-list IN_DMZ4 remark machines that talk to internal servers
access-list IN_DMZ4 extended permit tcp host 66.xx.xx.xx host 192.168.x.x eq 222
access-list IN_DMZ4 extended permit tcp host 66.xx.xx.xx host 192.168.x.x eq 555
access-list IN_DMZ4 extended permit tcp host 66.xx.xx.xx host 192.168.x.x eq 555
access-list IN_DMZ4 extended permit ip any interface outside
access-list IN_DMZ4 extended permit ip any any
access-group IN_DMZ4 in interface dmz4

Now I see hit counts to the specific hosts all correctly, but the ip any any is still getting a ton of traffic. When I turn on logging here's the output I get (removed as much "fluff" from the logs as I could):

access-list IN_DMZ4 permitted udp dmz4/66.xx.xx.xx(61678) -> outside/67.xx.xx.xx(53)
access-list IN_DMZ4 permitted udp dmz4/66.xx.xx.xx(61679) -> outside/67.xx.xx.xx(53)
access-list IN_DMZ4 permitted tcp dmz4/66.xx.xx.xx(54446) -> outside/206.xx.xx.xx(25)
access-list IN_DMZ4 permitted tcp dmz4/66.xx.xx.xx(54447) -> outside/206.xx.xx.xx(25)

The hit count for the permit ip any interface outside is 0. Shouldn't this traffic match that rule since it's destined for the outside network?

I know in 7.1 you can bind an access-list to outgoing traffic. I would then drop the current access-group, make an OUT_INSIDE ACL and bind it to traffic going out interface inside, and then it's just using standard security level rules again. Problem is I'm thinking ahead, and both of our other sites still have PIX 520s running v6.3, so being able to bind an ACL to traffic going out an interface isn't going to work there. On the one where I rebuilt the config, I bypassed conduits and used a permit ip any any with a deny above it to deny traffic to the local interfaces so that it worked, but I wasn't sure if that was the correct way of doing things. Let me explain it here: using that logic for this one, with several other DMZs I'd have to make an access-list like this:

access-list IN_DMZ4 remark machines that talk to internal servers
access-list IN_DMZ4 extended permit tcp host 66.xx.xx.xx host 192.168.x.x eq 222
access-list IN_DMZ4 extended permit tcp host 66.xx.xx.xx host 192.168.x.x eq 555
access-list IN_DMZ4 extended permit tcp host 66.xx.xx.xx host 192.168.x.x eq 555
access-list IN_DMZ4 extended deny ip any 192.168.x.x 255.255.255.0
access-list IN_DMZ4 extended deny ip any 89.xx.xx.xx 255.255.255.0
access-list IN_DMZ4 extended deny ip any 128.xx.xx 255.255.255.0
access-list IN_DMZ4 extended deny ip any 42.xx.xx 255.255.255.0
access-list IN_DMZ4 extended permit ip any any
access-group IN_DMZ4 in interface dmz4

So I'm first denying traffic to all the other networks on the PIX that it doesn't need to talk to, and then permitting everything else. Would that be the correct syntax that would be both 6.3 and 7.x compatible? Trying to make things as universal across all three sites as possible. Thanks for any information.

Todd Eddy
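The following is an added example, not part of the original post or any Cisco tool: a small Python model of first-match access-list evaluation that reproduces the two behaviours the post is asking about. It models the ACE subset used above (host/any/network-plus-mask addresses, an optional eq port, and the interface keyword, which on the PIX/ASA matches only that interface's own IP address rather than the network behind it), and runs both orderings from the post over constructed log lines in the same shape as the syslog output. All addresses (198.51.100.10 for the DMZ host, 192.168.1.0/24 and 10.20.0.0/24 for internal networks, 203.0.113.1 for the outside interface) are placeholders standing in for the scrubbed values.

```python
"""First-match evaluation of a PIX/ASA-style access-list (constructed example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder: the outside interface's own address. An ACE written
# 'interface outside' matches this single address only, not the outside network.
INTERFACE_ADDRS = {"outside": ipaddress.ip_address("203.0.113.1")}

# The first ACL from the post, with placeholder addresses.
ACL_AS_POSTED = [
    "access-list IN_DMZ4 remark machines that talk to internal servers",
    "access-list IN_DMZ4 extended permit tcp host 198.51.100.10 host 192.168.1.20 eq 222",
    "access-list IN_DMZ4 extended permit tcp host 198.51.100.10 host 192.168.1.21 eq 555",
    "access-list IN_DMZ4 extended permit ip any interface outside",
    "access-list IN_DMZ4 extended permit ip any any",
]

# The second ACL from the post: explicit denies to internal networks above the permit.
ACL_DENY_FIRST = [
    "access-list IN_DMZ4 extended permit tcp host 198.51.100.10 host 192.168.1.20 eq 222",
    "access-list IN_DMZ4 extended permit tcp host 198.51.100.10 host 192.168.1.21 eq 555",
    "access-list IN_DMZ4 extended deny ip any 192.168.1.0 255.255.255.0",
    "access-list IN_DMZ4 extended deny ip any 10.20.0.0 255.255.255.0",
    "access-list IN_DMZ4 extended permit ip any any",
]

# Constructed log lines in the shape of the post's syslog output.
LOG_LINES = [
    "access-list IN_DMZ4 permitted udp dmz4/198.51.100.10(61678) -> outside/203.0.113.53(53)",
    "access-list IN_DMZ4 permitted tcp dmz4/198.51.100.10(54446) -> outside/203.0.113.25(25)",
    "access-list IN_DMZ4 permitted tcp dmz4/198.51.100.10(40001) -> inside/192.168.1.20(222)",
    "access-list IN_DMZ4 permitted tcp dmz4/198.51.100.10(40002) -> inside/192.168.1.30(80)",
]

LOG_RE = re.compile(r"permitted (\w+) \w+/([\d.]+)\(\d+\) -> \w+/([\d.]+)\((\d+)\)")


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    text: str
    hits: int = 0


def _addr(tokens, i):
    """Parse one address spec starting at tokens[i]; return (network, next_index)."""
    t = tokens[i]
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if t == "interface":
        return ipaddress.ip_network(str(INTERFACE_ADDRS[tokens[i + 1]]) + "/32"), i + 2
    # Network followed by a dotted mask, e.g. 'deny ip any 192.168.1.0 255.255.255.0'
    return ipaddress.ip_network(f"{t}/{tokens[i + 1]}"), i + 2


def parse_ace(line):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]'; remarks give None."""
    tokens = line.split()
    if "remark" in tokens:
        return None
    action, proto = tokens[3], tokens[4]
    src, i = _addr(tokens, 5)
    dst, i = _addr(tokens, i)
    dport = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
    return Ace(action, proto, src, dst, dport, line.split("extended ", 1)[1])


def build_acl(lines):
    return [ace for ace in map(parse_ace, lines) if ace is not None]


def first_match(acl, proto, src, dst, dport):
    """Return the first ACE matching the flow, counting the hit; None means implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        ace.hits += 1
        return ace
    return None


def classify_logs(acl, log_lines):
    """Per log line, the text of the ACE that matches first ('implicit deny' if none)."""
    out = []
    for line in log_lines:
        proto, src, dst, dport = LOG_RE.search(line).groups()
        ace = first_match(acl, proto, src, dst, int(dport))
        out.append(ace.text if ace else "implicit deny")
    return out


def hit_counts(acl):
    return {ace.text: ace.hits for ace in acl}


if __name__ == "__main__":
    for name, lines in (("as posted", ACL_AS_POSTED), ("deny first", ACL_DENY_FIRST)):
        acl = build_acl(lines)
        print(f"--- {name} ---")
        for log, matched in zip(LOG_LINES, classify_logs(acl, LOG_LINES)):
            print(f"{log}\n    -> {matched}")
        print("hit counts:", hit_counts(acl))
```

Run it and the "as posted" ordering shows the DNS and SMTP flows to outside hosts falling through to permit ip any any while permit ip any interface outside keeps a hit count of 0, because the destination is not the interface's own address; the "deny first" ordering shows the same outbound flows still permitted while the unlisted internal destination (192.168.1.30 port 80) is caught by the deny ACE before the permit any.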
