ACCESS CONTROL LISTS AND TRAFFIC CONTROL

The conduit command always needs to be paired with a static command.

Turbo ACLs are very simple to create and work on all models of the PIX except the 501. The 501 does not support Turbo ACLs. Turbo ACLs are typically not used on smaller firewall models because they require too much memory.

conduit or ACL commands always need to be paired with a static command to permit traffic initiated from a lower security level interface to reach a higher security level interface.

The order of the conduit and access-list commands is as follows :

• conduit permit tcp (DESTINATION)(SOURCE)

• access-list 101 permit tcp (SOURCE)(DESTINATION)

Interfaces can have only one ACL attached to them in the inbound direction. Use the access- group command to attach the ACL to an interface. ACLs also take precedence over conduits .

When working on large, complex access lists, object groups enable you to save on the number of entries needed to create the access list. The following are the object group types and commands:

• object-group network ” Defines a group of hosts or subnets. The following commands create a network object-group:

   (config)# object-group network  TheNetworkList  (config-network)# network-object host 10.0.0.1 

• object-group services ” Defines a group of TCP and UDP port numbers . The following commands create a service object group:

   (config)# object-group service  ThePortList  tcp (config-service)# port-object eq telnet 

• object-group protocol ” Defines a group of IP protocols, such as IP, ICMP, TCP, and UDP. The following commands create a protocol object group:

   (config)# object-group protocol  TheProtocolList  (config-protocol)# protocol-object tcp 

• object-group icmp-type ” Defines a group of ICMP messages. The following commands create an ICMP object group:

   (config)# object-group icmp-type  TheICMPList  (config-icmp-type)# icmp-object echo