Does anyone know how to set up a VPN between PIX and NetBSD?


Mil -

<<You never know how many friends you have until you rent a place at the beach>>


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Thoreson
Sent: Monday, April 08, 2002 6:03 PM
To: '[EMAIL PROTECTED]'
Subject: PIX conduit vs access lists


Does anyone have any opinions on the use of access lists vs conduits on the PIX? Cisco seems to be pushing access lists in their newer PIX OS releases.


One thing I have noticed is with conduits, the PIX will implicitly allow all traffic from a higher to lower security level. For example, if I have a machine in my DMZ, security50, that wants to browse the web on the outside, security0, this is automatically allowed without the use of a conduit statement.


If I use access-list on my DMZ interface, with holes from the outside to the DMZ, or from the DMZ to the inside, I will not be able to have this DMZ machine browse the web unless I have an access-list statement on the DMZ allowing it through to the outside on port 80. There isn't the implicit allow of all traffic from higher to lower security that the conduit has. Unless I'm missing something, access lists create more work.


Does anybody have any opinions on one or the other?


Thanks, Matt 
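As an added example (not from either poster), here are the two styles side by side for the DMZ web-server case Matt describes: with a conduit the DMZ keeps the implicit higher-to-lower permit, while binding an access-list to the dmz interface turns that into an implicit deny, so each outbound flow the DMZ needs is listed and anything else from a DMZ host is dropped. Interface names, the 192.168.50.0/24 and 203.0.113.10 addresses and the ACL names are assumptions; comment lines start with ':' as in PIX 6.x configs.

```text
: --- Conduit style (deprecated): only the inbound exposure is written down.
: Outbound from dmz (security50) to outside (security0) is implicitly permitted,
: so a DMZ host can open any outbound session and nothing in the config limits it.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nat (dmz) 1 192.168.50.0 255.255.255.0
global (outside) 1 interface
static (dmz,outside) 203.0.113.10 192.168.50.10 netmask 255.255.255.255
conduit permit tcp host 203.0.113.10 eq www any

: --- Access-list style: same inbound exposure, stated on the outside interface.
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-group outside_in in interface outside
: Binding an ACL to the dmz interface replaces the implicit higher-to-lower permit
: with an implicit deny, so the web browsing Matt mentions must be listed explicitly
: (plus DNS, or name resolution from the DMZ host fails).
access-list dmz_in permit tcp 192.168.50.0 255.255.255.0 any eq www
access-list dmz_in permit tcp 192.168.50.0 255.255.255.0 any eq 443
access-list dmz_in permit udp 192.168.50.0 255.255.255.0 any eq 53
: Explicit final deny makes the drop visible in logs; it matches the implicit one.
access-list dmz_in deny ip any any
access-group dmz_in in interface dmz
```

Replies belonging to sessions already in the PIX connection table (for example the web server answering an inbound request) are not re-evaluated against dmz_in, so the DMZ ACL only has to cover sessions the DMZ hosts initiate.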
