https://community.cisco.com/t5/network-security/pix-506e-conduit-command/m-p/692119#M1035382 <HTML><HEAD></HEAD><BODY><P>Yes indeed, but it's still recommended to have it specified there.</P><P></P><P>HTH</P><P>AK</P><P></P></BODY></HTML> Tue, 21 Nov 2006 15:49:18 GMT a.kiprawih 2006-11-21T15:49:18Z https://community.cisco.com/t5/network-security/pix-506e-conduit-command/m-p/692115#M1035368 <P>Hi,</P><P></P><P>I am in the process of building a pix 515e to replace my 506e. Below is part of the current 506 configuration. </P><P></P><P>conduit permit tcp host xxx.xxx.xxx.xxx eq ssh any</P><P>conduit permit udp host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx eq syslog</P><P>conduit permit icmp any any</P><P>conduit permit tcp host xxx.xxx.xxx.xxx eq smtp any</P><P>conduit permit udp host xxx.xxx.xxx.xxx eq 1812 any</P><P>conduit permit tcp host xxx.xxx.xxx.xxx eq 3101 any</P><P>conduit deny tcp any eq 6129 any</P><P></P><P>I undertsand that the conduit command is no longer available in later IOS versions (the 515e is running version 7.0{5}), can anyone advise me on what alternative commands I now need to use use?</P><P></P><P>Regards</P><P>John</P><P></P><P></P><P></P> Mon, 11 Mar 2019 08:58:44 GMT https://community.cisco.com/t5/network-security/pix-506e-conduit-command/m-p/692115#M1035368 johnnymac 2019-03-11T08:58:44Z https://community.cisco.com/t5/network-security/pix-506e-conduit-command/m-p/692116#M1035370 <HTML><HEAD></HEAD><BODY><P>Alternative option for Conduit is to use access-list (ACL).</P><P></P><P>Conduit does not give you ability to specify where/ports you should apply the restriction, while ACL provide flexible and more options to control and where to apply the ACL.</P><P></P><P>Conduit command goes by:</P><P></P><P>conduit <PERMIT> <PROTOCOL> <LOCAL internal=""> eq <PORT> <ACCESS by="" who=""></ACCESS></PORT></LOCAL></PROTOCOL></PERMIT></P><P></P><P>ACL command structure:</P><P></P><P>access-list <ACL_NAME> <PERMIT> <PROTOCOL> <SOURCE ip=""> <DESTINATION ip=""> eq <PORT></PORT></DESTINATION></SOURCE></PROTOCOL></PERMIT></ACL_NAME></P><P></P><P></P><P>Based on your conduit config, it control access from outside/internet to your xxx.xxx.xxx.xxx server (I assumed this is public IP for the server).</P><P></P><P>Therefore, the ACL version of it shoud be as follow (line by line):</P><P></P><P>*Existing conduit:</P><P></P><P>conduit permit tcp host xxx.xxx.xxx.xxx eq ssh any --&gt; allow any to access xxx.xxx.xxx.xxx IP. Same goes to others.</P><P>conduit permit udp host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx eq syslog </P><P>conduit permit icmp any any </P><P>conduit permit tcp host xxx.xxx.xxx.xxx eq smtp any </P><P>conduit permit udp host xxx.xxx.xxx.xxx eq 1812 any </P><P>conduit permit tcp host xxx.xxx.xxx.xxx eq 3101 any </P><P>conduit deny tcp any eq 6129 any </P><P></P><P></P><P>*New ACL - apply/bind on Outside interface/port:</P><P></P><P>access-list outside permit tcp any host xxx.xxx.xxx.xxx eq ssh</P><P>access-list outside permit udp host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx eq syslog </P><P>access-list outside permit icmp any any </P><P>access-list outside permit tcp host xxx.xxx.xxx.xxx eq smtp</P><P>access-list outside permit udp host xxx.xxx.xxx.xxx eq 1812 </P><P>access-list outside permit tcp host xxx.xxx.xxx.xxx eq 3101 </P><P>access-list outside deny tcp any any eq 6129 </P><P></P><P>access-group outside in interface outside</P><P></P><P></P><P>Make sure your PIX has default route to internet router, i.e:</P><P></P><P>route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.1 --&gt; your internet router IP</P><P></P><P></P><P>Conduit/outbound notice:</P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_field_notice09186a00801d3621.shtml" target="_blank">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_field_notice09186a00801d3621.shtml</A></P><P></P><P></P><P>Access-list &amp; COnduit Ref:</P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml" target="_blank">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml</A></P><P></P><P></P><P>Hope this helps. Pls rate all useful post(s).</P><P>AK</P></BODY></HTML> Tue, 21 Nov 2006 10:31:16 GMT https://community.cisco.com/t5/network-security/pix-506e-conduit-command/m-p/692116#M1035370 a.kiprawih 2006-11-21T10:31:16Z https://community.cisco.com/t5/network-security/pix-506e-conduit-command/m-p/692117#M1035374 <HTML><HEAD></HEAD><BODY><P>Also, for the new ACL entries, I recommend to use 'deny ip any any' to deny all unwanted IP (TCP/UDP).</P><P></P><P>So, the last line (with deny statement) will be:</P><P></P><P>access-list outside deny ip any any</P><P></P><P></P><P>HTH</P><P>AK</P><P></P><P></P></BODY></HTML> Tue, 21 Nov 2006 10:36:26 GMT https://community.cisco.com/t5/network-security/pix-506e-conduit-command/m-p/692117#M1035374 a.kiprawih 2006-11-21T10:36:26Z https://community.cisco.com/t5/network-security/pix-506e-conduit-command/m-p/692118#M1035378 <HTML><HEAD></HEAD><BODY><P>Thanks thats very concise. Won't the access list have an implicit deny any any statement at the end of the access list by default?</P></BODY></HTML> Tue, 21 Nov 2006 10:57:16 GMT https://community.cisco.com/t5/network-security/pix-506e-conduit-command/m-p/692118#M1035378 johnnymac 2006-11-21T10:57:16Z https://community.cisco.com/t5/network-security/pix-506e-conduit-command/m-p/692119#M1035382 <HTML><HEAD></HEAD><BODY><P>Yes indeed, but it's still recommended to have it specified there.</P><P></P><P>HTH</P><P>AK</P><P></P></BODY></HTML> Tue, 21 Nov 2006 15:49:18 GMT https://community.cisco.com/t5/network-security/pix-506e-conduit-command/m-p/692119#M1035382 a.kiprawih 2006-11-21T15:49:18Z