11-21-2006 02:00 AM - edited 03-11-2019 01:58 AM
Hi,
I am in the process of building a pix 515e to replace my 506e. Below is part of the current 506 configuration.
conduit permit tcp host xxx.xxx.xxx.xxx eq ssh any
conduit permit udp host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx eq syslog
conduit permit icmp any any
conduit permit tcp host xxx.xxx.xxx.xxx eq smtp any
conduit permit udp host xxx.xxx.xxx.xxx eq 1812 any
conduit permit tcp host xxx.xxx.xxx.xxx eq 3101 any
conduit deny tcp any eq 6129 any
I understand that the conduit command is no longer available in later IOS versions (the 515e is running version 7.0(5)); can anyone advise me on what alternative commands I now need to use?
Regards
John
11-21-2006 02:31 AM
Alternative option for Conduit is to use access-list (ACL).
Conduit does not give you the ability to specify where or on which ports you should apply the restriction, while an ACL provides more flexible options to control the traffic and where to apply the ACL.
Conduit command goes by:
conduit
ACL command structure:
access-list
Based on your conduit config, it control access from outside/internet to your xxx.xxx.xxx.xxx server (I assumed this is public IP for the server).
Therefore, the ACL version of it should be as follows (line by line):
*Existing conduit:
conduit permit tcp host xxx.xxx.xxx.xxx eq ssh any --> allow any to access the xxx.xxx.xxx.xxx IP. The same goes for the others.
conduit permit udp host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx eq syslog
conduit permit icmp any any
conduit permit tcp host xxx.xxx.xxx.xxx eq smtp any
conduit permit udp host xxx.xxx.xxx.xxx eq 1812 any
conduit permit tcp host xxx.xxx.xxx.xxx eq 3101 any
conduit deny tcp any eq 6129 any
*New ACL - apply/bind on Outside interface/port:
access-list outside permit tcp any host xxx.xxx.xxx.xxx eq ssh
access-list outside permit udp host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx eq syslog
access-list outside permit icmp any any
access-list outside permit tcp any host xxx.xxx.xxx.xxx eq smtp
access-list outside permit udp any host xxx.xxx.xxx.xxx eq 1812
access-list outside permit tcp any host xxx.xxx.xxx.xxx eq 3101
access-list outside deny tcp any any eq 6129
access-group outside in interface outside
Make sure your PIX has default route to internet router, i.e:
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.1 --> your internet router IP
Conduit/outbound notice:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_field_notice09186a00801d3621.shtml
Access-list & Conduit Ref:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml
Hope this helps. Please rate all useful post(s).
AK
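As an added worked example (not from this thread or from Cisco), the following Python script applies the conduit-to-ACL rewrite mechanically rather than by hand. It assumes the documented conduit argument order, global (inside/translated) address first and foreign (outside) address second, which is why the two address/port groups swap places when they become source and destination in an inbound ACL on the outside interface. The xxx placeholders above are replaced with RFC 5737 documentation addresses as constructed sample input, and the script also appends the explicit `deny ip any any` recommended in the follow-up post plus the `access-group` binding.

```python
"""Convert PIX 6.x 'conduit' statements into PIX 7.x 'access-list' entries.

Added example, not part of the original post. Conduit argument order is
global address [port] then foreign address [port]; an inbound ACL on the
outside interface is source (foreign) then destination (global), so the
two groups are swapped. Constructed sample input uses RFC 5737 addresses.
"""

SINGLE_OPS = {"eq", "neq", "lt", "gt"}   # operators taking one port
RANGE_OPS = {"range"}                     # operator taking two ports


def _take_address(tokens, i):
    """Parse one address spec at tokens[i]: 'any', 'host X', or 'X MASK'."""
    tok = tokens[i]
    if tok == "any":
        return "any", i + 1
    if tok == "host":
        return f"host {tokens[i + 1]}", i + 2
    return f"{tok} {tokens[i + 1]}", i + 2   # explicit address/mask pair


def _take_port(tokens, i):
    """Parse an optional port operator at tokens[i]; returns ('' , i) if none."""
    if i < len(tokens) and tokens[i] in SINGLE_OPS:
        return f" {tokens[i]} {tokens[i + 1]}", i + 2
    if i < len(tokens) and tokens[i] in RANGE_OPS:
        return f" range {tokens[i + 1]} {tokens[i + 2]}", i + 3
    return "", i


def conduit_to_ace(line, acl_name="outside"):
    """Translate one conduit line into one access-list entry (ACE)."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "conduit" or tokens[1] not in ("permit", "deny"):
        raise ValueError(f"not a conduit statement: {line!r}")
    action, proto = tokens[1], tokens[2]
    has_ports = proto in ("tcp", "udp")
    try:
        i = 3
        global_addr, i = _take_address(tokens, i)
        global_port, i = _take_port(tokens, i) if has_ports else ("", i)
        foreign_addr, i = _take_address(tokens, i)
        foreign_port, i = _take_port(tokens, i) if has_ports else ("", i)
    except IndexError:
        raise ValueError(f"truncated conduit statement: {line!r}") from None
    # Anything left over (e.g. an ICMP type) is carried through unchanged.
    trailer = " " + " ".join(tokens[i:]) if i < len(tokens) else ""
    # Inbound on the outside interface: foreign side is the source,
    # global side is the destination.
    return (f"access-list {acl_name} {action} {proto} "
            f"{foreign_addr}{foreign_port} {global_addr}{global_port}{trailer}")


def conduits_to_acl(conduit_lines, acl_name="outside", interface="outside",
                    explicit_deny=True):
    """Convert a whole conduit list and append the deny and access-group lines."""
    aces = [conduit_to_ace(l, acl_name) for l in conduit_lines if l.strip()]
    if explicit_deny:
        # The implicit deny already exists; spelling it out keeps the drop
        # visible in the running config and gives it its own hit counter
        # in 'show access-list'.
        aces.append(f"access-list {acl_name} deny ip any any")
    aces.append(f"access-group {acl_name} in interface {interface}")
    return aces


# Constructed sample input mirroring the 506e config above, with RFC 5737
# documentation addresses standing in for the xxx placeholders.
SAMPLE_CONDUITS = [
    "conduit permit tcp host 198.51.100.10 eq ssh any",
    "conduit permit udp host 198.51.100.10 host 203.0.113.5 eq syslog",
    "conduit permit icmp any any",
    "conduit permit tcp host 198.51.100.10 eq smtp any",
    "conduit permit udp host 198.51.100.10 eq 1812 any",
    "conduit permit tcp host 198.51.100.10 eq 3101 any",
    "conduit deny tcp any eq 6129 any",
]

if __name__ == "__main__":
    for ace in conduits_to_acl(SAMPLE_CONDUITS):
        print(ace)
```

Check the generated syslog line against your real addresses: the port qualifier stays attached to whichever host carried it in the conduit, so with the second host being the foreign (outside) side the ACE lists it as the source with `eq syslog`. If that is not the flow you intended, the original conduit was describing a different one and the conversion simply preserved it. The ACL name and the name in the `access-group` line must match, and the `route outside` default route mentioned above is still needed for return traffic.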
11-21-2006 02:36 AM
Also, for the new ACL entries, I recommend using 'deny ip any any' to deny all unwanted IP (TCP/UDP) traffic.
So, the last line (with deny statement) will be:
access-list outside deny ip any any
HTH
AK
11-21-2006 02:57 AM
Thanks, that's very concise. Won't the access list have an implicit deny any any statement at the end of the access list by default?
11-21-2006 07:49 AM
Yes indeed, but it's still recommended to have it specified there.
HTH
AK