PIX Firewall and conduit

s.terminiello
Level 1

I have a PIX firewall 520 with six PIX interfaces. Is it possible on a PIX firewall to create a conduit that pertains to each PIX interface? For example, I may have one interface to a vendor and the outside interface to the Internet. For the interface that corresponds to the Internet I want SMTP traffic to flow. However, for the interface that corresponds to the vendor I do not need SMTP on that interface at all.

2 Replies

murabi
Level 4

Let's say, for example, your inside SMTP server is 10.10.10.10 and the static translation for it is 200.10.10.10. It would look like this:

static (inside,outside) 200.10.10.10 10.10.10.10 netmask 255.255.255.255

Now let's say you want to receive mail (SMTP) from the whole Internet:

conduit permit tcp host 200.10.10.10 eq smtp any

If you use a mail relay on the outside, limit your conduit to only allow the mail relay server to connect to the inside mail server:

conduit permit tcp host 200.10.10.10 eq smtp host 200.10.10.11

(assuming 200.10.10.11 is the outside relay server)

Now, all we did was give all outside hosts access to the SMTP server, but we are not allowing inbound traffic from the perimeter (vendor) network.

If you need the SMTP server to get to (initiate a connection to) the vendor network, a global (vendor) pool or a static translation to the vendor network will allow it to get there. If the vendor network needs access to the SMTP server (needs to initiate traffic), then just add the appropriate conduits.

I hope this helps.

dschloss
Level 1

Depending on the code level you are running, you could also use ACLs instead of conduits. ACLs allow policy definition per interface; see the example below.

#Define inbound ACL
access-list acl_inbound permit udp any host 24.151.2.210 eq domain
access-list acl_inbound permit udp any host 24.151.2.211 eq domain
access-list acl_inbound permit icmp any any

#Apply ACL to interface
access-group acl_inbound in interface outside
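
The following is a small policy evaluator added here as an illustration; it is not part of either reply and is not Cisco code. It parses access-list and access-group lines in the style shown above and answers whether an inbound flow arriving on a named interface would be permitted. The config it parses is constructed: the three entries from the reply above plus a hypothetical SMTP entry for the 200.10.10.10 host from the first reply, bound only to the outside interface. The vendor interface gets no access-group, so the same SMTP request arriving there is denied, which is the per-interface behaviour the question asks for. The matching rules (first match wins, implicit deny at the end, and an interface with no inbound ACL permits nothing initiated from it toward a higher-security interface) are the usual PIX model and are assumptions of this example, not something verified against a real box.

```python
"""Tiny evaluator for PIX-style interface ACLs (access-list + access-group).

Added example, not from the thread. It models only the subset of syntax used
above: permit/deny, tcp/udp/icmp/ip, 'any', 'host A.B.C.D', 'A.B.C.D MASK',
and an optional 'eq PORT' on source and destination.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample config: the three ACL lines from the reply above, plus a
# hypothetical SMTP entry, bound only to the outside interface. The vendor
# interface deliberately gets no access-group.
SAMPLE_CONFIG = """
#Define inbound ACL
access-list acl_inbound permit udp any host 24.151.2.210 eq domain
access-list acl_inbound permit udp any host 24.151.2.211 eq domain
access-list acl_inbound permit icmp any any
access-list acl_inbound permit tcp any host 200.10.10.10 eq smtp
#Apply ACL to interface
access-group acl_inbound in interface outside
"""

# Service names the sample uses; a real PIX knows many more.
PORT_NAMES = {"domain": 53, "smtp": 25, "www": 80, "https": 443}


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", "icmp" or "ip"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None means any destination port


def _port(token: str) -> int:
    return PORT_NAMES.get(token) or int(token)


def _addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK'; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text: str) -> Tuple[Dict[str, List[Ace]], Dict[str, str]]:
    """Return (ACL entries by name, ACL name bound inbound on each interface)."""
    acls: Dict[str, List[Ace]] = {}
    bindings: Dict[str, str] = {}
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith(("#", "!")):
            continue
        if tokens[0] == "access-list":
            name, action, proto = tokens[1], tokens[2], tokens[3]
            src, i = _addr(tokens, 4)
            if i < len(tokens) and tokens[i] == "eq":   # source port: parsed, not matched
                i += 2
            dst, i = _addr(tokens, i)
            dport = _port(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
            acls.setdefault(name, []).append(Ace(action, proto, src, dst, dport))
        elif tokens[0] == "access-group" and tokens[2] == "in":
            # access-group NAME in interface IFNAME
            bindings[tokens[4]] = tokens[1]
    return acls, bindings


def evaluate(config: str, interface: str, proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> str:
    """Decide whether an inbound flow arriving on `interface` is permitted.

    Assumption (usual PIX model): no inbound access-group on the interface means
    nothing initiated from it is permitted, and every ACL ends in an implicit deny.
    """
    acls, bindings = parse_config(config)
    acl_name = bindings.get(interface)
    if acl_name is None:
        return "deny"
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acls.get(acl_name, []):
        if ace.proto not in (proto, "ip"):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action        # first matching entry wins
    return "deny"


if __name__ == "__main__":
    for iface in ("outside", "vendor"):
        # 198.51.100.7 is a constructed client address (documentation range).
        print(iface, "smtp ->", evaluate(SAMPLE_CONFIG, iface, "tcp", "198.51.100.7", "200.10.10.10", 25))
```

Because the decision is keyed on the interface the packet arrives on, the same SMTP request is permitted from outside and denied from vendor with no change to the ACL itself; adding a second ACL and a second access-group line for the vendor interface is how a different policy would be expressed there.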
