Question about CONDUIT command
07-18-2002 08:48 AM - edited 03-02-2019 12:00 AM
I've read that the conduit command was necessary to allow traffic to your net devices to bypass the rules on your PIX, that is for the older IOS versions. It has since been replaced by the access-list command. I am currently using both. I would like to get rid of the conduit command specifically because the PDM utility does not recognize it and will not function properly as long as the commands remain. When I remove the conduit commands and replace them with what I think are the correct access-list commands nothing works, specifically our ability to receive mail from the outside (but we can actually send to the outside). Here is the config.
access-list acl_ping permit icmp any any
access-list acl_inside permit tcp any any eq www
access-list acl_inside permit udp any any eq domain
access-list acl_inside permit udp any any eq tftp
access-list acl_inside permit ip any --moderator edit-- 255.255.255.0
access-list acl_inside permit tcp any any eq ftp
access-list acl_inside permit tcp any any eq ftp-data
access-list acl_inside permit tcp any any eq telnet
access-list acl_inside permit icmp any any
access-list acl_inside permit tcp any any eq https
access-list acl_inside permit tcp any any eq smtp
access-list acl_inside permit ip host 192.168.68.200 any
access-list acl_inside permit ip host 192.168.55.12 any
access-list acl_inside permit udp any any eq 7070
access-list acl_inside permit udp any any eq 7007
access-list acl_inside permit tcp any any eq 7070
access-list acl_inside permit udp any any range 6970 7170
access-list acl_inside permit tcp any any eq 554
access-list acl_inside permit tcp any any eq 8001
access-list acl_inside permit tcp any any eq 8080
access-list acl_inside permit ip host 192.168.55.30 any
access-list acl_inside permit icmp host 192.168.55.30 any
access-list acl_inside permit tcp host 192.168.55.30 eq www any
access-list acl_inside permit tcp host 192.168.55.30 eq https any
access-list acl_inside permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list acl_inside permit tcp host 192.168.55.21 eq ftp any
access-list acl_inside permit tcp host 192.168.55.21 eq ftp-data any
access-list acl_inside permit ip host 192.168.55.21 any
access-list acl_inside permit udp any host 192.168.55.96 range 5190 5193
access-list acl_inside permit tcp any host 192.168.55.96 range aol 5193
access-list acl_inside permit tcp host 192.168.55.96 any range aol 5193
access-list acl_inside permit udp host 192.168.55.96 any range 5190 5193
access-list acl_inside deny udp any any eq 5190
access-list acl_inside deny tcp any any eq aol
access-list acl_inside permit ip 10.2.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list acl_inside permit ip 10.3.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list acl_inside permit ip 10.0.0.0 255.0.0.0 192.168.0.0 255.255.0.0
access-list acl_inside permit ip 10.216.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list acl_inside permit ip 192.168.0.0 255.255.0.0 10.216.0.0 255.255.0.0
access-list acl_inside permit tcp any any eq 10000
access-list acl_inside permit udp any any eq 10000
access-list acl_inside permit tcp 192.168.67.0 255.255.255.0 eq citrix-ica any
access-list acl_inside permit udp 192.168.67.0 255.255.255.0 eq 1604 any
access-list acl_inside permit ip 192.168.0.0 255.255.0.0 192.168.65.0 255.255.255.0
access-list acl_inside permit tcp host 192.168.55.12 eq smtp any
access-list acl_inside permit tcp any host 192.168.55.12 eq smtp
access-list acl_inside permit tcp host 192.168.55.12 eq pop3 any
access-list acl_inside permit tcp any host 192.168.55.12 eq pop3
access-list acl_inside permit tcp any any eq pop3
access-list acl_inside permit ip any host 192.168.55.12
access-list acl_inside permit ip 192.168.0.0 255.255.0.0 1.1.1.0 255.255.255.0
access-list acl_inside permit ip 1.1.1.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list ipsec permit ip 192.168.55.0 255.255.255.0 192.168.67.0 255.255.255.0
access-list ipsec permit ip 192.168.68.0 255.255.255.0 192.168.67.0 255.255.255.0
access-list ipsec permit ip 192.168.0.0 255.255.0.0 192.168.67.0 255.255.255.0
access-list nonat permit ip 192.168.55.0 255.255.255.0 192.168.67.0 255.255.255.0
access-list nonat permit ip 192.168.68.0 255.255.255.0 192.168.67.0 255.255.255.0
access-list nonat permit ip 192.168.0.0 255.255.0.0 192.168.80.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.0.0.0 192.168.80.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.0.0.0 host 203.47.133.230
access-list nonat permit ip 192.168.0.0 255.255.0.0 host 203.47.133.230
access-list nonat permit ip 192.168.0.0 255.255.0.0 host 213.121.208.107
access-list nonat permit ip 192.168.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list nonat permit ip 192.168.0.0 255.255.0.0 10.216.0.0 255.255.0.0
access-list nonat permit ip 192.168.0.0 255.255.0.0 1.1.1.0 255.255.255.0
access-list nonat permit ip any 1.1.1.0 255.255.255.224
pager lines 24
logging buffered warnings
logging trap warnings
logging host outside 1.1.1.10
logging host inside 192.168.55.24
logging host outside --moderator edit--
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 100full
mtu outside 1500
mtu inside 1500
mtu failover 1500
ip address outside --moderator edit-- 255.255.255.224
ip address inside 192.168.68.216 255.255.255.0
ip address failover 10.10.10.1 255.255.255.252
ip audit info action alarm
ip audit attack action alarm
ip local pool bigpool 1.1.1.10-1.1.1.20
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 209.51.172.217
failover ip address inside 192.168.68.217
failover ip address failover 10.10.10.2
failover link failover
arp timeout 14400
global (outside) 1 --moderator edit--
nat (inside) 0 access-list nonat
nat (inside) 1 193.168.1.0 255.255.255.0 0 0
nat (inside) 1 192.168.0.0 255.255.0.0 0 0
static (inside,outside) --moderator edit-- 192.168.55.12 netmask 255.255.255.255 0 0
static (inside,outside) --moderator edit-- 192.168.55.30 netmask 255.255.255.255 0 0
static (inside,outside) --moderator edit-- 192.168.55.21 netmask 255.255.255.255 0 0
static (inside,outside) --moderator edit-- 192.168.55.100 netmask 255.255.255.255 0 0
static (inside,outside) --moderator edit-- 192.168.55.24 netmask 255.255.255.255 0 0
static (inside,outside) --moderator edit-- 192.168.55.117 netmask 255.255.255.255 0 0
static (inside,outside) --moderator edit-- 192.168.55.27 netmask 255.255.255.255 0 0
static (inside,outside) --moderator edit-- 192.168.55.97 netmask 255.255.255.255 0 0
access-group acl_inside in interface inside
conduit permit tcp host --moderator edit-- any eq smtp
conduit permit tcp host --moderator edit-- eq smtp any
conduit permit tcp host --moderator edit-- eq pop3 any
conduit permit icmp any any
conduit permit ip host --moderator edit-- any
conduit permit icmp any host --moderator edit--
conduit permit ip host --moderator edit-- any
conduit permit ip host --moderator edit-- any
conduit permit udp host --moderator edit-- any
conduit permit ip host --moderator edit-- any
conduit permit ip host --moderator edit-- any
conduit permit udp host --moderator edit-- eq snmptrap any
conduit permit ip host --moderator edit-- --moderator edit-- 255.255.255.0
conduit permit ip host --moderator edit-- --moderator edit-- 255.255.255.0
conduit permit ip host --moderator edit-- host --moderator edit--
conduit permit ip host --moderator edit-- any
conduit permit ip host --moderator edit-- any
conduit permit esp host --moderator edit-- any
conduit permit udp host --moderator edit-- any eq isakmp
conduit permit tcp host --moderator edit-- any eq 1723
conduit permit gre host --moderator edit-- any
conduit permit ah host --moderator edit-- any
conduit permit icmp host --moderator edit-- any
conduit permit esp any host --moderator edit--
conduit permit gre any host --moderator edit--
conduit permit tcp any host --moderator edit-- eq 1723
conduit permit udp any host --moderator edit-- eq isakmp
conduit permit ip host --moderator edit-- any
conduit permit udp host 192.168.55.96 any
conduit permit tcp host 192.168.55.96 any
route outside 0.0.0.0 0.0.0.0 --moderator edit-- 1
route inside 1.1.1.0 255.255.255.0 192.168.68.1 1
route inside 10.2.0.0 255.255.0.0 192.168.68.11 1
route inside 10.3.0.0 255.255.0.0 192.168.68.11 1
route inside 192.168.1.0 255.255.255.0 192.168.68.1 1
route inside 192.168.55.0 255.255.255.0 192.168.68.1 1
route inside 192.168.67.0 255.255.255.0 192.168.68.1 1
route inside 192.168.69.0 255.255.255.0 192.168.68.1 1
route inside 192.168.70.0 255.255.255.0 192.168.68.1 1
route inside 192.168.79.0 255.255.255.0 192.168.68.1 1
route inside 193.168.1.0 255.255.255.0 192.168.68.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Labels: Other Networking
07-25-2002 01:40 PM
The 6.2 command reference at: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/c.htm#xtocid6 states "Add, delete, or show conduits through the PIX Firewall for incoming connections. However, the conduit command has been superseded by the access-list command. We recommend that you migrate your configuration away from the conduit command to maintain future compatibility." If there are connections to your mail server built during your change from conduit to acl... the PIX may hold those states. I would reboot the PIX after saving your changes and test from there.
