11-22-2005 01:36 PM - edited 03-09-2019 01:07 PM
I have a PIX 515 and I'm stuck back at 5.3 but I need to add access to my entire protected range to/from about a dozen unusual ports so I can run hosted Java applets. I was given the ports, and the IP addresses, but it took 45 DAYS!!! for my provider to get a tech out here. I didn't test properly after he left, and can't afford to wait another 45.
Is the following statement correct to allow traffic on port nnnn back/forth to xx.xx.xx.xx?
conduit permit any eq nnnn host xx.xx.xx.xx
What statement might I use to allow any traffic to/from my inside protected IPs to xx.xx.xx.xx?
11-22-2005 01:55 PM
this statement looks correct except for the keyword "tcp" or "udp", but you can add this too
conduit permit tcp any host xx.xx.xx.xx eq nnnn
if it is a tcp port use conduit with tcp
if it is a udp port use conduit with udp
What statement might I use to allow any traffic to/from my inside protected IPs to xx.xx.xx.xx?
conduit permit ip any host xx.xx.xx.xx
try to replace the "any" with your inside network IP address
e.g.
conduit permit ip 10.1.1.0 255.255.255.0 host xx.xx.xx.xx
thanks
Nadeem
11-22-2005 02:13 PM
when configuring conduit as opposed to acl, one critical point is that the source and destination are in reverse order compared to acl.
e.g.
access-list 100 permit tcp any host 1.1.1.1 eq 80
conduit permit tcp host 1.1.1.1 eq 80 any
according to your original post,
conduit permit any eq nnnn host xx.xx.xx.xx
this conduit is incorrect. when configuring conduit/acl with specific port number, a protocol type is needed, such as tcp or udp.
i.e. conduit permit tcp any eq nnnn host xx.xx.xx.xx
with this conduit, pix will permit any traffic originated from the host xx.xx.xx.xx to any destination with tcp port nnnn. thus, this conduit will not achieve what you were attempting to achieve.
i guess the conduit should look like:
conduit permit tcp host xx.xx.xx.xx eq nnnn any
with this conduit, the pix will permit any traffic destined for host xx.xx.xx.xx with tcp port nnnn.
11-28-2005 11:01 AM
> with this conduit, pix will permit any traffic originated from the host xx.xx.xx.xx to any destination with tcp port nnnn
That's exactly what I want. Any traffic inbound or outbound to/from the remote server on xx.xx.xx.xx, as long as it's port nnn. I was tempted to allow ANY traffic to/from xx.xx.xx.xx just to make it easier on me, but I know then my defenses are weaker.
11-28-2005 10:57 AM
I told the engineers who were supposed to set this up it was TCP.
Another basic question, conduit permits traffic to and from?
11-28-2005 01:46 PM
acl - source - destination
conduit - destination - source
e.g.
access-list 100 permit tcp any host 1.1.1.1 eq 80
conduit permit tcp host 1.1.1.1 eq 80 any
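Added example (my own Python, not code from the thread or from Cisco): a small model of the two syntaxes discussed above, to show that "conduit" lists destination before source while "access-list" lists source before destination, and that a port match ("eq") is only meaningful with tcp or udp. It parses both statement forms into one source/destination rule, evaluates whether a given connection would be admitted, and compares the conduit as the original poster wrote it (with the protocol keyword added) against the reordered one suggested in the reply. All addresses and the port 8443 are constructed placeholders standing in for the thread's xx.xx.xx.xx and nnnn.

```python
"""Model of PIX 'conduit' vs 'access-list' operand order (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

KNOWN_PROTOCOLS = {"tcp", "udp", "ip", "icmp"}


@dataclass(frozen=True)
class Rule:
    proto: str                       # "tcp", "udp", "ip" or "icmp"
    src_net: ipaddress.IPv4Network   # who may initiate the connection
    src_port: Optional[int]          # source port, None means any
    dst_net: ipaddress.IPv4Network   # where the connection may go
    dst_port: Optional[int]          # destination port, None means any


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}"), i + 2


def _parse_port(tokens, i):
    """Parse an optional 'eq PORT' at tokens[i]; None when absent."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def _parse_pair(tokens, i, proto):
    """Parse two address specs, each with an optional port, in the order written."""
    first, i = _parse_addr(tokens, i)
    first_port, i = _parse_port(tokens, i)
    second, i = _parse_addr(tokens, i)
    second_port, i = _parse_port(tokens, i)
    if (first_port is not None or second_port is not None) and proto not in ("tcp", "udp"):
        raise ValueError("a port match ('eq') needs tcp or udp as the protocol")
    return first, first_port, second, second_port


def parse_rule(line: str) -> Rule:
    """Turn one permit statement into a source->destination Rule."""
    tokens = line.split()
    if tokens[0] == "access-list":
        # access-list ID permit PROTO SOURCE [eq P] DESTINATION [eq P]
        if tokens[2] != "permit":
            raise ValueError("only 'permit' lines are modelled")
        proto = tokens[3]
        if proto not in KNOWN_PROTOCOLS:
            raise ValueError(f"missing protocol keyword, got {proto!r}")
        src, sp, dst, dp = _parse_pair(tokens, 4, proto)
        return Rule(proto, src, sp, dst, dp)
    if tokens[0] == "conduit":
        # conduit permit PROTO DESTINATION [eq P] SOURCE [eq P]  (reverse of the ACL)
        if tokens[1] != "permit":
            raise ValueError("only 'permit' lines are modelled")
        proto = tokens[2]
        if proto not in KNOWN_PROTOCOLS:
            raise ValueError(f"missing protocol keyword, got {proto!r}")
        dst, dp, src, sp = _parse_pair(tokens, 3, proto)
        return Rule(proto, src, sp, dst, dp)
    raise ValueError("unrecognised statement")


def is_valid(line: str) -> bool:
    """True when the statement parses; False for the forms the thread flags as wrong."""
    try:
        parse_rule(line)
        return True
    except (ValueError, IndexError):
        return False


def matches(rule: Rule, proto: str, src_ip: str, src_port: int,
            dst_ip: str, dst_port: int) -> bool:
    """Would this rule admit a new connection with these 5-tuple values?"""
    if rule.proto != "ip" and rule.proto != proto:
        return False
    if ipaddress.ip_address(src_ip) not in rule.src_net:
        return False
    if ipaddress.ip_address(dst_ip) not in rule.dst_net:
        return False
    if rule.src_port is not None and rule.src_port != src_port:
        return False
    if rule.dst_port is not None and rule.dst_port != dst_port:
        return False
    return True


def compare_thread_conduits():
    """Constructed scenario: 192.0.2.10 plays the host named in the conduit,
    8443 plays port nnnn, 198.51.100.7 is some other client, 10.1.1.5 an inside host."""
    as_posted = parse_rule("conduit permit tcp any eq 8443 host 192.0.2.10")
    as_suggested = parse_rule("conduit permit tcp host 192.0.2.10 eq 8443 any")
    client_to_named_host = dict(proto="tcp", src_ip="198.51.100.7", src_port=40000,
                                dst_ip="192.0.2.10", dst_port=8443)
    named_host_to_inside = dict(proto="tcp", src_ip="192.0.2.10", src_port=40000,
                                dst_ip="10.1.1.5", dst_port=8443)
    return {
        "as_posted": (matches(as_posted, **client_to_named_host),
                      matches(as_posted, **named_host_to_inside)),
        "as_suggested": (matches(as_suggested, **client_to_named_host),
                         matches(as_suggested, **named_host_to_inside)),
    }


if __name__ == "__main__":
    print(compare_thread_conduits())
```

The comparison returns (False, True) for the conduit as posted and (True, False) for the reordered one: the first admits connections initiated by the named host to any protected address on port 8443, the second admits connections from anywhere to the named host on port 8443, which are very different exposures for the same six tokens. Two caveats for anyone reviewing such a rule: the model only decides whether a new inbound connection is permitted, since on the PIX connections from a higher-security interface to a lower one are allowed by default and their replies are matched by the state table rather than by a conduit; and the "any" source should be narrowed to the expected peer address where possible, as the first reply suggests.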