Allow unusual ports for restricted IP range

Aaron Wedemeyer
Level 1

I have a PIX 515 and I'm stuck back at 5.3 but I need to add access to my entire protected range to/from about a dozen unusual ports so I can run hosted Java applets. I was given the ports, and the IP addresses, but it took 45 DAYS!!! for my provider to get a tech out here. I didn't test properly after he left, and can't afford to wait another 45.

Is the following statement correct to allow traffic on port nnnn back/forth to xx.xx.xx.xx?

conduit permit any eq nnnn host xx.xx.xx.xx

What statement might I use to allow any traffic to/from my inside protected IPs to xx.xx.xx.xx?

5 Replies

nkhawaja
Cisco Employee

This statement looks correct except for the keyword "tcp or udp", but you can add this too:

conduit permit tcp any host xx.xx.xx.xx eq nnnn

If it is a TCP port, use conduit with tcp.

If it is a UDP port, use conduit with udp.

What statement might I use to allow any traffic to/from my inside protected IPs to xx.xx.xx.xx?

conduit permit ip any host xx.xx.xx.xx

Try to replace the "any" with your inside network IP address.

e.g.

conduit permit ip 10.1.1.0 255.255.255.0 host xx.xx.xx.xx

Thanks,

Nadeem

When configuring a conduit as opposed to an ACL, one critical point is that the source and destination are in reverse order compared to an ACL.

e.g.

access-list 100 permit tcp any host 1.1.1.1 eq 80

conduit permit tcp host 1.1.1.1 eq 80 any

According to your original post,

conduit permit any eq nnnn host xx.xx.xx.xx

this conduit is incorrect. When configuring a conduit/ACL with a specific port number, a protocol type is needed, such as tcp or udp,

i.e. conduit permit tcp any eq nnnn host xx.xx.xx.xx

With this conduit, the PIX will permit any traffic originating from the host xx.xx.xx.xx to any destination with TCP port nnnn. Thus, this conduit will not achieve what you were attempting to achieve.

I guess the conduit should look like:

conduit permit tcp host xx.xx.xx.xx eq nnnn any

With this conduit, the PIX will permit any traffic destined for host xx.xx.xx.xx with TCP port nnnn.

> With this conduit, the PIX will permit any traffic originating from the host xx.xx.xx.xx to any destination with TCP port nnnn

That's exactly what I want. Any traffic inbound or outbound to/from the remote server on xx.xx.xx.xx, as long as it's port nnnn. I was tempted to allow ANY traffic to/from xx.xx.xx.xx just to make it easier on me, but I know then my defenses are weaker.

I told the engineers who were supposed to set this up it was TCP.

Another basic question: does a conduit permit traffic to and from?

ACL - source - destination

conduit - destination - source

e.g.

access-list 100 permit tcp any host 1.1.1.1 eq 80

conduit permit tcp host 1.1.1.1 eq 80 any
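The source/destination reversal that the replies above point out, and the missing-protocol mistake in the original post's conduit, as an added Python example (not code from the thread): a small translator between the access-list and conduit forms. It assumes only the grammar that appears in the thread (permit/deny, protocol ip/tcp/udp, endpoints written as any, host A.B.C.D or A.B.C.D MASK, optional eq PORT) and keeps the thread's placeholders nnnn and xx.xx.xx.xx as-is.

```python
PROTOCOLS = ("ip", "tcp", "udp")  # assumed subset: the only protocols the thread uses

def _take_endpoint(tokens):
    # One endpoint ('any', 'host A.B.C.D' or 'A.B.C.D MASK') plus optional 'eq PORT'
    if tokens[0] == "any":
        text, rest = "any", tokens[1:]
    elif tokens[0] == "host":
        text, rest = f"host {tokens[1]}", tokens[2:]
    else:  # network followed by its mask, e.g. 10.1.1.0 255.255.255.0
        text, rest = f"{tokens[0]} {tokens[1]}", tokens[2:]
    port = None
    if rest[:1] == ["eq"]:
        port, rest = rest[1], rest[2:]
    return text, port, rest

def parse_rule(line):
    """Parse one rule into a dict whose src/dst follow access-list order."""
    tokens = line.split()
    kind = tokens[0]
    rest = tokens[2:] if kind == "access-list" else tokens[1:]
    if kind not in ("access-list", "conduit") or rest[0] not in ("permit", "deny"):
        raise ValueError(f"not an access-list/conduit rule: {line}")
    action, rest = rest[0], rest[1:]
    proto = rest[0] if rest[0] in PROTOCOLS else None  # None: keyword left out
    rest = rest[1:] if proto else rest
    first, first_port, rest = _take_endpoint(rest)
    second, second_port, rest = _take_endpoint(rest)
    if rest:
        raise ValueError(f"unexpected trailing tokens: {' '.join(rest)}")
    if kind == "conduit":  # a conduit lists the destination (global side) first
        first, first_port, second, second_port = second, second_port, first, first_port
    return {"action": action, "proto": proto, "src": first, "src_port": first_port,
            "dst": second, "dst_port": second_port}

def problems(rule):
    """Return why a rule is invalid; an empty list means it is well formed."""
    found = []
    if rule["proto"] is None:
        found.append("protocol keyword (ip, tcp or udp) is missing")
    if (rule["src_port"] or rule["dst_port"]) and rule["proto"] not in ("tcp", "udp"):
        found.append("a port (eq) requires the protocol to be tcp or udp")
    return found

def render(rule, kind, acl_id=None):
    """Write the rule back out; a conduit puts the destination first."""
    src = rule["src"] + (f" eq {rule['src_port']}" if rule["src_port"] else "")
    dst = rule["dst"] + (f" eq {rule['dst_port']}" if rule["dst_port"] else "")
    head = f"access-list {acl_id}" if kind == "access-list" else "conduit"
    ends = f"{src} {dst}" if kind == "access-list" else f"{dst} {src}"
    return f"{head} {rule['action']} {rule['proto']} {ends}"
```

Feeding the original post's conduit to `parse_rule` and `problems` reports the missing protocol, while rendering the parsed `access-list 100` line as a conduit reproduces the reversed form shown in the replies.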