conduit vs access list

eric.cote
Level 4

Can anyone offer a doc-link or a brief explanation of the difference between conduits and access lists? I'm quite familiar with router access lists, but this conduit thing is a bit new. Are conduits applied to all interfaces within a PIX, and does it then allow for the flow of traffic in any direction? Unlike access lists, conduits don't seem to get applied to any specific interface, nor do you have to explicitly define the direction of the traffic flow.

5 Replies

bsaenz
Level 1

Hi,

Actually conduits are specific to an IP address such as follows:

"conduit permit tcp host 192.168.1.10 eq www any"

These permit access from the outside world to the inside world on the ports specified. So if you want to open TCP ports ftp and https you would do another conduit for each of them with the same IP address information.

You then have to apply also a static route such as this:

"static (DMZ,outside) [public IP] [Private IP] netmask 255.255.255.255"

This will allow traffic from the outside to access the private IP address on the inside through your PIX.

So, any configured conduits (at least by default) apply only to the outside interface towards the inside?

Conduits are, in fact, inbound. There is an outbound command, which, when used with apply, works like an outbound access-list.

Conduits and outbound are the older way to do it. It still works fine, but if you are comfortable with ACLs, and your PIX version supports them, I'd recommend using them. The only caveat is that in PIX ACLs, you use the subnet mask, instead of the wildcard mask. Kind of a pain, but....

Chris
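To put the two replies above side by side, here is an added example (not from anyone in this thread) showing the same inbound permits written first as conduits and then as a PIX 6.x access-list bound to the outside interface. The addresses (public 203.0.113.10, inside host 192.168.1.10, trusted management net 192.0.2.0/24), the names and the chosen ports are assumptions for illustration.

```text
! Added example, PIX 6.x syntax. Addresses and names are assumed.
! Both styles need the same static translation so the public address
! 203.0.113.10 maps to the inside host 192.168.1.10.
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255

! Old style: conduits are not bound to an interface and are always
! evaluated for traffic entering from a lower-security interface.
! Argument order is global (public) address first, foreign (source) second.
conduit permit tcp host 203.0.113.10 eq www any
conduit permit tcp host 203.0.113.10 eq https any

! Newer style: the same permits as an access-list applied inbound on the
! outside interface with access-group. On a PIX the mask is a subnet mask
! (255.255.255.0), not the IOS wildcard form (0.0.0.255). Anything not
! permitted falls through to the implicit deny at the end of the list.
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit tcp any host 203.0.113.10 eq https
access-list outside_in permit tcp 192.0.2.0 255.255.255.0 host 203.0.113.10 eq ssh
access-group outside_in in interface outside
```

In both forms the PIX keeps connection state, so replies to permitted connections are allowed back through without a separate rule; only the direction you bind the list (here inbound on outside) needs explicit permits.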

No. In the example I mentioned I used the DMZ and outside but you can apply the conduit to any zone in the same manner.

If you want inside, DMZ you can do this as well.

Regards,

Ben

P.S. I just did this on our network so it's fresh in my mind. Go to the Cisco site or email me off list and I will email you the documents that explain this...

johnbroadway
Level 1

I would say that I prefer the way in which a conduit works. A conduit makes use of the PIX ASA in that it automatically allows valid return traffic. When configuring access-lists on the other hand you will need to define the return traffic and specifically permit this in the access-lists.