Conduit with object-group?

jdepies
Level 1

I cannot figure out the correct syntax for the conduit command to employ an object-group service.

The object-group is like this:

object-group service Netmeeting TCP
  port-object eq h323
  port-object eq 1731
  port-object eq 1503

I need the conduit to allow any outside IP to access one server through these ports.

The logical conclusion would be:

conduit permit tcp host x.x.x.x eq Netmeeting any

but that does not work, and I have tried many other variants per the command output below:

Usage: [no] conduit deny|permit <protocol>|object-group <protocol_obj_grp_id>
<g_ip> <g_mask> | object-group <network_obj_grp_id>
[<operator> <port> [<port>] | object-group <service_obj_grp_id>]
<f_ip> <f_mask> | object-group <network_obj_grp_id>
[<operator> <port> [<port>] | object-group <service_obj_grp_id>]
[no] conduit deny|permit icmp <g_ip> <g_mask> | object-group <network_obj_grp_id>
<f_ip> <f_mask> | object-group <network_obj_grp_id>
[<icmp_type> | object-group <icmp_type_obj_grp_id>]

Thanks for any help

Jeff

6 Replies

jhaggett
Level 1

What version of the OS are you running? Personally, I would not use the conduit command. It's best to set up a static one-to-one PAT with an access-list. Example:

Static map:

static (inside,outside) tcp netmask 255.255.255.255 0 0

Then an access-list:

access-list inbound permit ip tcp any host eq

6.3.1

I need to use conduits.

Thanks

Hi,

you need to use the 'object-group' keyword together with the name of the object-group

conduit permit tcp host x.x.x.x eq object-group Netmeeting any

Please know that version 7, the upcoming new PIX OS, will probably no longer support the conduit commands.

Kind Regards,

Tom

Thanks for the reply; however, that did not work. This is what I got:

CS-PIX1(config)# conduit permit tcp host X.X.X.76 eq object-group Netmeeting any
ERROR: invalid port object-group
Usage: [no] conduit deny|permit <protocol>|object-group <protocol_obj_grp_id>
<g_ip> <g_mask> | object-group <network_obj_grp_id>
[<operator> <port> [<port>] | object-group <service_obj_grp_id>]
<f_ip> <f_mask> | object-group <network_obj_grp_id>
[<operator> <port> [<port>] | object-group <service_obj_grp_id>]
[no] conduit deny|permit icmp <g_ip> <g_mask> | object-group <network_obj_grp_id>
<f_ip> <f_mask> | object-group <network_obj_grp_id>
[<icmp_type> | object-group <icmp_type_obj_grp_id>]
CS-PIX1(config)#

Thanks

Jeff

Hi Jeff,

It seems that I made a mistake in my previous reply.

Sorry for that.

This should work (no 'eq')

conduit permit tcp host X.X.X.76 object-group Netmeeting any

Regards,

Tom

bad idea

I believe Cisco will be dropping support for conduits at some point.

Depending on what you are doing, something like this will work...

object-group service MyPorts udp
  description Client PNAT UDP Services
  port-object eq 7070
object-group network MyPNAT
  description Clients PNAT Public IP
  network-object host 6.21.12.18
access-list MyACL permit udp any object-group MyPorts object-group MyPNAT object-group MyPorts
access-list MyACL permit ip any object-group MyPNAT
access-list MyACL permit ip object-group MyPNAT any
static (inside,outside) udp 6.21.12.18 7070 192.168.1.8 7070 netmask 255.255.255.255 0 0
access-group MyACL in int outside

This will force inbound/outbound traffic for internal host 192.168.1.8 on UDP port 7070 onto my PNAT'd address 6.21.12.18.

This in effect overrides the NAT engine for just the specified port range. All other ip traffic from the internal host 192.168.1.8 will use the NAT engine.

It would be nice to be able to use object-groups in the static statements, but if your only reason to use conduits is for that support, I would say it's not worth it to use them and use statics instead.