Conduit Statements
The conduit command can be used to create an exception to the PIX Firewall ASA, which otherwise prevents traffic originating on a lower-security-level interface from passing to higher-level interfaces. The most obvious example is allowing outside users to access shared resources, such as servers, on the DMZ or the inside network.
PIX Firewall version 5.3 introduced ACL features similar to those supported in Cisco IOS-based devices. Although it's strongly recommended that configurations use the more secure access-list command approach instead of conduits, conduits are still supported by the PIX OS for backward compatibility.
STUDY TIP: The current PIX Firewall Advanced Exam (CSPFA 9E0-111) assumes PIX OS v6.2, so conduits won't appear on the exam. All CCSP exams after 3/1/2003 also assume ACLs are the preferred approach over the older conduits.
The enhanced security of ACLs over conduits derives from the fact that the scope of an ACL can be easily and explicitly limited, because it is applied to a specific interface with an access-group command. The conduit command, on the other hand, applies to all interfaces except the inside interface, and then relies on proper configuration of the static and global commands to limit access.
Configuring Conduits
The configuration mode conduit command, like the newer access-list command, supports options for regular traffic filtering, ICMP message filtering, and even object group implementation. Use the no form of each to remove the conduit command. The following standard and ICMP message conduit syntax and examples are offered for informational purposes only:

Pix(config)# conduit {permit | deny} protocol global_ip global_mask [operator port [port]] foreign_ip foreign_mask [operator port [port]]
Pix(config)# conduit {permit | deny} icmp global_ip global_mask foreign_ip foreign_mask [icmp_type]
The clear conduit command removes all conduit command statements from your configuration. The clear conduit counters command clears the current conduit hit count.
The following examples compare a conduit and an access-list command used to allow access to a web server on the DMZ. In each case, the static command creates the address translation from the DMZ address (192.168.2.4) to the global IP address (1.1.1.4).
Pix(config)# static (dmz,outside) 1.1.1.4 192.168.2.4 netmask 255.255.255.255
Pix(config)# conduit permit tcp host 1.1.1.4 eq 80 any
or
Pix(config)# static (dmz,outside) 1.1.1.4 192.168.2.4 netmask 255.255.255.255
Pix(config)# access-list 105 permit tcp any host 1.1.1.4 eq 80
Pix(config)# access-group 105 in interface outside
The next example compares a conduit and an access-list command used to allow ICMP messages through the firewall. Note that the access list is explicitly limited to incoming traffic on the outside interface, whereas the conduits apply to every interface except inside.
Pix(config)# conduit permit icmp any any echo-reply
Pix(config)# conduit permit icmp any any time-exceeded
Pix(config)# conduit permit icmp any any unreachable
or
Pix(config)# access-list 100 permit icmp any any echo-reply
Pix(config)# access-list 100 permit icmp any any time-exceeded
Pix(config)# access-list 100 permit icmp any any unreachable
Pix(config)# access-group 100 in interface outside
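The two comparisons above hinge on one detail that is easy to get wrong when migrating a legacy configuration: a conduit names the global (translated) address first and the foreign address second, while an access-list entry is written source first, destination second. The following converter is an added example (not part of this text or of any Cisco tool): it parses conduit statements in the syntax shown above, swaps the address blocks, and emits the access-list entries plus the access-group line that binds them to the outside interface. The access-list number and the interface name are assumptions supplied by the caller.

```python
"""Rewrite PIX conduit statements as interface-bound access-list entries.

Added example. Handles the address forms any | host A | A MASK, the port
operators eq/lt/gt/neq/range, and an optional icmp_type for icmp conduits.
"""

_OPERATORS = {"eq", "lt", "gt", "neq", "range"}


def _take_addr(tokens):
    """Consume one address spec and return (spec_text, remaining_tokens)."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"host {tokens[1]}", tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]        # ip mask


def _take_ports(tokens):
    """Consume an optional port operator clause; return (clause, remaining)."""
    if tokens and tokens[0] in _OPERATORS:
        n = 3 if tokens[0] == "range" else 2              # range takes two ports
        return " ".join(tokens[:n]), tokens[n:]
    return "", tokens


def conduit_to_acl(conduit_line, acl_id):
    """Return the access-list line equivalent to a single conduit statement."""
    tokens = conduit_line.split()
    if tokens[:1] != ["conduit"] or tokens[1] not in ("permit", "deny"):
        raise ValueError(f"not a conduit statement: {conduit_line!r}")
    action, proto = tokens[1], tokens[2]
    glob, rest = _take_addr(tokens[3:])           # global_ip / global_mask
    gports, rest = _take_ports(rest)              # operator applies to global side
    foreign, rest = _take_addr(rest)              # foreign_ip / foreign_mask
    if proto == "icmp":
        fports, tail = "", " ".join(rest)         # optional icmp_type, e.g. echo-reply
    else:
        fports, rest = _take_ports(rest)
        tail = ""
    # access-list order is source (foreign) then destination (global).
    parts = [f"access-list {acl_id} {action} {proto}", foreign, fports, glob, gports, tail]
    return " ".join(p for p in parts if p)


def conduits_to_config(conduit_lines, acl_id, interface="outside"):
    """Convert a batch of conduits and bind the resulting ACL inbound on one interface."""
    acl = [conduit_to_acl(line, acl_id) for line in conduit_lines]
    return acl + [f"access-group {acl_id} in interface {interface}"]


if __name__ == "__main__":
    # Constructed input: the two conduit examples used in this section.
    for line in conduits_to_config(["conduit permit tcp host 1.1.1.4 eq 80 any",
                                    "conduit permit icmp any any echo-reply"], 105):
        print(line)
```

The script only rewrites the filter; the static translation that the conduit depended on still has to exist, and the output should be reviewed before it replaces anything in a running configuration.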