Will conduit take precedence over stateful inspection?

Nov 3rd, 2003

Will the conduit statement:

conduit permit ip host host_ip any

allow out-of-session packets (for which the firewall does not have an entry in its connection table) arriving due to asymmetric routing?

rais Tue, 11/04/2003 - 10:12
Yes, all IP packets will be allowed.


HTH.

scoclayton Tue, 11/04/2003 - 12:43
No, this is not correct. The conduit statement specified will allow SYN packets sourced from anywhere into this host, but once the conn is created, the PIX will check Sequence #, ACK #, flags, etc. via the ASA to determine if the packets are allowed to pass. If the packets do not match a current conn, the PIX will silently drop them.


Scott
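
To make the distinction Scott draws concrete, here is an added illustration (not Cisco code and not posted in this thread) of how a stateful inspection engine's TCP connection table behaves: a SYN that the permit rule allows creates a conn entry, every later segment must match an existing entry and a plausible sequence/ACK state, and a segment with no entry (the out-of-session packet of the question, e.g. one whose SYN took another path) is dropped regardless of the rule. The host addresses, ports and sequence numbers are constructed, and the state machine is a deliberate simplification of what a real PIX tracks (TCP only, even though the conduit says `ip`; no FIN/RST teardown; a fixed window for the seq/ack sanity check).

```python
"""Toy model of a stateful firewall's TCP connection table (added
illustration, not Cisco PIX code).  A permissive rule lets a SYN create
a conn entry; every later segment must match an existing entry and a
plausible sequence/ACK state, or it is silently dropped."""
from dataclasses import dataclass

PROTECTED_HOST = "192.0.2.10"   # constructed: the host in "conduit permit ip host H any"
WINDOW = 65535                  # constructed window used for seq/ack sanity checks


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset          # e.g. frozenset({"SYN"}), frozenset({"PSH", "ACK"})
    seq: int
    ack: int = 0
    length: int = 0           # payload bytes


def _within(value, base, span):
    """True if value lies in [base, base + span) modulo 2**32."""
    return (value - base) % (1 << 32) < span


class StatefulFirewall:
    def __init__(self, permit_hosts, window=WINDOW):
        self.permit_hosts = set(permit_hosts)
        self.window = window
        self.conns = {}        # direction-independent 4-tuple -> connection state

    @staticmethod
    def _key(p):
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a <= b else (b, a)

    def rule_permits(self, p):
        # "conduit permit ip host H any": any source may reach host H
        return p.dst in self.permit_hosts

    def process(self, p):
        key = self._key(p)
        c = self.conns.get(key)
        me, peer = (p.src, p.sport), (p.dst, p.dport)
        if c is None:
            # Only a bare SYN that the rule permits may create a conn entry.
            # Anything else without an entry (an orphan ACK from asymmetric
            # routing, a mid-stream segment) is dropped regardless of the rule.
            if p.flags == frozenset({"SYN"}) and self.rule_permits(p):
                self.conns[key] = {"state": "SYN_SENT", "client": me,
                                   "next": {me: p.seq + 1, peer: None}}
                return "PERMIT"
            return "DROP"
        if c["state"] == "SYN_SENT":
            # Expect SYN/ACK from the server acknowledging the client's ISN.
            if me != c["client"] and p.flags == frozenset({"SYN", "ACK"}) \
                    and p.ack == c["next"][peer]:
                c["next"][me] = p.seq + 1
                c["state"] = "SYN_RCVD"
                return "PERMIT"
            return "DROP"
        if c["state"] == "SYN_RCVD":
            # Expect the client's final handshake ACK with exact seq/ack.
            if me == c["client"] and "ACK" in p.flags \
                    and p.seq == c["next"][me] and p.ack == c["next"][peer]:
                c["state"] = "ESTABLISHED"
                c["next"][me] = p.seq + p.length
                return "PERMIT"
            return "DROP"
        # ESTABLISHED: seq must fall in this side's window, and ack must not
        # acknowledge bytes the peer has not sent yet.
        if "ACK" not in p.flags:
            return "DROP"
        if not _within(p.seq, c["next"][me], self.window):
            return "DROP"
        if not _within(c["next"][peer], p.ack, self.window):
            return "DROP"
        c["next"][me] = p.seq + p.length + (1 if "FIN" in p.flags else 0)
        return "PERMIT"


def asymmetric_routing_demo():
    """Constructed trace: one normal handshake, then packets the rule would
    permit but the connection table rejects."""
    fw = StatefulFirewall([PROTECTED_HOST])
    H, C = PROTECTED_HOST, "198.51.100.7"
    r = {}
    r["syn"] = fw.process(Packet(C, 40000, H, 80, frozenset({"SYN"}), seq=1000))
    r["synack"] = fw.process(Packet(H, 80, C, 40000, frozenset({"SYN", "ACK"}), seq=5000, ack=1001))
    r["ack"] = fw.process(Packet(C, 40000, H, 80, frozenset({"ACK"}), seq=1001, ack=5001))
    r["data"] = fw.process(Packet(C, 40000, H, 80, frozenset({"PSH", "ACK"}), seq=1001, ack=5001, length=100))
    # A second client's SYN went around the firewall; only its ACK arrives here.
    r["orphan_ack"] = fw.process(Packet("203.0.113.9", 41000, H, 80, frozenset({"ACK"}), seq=7000, ack=9000))
    # Right 4-tuple, but a sequence number far outside the tracked window.
    r["bad_seq"] = fw.process(Packet(C, 40000, H, 80, frozenset({"ACK"}), seq=999999, ack=5001))
    # SYN to a host the conduit does not cover: no entry, and the rule denies.
    r["syn_other_host"] = fw.process(Packet(C, 40001, "192.0.2.99", 80, frozenset({"SYN"}), seq=1))
    return r


if __name__ == "__main__":
    for name, verdict in asymmetric_routing_demo().items():
        print(f"{name:15s} {verdict}")
```

The orphan ACK is the case the question asks about: the conduit would permit it as an IP packet to the host, but with no conn entry the engine never consults the rule for a non-SYN segment, so it is dropped. The `bad_seq` case shows the second half of Scott's point, that even a segment on a known 4-tuple is checked against the tracked sequence state.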

rais Tue, 11/04/2003 - 21:51
Scott,


Thanks for the correction and clarification.


Rais.