11-03-2003 07:26 AM - edited 03-09-2019 05:22 AM
Will the conduit statement:
conduit permit ip host host_ip any
allow out-of-session packets (for which the firewall does not have an entry in its connection table) arriving due to asymmetric routing?
11-04-2003 10:12 AM
Yes, all IP packets will be allowed.
HTH.
11-04-2003 12:43 PM
No, this is not correct. The conduit statement specified will allow SYN packets sourced from anywhere into this host but once the conn is created, the PIX will check Sequence #, ACK #, flags, etc. via the ASA to determine if the packets are allowed to pass. If the packets do not match a current conn, the PIX will silently drop the packet.
Scott
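The behaviour described in the reply above, as an added example that is not part of the original thread and is not PIX code: a simplified model of a permit rule combined with a TCP connection table. The class and function names, the addresses (documentation ranges) and the exact-match sequence check are assumptions made for illustration.

```python
# Simplified model (constructed for illustration): a permit rule only lets a
# SYN create a connection entry; everything else must match an existing entry.
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10  # TCP flag bits

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    seq: int
    payload_len: int = 0

class StatefulFilter:
    def __init__(self, permitted_host):
        # Models "conduit permit ip host <host_ip> any" for TCP traffic.
        self.permitted_host = permitted_host
        self.conns = {}  # flow 4-tuple -> next expected sequence number

    def inbound(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.conns:
            # Known connection: check the sequence number. Simplified to an
            # exact match here; this is an assumption of the model.
            if pkt.seq != self.conns[key]:
                return "drop"
            self.conns[key] = pkt.seq + pkt.payload_len
            return "pass"
        # No entry: only an initial SYN to the permitted host may create one.
        if pkt.dst == self.permitted_host and pkt.flags == SYN:
            self.conns[key] = pkt.seq + 1
            return "pass"
        return "drop"  # out-of-session packet, dropped despite the permit rule

def demo():
    fw = StatefulFilter("192.0.2.10")
    flow = ("198.51.100.7", 40000, "192.0.2.10", 80)
    return [
        fw.inbound(Packet(*flow, SYN, 1000)),       # creates the entry
        fw.inbound(Packet(*flow, ACK, 1001, 100)),  # matches the entry
        fw.inbound(Packet(*flow, ACK, 5000, 100)),  # wrong sequence number
        # Mid-stream packet whose SYN took another path (asymmetric routing):
        fw.inbound(Packet("198.51.100.7", 40001, "192.0.2.10", 80, ACK, 7000, 100)),
    ]

if __name__ == "__main__":
    print(demo())
```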
11-04-2003 09:51 PM
Scott,
Thanks for the correction and clarification.
Rais.