Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
267
Views
0
Helpful
3
Replies

Will conduit take precedence over statefull inspection?

jsluzewski
Level 1
Level 1

‎11-03-2003 07:26 AM - edited ‎03-09-2019 05:22 AM

Will the conduit statement:

conduit permit ip host host_ip any

allow out-of-session packets (for which firewall does not have entry in its connection table) arriving due to asymetric routing?

Labels:
0 Helpful
3 Replies 3

rais
Level 7
Level 7

‎11-04-2003 10:12 AM

Yes, all IP packets will be allowed.

HTH.

0 Helpful

scoclayton
Level 7
Level 7
In response to rais

‎11-04-2003 12:43 PM

No, this is not correct. The conduit statement specified will allow SYN packets sourced from anywhere into this host but once the conn is created, the PIX will check Sequence #, ACK #, flags, etc. via the ASA to determine if the packets are allowed to pass. If the packets do not match a current conn, the PIX will silently drop the packet.

Scott

0 Helpful

rais
Level 7
Level 7
In response to scoclayton

‎11-04-2003 09:51 PM

Scott,

Thanks for the correction and clarification.

Rais.

0 Helpful
Customers Also Viewed These Support Documents