
Question about CONDUIT command

karlsd
Level 1

I've read that the conduit command was necessary to allow traffic to your net devices to bypass the rules on your PIX, that is, for the older IOS versions. It has since been replaced by the access-list command. I am currently using both. I would like to get rid of the conduit command, specifically because the PDM utility does not recognize it and will not function properly as long as the commands remain. When I remove the conduit commands and replace them with what I think are the correct access-list commands, nothing works, specifically our ability to receive mail from the outside (but we can actually send to the outside). Here is the config.

access-list acl_ping permit icmp any any
access-list acl_inside permit tcp any any eq www
access-list acl_inside permit udp any any eq domain
access-list acl_inside permit udp any any eq tftp
access-list acl_inside permit ip any --moderator edit-- 255.255.255.0
access-list acl_inside permit tcp any any eq ftp
access-list acl_inside permit tcp any any eq ftp-data
access-list acl_inside permit tcp any any eq telnet
access-list acl_inside permit icmp any any
access-list acl_inside permit tcp any any eq https
access-list acl_inside permit tcp any any eq smtp
access-list acl_inside permit ip host 192.168.68.200 any
access-list acl_inside permit ip host 192.168.55.12 any
access-list acl_inside permit udp any any eq 7070
access-list acl_inside permit udp any any eq 7007
access-list acl_inside permit tcp any any eq 7070
access-list acl_inside permit udp any any range 6970 7170
access-list acl_inside permit tcp any any eq 554
access-list acl_inside permit tcp any any eq 8001
access-list acl_inside permit tcp any any eq 8080
access-list acl_inside permit ip host 192.168.55.30 any
access-list acl_inside permit icmp host 192.168.55.30 any
access-list acl_inside permit tcp host 192.168.55.30 eq www any
access-list acl_inside permit tcp host 192.168.55.30 eq https any
access-list acl_inside permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list acl_inside permit tcp host 192.168.55.21 eq ftp any
access-list acl_inside permit tcp host 192.168.55.21 eq ftp-data any
access-list acl_inside permit ip host 192.168.55.21 any
access-list acl_inside permit udp any host 192.168.55.96 range 5190 5193
access-list acl_inside permit tcp any host 192.168.55.96 range aol 5193
access-list acl_inside permit tcp host 192.168.55.96 any range aol 5193
access-list acl_inside permit udp host 192.168.55.96 any range 5190 5193
access-list acl_inside deny udp any any eq 5190
access-list acl_inside deny tcp any any eq aol
access-list acl_inside permit ip 10.2.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list acl_inside permit ip 10.3.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list acl_inside permit ip 10.0.0.0 255.0.0.0 192.168.0.0 255.255.0.0
access-list acl_inside permit ip 10.216.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list acl_inside permit ip 192.168.0.0 255.255.0.0 10.216.0.0 255.255.0.0
access-list acl_inside permit tcp any any eq 10000
access-list acl_inside permit udp any any eq 10000
access-list acl_inside permit tcp 192.168.67.0 255.255.255.0 eq citrix-ica any
access-list acl_inside permit udp 192.168.67.0 255.255.255.0 eq 1604 any
access-list acl_inside permit ip 192.168.0.0 255.255.0.0 192.168.65.0 255.255.255.0
access-list acl_inside permit tcp host 192.168.55.12 eq smtp any
access-list acl_inside permit tcp any host 192.168.55.12 eq smtp
access-list acl_inside permit tcp host 192.168.55.12 eq pop3 any
access-list acl_inside permit tcp any host 192.168.55.12 eq pop3
access-list acl_inside permit tcp any any eq pop3
access-list acl_inside permit ip any host 192.168.55.12
access-list acl_inside permit ip 192.168.0.0 255.255.0.0 1.1.1.0 255.255.255.0
access-list acl_inside permit ip 1.1.1.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list ipsec permit ip 192.168.55.0 255.255.255.0 192.168.67.0 255.255.255.0
access-list ipsec permit ip 192.168.68.0 255.255.255.0 192.168.67.0 255.255.255.0
access-list ipsec permit ip 192.168.0.0 255.255.0.0 192.168.67.0 255.255.255.0
access-list nonat permit ip 192.168.55.0 255.255.255.0 192.168.67.0 255.255.255.0
access-list nonat permit ip 192.168.68.0 255.255.255.0 192.168.67.0 255.255.255.0
access-list nonat permit ip 192.168.0.0 255.255.0.0 192.168.80.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.0.0.0 192.168.80.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.0.0.0 host 203.47.133.230
access-list nonat permit ip 192.168.0.0 255.255.0.0 host 203.47.133.230
access-list nonat permit ip 192.168.0.0 255.255.0.0 host 213.121.208.107
access-list nonat permit ip 192.168.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list nonat permit ip 192.168.0.0 255.255.0.0 10.216.0.0 255.255.0.0
access-list nonat permit ip 192.168.0.0 255.255.0.0 1.1.1.0 255.255.255.0
access-list nonat permit ip any 1.1.1.0 255.255.255.224
pager lines 24
logging buffered warnings
logging trap warnings
logging host outside 1.1.1.10
logging host inside 192.168.55.24
logging host outside --moderator edit--
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 100full
mtu outside 1500
mtu inside 1500
mtu failover 1500
ip address outside --moderator edit-- 255.255.255.224
ip address inside 192.168.68.216 255.255.255.0
ip address failover 10.10.10.1 255.255.255.252
ip audit info action alarm
ip audit attack action alarm
ip local pool bigpool 1.1.1.10-1.1.1.20
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 209.51.172.217
failover ip address inside 192.168.68.217
failover ip address failover 10.10.10.2
failover link failover
arp timeout 14400
global (outside) 1 --moderator edit--
nat (inside) 0 access-list nonat
nat (inside) 1 193.168.1.0 255.255.255.0 0 0
nat (inside) 1 192.168.0.0 255.255.0.0 0 0
static (inside,outside) --moderator edit-- 192.168.55.12 netmask 255.255.255.255 0 0
static (inside,outside) --moderator edit-- 192.168.55.30 netmask 255.255.255.255 0 0
static (inside,outside) --moderator edit-- 192.168.55.21 netmask 255.255.255.255 0 0
static (inside,outside) --moderator edit-- 192.168.55.100 netmask 255.255.255.255 0 0
static (inside,outside) --moderator edit-- 192.168.55.24 netmask 255.255.255.255 0 0
static (inside,outside) --moderator edit-- 192.168.55.117 netmask 255.255.255.255 0 0
static (inside,outside) --moderator edit-- 192.168.55.27 netmask 255.255.255.255 0 0
static (inside,outside) --moderator edit-- 192.168.55.97 netmask 255.255.255.255 0 0
access-group acl_inside in interface inside
conduit permit tcp host --moderator edit-- any eq smtp
conduit permit tcp host --moderator edit-- eq smtp any
conduit permit tcp host --moderator edit-- eq pop3 any
conduit permit icmp any any
conduit permit ip host --moderator edit-- any
conduit permit icmp any host --moderator edit--
conduit permit ip host --moderator edit-- any
conduit permit ip host --moderator edit-- any
conduit permit udp host --moderator edit-- any
conduit permit ip host --moderator edit-- any
conduit permit ip host --moderator edit-- any
conduit permit udp host --moderator edit-- eq snmptrap any
conduit permit ip host --moderator edit-- --moderator edit-- 255.255.255.0
conduit permit ip host --moderator edit-- --moderator edit-- 255.255.255.0
conduit permit ip host --moderator edit-- host --moderator edit--
conduit permit ip host --moderator edit-- any
conduit permit ip host --moderator edit-- any
conduit permit esp host --moderator edit-- any
conduit permit udp host --moderator edit-- any eq isakmp
conduit permit tcp host --moderator edit-- any eq 1723
conduit permit gre host --moderator edit-- any
conduit permit ah host --moderator edit-- any
conduit permit icmp host --moderator edit-- any
conduit permit esp any host --moderator edit--
conduit permit gre any host --moderator edit--
conduit permit tcp any host --moderator edit-- eq 1723
conduit permit udp any host --moderator edit-- eq isakmp
conduit permit ip host --moderator edit-- any
conduit permit udp host 192.168.55.96 any
conduit permit tcp host 192.168.55.96 any
route outside 0.0.0.0 0.0.0.0 --moderator edit-- 1
route inside 1.1.1.0 255.255.255.0 192.168.68.1 1
route inside 10.2.0.0 255.255.0.0 192.168.68.11 1
route inside 10.3.0.0 255.255.0.0 192.168.68.11 1
route inside 192.168.1.0 255.255.255.0 192.168.68.1 1
route inside 192.168.55.0 255.255.255.0 192.168.68.1 1
route inside 192.168.67.0 255.255.255.0 192.168.68.1 1
route inside 192.168.69.0 255.255.255.0 192.168.68.1 1
route inside 192.168.70.0 255.255.255.0 192.168.68.1 1
route inside 192.168.79.0 255.255.255.0 192.168.68.1 1
route inside 193.168.1.0 255.255.255.0 192.168.68.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80

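Editor's note on the migration itself, with an added example that is not part of the original post and not Cisco code. Two things stand out in the posted config. First, the only access-group is `access-group acl_inside in interface inside`; nothing is bound to the outside interface, so once the conduits go, inbound connections from outside (lower security) to the SMTP static are denied by default, even though the migrated entries such as `access-list acl_inside permit tcp any host 192.168.55.12 eq smtp` exist. Those entries sit on the inside interface and never see traffic entering from outside. Second, conduit and access-list list their addresses in opposite order: a conduit names the global (mapped, destination) address first and the foreign (source) address second, while an access-list is source first, destination second, with any port operator staying on the side it was written on. On PIX 6.x an inbound access-list still matches on the mapped address, the same as a conduit, so the addresses themselves carry over unchanged; only their order moves. The Python helper below performs exactly that reordering and appends the `access-group` that binds the new list to the outside interface. The input lines are constructed for this example, with 203.0.113.x standing in for the moderator-redacted static addresses; the name `acl_outside` is an assumption.

```python
"""Added example (not from the original post or from Cisco): rewrite PIX 6.x
'conduit' statements as the equivalent entries of an access-list bound to the
outside interface.

conduit  <action> <proto> <global_addr> [port] <foreign_addr> [port] [trailer]
acl      <action> <proto> <foreign_addr> [port] <global_addr> [port] [trailer]

The global (mapped) address is the destination seen from outside; the foreign
address is the source.  PIX 6.x inbound access-lists match on the mapped
address too, so only the order changes.
"""
from typing import List, Tuple

PORT_OPS = {"eq": 1, "neq": 1, "lt": 1, "gt": 1, "range": 2}  # operator -> argument count


def _take_addr(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume one address spec at tokens[i]: 'any' | 'host A' | 'A MASK'."""
    if i >= len(tokens):
        raise ValueError("missing address in: " + " ".join(tokens))
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        if i + 1 >= len(tokens):
            raise ValueError("'host' without an address in: " + " ".join(tokens))
        return f"host {tokens[i + 1]}", i + 2
    if i + 1 >= len(tokens):
        raise ValueError("address without a mask in: " + " ".join(tokens))
    return f"{tokens[i]} {tokens[i + 1]}", i + 2


def _take_port(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume an optional port operator (eq/neq/lt/gt/range) at tokens[i]."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        n = PORT_OPS[tokens[i]]
        if i + n >= len(tokens):
            raise ValueError("incomplete port operator in: " + " ".join(tokens))
        return " ".join(tokens[i:i + 1 + n]), i + 1 + n
    return "", i


def conduit_to_acl(line: str, acl_name: str = "acl_outside") -> str:
    """Return the access-list line equivalent to one conduit statement."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "conduit" or tokens[1] not in ("permit", "deny"):
        raise ValueError(f"not a conduit statement: {line!r}")
    action, proto = tokens[1], tokens[2]
    global_spec, i = _take_addr(tokens, 3)   # destination as seen from outside
    global_port, i = _take_port(tokens, i)    # destination port, if any
    foreign_spec, i = _take_addr(tokens, i)  # source
    foreign_port, i = _take_port(tokens, i)   # SOURCE port, if any (rarely what was intended)
    trailer = " ".join(tokens[i:])            # e.g. an ICMP type such as echo-reply
    parts = ["access-list", acl_name, action, proto, foreign_spec]
    if foreign_port:
        parts.append(foreign_port)
    parts.append(global_spec)
    if global_port:
        parts.append(global_port)
    if trailer:
        parts.append(trailer)
    return " ".join(parts)


def migrate(conduits: List[str], acl_name: str = "acl_outside") -> List[str]:
    """Convert every conduit and append the access-group that binds the new list."""
    out = [conduit_to_acl(c, acl_name) for c in conduits]
    out.append(f"access-group {acl_name} in interface outside")
    return out


# Constructed sample input (not the poster's real addresses): the same shapes as
# the posted config, with 203.0.113.x standing in for the redacted static globals.
SAMPLE_CONDUITS = [
    "conduit permit tcp host 203.0.113.12 eq smtp any",    # anyone -> mail relay, dst port 25
    "conduit permit tcp host 203.0.113.12 eq pop3 any",
    "conduit permit tcp host 203.0.113.12 any eq smtp",    # matches SOURCE port 25, not dst
    "conduit permit udp host 203.0.113.50 any eq isakmp",  # source-port match (IKE from udp/500)
    "conduit permit esp host 203.0.113.50 any",
    "conduit permit icmp any any echo-reply",
    "conduit permit ip host 203.0.113.30 10.216.0.0 255.255.0.0",
]

if __name__ == "__main__":
    for acl_line in migrate(SAMPLE_CONDUITS):
        print(acl_line)
```

Two checks worth doing on the generated list before applying it. Entries whose port operator ends up on the source side (the posted config has both `conduit permit tcp host X any eq smtp` and `conduit permit tcp host X eq smtp any`) match the client's source port rather than the service port; the first form almost never does what its author meant and can usually be dropped. Entries that name an inside address with no static, such as the two conduits for 192.168.55.96 in the posted config, never match on the outside interface because the outside sees only mapped addresses. On PIX 6.x an access-group bound to an interface takes precedence over conduits for that interface, so bind the new list only after it carries every inbound permit you need; then `show access-list` hit counts confirm which entries inbound mail is actually using, and `clear xlate` drops any translations and connections left over from the old rules without a reboot.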
1 Reply

thomas.chen
Level 6

The 6.2 command reference at http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/c.htm#xtocid6 states: "Add, delete, or show conduits through the PIX Firewall for incoming connections. However, the conduit command has been superseded by the access-list command. We recommend that you migrate your configuration away from the conduit command to maintain future compatibility." If there are connections to your mail server that were built during your change from conduit to ACL, the PIX may hold those states. I would reboot the PIX after saving your changes and test from there.
