Can anyone offer a doc link or a brief explanation of the difference between conduits and access lists? I'm quite familiar with router access lists, but this conduit thing is a bit new. Are conduits applied to all interfaces within a PIX, and does it then allow for the flow of traffic in any direction? Unlike access lists, conduits don't seem to get applied to any specific interface, nor do you have to explicitly define the direction of the traffic flow.
Actually, conduits are specific to an IP address, such as follows:
"conduit permit tcp host 192.168.1.10 eq www any"
These permit access from the outside world to the inside world on the ports specified. So if you want to open TCP ports ftp and https, you would do another conduit for each of them with the same IP address information.
You then also have to apply a static route such as this:
Conduits are, in fact, inbound. There is an outbound command, which, when used with apply, works like an outbound access-list.
Conduits and outbound are the older way to do it. It still works fine, but if you are comfortable with ACLs, and your PIX version supports them, I'd recommend using them. The only caveat is that in PIX ACLs, you use the subnet mask, instead of the wildcard mask. Kind of a pain, but....
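To make the conduit-versus-ACL difference concrete, here is a small added example (not code from the thread) that rewrites a classic PIX `conduit` line, such as the one quoted above, into the equivalent `access-list` plus `access-group` pair, and converts a router-style wildcard mask into the subnet mask a PIX ACL expects. The ACL name `outside_in` and the interface name `outside` are assumptions; the ICMP form of `conduit` (type instead of port) is not handled.

```python
"""Rewrite a PIX 'conduit' line as the equivalent access-list / access-group pair.

Conduit syntax (destination first, then source):
  conduit permit|deny PROTO GLOBAL_ADDR [OP PORT] FOREIGN_ADDR [OP PORT]
where an address is 'any', 'host A', or 'A SUBNET_MASK'.
PIX access-lists use the usual source-then-destination order, and must then be
bound to an interface with 'access-group ... in interface ...'.
"""
import ipaddress

PORT_OPS = {"eq", "neq", "lt", "gt"}   # 'range' takes two port arguments


def _take_addr(tokens):
    """Consume one address spec and return (words, remaining tokens)."""
    if tokens[0] == "any":
        return ["any"], tokens[1:]
    if tokens[0] == "host":
        return ["host", tokens[1]], tokens[2:]
    return [tokens[0], tokens[1]], tokens[2:]           # ADDR SUBNET_MASK


def _take_port(tokens):
    """Consume an optional port operator (eq/neq/lt/gt PORT or range A B)."""
    if tokens and tokens[0] == "range":
        return tokens[:3], tokens[3:]
    if tokens and tokens[0] in PORT_OPS:
        return tokens[:2], tokens[2:]
    return [], tokens


def conduit_to_acl(conduit, acl_name="outside_in", interface="outside"):
    """Return (access-list line, access-group line). Names are assumptions."""
    tokens = conduit.split()
    if tokens[:1] != ["conduit"] or tokens[1] not in ("permit", "deny"):
        raise ValueError("not a conduit line: %r" % conduit)
    action, proto, rest = tokens[1], tokens[2], tokens[3:]
    dst, rest = _take_addr(rest)        # conduit lists the inside/global side first
    dst_port, rest = _take_port(rest)
    src, rest = _take_addr(rest)        # then the outside/foreign side
    src_port, rest = _take_port(rest)
    if rest:
        raise ValueError("unexpected trailing tokens: %r" % rest)
    acl = " ".join(["access-list", acl_name, action, proto,
                    *src, *src_port, *dst, *dst_port])
    group = "access-group %s in interface %s" % (acl_name, interface)
    return acl, group


def wildcard_to_netmask(wildcard):
    """Router ACLs use wildcard masks; PIX access-lists need subnet masks."""
    bits = int(ipaddress.IPv4Address(wildcard))
    return str(ipaddress.IPv4Address(bits ^ 0xFFFFFFFF))
```

Note that the ACL only replaces the conduit; the inbound `static` translation for the inside host is still needed, exactly as with conduits.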
I would say that I prefer the way in which a conduit works. A conduit makes use of the PIX ASA in that it automatically allows valid return traffic. When configuring access-lists on the other hand you will need to define the return traffic and specifically permit this in the access-lists.