Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

conduit vs access list

can anyone offer a doc-link or an brief explanation of the difference between conduits and access lists. Im quite familar with router access lists, this conduit thing is a bit new. Are conduits applied to all interfaces withn a pix and does it then allow for the flow of traffic in any direction? Unlike access lists, conduits don't seem to get applied to any specific interface nor do you have to explicitly define the direction of the traffic flow.

New Member

Re: conduit vs access list


Actually coduits are specific to an IP address such as follows:

"conduit permit tcp host eq www any"

These permit access from the outside world to the inside world on the ports specified. SO if you want to open TCP ports ftp, and https you would do another conduit for each of them with the same IP address information.

You then have to apply also a static route such as this:

"static (DMZ,outside) [public IP] [Private IP] netmask"

This will allow traffic from the outside to access the private IP address on the inside through your PIX.

New Member

Re: conduit vs access list

so, any configured conduits (at least by default) apply only to the outside interface torwards the inside?

New Member

Re: conduit vs access list

Conduits are, in fact, inbound. There is an outbound command, which, when used with apply, works like an outbound access-list.

Conduits and outbound are the older way to do it. It still works fine, but if you are comfortable with ACLs, and your PIX version supports them, I'd recommend using them. The only caveat is that in PIX ACLs, you use the subnet mask, instead of the wildcard mask. Kind of a pain, but....


New Member

Re: conduit vs access list

No. In the example I mentioned I used the DMZ and outside but you can apply the conduit to any zone in the same maneer.

If you want inside, DMZ you can do this as well.



P.S. I just did this on our network so its fresh in my mind. Go to the Cisco site or email me off list and I will email you the documents that explain this...

New Member

Re: conduit vs access list

I would say that I prefer the way in which a conduit works. A conduit makes use of the PIX ASA in that it automatically allows valid return traffic. When configuring access-lists on the other hand you will need to define the return traffic and specifically permit this in the access-lists.