Conduit with object-group?

I cannot figure out the correct syntax for the conduit command to employ an object-group service.

The object-group is like this:

object-group service Netmeeting TCP

port-object eq h323

port-object eq 1731

port-object eq 1503

I need the conduit to allow any outside IP to access one server through these ports:

The logical conclusion would be:

conduit permit tcp host x.x.x.x eq Netmeeting any

but that does not work, and I have tried many other variants per the command output below:

Usage: [no] conduit deny|permit <protocol>|object-group <protocol_obj_grp_id>

<g_ip> <g_mask> | object-group <network_obj_grp_id>

[<operator> <port> [<port>] | object-group <service_obj_grp_id>]

<f_ip> <f_mask> | object-group <network_obj_grp_id>

[<operator> <port> [<port>] | object-group <service_obj_grp_id>]

[no] conduit deny|permit icmp <g_ip> <g_mask> | object-group <network_obj_grp_id>

<f_ip> <f_mask> | object-group <network_obj_grp_id>

[<icmp_type> | object-group <icmp_type_obj_grp_id>]

Thanks for any help

Jeff

6 REPLIES
Re: Conduit with object-group?

What version of OS are you running? Personally, I would not use the conduit command. It's best to set up a static one-to-one PAT with an access-list. Example:

Static map:

static (inside,outside) tcp netmask 255.255.255.255 0 0

Then an access-list:

access-list inbound permit ip tcp any host eq

Re: Conduit with object-group?

6.3.1

I need to use conduits.

Thanks

Re: Conduit with object-group?

Hi,

You need to use the 'object-group' keyword together with the name of the object-group:

conduit permit tcp host x.x.x.x eq object-group Netmeeting any

Please know that version 7 of the upcoming PIX OS will probably no longer support the conduit commands.

Kind Regards,

Tom

Re: Conduit with object-group?

Thanks for the reply, however that did not work: this is what I got -

CS-PIX1(config)# conduit permit tcp host X.X.X.76 eq object-group Netmeeting any

ERROR: invalid port object-group

Usage: [no] conduit deny|permit <protocol>|object-group <protocol_obj_grp_id>

<g_ip> <g_mask> | object-group <network_obj_grp_id>

[<operator> <port> [<port>] | object-group <service_obj_grp_id>]

<f_ip> <f_mask> | object-group <network_obj_grp_id>

[<operator> <port> [<port>] | object-group <service_obj_grp_id>]

[no] conduit deny|permit icmp <g_ip> <g_mask> | object-group <network_obj_grp_id>

<f_ip> <f_mask> | object-group <network_obj_grp_id>

[<icmp_type> | object-group <icmp_type_obj_grp_id>]

CS-PIX1(config)#

Thanks

Jeff

Re: Conduit with object-group?

Hi Jeff,

It seems that I made a mistake in my previous reply.

Sorry for that.

This should work (no 'eq'):

conduit permit tcp host X.X.X.76 object-group Netmeeting any

Regards,

Tom
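As an added example (not from the thread, not Cisco code), a small Python checker that reads object-group service blocks and expands a conduit line into the individual ports it opens, rejecting the 'eq object-group' form that produced the "invalid port object-group" error above. The host address 192.0.2.76 and the h323=1720 name mapping are assumptions.

```python
import re

# Constructed sample, modelled on the thread's Netmeeting group and the working
# conduit line from the corrected reply (real host address replaced by a placeholder).
SAMPLE_CONFIG = """\
object-group service Netmeeting tcp
 port-object eq h323
 port-object eq 1731
 port-object eq 1503
conduit permit tcp host 192.0.2.76 object-group Netmeeting any
"""

# Assumption: PIX resolves the named port h323 to 1720 (standard H.323 call signalling).
PORT_NAMES = {"h323": 1720}

def parse_service_groups(config):
    """Return {name: (protocol, [ports])} for every 'object-group service' block."""
    groups, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"object-group service (\S+) (tcp|udp|tcp-udp)", line, re.I):
            current = m.group(1)
            groups[current] = (m.group(2).lower(), [])
        elif current and (m := re.fullmatch(r"port-object eq (\S+)", line)):
            p = m.group(1)
            groups[current][1].append(int(p) if p.isdigit() else PORT_NAMES[p])
        elif not line.startswith("description"):
            current = None  # any other line ends the object-group block
    return groups

def expand_conduit(line, groups):
    """Expand one conduit line into (action, proto, host, port, source) tuples,
    one per port it really opens, rejecting the syntax mistakes seen in the thread."""
    tokens = line.split()
    if "eq" in tokens and tokens[tokens.index("eq") + 1:][:1] == ["object-group"]:
        # PIX wants 'object-group X' in the port position, not 'eq object-group X'
        raise ValueError("invalid port object-group: drop the 'eq' before 'object-group'")
    m = re.fullmatch(r"conduit (permit|deny) (tcp|udp) host (\S+) "
                     r"(?:eq (\S+)|object-group (\S+)) (\S+)", line.strip())
    if not m:
        raise ValueError("unsupported conduit syntax: " + line)
    action, proto, host, port, grp, src = m.groups()
    if grp:
        gproto, ports = groups[grp]
        if gproto not in (proto, "tcp-udp"):  # e.g. a TCP group referenced from a UDP rule
            raise ValueError(f"object-group {grp} is {gproto}, rule is {proto}")
    else:
        ports = [int(port) if port.isdigit() else PORT_NAMES[port]]
    return [(action, proto, host, p, src) for p in ports]
```

Running the expansion over a saved configuration shows exactly which ports a single object-group conduit exposes on the server, which is the review a firewall administrator wants before committing the line.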

Re: Conduit with object-group?

Bad idea.

I believe Cisco will be dropping support for conduits at some point.

Depending on what you are doing, something like this will work...

object-group service MyPorts udp

description Client PNAT UDP Services

port-object eq 7070

object-group network MyPNAT

description Clients PNAT Public IP

network-object host 6.21.12.18

access-list MyACL permit udp any object-group MyPorts object-group MyPNAT object-group MyPorts

access-list MyACL permit ip any object-group MyPNAT

access-list MyACL permit ip object-group MyPNAT any

static (inside,outside) udp 6.21.12.18 7070 192.168.1.8 7070 netmask 255.255.255.255 0 0

access-group MyACL in int outside

This will force inbound/outbound traffic for internal host 192.168.1.8 on UDP port 7070 onto my PNAT'd addy 6.21.12.18.

This in effect overrides the NAT engine for just the specified port range. All other IP traffic from the internal host 192.168.1.8 will use the NAT engine.

It would be nice to be able to use object-groups in the static statements, but if your only reason to use conduits is for that support, I would say it's not worth it to use them and use statics instead.
