Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

PIX conduit allowing IP any

We have a conduit on our test PIX allowing IP any from the DMZ to the internal network. I read this on Cisco's website regarding IP any:

Note: Be careful when implementing these commands. If either the conduit permit ip any any or access-list 101 permit ip any any command is implemented, any host on the untrusted network could access any host on the trusted network using IP as long as there was an active translation.

My question is this: will a conduit denying UDP port 1434 (or any port for that matter) have any affect with the IP any conduit in place? Given that there is more than likely an active translation in the table.

Thanks for any help

New Member

Re: PIX conduit allowing IP any

If your conduit rule denying UDP is set before the ip any any, all traffic will be let through except for that specific UDP port or which ever port you define. By looking at your notes it seems that you are trying to protect the slammer worm coming to your network from your DMZ while still allowing for other traffic to go through, if this is the case putting the UDP port rule before the ip any any will protect you from the worm

CreatePlease to create content