PIX OS 6.2 & Conduits

johnbroadway
Level 1

I don't know if anyone else has noticed this, but I upgraded our PIX to 6.2 yesterday and the syntax of the Conduit command seems to have changed slightly.

My Conduits from the previous OS were not taken and I had to recreate them all changing the syntax slightly.

Just watch out if you're doing a remote upgrade of the OS and won't have console access during the reboot!

5 Replies

rgrcommo
Level 1

Interesting.. I did this also the other day but I have access lists not conduits - and had no problems.. good to know though.

cyee
Level 1

Can you post a short description of the syntactic differences?

TIA

I noticed that the conduit command doesn't seem to accept any global mask except for a /32 or the keyword host.

It gives a "Source address doesn't pair" error.

The only solution I could find was to use /32 or the keyword host.

Hello all,

I have a conduit command on my PIX that allows a ping from workstations on my LAN to reach a remote machine across the net.

conduit permit icmp host 65.165.98.171 170.31.92.16 255.255.255.252

The host IP above is my (outside) IP address on my PIX. How can I accomplish the same thing with an access-list?

I believe NAT allows all (pings) out but the reply just cannot get back in. Do I place an access-group on the (outside) interface "in"?

Thanks,

Jerry Roy

If you go to the PIX Support Pages, and search on ICMP, you'll find the document that explains how to manage ICMP traffic using the older method, as well as the newer access-list method.
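
Added example, not part of the thread and not Cisco tooling: a small Python helper that rewrites a basic conduit line as the equivalent access-list entry, using the conduit quoted above as input. A conduit lists the global (destination) address first and the foreign (source) address second, while an access-list lists source first; the ACL name acl_outside_in is a hypothetical placeholder, and only the any / host / address-plus-mask forms are handled.

```python
import ipaddress

def _is_addr_start(tok):
    """True if tok begins an address spec: 'any', 'host', or a dotted quad."""
    if tok in ("any", "host"):
        return True
    try:
        ipaddress.IPv4Address(tok)
        return True
    except ValueError:
        return False

def _take_addr(tokens):
    """Consume 'any', 'host <ip>' or '<ip> <mask>' from the front of tokens."""
    if not tokens or not _is_addr_start(tokens[0]):
        raise ValueError("expected an address, got: %r" % tokens[:1])
    n = 1 if tokens[0] == "any" else 2
    if len(tokens) < n:
        raise ValueError("incomplete address: %r" % tokens)
    if n == 2:
        ipaddress.IPv4Address(tokens[1])  # raises ValueError on a bad ip/mask
    return tokens[:n], tokens[n:]

def _take_qualifier(tokens):
    """Consume a port qualifier (e.g. 'eq www') up to the next address."""
    i = 0
    while i < len(tokens) and not _is_addr_start(tokens[i]):
        i += 1
    return tokens[:i], tokens[i:]

def conduit_to_acl(line, acl_name="acl_outside_in"):  # acl_name is hypothetical
    tok = line.split()
    if len(tok) < 4 or tok[0] != "conduit" or tok[1] not in ("permit", "deny"):
        raise ValueError("not a conduit permit/deny line")
    action, proto, rest = tok[1], tok[2], tok[3:]
    glob, rest = _take_addr(rest)          # conduit: global (destination) first
    glob_q, rest = _take_qualifier(rest)
    foreign, trailing = _take_addr(rest)   # then foreign (source)
    if proto == "icmp":
        body = foreign + glob + glob_q + trailing   # ICMP type stays last
    else:
        body = foreign + trailing + glob + glob_q   # ports follow their address
    return " ".join(["access-list", acl_name, action, proto] + body)

def bind_outside(acl_name="acl_outside_in"):
    """The access-group line that applies the ACL inbound on the outside interface."""
    return "access-group %s in interface outside" % acl_name
```

The access-list entry has no effect until the access-group line binds it inbound on the outside interface.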
