Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Users might experience few discrepancies in Search results. We are working on this on our side. We apologize for the inconvenience it may have caused.
New Member

Stray conduit command...

Here's a what if question-->

What if my PIX config had 'stray' conduit commands within...conduits that permitted access to certain IP's that no longer existed within my infrastructure...i.e. removed machines. Any negative impacts?

1 REPLY
New Member

Re: Stray conduit command...

The negative impacts are 1. your PIX now has to proccess access lists against non existent machines, and 2. if a machine gets added later with that IP address, and you forget to remove the conduit, you have a potential security hole.

I would remove any access list that is not being used any more. And speaking of access lists, you should convert the conduits to access lists. Cisco is moving away from conduits. You can go to the following link, select PIX from the drop down list, and post your config for suggestions not only on converting conduits to access lists (this is how I did it, and it worked flawlessly), but also other potential errors or security risks.

https://www.cisco.com/cgi-bin/Support/OutputInterpreter/home.pl

89
Views
0
Helpful
1
Replies
CreatePlease to create content