Cisco Support Community
New Member

Will conduit take precedence over stateful inspection?

Will the conduit statement:

conduit permit ip host host_ip any

allow out-of-session packets (for which the firewall does not have an entry in its connection table) arriving due to asymmetric routing?

3 REPLIES
Silver

Re: Will conduit take precedence over stateful inspection?

Yes, all IP packets will be allowed.

HTH.

Re: Will conduit take precedence over stateful inspection?

No, this is not correct. The conduit statement specified will allow SYN packets sourced from anywhere into this host but once the conn is created, the PIX will check Sequence #, ACK #, flags, etc. via the ASA to determine if the packets are allowed to pass. If the packets do not match a current conn, the PIX will silently drop the packet.

Scott
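
The behaviour described in the reply above, as a toy model added here for illustration (it is not part of the thread and not Cisco's implementation): the permit rule is consulted only when a SYN opens a connection, and every other packet must match an existing conn entry. The class and field names, the documentation-range addresses, and the exact-match sequence check are assumptions made for the example.

```python
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10  # TCP flag bits

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    seq: int
    length: int = 0  # payload bytes carried by this segment

class StatefulFilter:
    """Hypothetical model: a permit rule plus a connection table."""

    def __init__(self, conduit_hosts):
        # Models 'conduit permit ip host host_ip any' for each listed host.
        self.conduit_hosts = set(conduit_hosts)
        # (src, sport, dst, dport) -> next sequence number expected from the initiator
        self.conns = {}

    def inbound(self, p):
        key = (p.src, p.sport, p.dst, p.dport)
        if key not in self.conns:
            # No state yet: only a bare SYN to a permitted host creates a conn.
            if p.flags == SYN and p.dst in self.conduit_hosts:
                self.conns[key] = p.seq + 1  # a SYN consumes one sequence number
                return "permit: new conn"
            return "drop: no matching conn"
        # State exists: the rule is not consulted again, the packet must fit it.
        # Simplified to an exact match; a real device checks a window and flags.
        if p.seq != self.conns[key]:
            return "drop: out of state"
        self.conns[key] += p.length
        return "permit: matches conn"

def demo():
    fw = StatefulFilter(["192.0.2.10"])           # constructed sample addresses
    flow = ("198.51.100.7", 40000, "192.0.2.10", 80)
    other = ("198.51.100.7", 40001, "192.0.2.10", 80)
    return [
        fw.inbound(Packet(*flow, SYN, 1000)),        # handshake seen by this firewall
        fw.inbound(Packet(*flow, ACK, 1001, 100)),   # next in-sequence segment
        fw.inbound(Packet(*flow, ACK, 9999, 100)),   # sequence number does not fit
        fw.inbound(Packet(*other, ACK, 5000, 100)),  # asymmetric path: SYN never seen here
    ]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The last packet is the asymmetric-routing case from the question: the destination host is covered by the permit rule, but the packet is dropped because no conn entry exists for it.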

Silver

Re: Will conduit take precedence over stateful inspection?

Scott,

Thanks for the correction and clarification.

Rais.
