Conduit Statements

The conduit command can be used to create an exception to the PIX Firewall ASA that prevents traffic originating on a lower-level security traffic interface from passing to higher- level areas. The most obvious example would be allowing outside users to access DMZ or inside shared resources, such as servers.

PIX Firewall version 5.3 introduced ACL features similar to those supported in Cisco IOS-based devices. Although it’s strongly recommended that configurations use the more secure access-list command approach instead of the conduits, conduits are still supported by the PIX OS for backward compatibility.

STUDY TIP?

The current PIX Firewall Advanced Exam (CSPFA 9E0-111) assumes PIX OS v6.2, so conduits won’t appear on the exam. All CCSP exams after 3/1/2003 also assume ACLS are the preferred approach over the older conduits.

The enhanced security of ACLs over conduits derives from the fact that the scope of ACLs can be easily and explicitly limited because they’re applied to specific interfaces with an access-group command. The conduit command, on the other hand, applies to all but the inside interface, and then relies on proper configuration of static and global commands to limit access.

Configuring Conduits

The configuration mode conduit command, like the newer access-list command, supports options for regular traffic filtering, ICMP message filtering, and even object group implementation. Use the no form of each to remove the conduit command. The following standard and ICMP message conduit syntax and examples are offered for informational purposes only:

Pix(config)# conduit {permit | deny} protocol global_ip global_mask [operator port [port]] foreign_ip foreign_mask [operator port [port]]Pix(config)# conduit {permit | deny} icmp global_ip global_mask foreign_ip foreign_mask [icmp_type]

The clear conduit command removes all conduit command statements from your configuration. The clear conduit counters command clears the current conduit hit count.

The following examples compare a conduit and an access-list command used to allow access to a web server on the DMZ. In each case, the static creates the address translation from the DMZ (192.168.2.4) to the global IP address (1.1.1.4).

Pix(config)# static (dmz,outside) 1.1.1.4 192.168.2.4 netmask 255.255.255.255
Pix(config)# conduit permit tcp host 1.1.1.4 eq 80 any

Pix(config)# static (dmz,outside) 1.1.1.4 192.168.2.4 netmask 255.255.255.255
Pix(config)# access-list 105 permit tcp any host 1.1.1.4 eq 80 
Pix(config)# access-group 105 in interface outside

The next example compares a conduit and an access-list command used to allow ICMP messages though the router. Note that the access list is specifically limited to incoming traffic on the outside interface.

pix(config)# conduit permit icmp any any echo-reply
pix(config)# conduit permit icmp any any time-exceeded
pix(config)# conduit permit icmp any any unreachable

pix(config)# access-list 100 permit icmp any any echo-reply ?
pix(config)# access-list 100 permit icmp any any time-exceeded ?
pix(config)# access-list 100 permit icmp any any unreachable
Pix(config)# access-group 100 in interface outside