Book Excerpt: Cisco Secure Internet Security Solutions - part 3 - Page 5

By Cisco Press | Posted Sep 20, 2001

conduit Command
The conduit command is necessary to allow packets to travel from a lower security level to a higher security level. The PIX Firewall allows packets from a higher security level to travel to a lower security level. However, only packets in response to requests initiated on the higher security level interface can travel back through from a lower security level interface. The conduit command changes this behavior. By issuing a conduit command, you are opening a hole through the PIX to the host that is specified for certain protocols from specified hosts.

The conduit command acts very much like adding a permit statement to an access list. The default behavior of the PIX is to act as if there were a deny all access list applied. Because you must allow e-mail to reach your server, you need to use the conduit command. The rule for access from a higher security level interface to a lower security level interface is to use the nat command. For access from a lower security level interface to a higher security level interface, use the static and conduit commands. As with any opening into the corporate network, this opening should be as narrow as possible. The following allows any host on the Internet to send mail to the host:

 conduit permit tcp host 192.168.1.49 eq smtp any

If you wish to limit the originating IP address for e-mail, replace the any at the end of the preceding line with a source IP address and network mask. You are allowed to have as many conduit statements as required. The following example allows SMTP traffic to enter the network from one of three networks -- two with Class C subnets and the final one with a Class B subnet:

 conduit permit tcp host 192.168.1.49 eq smtp 10.5.5.0 255.255.255.0
 conduit permit tcp host 192.168.1.49 eq smtp 10.15.6.0 255.255.255.0
 conduit permit tcp host 192.168.1.49 eq smtp 10.19.0.0 255.255.0.0

The combination of the static declaration and the conduit command can allow FTP traffic through your network. You have allowed FTP traffic to the FTP server with the following two lines:

 static (inside, outside) 192.168.1.35 10.1.1.35 netmask 255.255.255.255 0 0
 conduit permit tcp host 192.168.1.35 eq ftp any

It is possible to have multiple conduit commands associated with a single IP address. For example, the following lines allow SMTP, FTP, and HTTP services to gain access to a single server:

 static (inside, outside) 192.168.1.35 10.1.1.35 netmask 255.255.255.255 0 0
 conduit permit tcp host 192.168.1.35 eq ftp any
 conduit permit tcp host 192.168.1.35 eq http any
 conduit permit tcp host 192.168.1.35 eq smtp any

Notice that there is a single static statement for the host. Although some versions of the PIX IOS will allow you to enter multiple static commands for a single address, only the first static command is used; the PIX ignores any later static command for that host. With multiple conduit commands you can also mix permit and deny statements, allowing traffic from some networks while denying it from others. In the following example, you deny FTP traffic from the 10.5.1.0 /24 network, while allowing traffic from all other networks. Note that the narrower deny statement is listed before the broader permit:

 static (inside, outside) 192.168.1.35 10.1.1.35 netmask 255.255.255.255 0 0
 conduit deny tcp host 192.168.1.35 eq ftp 10.5.1.0 255.255.255.0
 conduit permit tcp host 192.168.1.35 eq ftp any
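
To review a set of conduit statements before they go onto a firewall, it helps to model what the PIX will do with a given packet. The following Python policy checker is an added example, not code from the book or from Cisco: it parses the conduit lines shown above (host destination, eq service, source as any or as address plus mask), applies the default deny when nothing matches, and assumes first-match evaluation in the order listed, which is why the deny line for 10.5.1.0/24 sits ahead of the permit any line.

```python
import ipaddress

# Service names used in the excerpt, mapped to their TCP ports.
SERVICES = {"smtp": 25, "ftp": 21, "http": 80}


def parse_conduit(line):
    """Parse one 'conduit permit|deny tcp host DST eq SVC SRC [MASK]' line."""
    t = line.split()
    if len(t) < 8 or t[0] != "conduit" or t[2] != "tcp" or t[3] != "host" or t[5] != "eq":
        raise ValueError(f"unsupported conduit syntax: {line}")
    action, dst, svc = t[1], t[4], t[6]
    port = SERVICES[svc] if svc in SERVICES else int(svc)
    if t[7] == "any":
        src = ipaddress.ip_network("0.0.0.0/0")
    else:
        # Source is written as ADDRESS MASK, e.g. 10.5.5.0 255.255.255.0
        src = ipaddress.ip_network(f"{t[7]}/{t[8]}", strict=False)
    return {"action": action, "dst": dst, "port": port, "src": src}


def evaluate(conduits, src_ip, dst_ip, dst_port):
    """Return 'permit' or 'deny' for a packet from src_ip to dst_ip:dst_port.

    Assumption: conduits are checked in the order listed and the first match
    wins; with no match the PIX default (deny everything inbound) applies.
    """
    src = ipaddress.ip_address(src_ip)
    for c in conduits:
        if c["dst"] == dst_ip and c["port"] == dst_port and src in c["src"]:
            return c["action"]
    return "deny"


# The two policies from the excerpt, constructed here as sample input.
SMTP_POLICY = [parse_conduit(l) for l in [
    "conduit permit tcp host 192.168.1.49 eq smtp 10.5.5.0 255.255.255.0",
    "conduit permit tcp host 192.168.1.49 eq smtp 10.15.6.0 255.255.255.0",
    "conduit permit tcp host 192.168.1.49 eq smtp 10.19.0.0 255.255.0.0",
]]
FTP_POLICY = [parse_conduit(l) for l in [
    "conduit deny tcp host 192.168.1.35 eq ftp 10.5.1.0 255.255.255.0",
    "conduit permit tcp host 192.168.1.35 eq ftp any",
]]

if __name__ == "__main__":
    print(evaluate(FTP_POLICY, "10.5.1.7", "192.168.1.35", 21))   # deny
    print(evaluate(SMTP_POLICY, "10.19.200.1", "192.168.1.49", 25))  # permit
```

Swapping the two FTP lines makes the 10.5.1.0/24 deny unreachable, which is the kind of ordering mistake a check like this catches before the conduit is entered.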
