Conduits
Using conduits is another method for permitting inbound access. Its syntax is provided
here:
conduit permit | deny
[
Cisco recommends not using conduits, but to use access lists instead. The
protocol, operator, and port parameters are the same as in access lists. The global_ip
parameter defines the global IP addresses of the host to permit or deny access to,
and the foreign_ip parameter defines the IP address to permit access from. The
global_mask and foreign_mask parameters are the subnet masks applied to global_ip
and foreign_ip, respectively.
The PIX processes the conduit commands in the order they are typed. Once
conduits have been created, nothing more has to be done to enable them.
Conduits are not actually applied to an interface. Based on the global_ip, conduits
are applied to source and destination addresses.
www.syngress.com
114 Chapter 3 • Passing Traffic
For example, if a Web server with an internal IP address of 172.16.1.10
resides on the DMZ network, the following commands would permit access to it
from any foreign IP address:
PIX1(config)# static (dmz, outside) 10.1.5.10 172.16.1.10 netmask 255.255.255.255 0 0
PIX1(config)# conduit permit tcp host 10.1.5.10 eq www any
Since the Web server is using a private IP address, the foreign client would
use the public address to access the server. The conduit created would only work
between the outside and DMZ interfaces because the static command defines
these interfaces in the translation.
Another example of conduit commands is as follows. This command enables
DNS lookups to proceed from anywhere outside the network to the DNS server
with address 10.1.5.11:
PIX1(config)# static (dmz, outside) 10.1.5.11 172.16.1.11 netmask 255.255.255.255 0 0
PIX1(config)# conduit permit udp host 10.1.5.11 eq domain any
PIX1(config)# conduit permit tcp host 10.1.5.11 eq domain any
This command enables an e-mail server (172.16.1.12) to receive SMTP
e-mail from outside the network as 10.1.5.12:
PIX1(config)# static (dmz, outside) 10.1.5.12 172.16.1.12 netmask 255.255.255.255 0 0
PIX1(config)# conduit permit tcp host 10.1.5.12 eq smtp any
The show conduit command, as illustrated here, can show all the conduits
currently configured on the PIX:
PIX1# show conduit
conduit permit tcp host 10.1.5.10 eq www any (hitcnt=0)
conduit permit udp host 10.1.5.11 eq domain any (hitcnt=0)
conduit permit tcp host 10.1.5.11 eq domain any (hitcnt=0)
conduit permit tcp host 10.1.5.12 eq smtp any (hitcnt=0)
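Because Cisco recommends access lists over conduits, the following added example (not part of the original text) rewrites conduit statements like those above as access-list entries, swapping the conduit order (global address first, foreign address second) into the access-list order (source first, destination second). The ACL name acl_out, the inbound binding to the outside interface, and the function names are assumptions made for illustration.

```python
import re

# Constructed sample: the four conduit statements shown on this page.
SAMPLE = """\
conduit permit tcp host 10.1.5.10 eq www any
conduit permit udp host 10.1.5.11 eq domain any
conduit permit tcp host 10.1.5.11 eq domain any
conduit permit tcp host 10.1.5.12 eq smtp any
"""
OPERATORS = {"eq": 1, "lt": 1, "gt": 1, "neq": 1, "range": 2}  # operator -> port count

def take_endpoint(tokens):
    """Consume one address spec plus an optional port operator; return it as text."""
    head = tokens.pop(0)
    if head == "any":
        parts = ["any"]
    else:  # "host <ip>" or an explicit "<ip> <mask>" pair
        parts = [head, tokens.pop(0)]
    if tokens and tokens[0] in OPERATORS:
        op = tokens.pop(0)
        parts += [op] + [tokens.pop(0) for _ in range(OPERATORS[op])]
    return " ".join(parts)

def conduit_to_acl(line, acl_name="acl_out"):
    """Rewrite one conduit statement as an access-list entry."""
    # conduit order:     action protocol <global = destination> <foreign = source>
    # access-list order: action protocol <source> <destination>
    tokens = re.sub(r"\(hitcnt=\d+\)", "", line).split()
    if len(tokens) < 5 or tokens[0] != "conduit" or tokens[1] not in ("permit", "deny"):
        raise ValueError(f"not a conduit statement: {line!r}")
    action, protocol, rest = tokens[1], tokens[2], tokens[3:]
    try:
        destination = take_endpoint(rest)  # global_ip side
        source = take_endpoint(rest)       # foreign_ip side
    except IndexError:
        raise ValueError(f"truncated conduit statement: {line!r}") from None
    if rest:  # e.g. ICMP type arguments, which this example does not handle
        raise ValueError(f"unparsed tokens {rest} in: {line!r}")
    return f"access-list {acl_name} {action} {protocol} {source} {destination}"

def convert(config, acl_name="acl_out", interface="outside"):
    """Convert conduit lines in their original order, then bind the ACL inbound."""
    acl = [conduit_to_acl(l, acl_name) for l in config.splitlines() if l.strip()]
    return acl + [f"access-group {acl_name} in interface {interface}"]

if __name__ == "__main__":
    print("\n".join(convert(SAMPLE)))
```

Unlike conduits, the resulting access list takes effect only once the access-group line binds it to an interface, and the converted entries keep the order in which the conduits were typed.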