conduit


Add, delete, or show conduits through the firewall for incoming connections.


[no] conduit permit|deny protocol global_ip global_mask 
        [operator port [port]] foreign_ip foreign_mask 
        [operator port [port]]

conduit permit|deny icmp global_ip global_mask foreign_ip foreign_mask [icmp_type]

clear conduit

show conduit


Syntax Description

permit Permit access if the conditions are matched.
deny Deny access if the conditions are matched.
protocol Specify the transport protocol for the connection. Possible literal values are icmp, tcp, udp, or an integer in the range 0 through 255 representing an IP protocol number. Use ip to specify all transport protocols. If you specify the icmp protocol, you can permit or deny ICMP access to one or more global IP addresses. Specify the ICMP type in the icmp_type variable, or omit to specify all ICMP types. See "Usage Guidelines" for a complete list of the ICMP types.
global_ip A global IP address previously defined by a global or static command. You can use any if the global_ip and global_mask are 0.0.0.0 0.0.0.0. The any option applies the permit or deny parameters to the global addresses. If global_ip is a host, you can omit global_mask by specifying the host command before global_ip. For example:

conduit permit tcp host 209.165.201.1 eq ftp any

This example lets any foreign host access global address 209.165.201.1 for FTP.

global_mask Network mask of global_ip. The global_mask is a 32-bit, four-part dotted decimal; such as, 255.255.255.255. Use zeros in a part to indicate bit positions to be ignored. Use subnetting if required. If you use 0 for global_ip, use 0 for the global_mask; otherwise, enter the global_mask appropriate to global_ip.
foreign_ip An external IP address (host or network) that can access the global_ip. You can specify 0.0.0.0 or 0 for any host. If both the foreign_ip and foreign_mask are 0.0.0.0 0.0.0.0, you can use the shorthand any option. If foreign_ip is a host, you can omit foreign_mask by specifying the host command before foreign_ip. For example:
conduit permit tcp any eq ftp host 209.165.201.2

This example lets foreign host 209.165.201.2 access any global address for FTP.

foreign_mask Network mask of foreign_ip. The foreign_mask is a 32-bit, four-part dotted decimal; such as, 255.255.255.255. Use zeros in a part to indicate bit positions to be ignored. Use subnetting if required. If you use 0 for foreign_ip, use 0 for the foreign_mask; otherwise, enter the foreign_mask appropriate to foreign_ip. You can also specify a mask for subnetting. For example: 255.255.255.192.
operator A comparison operand that allows you to specify a port or a port range. Use without an operator and port to indicate all ports; for example:
conduit permit tcp any any

Use eq and a port to permit or deny access to just that port. For example use eq ftp to permit or deny access only to FTP:

conduit deny tcp host 192.168.1.1 eq ftp host 209.165.201.1

Use lt and a port to permit or deny access to all ports less than the port you specify. For example, use lt 2025 to permit or deny access to the well known ports (1 to 1024).

conduit permit tcp host 192.168.1.1 lt 1025 any

Use gt and a port to permit or deny access to all ports greater than the port you specify.
For example, use gt 42 to permit or deny ports 43 to 65535.

conduit deny udp host 192.168.1.1 gt 42 host 209.165.201.2

Use neq and a port to permit or deny access to every port except the ports that you specify. For example, use neq 10 to permit or deny ports 1-9 and 11 to 65535:

conduit deny tcp host 192.168.1.1 neq 10 host 209.165.201.2 neq 42

Use range and a port range to permit or deny access to only those ports named in the range. For example, use range 10 1024 to permit or deny access only to ports 10 through 1024. All other ports are unaffected.

conduit deny tcp any range ftp telnet any

By default, all ports are denied until explicitly permitted.

port Service(s) you permit to be used while accessing global_ip or foreign_ip. Specify services by the port that handles it, such as smtp for port 25, www for port 80, and so on. You can specify ports by either a literal name or a number in the range of 0 to 65535. You can specify all ports by not specifying a port value. For example:
conduit deny tcp any any

This command is the default condition for the conduit command in that all ports are denied until explicitly permitted.

You can view valid port numbers online at the following website:

http://www.isi.edu/in-notes/iana/assignments/port-numbers

icmp_type The type of ICMP message. An example of this command that permits all ICMP types is conduit permit icmp any any. This command lets ICMP pass inbound and outbound.


Usage Guidelines

A conduit command statement creates an exception to the firewall Adaptive Security Algorithm by permitting connections from one firewall network interface to access hosts on another.

The clear conduit command removes all conduit command statements from the configuration.

The conduit command can permit or deny access to either the global or static commands; however, neither is required for the conduit command. You can associate a conduit command statement with a global or static command statement through the global address, either specifically to a single global address, a range of global addresses, or to all global addresses.

The conduit command has been superseded by the access-list command. We recommend that you migrate the configuration away from the conduit command to maintain future compatibility.

When used with a static command statement, a conduit command statement permits users on a lower security interface to access a higher security interface. When not used with a static command statement, a conduit command statement permits both inbound and outbound access.

Converting conduit Commands to access-list Commands

Follow these steps to convert conduit command statements to access-list commands:

  1.   View the static command format. This command normally precedes both the conduit and access-list commands. The static command syntax is as follows.

    static (high_interface,low_interface) global_ip local_ip netmask mask

    For example:

    static (inside,outside) 209.165.201.5 192.168.1.5 netmask 255.255.255.255

    This command maps the global IP address 209.165.201.5 on the outside interface to the web server 192.168.1.5 on the inside interface. The 255.255.255.255 is used for host addresses.

  2.   View the conduit command format. The conduit command is similar to the access-list command in that it restricts access to the mapping provided by the static command. The conduit command syntax is as follows.

    conduit action protocol global_ip global_mask global_operator global_port [global_port] foreign_ip foreign_mask foreign_operator foreign_port [foreign_port]

    For example:

    conduit permit tcp host 209.165.201.5 eq www any

    This command permits TCP for the global IP address 209.165.201.5 that was specified in the static command statement and permits access over port 80 (www). The "any" option lets any host on the outside interface access the global IP address.

    The static command identifies the interface that the conduit command restricts access to.

  3.   Create the access-list command from the conduit command options. The acl_name in the access-list command is a name or number you create to associate access-list command statements with an access-group or crypto map command statement.

    Normally the access-list command format is as follows:

    access-list acl_name [deny | permit] protocol src_addr src_mask operator port dest_addr dest_mask operator port

    However, using the syntax from the conduit command in the access-list command, you can see how the foreign_ip in the conduit command is the same as the src_addr in the access-list command and how the global_ip option in the conduit command is the same as the dest_addr in the access-list command. The access-list command syntax overlaid with the conduit command options is as follows.

    access-list acl_name action protocol foreign_ip foreign_mask foreign_operator foreign_port [foreign_port] global_ip global_mask global_operator global_port [global_port]

    For example:

    access-list acl_out permit tcp any host 209.165.201.5 eq www

    This command identifies the access-list command statement group with the "acl_out" identifier. You can use any name or number for the identifier. (In this example the identifier "acl" is from ACL, which means access control list, and "out" is an abbreviation for the outside interface.) It makes the configuration clearer if you use an identifier name that indicates the interface to which you are associating the access-list command statements. The example access-list command, like the conduit command, permits TCP connections from any system on the outside interface. The access-list command is associated with the outside interface with the access-group command.

  4.   Create the access-group command using the acl_name from the access-list command and the low_interface option from the static command. The format for the access-group command is as follows.

    access-group acl_name in interface low_interface

    For example:

    access-group acl_out in interface outside

    This command associates with the "acl_out" group of access-list command statements and states that the access-list command statement restricts access to the outside interface.
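    The four steps above can be applied mechanically. The following script is an added example, not Cisco tooling: it tokenizes a conduit statement, swaps the foreign half in front of the global half as step 3 describes, and emits the access-list and access-group lines. The ACL name and the low_interface from the static command are supplied by the caller.

```python
"""Rewrite PIX conduit statements as access-list / access-group statements.

Added example, not Cisco tooling: it applies the mapping from the steps
above (foreign_ip -> src_addr, global_ip -> dest_addr, ACL bound inbound on
the static command's low_interface). acl_name and low_interface are
caller-supplied assumptions.
"""
PORT_ARGS = {"eq": 1, "lt": 1, "gt": 1, "neq": 1, "range": 2}

def take_addr(toks):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    if toks[0] == "any":
        return toks[:1], toks[1:]
    return toks[:2], toks[2:]   # 'host ip' and 'ip mask' are both two tokens

def take_ports(toks):
    """Consume an optional operator and its one or two port arguments."""
    if toks and toks[0] in PORT_ARGS:
        n = 1 + PORT_ARGS[toks[0]]
        return toks[:n], toks[n:]
    return [], toks

def parse_conduit(line):
    """Split a conduit statement into its global and foreign halves."""
    toks = line.split()
    if len(toks) < 3 or toks[0] != "conduit" or toks[1] not in ("permit", "deny"):
        raise ValueError(f"not a conduit statement: {line!r}")
    action, proto = toks[1], toks[2]
    g_addr, rest = take_addr(toks[3:])
    g_ports, rest = take_ports(rest)
    f_addr, rest = take_addr(rest)
    f_ports, rest = take_ports(rest)
    return action, proto, g_addr, g_ports, f_addr, f_ports, rest  # rest: optional icmp_type

def conduit_to_acl(line, acl_name, low_interface):
    """Return the access-list line and the access-group line for one conduit."""
    action, proto, g_addr, g_ports, f_addr, f_ports, extra = parse_conduit(line)
    acl = " ".join(["access-list", acl_name, action, proto]
                   + f_addr + f_ports + g_addr + g_ports + extra)
    group = f"access-group {acl_name} in interface {low_interface}"
    return acl, group

if __name__ == "__main__":
    acl, group = conduit_to_acl("conduit permit tcp host 209.165.201.5 eq www any",
                                "acl_out", "outside")
    print(acl)    # access-list acl_out permit tcp any host 209.165.201.5 eq www
    print(group)  # access-group acl_out in interface outside
```

    Run it over every conduit line in a saved configuration and bind the resulting ACL once per low_interface with the access-group line.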


More on the conduit Command

If you associate a conduit command statement with a static command statement, only the interfaces specified on the static command statement have access to the conduit command statement. For example, if a static command statement lets users on the dmz interface access a server on the inside interface, only users on the dmz interface can access the server via the static command statement. Users on the outside do not have access.

The conduit command statements are processed in the order entered into the configuration.

The permit and deny options for the conduit command are processed in the order listed in the PIX Firewall configuration. In the following example, host 209.165.202.129 is not denied access through the firewall because the permit option precedes the deny option.

conduit permit tcp host 209.165.201.4 eq 80 any
conduit deny tcp host 209.165.201.4 host 209.165.202.129 eq 80

If you want internal users to be able to ping external hosts, use the following command:

conduit permit icmp any any

After changing or removing a conduit command statement, use the clear xlate command.

You can remove a conduit command statement with the no conduit command. Use the show conduit command to view the conduit command statements in the configuration and the number of times (hit count) an element has been matched during a conduit command search.

If you prefer more selective ICMP access, you can specify a single ICMP message type as the last option in this command.


ICMP Type Literals

ICMP Type   Literal
0           echo-reply
3           unreachable
4           source-quench
5           redirect
6           alternate-address
8           echo
9           router-advertisement
10          router-solicitation
11          time-exceeded
12          parameter-problem
13          timestamp-reply
14          timestamp-request
15          information-request
16          information-reply
17          mask-request
18          mask-reply
31          conversion-error
32          mobile-redirect


Usage Notes

  1. By default, all ports are denied until explicitly permitted.

  2. The conduit command statements are processed in the order entered in the configuration. If you remove a command, it affects the order of all subsequent conduit command statements.

  3. To remove all conduit command statements, cut and paste the configuration onto the console computer, edit the configuration on the computer, use the write erase command to clear the current configuration, and then paste the configuration back into the firewall.

  4. If you use Port Address Translation (PAT), you cannot use a conduit command statement using the PAT address to either permit or deny access to ports.

  5. Two conduit command statements are required for establishing access to the following services: discard, dns, echo, ident, pptp, rpc, sunrpc, syslog, tacacs-ds, talk, and time. Each service, except for pptp, requires one conduit for TCP and one for UDP. For DNS, if you are only receiving zone updates, you only need a single conduit command statement for TCP.

    The two conduit command statements for the PPTP transport protocol, which is a subset of the GRE protocol, are as shown in the following example:

    static (dmz2,outside) 209.165.201.5 192.168.1.5 netmask 255.255.255.255
    conduit permit tcp host 209.165.201.5 eq 1723 any
    conduit permit gre host 209.165.201.5 any

    In this example, PPTP is being used to handle access to host 192.168.1.5 on the dmz2 interface from users on the outside. Outside users access the dmz2 host using global address 209.165.201.5. The first conduit command statement opens access for the PPTP protocol and gives access to any outside users. The second conduit command statement permits access to GRE. If PPTP was not involved and GRE was, you could omit the first conduit command statement.

  6. The RPC conduit command support fixes up UDP portmapper and rpcbind exchanges. TCP exchanges are not supported. This lets simple RPC-based programs work; however, remote procedure calls, arguments, or responses that contain addresses or ports will not be fixed up.

    For MSRPC, two conduit command statements are required, one for port 135 and another for access to the high ports (1024-65535). For Sun RPC, a single conduit command statement is required for UDP port 111.

    Once you create a conduit command statement for RPC, you can use the following command to test its activity from a UNIX host:

    rpcinfo -u unix_host_ip_address 150001

  7. You can overlay host statics on top of a net static range to further refine what an individual host can access:

    static (inside,outside) 209.165.201.0 10.1.1.0 netmask 255.255.255.0
    conduit permit tcp 209.165.201.0 255.255.255.0 eq ftp any
    static (inside,outside) 203.31.17.3 10.1.1.3 netmask 255.255.255.0
    conduit permit udp host 209.165.201.3 eq h323 host 209.165.202.3

    In this case, the host at 209.165.202.3 has InternetPhone access in addition to its blanket FTP access.


Examples

  1. The following commands permit access between an outside UNIX gateway host at 209.165.201.2 and an inside SMTP server with Mail Guard at 192.168.1.49. Mail Guard is enabled in the default configuration for the firewall with the fixup protocol smtp 25 command. The global address on the firewall is 209.165.201.1.
    static (inside,outside) 209.165.201.1 192.168.1.49 netmask 255.255.255.255 0 0
    conduit permit tcp host 209.165.201.1 eq smtp host 209.165.201.2

    To disable Mail Guard, enter the following command:

    no fixup protocol smtp 25

  2. You can set up an inside host to receive H.323 InternetPhone calls and allow the outside network to connect inbound via the IDENT protocol (TCP port 113). In this example, the inside network is at 192.168.1.0, and the global addresses on the outside network are referenced via the 209.165.201.0 network address with a 255.255.255.224 mask.
    static (inside,outside) 209.165.201.0 192.168.1.0 netmask 255.255.255.224 0 0
    conduit permit tcp 209.165.201.0 255.255.255.224 eq h323 any
    conduit permit tcp 209.165.201.0 255.255.255.224 eq 113 any

  3. You can create a web server on the perimeter interface that can be accessed by any outside host as follows:

    static (perimeter,outside) 209.165.201.4 192.168.1.4 netmask 255.255.255.255 0 0
    conduit permit tcp host 209.165.201.4 eq 80 any

    In this example, the static command statement maps the perimeter host 192.168.1.4 to the global address 209.165.201.4. The conduit command statement specifies that the global host can be accessed on port 80 (web server) by any outside host.