conduits

Status
Not open for further replies.

staboogie

MIS
Apr 29, 2003
129
US
Anyone know how to delete conduits using 5.2(6) on a 506 firewall? Also, what's the best way to allow a machine from outside to get to one server on the inside.
 
no conduit .....

Or you can blow out all conduits by doing a clear conduit.

You should make access-lists though, they are much faster.

Example showing access to a webserver on your network.

access-list 101 permit tcp any host 192.168.1.1 eq 80
access-group 101 in interface outside

This would allow packets from the outside interface to go to the webserver 192.168.1.1 over TCP port 80.

-Bad Dos
 
I did roughly the same (had to use the conduit though), now the box can be pinged from the outside, but not ftp'd into or any other connection.
 
show your conduits, access-lists, and outbound lists.

-Bad Dos
 
I'm sorry, I'm not sure what you mean. My problem is that I have no proof that the static has actually worked because even if I turn the machine off, I can ping it and get replies back. I'm running FOS 5.2(6), is the version too old or something?
 
HI.

> I have no proof that the static has actually worked because even if I turn the machine off, I can ping it and get replys back
That's OK. I've seen that behavior in other pix implementations.
The pix is actually answering the ICMP on behalf of the internal host.
I don't know if this is good or bad, but your static works.
You should make the test using FTP client or TELNET to port 21 to see the real host.

The conduit command is like this:
conduit permit tcp host myserver eq ftp host remoteclient
myserver = the registered ip address specified in the "static" command.

If you're using a nonstandard ftp port (other than 21), you should also add:
fixup protocol ftp ...

NOTE: the order is reversed versus access-list. In conduit the destination "global" address and port are first, then the originating "foreign" source address.
Some links:



Yizhar Hurwitz
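Pulling the two answers above together, here is an added example (not posted in the thread) of a complete PIX 5.x/6.x configuration that exposes one inside FTP server to one outside client, showing the access-list form next to the equivalent conduit so the reversed argument order is visible. All addresses are constructed placeholders; the filter on the outside interface must name the global (translated) address from the static, not the real inside address.

```text
! Added example, not from the thread. Constructed addresses:
!   inside server 192.168.1.20, global address 203.0.113.20,
!   permitted remote client 198.51.100.5.

! 1) One-to-one static translation: global -> inside
static (inside,outside) 203.0.113.20 192.168.1.20 netmask 255.255.255.255 0 0

! 2) Preferred: access-list. Order is SOURCE first, then DESTINATION.
!    On PIX before 7.0 the outside ACL matches the GLOBAL address.
!    Scoped to a single client instead of "any" to limit exposure.
access-list 101 permit tcp host 198.51.100.5 host 203.0.113.20 eq ftp
access-group 101 in interface outside

! 3) Same rule as a conduit (older syntax, use INSTEAD of step 2):
!    order is reversed: global host and port first, then the source.
conduit permit tcp host 203.0.113.20 eq ftp host 198.51.100.5

! FTP inspection so the data channel is opened through the firewall.
! Port 21 is inspected by default; list another port only if the
! server really listens there.
fixup protocol ftp 21

! 4) Verify the translation and the rule actually took effect
show static
show access-list
show conduit
show xlate
```

An FTP or telnet-to-port-21 test from 198.51.100.5 proves the path, since the PIX answers ICMP for the global address even when the inside host is down.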
 