So far, in our discussion of the PIX firewall, we have demonstrated its use and configuration as a packet filtration firewall and as a dynamic lookup and translation mechanism that hides the identity of internal machines. In this section we will briefly discuss how to build a virtual private network between two PIX units, thus connecting private networks with the Internet as a transport medium.
The conduit command is a short-circuit mechanism that lets hosts on the outside network bypass the PIX’s adaptive security mechanism to connect to hosts on the inside network. This isn’t really as scary as it may sound. It is frequently required and actually very normal to punch holes in the firewall for specific, known services, the security of which can be monitored and tested before the hole is opened.
You can put in an exception to the PIX’s adaptive security system either by using the conduit command or as the last parameter of the static command (an example of which is detailed below). But Cisco recommends that the conduit command be used.
Let us say that we have a mail-exchanging Unix host on our outside network (220.127.116.11) and an SMTP/POP host on our inside network (192.168.2.3). We wish to accomplish two things:
Map the address of our internal SMTP server statically to the translation table address 18.104.22.168 (the first one chosen by PIX).
Create a conduit that allows ...