Re: clearing conduit [7:63278]

2003-02-18 Thread Keith Campbell
Not sure if this is possible on PIX, but I've done this with access lists on
routers.
You would need tftp access to the router / pix in question.
Copy the running config to the tftp server and modify the copy on the tftp
server.
Copy from the tftp server to STARTUP config.
Then issue copy start run.

AFAIK this should work, but the safer way is definitely out of band as
Daniel has already mentioned.

Keith
"Sam Sneed" wrote in message news:[EMAIL PROTECTED]...
> I've thought of this and will have this in place as well. So then I guess
> that there is no way to add to the middle of a conduit without locking yourself
> out.
>
> "Daniel Cotts" wrote in message news:[EMAIL PROTECTED]...
> > Look at the problem from another direction. How about a modem connected to a
> > terminal server. The TS connects to the PIX console port. That way your
> > connection is out-of-band. I'd agree that the modem should be powered off
> > except when needed. Local admin staff would have to hit the "big red
> > switch."
> >
> > > -Original Message-
> > > From: Sam Sneed [mailto:[EMAIL PROTECTED]]
> > > Sent: Tuesday, February 18, 2003 11:32 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: clearing conduit [7:63278]
> > >
> > >
> > > Let's say you are administering a PIX remotely. You SSH into a
> > > machine on the PIX's internal network and from there you telnet into the
> > > PIX. Security is via conduits and it might look like this:
> > >
> > > conduit permit tcp 192.168.43.0 255.255.255.255 eq 22 any
> > > conduit permit tcp 192.168.43.0 255.255.255.255 eq 80 any
> > > conduit permit tcp 192.168.43.0 255.255.255.255 eq 443 any
> > >
> > >
> > > Now I want to put
> > > "conduit permit tcp 192.168.43.0 255.255.255.255 eq 21 any"
> > >
> > > in between the top 2 statements. Why it needs to be there is
> > > not important; this is a theoretical question.
> > > How can I do this without blocking myself out of the PIX?
> > > I imagine I would have to do a "clear conduit" and then enter
> > > the whole new list in again since you can't add a statement in the middle
> > > of a conduit. Once I do clear conduit I'd suspect I'd be blocked out before
> > > I can add the new conduit.
> > >
> > > Is this true? I know I could probably use access-lists to do
> > > this but I'm speaking strictly about conduits when I ask this question.
> > >
> > > The main question is if I'm administering the PIX remotely
> > > and need to add a conduit anywhere except the end of the list then how can
> > > I do that without locking myself out.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=63299&t=63278
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
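To make Keith's edit-the-config-offline approach safer for the case Sam describes (a conduit that must land between the port-22 and port-80 rules), here is an added Python example that is not from anyone in the thread: it inserts the rule into an offline copy of the config and refuses to emit a result in which the conduit carrying the admin session is missing or shadowed by an earlier deny. The sample config is constructed, and first-match evaluation of conduit statements is assumed.

```python
import re
# Constructed sample config excerpt, modelled on the conduit list in the thread
# (not captured from a real PIX).
SAMPLE_CONFIG = """\
hostname pix-sample
conduit permit tcp 192.168.43.0 255.255.255.255 eq 22 any
conduit permit tcp 192.168.43.0 255.255.255.255 eq 80 any
conduit permit tcp 192.168.43.0 255.255.255.255 eq 443 any
"""
# conduit permit|deny <proto> <global_ip> <global_mask> eq <port> ...
CONDUIT_RE = re.compile(r"^conduit\s+(permit|deny)\s+(\S+)\s+(\S+)\s+(\S+)\s+eq\s+(\S+)")

def conduits(config):
    """Conduit statements in the order the PIX evaluates them (assumed first match wins)."""
    return [l.strip() for l in config.splitlines() if l.strip().startswith("conduit ")]

def insert_conduit(config, new_rule, after_rule):
    """Insert new_rule directly after after_rule in the offline copy of the config.
    A missing anchor raises instead of silently appending to the end of the list."""
    lines = config.splitlines()
    try:
        idx = next(i for i, l in enumerate(lines) if l.strip() == after_rule)
    except StopIteration:
        raise ValueError(f"anchor rule not found: {after_rule}") from None
    lines.insert(idx + 1, new_rule)
    return "\n".join(lines) + "\n"

def management_path_intact(config, mgmt_rule):
    """True if the conduit carrying the admin session is still present and is not
    shadowed by an earlier 'conduit deny' for the same protocol and port."""
    m = CONDUIT_RE.match(mgmt_rule)
    if not m:
        raise ValueError("management rule is not a parseable conduit")
    proto, port = m.group(2), m.group(5)
    for rule in conduits(config):
        if rule == mgmt_rule:
            return True
        r = CONDUIT_RE.match(rule)
        if r and r.group(1) == "deny" and (r.group(2), r.group(5)) == (proto, port):
            return False  # an earlier deny would match the admin traffic first
    return False  # the admin conduit was lost in the edit

def reorder_for_thread():
    """The thread's case: port-21 rule between the port-22 and port-80 rules, with a guard."""
    mgmt = "conduit permit tcp 192.168.43.0 255.255.255.255 eq 22 any"
    new = "conduit permit tcp 192.168.43.0 255.255.255.255 eq 21 any"
    edited = insert_conduit(SAMPLE_CONFIG, new, after_rule=mgmt)
    if not management_path_intact(edited, mgmt):
        raise RuntimeError("refusing to push: admin conduit would be lost")
    return conduits(edited)
```

Run the guard against the edited file before copying it back to the PIX's startup config; it only checks the conduit list, not the telnet/ssh statements that also gate the admin session.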



Re: clearing conduit [7:63278]

2003-02-18 Thread Sam Sneed
I've thought of this and will have this in place as well. So then I guess
that there is no way to add to the middle of a conduit without locking yourself
out.

"Daniel Cotts" wrote in message news:[EMAIL PROTECTED]...
> Look at the problem from another direction. How about a modem connected to a
> terminal server. The TS connects to the PIX console port. That way your
> connection is out-of-band. I'd agree that the modem should be powered off
> except when needed. Local admin staff would have to hit the "big red
> switch."
>
> > -Original Message-
> > From: Sam Sneed [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, February 18, 2003 11:32 AM
> > To: [EMAIL PROTECTED]
> > Subject: clearing conduit [7:63278]
> >
> >
> > Let's say you are administering a PIX remotely. You SSH into a
> > machine on the PIX's internal network and from there you telnet into the
> > PIX. Security is via conduits and it might look like this:
> >
> > conduit permit tcp 192.168.43.0 255.255.255.255 eq 22 any
> > conduit permit tcp 192.168.43.0 255.255.255.255 eq 80 any
> > conduit permit tcp 192.168.43.0 255.255.255.255 eq 443 any
> >
> >
> > Now I want to put
> > "conduit permit tcp 192.168.43.0 255.255.255.255 eq 21 any"
> >
> > in between the top 2 statements. Why it needs to be there is
> > not important; this is a theoretical question.
> > How can I do this without blocking myself out of the PIX?
> > I imagine I would have to do a "clear conduit" and then enter
> > the whole new list in again since you can't add a statement in the middle
> > of a conduit. Once I do clear conduit I'd suspect I'd be blocked out before
> > I can add the new conduit.
> >
> > Is this true? I know I could probably use access-lists to do
> > this but I'm speaking strictly about conduits when I ask this question.
> >
> > The main question is if I'm administering the PIX remotely
> > and need to add a conduit anywhere except the end of the list then how can
> > I do that without locking myself out.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=63288&t=63278



RE: clearing conduit [7:63278]

2003-02-18 Thread Daniel Cotts
Look at the problem from another direction. How about a modem connected to a
terminal server. The TS connects to the PIX console port. That way your
connection is out-of-band. I'd agree that the modem should be powered off
except when needed. Local admin staff would have to hit the "big red
switch."

> -Original Message-
> From: Sam Sneed [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, February 18, 2003 11:32 AM
> To: [EMAIL PROTECTED]
> Subject: clearing conduit [7:63278]
> 
> 
> Let's say you are administering a PIX remotely. You SSH into a
> machine on the PIX's internal network and from there you telnet into the
> PIX. Security is via conduits and it might look like this:
>
> conduit permit tcp 192.168.43.0 255.255.255.255 eq 22 any
> conduit permit tcp 192.168.43.0 255.255.255.255 eq 80 any
> conduit permit tcp 192.168.43.0 255.255.255.255 eq 443 any
>
>
> Now I want to put
> "conduit permit tcp 192.168.43.0 255.255.255.255 eq 21 any"
>
> in between the top 2 statements. Why it needs to be there is
> not important; this is a theoretical question.
> How can I do this without blocking myself out of the PIX?
> I imagine I would have to do a "clear conduit" and then enter
> the whole new list in again since you can't add a statement in the middle
> of a conduit. Once I do clear conduit I'd suspect I'd be blocked out before
> I can add the new conduit.
>
> Is this true? I know I could probably use access-lists to do
> this but I'm speaking strictly about conduits when I ask this question.
>
> The main question is if I'm administering the PIX remotely
> and need to add a conduit anywhere except the end of the list then how can
> I do that without locking myself out.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=63285&t=63278



clearing conduit [7:63278]

2003-02-18 Thread Sam Sneed
Let's say you are administering a PIX remotely. You SSH into a machine on the
PIX's internal network and from there you telnet into the PIX. Security is
via conduits and it might look like this:

conduit permit tcp 192.168.43.0 255.255.255.255 eq 22 any
conduit permit tcp 192.168.43.0 255.255.255.255 eq 80 any
conduit permit tcp 192.168.43.0 255.255.255.255 eq 443 any


Now I want to put
"conduit permit tcp 192.168.43.0 255.255.255.255 eq 21 any"

in between the top 2 statements. Why it needs to be there is not important;
this is a theoretical question.
How can I do this without blocking myself out of the PIX?
I imagine I would have to do a "clear conduit" and then enter the whole new
list in again since you can't add a statement in the middle of a conduit.
Once I do clear conduit I'd suspect I'd be blocked out before I can add the
new conduit.

Is this true? I know I could probably use access-lists to do this but I'm
speaking strictly about conduits when I ask this question.

The main question is if I'm administering the PIX remotely and need to add a
conduit anywhere except the end of the list then how can I do that without
locking myself out.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=63278&t=63278