search menu icon-carat-right cmu-wordmark

CERT Coordination Center

PIX 'established' and 'conduit' command may have unexpected interactions

Vulnerability Note VU#6733

Original Release Date: 2002-01-04 | Last Revised: 2002-01-04


A somewhat common configuration of Cisco PIX firewalls may permit a window of opportunity in which an intruder can bypass the firewall. This problem was first publicly described in July, 1998.


Cisco PIX firewalls protecting servers which offer service to the internet-at-large are generally configured to provide a "static" NAT mapping to the servers. "Conduits" are specified, allowing inbound traffic to specific services on specific ports.

If the firewall is configured to allow "established" TCP connections, and an outside machine initiates a connection to an inside machine on a TCP port for which a conduit is set up (i.e. an allowed connection), that outside machine will subsequently, be allowed to connect to ANY TCP port on the inside machine (i.e. ports not specifically allowed in the firewall configuration). Note that the connection to the allowed port does not need to succeed - there does not need to be a service running on the port on the inside machine, it is enough that the connection is attempted to trigger the vulnerability.

Cisco described this problem in July, 1998, in a Cisco Tech Note. Quoting from that document,

A common administrative error may create security vulnerabilities in networks protected by Cisco PIX Firewalls. Specifically, if a firewall has been configured by an administrator who does not correctly understand the action
of the
established command, that firewall may give outside users greater access to inside systems than the administrator may have expected. Some customers have found the behaviour of the established command
in the presence of static conduits to be counterintuitive.

If a PIX Firewall contains both the established command and a static conduit giving outside users access to a specific TCP or UDP port on an inside server, then an interaction between the two configuration settings may allow outside users to make connections to any port on that inside server. This applies even if the port to which an outside user connects is not specified in the configuration of the conduit. It is possible to restrict the ports available using the
permitto and permitfrom keywords on the established command; if this is done, only the permitted ports are affected.


If a PIX firewall is configured to allow "established" connections, an intruder who can establish a connection to any port on a machine behind the firewall can, for at least a few minutes, establish a connection to ANY port on that machine, thus defeating the purpose of the firewall in the first place. Further quoting from the Cisco Tech Note:

The existence of any connection between an inside and an outside host is sufficient for the established command to permit connections from the outside host to the inside host. The direction in which the original connection was made is not checked.

This is particularly concerning if an intruder can establish an ftp connection to an ftp server that supports the PORT command. This may enable an intruder to establish a connection to virtually any machine behind the firewall if any machine behind the firewall has a vulnerable ftp server, and runs a publicly available service. For more information, CERT Advisory 1997-27.


Vendor Information


Cisco Affected

Notified:  May 12, 1998 Updated: December 14, 2001



Vendor Statement


Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CVSS Metrics

Group Score Vector



Our thanks to Cameron MacKinnon who reported this vulnerability to us, and to Cisco, for the information contained in their Tech Note.

This document was written by Shawn V Hernan.

Other Information

CVE IDs: None
Severity Metric: 18.00
Date Public: 1998-07-15
Date First Published: 2002-01-04
Date Last Updated: 2002-01-04 00:55 UTC
Document Revision: 3

Sponsored by CISA.