I recently discovered an issue where I cannot FTP from the outside of my firewall to the inside and up to the mainframe. Cisco says I need to convert my conduits to access-lists in order to correct the issue.
Has anyone ever crossed this issue before?
There are no rules preventing the ability to FTP from one network to the other.
I haven't encountered it, but that's because I never went the conduit route.
If you are looking for comments as to whether what Cisco is saying is plausible, then the answer is YES. As best I can tell, Cisco stopped doing any development on conduits after 5.2(3), with the exception of some hack work to get them to work with 6.1 and later. The several known conduit-related bugs in PIX 5 and PIX 6 are effectively marked as "Won't Fix". If you look through the Bug Navigator at the effect of those bugs, you will see that there are complications with using conduits that there is no obvious reason for.
Cisco has been saying for a long time that conduits are deprecated. There is no support for conduits in PIX 7.0.
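For readers facing the same conversion, the following PIX 6.x fragment is an added example (not from either poster) showing a conduit that permits inbound FTP to a single mainframe beside the equivalent access-list form. The addresses, interface names and the list name `outside_in` are constructed placeholders.

```cisco
! Added example: conduit -> access-list conversion for inbound FTP on PIX 6.x
! Addresses are constructed (RFC 5737 documentation ranges), not a real site.

! Publish the mainframe (10.1.1.10) on a static outside address (203.0.113.10).
! Needed in both the conduit and the access-list form.
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255 0 0

! --- Old form: conduit ---
! Note the operand order: the conduit names the GLOBAL (destination) host
! first and the FOREIGN (source) network second.
conduit permit tcp host 203.0.113.10 eq ftp any

! --- New form: access-list bound to the outside interface ---
! Access-lists use the usual SOURCE then DESTINATION order, so the two
! address fields swap places relative to the conduit line above.
access-list outside_in permit tcp any host 203.0.113.10 eq ftp
! Deny-all is implicit at the end of the list; nothing else inbound is allowed.
access-group outside_in in interface outside

! Keep FTP inspection enabled so the data channel (active or passive) is
! opened dynamically instead of requiring a second, wide permit rule.
fixup protocol ftp 21

! Once the access-group is applied, the old conduit line can be removed
! so that a single mechanism defines the inbound policy.
no conduit permit tcp host 203.0.113.10 eq ftp any
```

When an access-group is bound to an interface, the PIX applies that list rather than the conduits for traffic entering it, so migrate every conduit for that interface at the same time instead of piecemeal.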