topic Re: Convert static/conduit to access-list in Network Security

Convert static/conduit to access-list

iscs-mark — Mon, 11 Mar 2019 09:52:42 GMT

I know I'm old school and I'm a crotchety old IT guy. Static and conduits worked fine for me and dagnabit, I want to keep things that way. Alas, I know that can't go on forever. So can someone help me convert a few commands to access-lists please?

1) static (inside,outside) tcp interface ftp 192.168.1.10 ftp netmask 255.255.255.255 0 0

2) static (inside,outside) tcp interface 81 192.168.1.10 www netmask 255.255.255.255 0 0

And the associated conduit commands

3) conduit permit tcp any eq ftp any

4) conduit permit tcp any eq 81 any

5) static (inside,outside) 111.111.111.25 mail netmask 255.255.255.255 0 0

conduit permit tcp host 111.111.111.25 eq smtp any

conduit permit udp host 111.111.111.25 eq 25 any

conduit permit udp host 111.111.111.25 eq snmp host 207.214.246.57

Thanks so much any and all that help. I really need to get out of my PIX 5.0 days.

Re: Convert static/conduit to access-list

abinjola — Wed, 28 Mar 2007 00:07:29 GMT

the static remains the same , you need to add the following access-lists :-

access-l out_acl permit tcp any host x.x.x.x eq ftp

access-l out_acl permit tcp any host x.x.x.x eq 81

access-l out_acl permit tcp any host x.x.x.x eq 20

access-l out_acl permit tcp any host 111.111.111.25 eq 25

access-l out_acl permit udp any host 111.111.111.25 eq 25

access-l out_acl permit tcp host 207.214.246.57 host 111.111.111.25 eq snmp

access-g out_acl in interface outside

Note*:- x.x.x.x--->public ip of outside interface of firewall

see if this helps !

Re: Convert static/conduit to access-list

iscs-mark — Wed, 28 Mar 2007 16:04:42 GMT

The "out_acl" is just a name right? It can be anything correct?

Re: Convert static/conduit to access-list

suschoud — Wed, 28 Mar 2007 16:05:27 GMT

that's right.

Re: Convert static/conduit to access-list

iscs-mark — Wed, 28 Mar 2007 16:07:11 GMT

Thanks, most appreciated. Now I can ditch my 506 and get a 5505!

Re: Convert static/conduit to access-list

David White — Wed, 28 Mar 2007 17:49:43 GMT

Also note that Cisco's Output Interpreter will automatically convert conduits/outbounds to ACLs for you. Just upload your config (via SSL) and hit a button 🙂

David.

Re: Convert static/conduit to access-list

iscs-mark — Wed, 28 Mar 2007 17:52:56 GMT

That won't be when I do a copy/paste then correct? That will be when I upload a config with a TFTP?

Re: Convert static/conduit to access-list

David White — Wed, 28 Mar 2007 18:13:52 GMT

You can copy and paste your config into OI. Or, you can save the config in a file (via TFTP or copying and pasting it to notepad) and then just upload the file. Either way works.

See OI here:

https://www.cisco.com/pcgi-bin/Support/OutputInterpreter/home.pl

David.

Re: Convert static/conduit to access-list

iscs-mark — Wed, 28 Mar 2007 18:33:19 GMT

Thanks for that David. That's pretty cool! Makes my life easier.