03-27-2007 03:19 PM - edited 03-11-2019 02:52 AM
I know I'm old school and I'm a crotchety old IT guy. Static and conduits worked fine for me and dagnabit, I want to keep things that way. Alas, I know that can't go on forever. So can someone help me convert a few commands to access-lists please?
1) static (inside,outside) tcp interface ftp 192.168.1.10 ftp netmask 255.255.255.255 0 0
2) static (inside,outside) tcp interface 81 192.168.1.10 www netmask 255.255.255.255 0 0
And the associated conduit commands
3) conduit permit tcp any eq ftp any
4) conduit permit tcp any eq 81 any
5) static (inside,outside) 111.111.111.25 mail netmask 255.255.255.255 0 0
conduit permit tcp host 111.111.111.25 eq smtp any
conduit permit udp host 111.111.111.25 eq 25 any
conduit permit udp host 111.111.111.25 eq snmp host 207.214.246.57
Thanks so much to any and all that help. I really need to get out of my PIX 5.0 days.
03-27-2007 05:07 PM
The static remains the same; you need to add the following access-lists:
access-l out_acl permit tcp any host x.x.x.x eq ftp
access-l out_acl permit tcp any host x.x.x.x eq 81
access-l out_acl permit tcp any host x.x.x.x eq 20
access-l out_acl permit tcp any host 111.111.111.25 eq 25
access-l out_acl permit udp any host 111.111.111.25 eq 25
access-l out_acl permit udp host 207.214.246.57 host 111.111.111.25 eq snmp
access-g out_acl in interface outside
Note: x.x.x.x is the public IP of the outside interface of the firewall.
See if this helps!
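The conversion in the answer above, as an added Python example that is not part of the original posts: a conduit names the global (destination) address first and the foreign (source) address second, while an access-list names the source first, so the two halves swap. The function names, the `outside_ip` parameter and the 192.0.2.1 address are assumptions for illustration; only tcp/udp conduits are handled, and anything else is rejected rather than guessed at.

```python
"""Convert PIX 'conduit' lines to 'access-list' lines (added example)."""
PORT_OPS = {"eq", "lt", "gt", "neq", "range"}

def _take_addr(tok, i):
    """Consume 'any', 'host <ip>' or '<ip> <mask>' starting at tok[i]."""
    if i >= len(tok):
        raise ValueError("missing address")
    if tok[i] == "any":
        return ["any"], i + 1
    if i + 1 >= len(tok):
        raise ValueError("incomplete address")
    return tok[i:i + 2], i + 2

def _take_port(tok, i):
    """Consume an optional '<op> <port>' or 'range <lo> <hi>' clause."""
    if i < len(tok) and tok[i] in PORT_OPS:
        n = 3 if tok[i] == "range" else 2
        if i + n > len(tok):
            raise ValueError("incomplete port clause")
        return tok[i:i + n], i + n
    return [], i

def conduit_to_acl(line, acl_name="out_acl", outside_ip=None):
    tok = line.split()
    if len(tok) < 3 or tok[0] != "conduit" or tok[1] not in ("permit", "deny"):
        raise ValueError(f"not a conduit line: {line!r}")
    if tok[2] not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol: {tok[2]!r}")
    glob, i = _take_addr(tok, 3)       # conduit: destination comes first
    gport, i = _take_port(tok, i)
    foreign, i = _take_addr(tok, i)    # conduit: source comes second
    fport, i = _take_port(tok, i)
    if i != len(tok):
        raise ValueError(f"unparsed tokens: {tok[i:]}")
    if glob == ["any"] and outside_ip:  # tighten 'any' to the interface address
        glob = ["host", outside_ip]
    return " ".join(["access-list", acl_name, tok[1], tok[2],
                     *foreign, *fport, *glob, *gport])

def convert_config(lines, acl_name="out_acl", outside_ip=None):
    """Convert every conduit line, then bind the ACL to the outside interface."""
    out = [conduit_to_acl(l, acl_name, outside_ip)
           for l in lines if l.strip().startswith("conduit")]
    return out + [f"access-group {acl_name} in interface outside"]

if __name__ == "__main__":
    # Conduit lines from the question; 192.0.2.1 is a constructed placeholder.
    sample = ["conduit permit tcp any eq ftp any",
              "conduit permit udp host 111.111.111.25 eq snmp host 207.214.246.57"]
    print("\n".join(convert_config(sample, outside_ip="192.0.2.1")))
```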
03-28-2007 09:04 AM
The "out_acl" is just a name, right? It can be anything, correct?
03-28-2007 09:05 AM
That's right.
03-28-2007 09:07 AM
Thanks, most appreciated. Now I can ditch my 506 and get a 5505!
03-28-2007 10:49 AM
Also note that Cisco's Output Interpreter will automatically convert conduits/outbounds to ACLs for you. Just upload your config (via SSL) and hit a button :-)
David.
03-28-2007 10:52 AM
That won't be when I do a copy/paste then, correct? That will be when I upload a config with a TFTP?
03-28-2007 11:13 AM
You can copy and paste your config into OI. Or, you can save the config in a file (via TFTP or copying and pasting it to notepad) and then just upload the file. Either way works.
See OI here:
https://www.cisco.com/pcgi-bin/Support/OutputInterpreter/home.pl
David.
03-28-2007 11:33 AM
Thanks for that David. That's pretty cool! Makes my life easier.