Converting from Conduit to Access-List



Can really really use your help and advice here. I just converted the few conduit commands to access-list commands. I used the Output Interpreter utility. Everything seems to be functioning correctly thus far, at least no user complaints.

My concern is this: the Output Interpreter is giving me the following error warning:

The following static statements do not appear to have a corresponding 'conduit' or 'access-list/access-group pair:

static (inside,outside) netmask 0 0

Consider configuring an access-list/access-group pair for these statics.

I tried creating another access group and list for the (which is our secondary external dns) and ended it with 'in interface out' . When I try this the next access-group would just overwrite the last one in the config file. Any help here is greatly appreciated.

Here is the config file:

: Saved

: Written by enable_15 at 16:22:52.786 UTC Mon Oct 7 2002

PIX Version 6.2(1)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password LsICg6if8W8s6Uok encrypted

passwd mOXq4Sf2Q.V1AanB encrypted

hostname PIX100


fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000


access-list acl_outside permit tcp any host eq www

access-list acl_outside permit tcp any host eq domain

access-list acl_outside permit udp any host eq domain

access-list acl_outside permit icmp any any

access-list acl_outside_sec permit udp any host eq domain

access-list acl_outside_sec permit tcp any host eq domain

pager lines 24

logging on

logging timestamp

logging trap warnings

logging host inside

interface ethernet0 100full

interface ethernet1 100full

mtu outside 1500

mtu inside 1500

ip address outside

ip address inside

ip audit info action alarm

ip audit attack action alarm

arp timeout 14400

global (outside) 1 netmask

nat (inside) 1 0 0

static (inside,outside) netmask 0 0

static (inside,outside) netmask 0 0

access-group acl_outside in interface outside

route outside 1

route inside 1

route outside 1

route outside 1

route outside 1

route outside 1

route outside 1

route outside 1

route outside 1

route outside 1

route outside 1

route inside 1

timeout xlate 1:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

tftp-server inside inside

floodguard enable

no sysopt route dnat

telnet inside

telnet timeout 60

ssh timeout 5

terminal width 80


: end


Cisco Employee

You can only have one access-group per interface. You should instead modify the access-list acl_outside to include this new line, instead of creating a new access-list.


Not applicable

I am not sure how to modify this access-list acl_outside to include the new line? Can you help with this next step or point me to a doc?
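
The situation in this thread (a second ACL that is never applied, and a static with no matching permit in the ACL bound to the outside interface), as an added example that is not part of the original posts or of Cisco's Output Interpreter: a Python check that flags both conditions and produces the `access-list` lines that fold the unbound ACL into the bound one, as the first reply advises. The 192.0.2.x and 10.0.0.x addresses and the function names are constructed for illustration, and only `host <address>` destinations are matched.

```python
import re

# Constructed sample in PIX 6.x syntax. Addresses are documentation/private
# ranges chosen for this example, not values from the posted config.
SAMPLE = """\
access-list acl_outside permit tcp any host 192.0.2.10 eq www
access-list acl_outside permit udp any host 192.0.2.10 eq domain
access-list acl_outside_sec permit udp any host 192.0.2.11 eq domain
access-list acl_outside_sec permit tcp any host 192.0.2.11 eq domain
static (inside,outside) 192.0.2.10 10.0.0.10 netmask 255.255.255.255 0 0
static (inside,outside) 192.0.2.11 10.0.0.11 netmask 255.255.255.255 0 0
access-group acl_outside in interface outside
"""

def parse(config):
    """Collect ACL entries, access-group bindings and static global addresses."""
    acls, bound, statics = {}, {}, []
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["access-list"] and len(tok) > 2:
            acls.setdefault(tok[1], []).append(" ".join(tok[2:]))
        elif tok[:1] == ["access-group"] and len(tok) == 5:
            # One ACL per interface: a later access-group replaces the earlier one.
            bound[tok[4]] = tok[1]
        elif tok[:1] == ["static"] and len(tok) > 3:
            m = re.fullmatch(r"\((\w+),(\w+)\)", tok[1])
            if m:
                statics.append((m.group(2), tok[2]))  # (outside ifc, global addr)
    return acls, bound, statics

def audit(config):
    """Return (ACLs bound to no interface, static globals with no permit)."""
    acls, bound, statics = parse(config)
    unbound = sorted(set(acls) - set(bound.values()))
    uncovered = []
    for ifc, addr in statics:
        rules = acls.get(bound.get(ifc), [])
        # Simplification: only 'host <addr>' destinations count as coverage.
        if not any(f"host {addr} " in rule + " " for rule in rules):
            uncovered.append(addr)
    return unbound, uncovered

def merge(config, src, dst):
    """Commands that append the entries of ACL src to the bound ACL dst."""
    acls, _, _ = parse(config)
    return [f"access-list {dst} {rule}" for rule in acls.get(src, [])]

if __name__ == "__main__":
    print(audit(SAMPLE))
    print("\n".join(merge(SAMPLE, "acl_outside_sec", "acl_outside")))
```
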

