Easy way to convert Conduits to Access-Lists

stownsend
Level 2

It looks like I got off on the wrong track and am using conduit statements instead of access lists.

Should I convert all of the conduits to access lists, or just add the new items as access lists?

Here is part of my config. I have many more conduit statements. How would I go about converting all of these to Access lists?

Thanks,

Scott<-

access-list inside_nat permit ip 10.0.0.0 255.0.0.0 10.200.0.0 255.255.0.0
access-list inside_nat permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0
access-list inside_nat permit ip 10.0.0.0 255.0.0.0 10.201.0.0 255.255.255.0
ip address outside 192.168.0.17 255.255.255.0
ip address inside 10.1.0.2 255.255.0.0
ip address dmz 172.16.0.1 255.255.255.0
global (outside) 1 192.168.0.181-192.168.0.245 netmask 255.255.255.0
global (outside) 1 192.168.0.20 netmask 255.255.255.0
global (dmz) 1 172.16.0.50-172.16.0.254 netmask 255.255.255.0
nat (inside) 0 access-list inside_nat
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
static (inside,outside) 192.168.0.250 10.1.1.13 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.0.180 10.1.1.181 netmask 255.255.255.255 0 0
static (dmz,outside) 192.168.0.30 172.16.0.30 netmask 255.255.255.255 0 0
static (dmz,outside) 192.168.0.31 172.16.0.31 netmask 255.255.255.255 0 0
static (dmz,outside) 192.168.0.32 172.16.0.32 netmask 255.255.255.255 0 0
conduit permit tcp 192.168.0.0 255.255.255.0 10.0.0.0 255.0.0.0
conduit permit tcp host 192.168.0.250 eq 3389 host 1.2.3.4
conduit permit icmp any any
conduit permit esp 192.168.0.0 255.255.255.0 host 4.5.6.7
conduit permit ah 192.168.0.0 255.255.255.0 host 4.5.6.7
conduit permit udp 192.168.0.0 255.255.255.0 eq isakmp host 4.5.6.7
conduit permit tcp host 192.168.0.180 eq 1433 host 7.8.9.1
conduit permit tcp host 192.168.0.180 eq 1434 host 7.8.9.1

4 Replies

mpalardy
Level 3

Hello Scott,

First, conduit and access-list won't work on the same interface. You will have to manage your time to make the conversion of ALL the conduits to access-lists at the same time.

Second, there's a tricky part in the conversion. You must know which interface will 'fit' the new access-list. Study carefully each conduit. You need to know what the conduit is doing and why, before applying an ACL to an interface. Example:

conduit permit icmp any any

must be converted to:

access-list out_access_in permit icmp any any (not secure if internet)

access-group out_access_in in interface outside

access-list dmz_access_in permit icmp any any

access-group dmz_access_in in interface dmz

Third, do not forget to reverse your hosts or IPs when converting. Ex.:

conduit permit tcp host 192.168.0.180 eq 1434 host 7.8.9.1

access-list out_access_in permit tcp host 7.8.9.1 host 192.168.0.180 eq 1434

We went through that process a few months ago. We think we have a more secure environment since then and are able to use PDM. Still, we need to have good security policies.

Good Luck

Michael
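Editor's note, not part of any post in this thread: the reversal rule Michael describes (foreign host becomes the ACL source, the translated global address becomes the destination, port operator stays with the address it followed) is mechanical enough to script. The Python below is an added example that converts the conduit lines from Scott's config into an access-list and binds it inbound on one interface; the interface choice (`outside` here) is an assumption, which is exactly the per-conduit judgement Michael says you still have to make.

```python
# Mechanical PIX conduit -> access-list conversion (added example, not from the thread).
# Handles: conduit permit|deny PROTO GLOBAL [OP PORT..] FOREIGN [OP PORT..]
# where an address is 'any', 'host A.B.C.D' or 'A.B.C.D MASK'. In the ACL the order
# flips: FOREIGN is the source, GLOBAL the destination; port operators stay attached.

PORT_OPERATORS = {"eq": 1, "neq": 1, "lt": 1, "gt": 1, "range": 2}  # argument counts


def _take_address(t, i):
    """Consume one address spec at t[i]; return (text, next index)."""
    if i >= len(t):
        raise ValueError("address expected: " + " ".join(t))
    if t[i] == "any":
        return "any", i + 1
    if i + 1 >= len(t):
        raise ValueError("host address or mask missing: " + " ".join(t))
    return f"{t[i]} {t[i + 1]}", i + 2  # 'host X' or 'NET MASK'


def _take_port(t, i):
    """Consume an optional port operator such as 'eq 1433' or 'range 1 1024'."""
    if i < len(t) and t[i] in PORT_OPERATORS:
        n = PORT_OPERATORS[t[i]] + 1
        if i + n > len(t):
            raise ValueError("incomplete port operator: " + " ".join(t))
        return " ".join(t[i:i + n]), i + n
    return "", i


def conduit_to_acl(conduit, acl_name="out_access_in"):
    """Translate one conduit line to an access-list line with source/dest reversed."""
    t = conduit.split()
    if len(t) < 5 or t[0] != "conduit" or t[1] not in ("permit", "deny"):
        raise ValueError(f"not a conduit statement: {conduit!r}")
    action, proto = t[1], t[2]
    global_addr, i = _take_address(t, 3)   # translated (destination) side
    global_port, i = _take_port(t, i)
    foreign_addr, i = _take_address(t, i)  # remote (source) side
    foreign_port, i = _take_port(t, i)
    if i != len(t):
        raise ValueError(f"unparsed trailing tokens in {conduit!r}")
    src = " ".join(x for x in (foreign_addr, foreign_port) if x)
    dst = " ".join(x for x in (global_addr, global_port) if x)
    return f"access-list {acl_name} {action} {proto} {src} {dst}"


def convert_config(config, acl_name="out_access_in", interface="outside"):
    """Convert every conduit in a config dump and bind the ACL inbound on ONE
    interface (assumed 'outside'); picking the right interface per conduit is manual."""
    acl = [conduit_to_acl(line.strip(), acl_name)
           for line in config.splitlines() if line.strip().startswith("conduit ")]
    return acl + [f"access-group {acl_name} in interface {interface}"] if acl else []
```

Feeding it `conduit permit tcp host 192.168.0.180 eq 1434 host 7.8.9.1` yields the same `access-list out_access_in permit tcp host 7.8.9.1 host 192.168.0.180 eq 1434` line Michael wrote by hand; lines it cannot parse raise instead of being silently dropped, so nothing is left unconverted when the conduits are removed.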

Thanks for the Reply!

I guess I'll need to convert all of them in one fell swoop! Looks like, again, another late night. )-;

Scott<-

A conduit to ACL converter has been added to the PIX Output Interpreter here:

https://www.cisco.com/cgi-bin/Support/OutputInterpreter/home.pl

Just paste in your PIX config, it'll tell you a bunch of things about it, and then at the bottom there'll be your ACLs.

WOW, that's a cool tool!!!

Thanks!

Scott<-