Convert static/conduit to access-list

mark
Level 1

I know I'm old school and I'm a crotchety old IT guy. Static and conduits worked fine for me and dagnabit, I want to keep things that way. Alas, I know that can't go on forever. So can someone help me convert a few commands to access-lists please?

1) static (inside,outside) tcp interface ftp 192.168.1.10 ftp netmask 255.255.255.255 0 0

2) static (inside,outside) tcp interface 81 192.168.1.10 www netmask 255.255.255.255 0 0

And the associated conduit commands

3) conduit permit tcp any eq ftp any

4) conduit permit tcp any eq 81 any

5) static (inside,outside) 111.111.111.25 mail netmask 255.255.255.255 0 0

conduit permit tcp host 111.111.111.25 eq smtp any

conduit permit udp host 111.111.111.25 eq 25 any

conduit permit udp host 111.111.111.25 eq snmp host 207.214.246.57

Thanks so much any and all that help. I really need to get out of my PIX 5.0 days.


abinjola
Cisco Employee

The static remains the same; you need to add the following access-lists:

access-l out_acl permit tcp any host x.x.x.x eq ftp

access-l out_acl permit tcp any host x.x.x.x eq 81

access-l out_acl permit tcp any host x.x.x.x eq 20

access-l out_acl permit tcp any host 111.111.111.25 eq 25

access-l out_acl permit udp any host 111.111.111.25 eq 25

access-l out_acl permit udp host 207.214.246.57 host 111.111.111.25 eq snmp

access-g out_acl in interface outside

Note: x.x.x.x is the public IP of the outside interface of the firewall.

See if this helps!
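To make the conduit-to-ACL rule in the reply above concrete, here is an added Python converter (not from the thread, and not a Cisco tool). It assumes the ACL name out_acl and a placeholder outside_ip, and handles only the endpoint forms seen in this thread (any, host A, address mask) with eq ports; the sample config is constructed from the question's own commands.

```python
import re
# Constructed sample built from the commands in the question (not a full config).
SAMPLE = """\
static (inside,outside) tcp interface ftp 192.168.1.10 ftp netmask 255.255.255.255 0 0
conduit permit tcp any eq ftp any
static (inside,outside) 111.111.111.25 mail netmask 255.255.255.255 0 0
conduit permit tcp host 111.111.111.25 eq smtp any
conduit permit udp host 111.111.111.25 eq snmp host 207.214.246.57
"""
def _endpoint(t, i):
    """Consume an address spec: 'any' is one token, 'host A' or 'A MASK' two."""
    n = 1 if t[i] == "any" else 2
    return " ".join(t[i:i + n]), i + n

def _port(t, i):
    """Consume an optional 'eq PORT' qualifier; returns (port or None, index)."""
    return (t[i + 1], i + 2) if i < len(t) and t[i] == "eq" else (None, i)

def conduit_to_acl(line, acl_name, outside_ip=None, redirected=frozenset()):
    """Rewrite one conduit as an access-list entry. A conduit names the
    translated (destination) host first and the source last; an access-list is
    source then destination, so the two are swapped. A destination of 'any'
    whose port is a 'static ... interface' redirect is narrowed to the outside
    interface address (placeholder outside_ip), as the reply above does."""
    t = line.split()
    if len(t) < 5 or t[0] != "conduit" or t[1] not in ("permit", "deny"):
        raise ValueError(f"not a conduit: {line!r}")
    dst, i = _endpoint(t, 3)
    dst_port, i = _port(t, i)
    src, i = _endpoint(t, i)
    src_port, _ = _port(t, i)
    if dst == "any" and outside_ip and (t[2], dst_port) in redirected:
        dst = f"host {outside_ip}"
    out = ["access-list", acl_name, t[1], t[2], src]
    out += ["eq", src_port] if src_port else []
    out += [dst] + (["eq", dst_port] if dst_port else [])
    return " ".join(out)

def convert_config(text, acl_name="out_acl", outside_ip=None):
    """Keep statics, convert conduits, then bind the ACL inbound on outside."""
    redirected = {m.groups() for m in re.finditer(
        r"^static \(\S+\) (tcp|udp) interface (\S+) ", text, re.M)}
    out = []
    for line in text.splitlines():
        if line.startswith("conduit "):
            out.append(conduit_to_acl(line, acl_name, outside_ip, redirected))
        elif line.strip():
            out.append(line)
    out.append(f"access-group {acl_name} in interface outside")
    return out
```

Run it with `convert_config(SAMPLE, outside_ip="x.x.x.x")` to reproduce the reply's lines; the translated host in each conduit becomes the ACL destination and the conduit's trailing address becomes the ACL source.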

The "out_acl" is just a name right? It can be anything correct?

suschoud
Cisco Employee

That's right.

Thanks, most appreciated. Now I can ditch my 506 and get a 5505!

Also note that Cisco's Output Interpreter will automatically convert conduits/outbounds to ACLs for you. Just upload your config (via SSL) and hit a button :-)

David.

That won't be when I do a copy/paste then correct? That will be when I upload a config with a TFTP?

You can copy and paste your config into OI. Or, you can save the config in a file (via TFTP or copying and pasting it to notepad) and then just upload the file. Either way works.

See OI here:

https://www.cisco.com/pcgi-bin/Support/OutputInterpreter/home.pl

David.

Thanks for that David. That's pretty cool! Makes my life easier.
