Conduit to ACL conversion

cisco24x7
Level 6

I do not have a PIX to test with, but can someone confirm that the two configurations below are equivalent? Thanks in advance.

PIX 6.3(5)


outside:  1.1.1.1
inside:   10.0.0.254/24
dmz:      192.168.1.254/23

nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 interface
static (inside,dmz) 192.168.0.0 10.0.0.0 netmask 255.255.255.0
access-list outside_acl permit tcp any any log
access-group outside_acl in interface outside
conduit permit tcp host 192.168.0.1 eq 389 host 192.168.1.1
conduit permit tcp host 192.168.0.1 eq 25 host 192.168.1.1
conduit permit tcp host 192.168.0.1 eq 21 host 192.168.1.1
conduit permit tcp host 192.168.0.1 eq 135 host 192.168.1.1

ASA 8.2(1):


outside:  1.1.1.1
inside:   10.0.0.254/24
dmz:      192.168.1.254/23
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 interface
static (inside,dmz) 192.168.0.0 10.0.0.0 netmask 255.255.255.0
access-list outside_acl permit tcp any any log
access-group outside_acl in interface outside
access-list dmz_acl permit tcp host 192.168.1.1 host 192.168.0.1 eq 389 log
access-list dmz_acl permit tcp host 192.168.1.1 host 192.168.0.1 eq 25 log
access-list dmz_acl permit tcp host 192.168.1.1 host 192.168.0.1 eq 21 log
access-list dmz_acl permit tcp host 192.168.1.1 host 192.168.0.1 eq 135 log
access-list dmz_acl deny ip any 192.168.0.0 255.255.255.0 log
access-list dmz_acl permit ip any any log
access-group dmz_acl in interface dmz
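Added example, not part of the thread and not Cisco's code: a small Python script that performs the conduit-to-ACL rewrite the question shows (a conduit names the global/destination address and its port first, an ACE names the source first), derives the mapped inside network from the static line, and runs both rule sets over a few constructed dmz flows to check that they give the same verdict. It assumes only the command forms used in the question, models PIX behaviour as "conduits govern dmz traffic to the inside network as the static presents it; other traffic leaving the dmz is allowed by default", and models the ASA ACL as first-match with an implicit deny. Other conduit forms, source-port operators and icmp are not handled.

```python
"""Rewrite PIX conduits as ASA ACEs and compare both against sample flows.
Added example (not from the thread or Cisco). Handles only the syntax used in the
question. PIX model: conduits govern dmz traffic to the inside network as mapped by the
static, anything else leaving the dmz is permitted. ASA model: first match, implicit deny.
STATIC, CONDUITS and DMZ_ACL are copied from the question."""
import ipaddress
from collections import namedtuple

STATIC = "static (inside,dmz) 192.168.0.0 10.0.0.0 netmask 255.255.255.0"
CONDUITS = [
    "conduit permit tcp host 192.168.0.1 eq 389 host 192.168.1.1",
    "conduit permit tcp host 192.168.0.1 eq 25 host 192.168.1.1",
    "conduit permit tcp host 192.168.0.1 eq 21 host 192.168.1.1",
    "conduit permit tcp host 192.168.0.1 eq 135 host 192.168.1.1",
]
DMZ_ACL = [
    "access-list dmz_acl permit tcp host 192.168.1.1 host 192.168.0.1 eq 389 log",
    "access-list dmz_acl permit tcp host 192.168.1.1 host 192.168.0.1 eq 25 log",
    "access-list dmz_acl permit tcp host 192.168.1.1 host 192.168.0.1 eq 21 log",
    "access-list dmz_acl permit tcp host 192.168.1.1 host 192.168.0.1 eq 135 log",
    "access-list dmz_acl deny ip any 192.168.0.0 255.255.255.0 log",
    "access-list dmz_acl permit ip any any log",
]

Flow = namedtuple("Flow", "proto src dst dport")
Rule = namedtuple("Rule", "action proto src dst dport")  # dport None = any port

def matches(r, f):
    return ((r.proto == "ip" or r.proto == f.proto)
            and ipaddress.ip_address(f.src) in r.src
            and ipaddress.ip_address(f.dst) in r.dst
            and (r.dport is None or r.dport == f.dport))

def parse_static(line):  # static (real_if,mapped_if) MAPPED REAL netmask MASK -> (real, mapped)
    t = line.split()  # the mapped (global) address comes first: the ordering the thread tripped on
    return (ipaddress.ip_network(f"{t[3]}/{t[5]}", strict=False),
            ipaddress.ip_network(f"{t[2]}/{t[5]}", strict=False))

def mapped_address(real_ip):  # address the dmz (and so the dmz ACL) must use for an inside host
    real, mapped = parse_static(STATIC)
    offset = int(ipaddress.ip_address(real_ip)) - int(real.network_address)
    if not 0 <= offset < real.num_addresses:
        raise ValueError(f"{real_ip} is not covered by the static")
    return str(mapped.network_address + offset)

def _take_addr(tokens):  # consume 'any', 'host A' or 'A MASK' from the front of tokens
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(f"{tokens.pop(0)}/32")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)

def _take_port(tokens):  # consume an optional 'eq PORT'; None when absent
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return int(tokens.pop(0))
    return None

def parse_conduit(line):
    t = line.split()                 # conduit ACTION PROTO GLOBAL [eq P] FOREIGN
    rest = t[3:]
    global_addr = _take_addr(rest)   # the destination is named first in conduit syntax,
    dport = _take_port(rest)         # and the port belongs to that global side;
    foreign_addr = _take_addr(rest)  # the source (foreign) address comes last
    return Rule(t[1], t[2], foreign_addr, global_addr, dport)

def parse_ace(line):
    t = line.split()                 # access-list NAME ACTION PROTO SRC DST [eq P] [log]
    rest = t[4:]
    src, dst = _take_addr(rest), _take_addr(rest)
    return Rule(t[2], t[3], src, dst, _take_port(rest))

def _fmt_addr(net):
    if net.prefixlen in (0, 32):
        return "any" if net.prefixlen == 0 else f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"

def conduit_to_ace(acl_name, conduit_line):  # source first, then destination, then port, logged
    r = parse_conduit(conduit_line)
    port = ["eq", str(r.dport)] if r.dport is not None else []
    head = ["access-list", acl_name, r.action, r.proto, _fmt_addr(r.src), _fmt_addr(r.dst)]
    return " ".join(head + port + ["log"])

def pix_verdict(flow):  # conduits only govern traffic bound for the inside net as the dmz sees it
    if ipaddress.ip_address(flow.dst) not in parse_static(STATIC)[1]:
        return "permit"  # dmz -> outside (lower security) needs no rule on a PIX
    return next((r.action for r in map(parse_conduit, CONDUITS) if matches(r, flow)), "deny")

def asa_verdict(flow):  # first matching ACE wins; an ASA ACL ends with an implicit deny
    return next((r.action for r in map(parse_ace, DMZ_ACL) if matches(r, flow)), "deny")

# Constructed sample flows from the dmz, not taken from the thread.
SAMPLE_FLOWS = [
    Flow("tcp", "192.168.1.1", "192.168.0.1", 389),  # listed port: permit
    Flow("tcp", "192.168.1.1", "192.168.0.1", 443),  # unlisted port: deny
    Flow("udp", "192.168.1.2", "192.168.0.1", 25),   # wrong source host and protocol: deny
    Flow("tcp", "192.168.1.1", "1.1.1.1", 80),       # dmz -> outside: permit
]

def mismatches():  # sample flows on which conduits and ACL disagree; empty means equivalent
    return [f for f in SAMPLE_FLOWS if pix_verdict(f) != asa_verdict(f)]
```

`conduit_to_ace("dmz_acl", ...)` reproduces the first four dmz_acl lines of the question word for word, `mapped_address("10.0.0.1")` gives 192.168.0.1 (which is why the dmz ACL names the mapped address rather than 10.0.0.1), and `mismatches()` is empty for the sample flows. The trailing `deny ip any 192.168.0.0 255.255.255.0` plus `permit ip any any` pair is what reproduces the PIX default of letting the dmz reach the lower-security outside interface while still blocking everything to the inside that no conduit allowed.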


Kureli Sankar
Cisco Employee

inside:   10.0.0.254/24

static (inside,dmz) 192.168.0.0 10.0.0.0 netmask 255.255.255.0

The above doesn't make sense. The inside n/w is 10.0.0.0/24, but then this static says make the inside n/w 192.168.0.0/24 look like 10.0.0.0/24 in the dmz. Maybe 192.168.0.0/24 lives on the inside as well.

Now, if the above is true, then the ACLs are incorrect. The ACLs are talking about 192.168.0.1 as the destination from the dmz, which has to be 10.0.0.1, as the dmz will see the 192.168.0.0/24 as 10.0.0.0/24, so the destination should be 10.0.0.1 instead.

Maybe the static should be like this:

static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

Then the acl is correct as it stands.

-KS

inside:   10.0.0.254/24

static (inside,dmz) 192.168.0.0 10.0.0.0 netmask 255.255.255.0

The above doesn't make sense.

Not sure what you meant by it?

There is NO network of 192.168.0.0/24 on the inside network. Everything is directly connected.

I want the DMZ to see the inside network of 10.0.0.0/24 as 192.168.0.0/24

Given this is what I want, is the configuration correct, especially the ACL?

cisco24x7 wrote:

inside:   10.0.0.254/24

static (inside,dmz) 192.168.0.0 10.0.0.0 netmask 255.255.255.0

The above doesn't make sense.

Not sure what you meant by it?

There is NO network of 192.168.0.0/24 on the inside network. Everything is directly connected.

I want the DMZ to see the inside network of 10.0.0.0/24 as 192.168.0.0/24

Given this is what I want, is the configuration correct, especially the ACL?

David

Looks okay to me. Presumably the permit ip any any on the DMZ acl is simply to allow DMZ servers to initiate connections outbound to outside?

Jon

I have no idea what I was thinking.

That static looks correct. Thought the global was local.

ACL looks good too.
