New Member

Easy way to convert Conduits to Access-Lists

It looks like I got off on the wrong track and am using conduit statements instead of access lists.

Should I convert all of the conduits to access lists, or just add the new items as access lists?

Here is part of my config. I have many more conduit statements. How would I go about converting all of these to Access lists?

Thanks,

Scott<-

access-list inside_nat permit ip 10.0.0.0 255.0.0.0 10.200.0.0 255.255.0.0

access-list inside_nat permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0

access-list inside_nat permit ip 10.0.0.0 255.0.0.0 10.201.0.0 255.255.255.0

ip address outside 192.168.0.17 255.255.255.0

ip address inside 10.1.0.2 255.255.0.0

ip address dmz 172.16.0.1 255.255.255.0

global (outside) 1 192.168.0.181-192.168.0.245 netmask 255.255.255.0

global (outside) 1 192.168.0.20 netmask 255.255.255.0

global (dmz) 1 172.16.0.50-172.16.0.254 netmask 255.255.255.0

nat (inside) 0 access-list inside_nat

nat (inside) 1 10.0.0.0 255.0.0.0 0 0

static (inside,outside) 192.168.0.250 10.1.1.13 netmask 255.255.255.255 0 0

static (inside,outside) 192.168.0.180 10.1.1.181 netmask 255.255.255.255 0 0

static (dmz,outside) 192.168.0.30 172.16.0.30 netmask 255.255.255.255 0 0

static (dmz,outside) 192.168.0.31 172.16.0.31 netmask 255.255.255.255 0 0

static (dmz,outside) 192.168.0.32 172.16.0.32 netmask 255.255.255.255 0 0

conduit permit tcp 192.168.0.0 255.255.255.0 10.0.0.0 255.0.0.0

conduit permit tcp host 192.168.0.250 eq 3389 host 1.2.3.4

conduit permit icmp any any

conduit permit esp 192.168.0.0 255.255.255.0 host 4.5.6.7

conduit permit ah 192.168.0.0 255.255.255.0 host 4.5.6.7

conduit permit udp 192.168.0.0 255.255.255.0 eq isakmp host 4.5.6.7

conduit permit tcp host 192.168.0.180 eq 1433 host 7.8.9.1

conduit permit tcp host 192.168.0.180 eq 1434 host 7.8.9.1

4 REPLIES
New Member

Re: Easy way to convert Conduits to Access-Lists

Hello Scott,

First, conduit and access-list won't work on the same interface. You will have to manage your time to make the conversion of ALL the conduits to access-lists at the same time.

Second, there's a tricky part in the conversion. You must know which interface will 'fit' the new access-list. Study carefully each conduit. You need to know what the conduit is doing and why, before applying an ACL to an interface. Example:

conduit permit icmp any any

must be converted to:

access-list out_access_in permit icmp any any (not secure if internet)

access-group out_access_in in interface outside

access-list dmz_access_in permit icmp any any

access-group dmz_access_in in interface dmz

Third, do not forget to reverse your host's or IP's when converting. Ex.:

conduit permit tcp host 192.168.0.180 eq 1434 host 7.8.9.1

access-list out_access_in permit tcp host 7.8.9.1 host 192.168.0.180 eq 1434

We went through that process a few months ago. We think we have a more secure environment since then and are able to use PDM. Still, we need to have good security policies.

Good Luck

Michael
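To show the swap Michael describes in working code, here is an added example (not from the thread or from Cisco) that rewrites conduit lines as access-list entries: the conduit's first (global) endpoint becomes the ACL destination, the second (foreign) endpoint becomes the source, and each endpoint keeps its own port qualifier. The ACL name, the interface and the assumption that every conduit belongs inbound on that one interface are the example's own choices; as the reply above says, each conduit still has to be checked before the access-group is applied.

```python
from typing import List, Tuple

PORT_OPS = {"eq", "lt", "gt", "neq"}

def _take_endpoint(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume one address spec (any | host A | A MASK) plus an optional port
    qualifier (eq/lt/gt/neq PORT | range LO HI); return text and next index."""
    if tokens[i] == "any":
        parts, i = ["any"], i + 1
    elif tokens[i] == "host":
        parts, i = ["host", tokens[i + 1]], i + 2
    else:  # network + netmask (PIX masks are real masks, not wildcards)
        parts, i = [tokens[i], tokens[i + 1]], i + 2
    if i < len(tokens) and tokens[i] in PORT_OPS:
        parts, i = parts + tokens[i:i + 2], i + 2
    elif i < len(tokens) and tokens[i] == "range":
        parts, i = parts + tokens[i:i + 3], i + 3
    return " ".join(parts), i

def conduit_to_acl(line: str, acl_name: str = "out_access_in") -> str:
    """A conduit lists the global (local, translated) side first and the
    foreign side second; an ACL lists source then destination, so the two
    halves swap places and each keeps its own port qualifier."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "conduit" or tokens[1] not in ("permit", "deny"):
        raise ValueError(f"not a conduit statement: {line!r}")
    action, proto = tokens[1], tokens[2]
    global_side, i = _take_endpoint(tokens, 3)
    foreign_side, i = _take_endpoint(tokens, i)
    if i != len(tokens):
        raise ValueError(f"unparsed tail in conduit: {line!r}")
    return f"access-list {acl_name} {action} {proto} {foreign_side} {global_side}"

def convert_config(config: str, acl_name: str = "out_access_in",
                   interface: str = "outside") -> List[str]:
    """Convert every conduit line and append the access-group that binds the
    ACL inbound on ONE interface. Assumption: all conduits belong on that
    interface; as the thread says, check each one before applying."""
    acl = [conduit_to_acl(l.strip(), acl_name)
           for l in config.splitlines() if l.strip().startswith("conduit ")]
    if acl:
        acl.append(f"access-group {acl_name} in interface {interface}")
    return acl

# Constructed sample: three of the conduit lines from the posted config.
SAMPLE = """conduit permit tcp host 192.168.0.250 eq 3389 host 1.2.3.4
conduit permit udp 192.168.0.0 255.255.255.0 eq isakmp host 4.5.6.7
conduit permit tcp host 192.168.0.180 eq 1434 host 7.8.9.1
"""
```

Running `convert_config(SAMPLE)` yields the three reversed access-list lines followed by `access-group out_access_in in interface outside`; lines such as `static` or `nat` are skipped, and a malformed conduit raises rather than emitting a wrong rule.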

New Member

Re: Easy way to convert Conduits to Access-Lists

Thanks for the Reply!

I guess I'll need to convert all of them in one fell swoop! Looks like, again, another late night. )-;

Scott<-

Cisco Employee

Re: Easy way to convert Conduits to Access-Lists

A conduit to ACL converter has been added to the PIX Output Interpreter here:

https://www.cisco.com/cgi-bin/Support/OutputInterpreter/home.pl

Just paste in your PIX config, it'll tell you a bunch of things about it, and then at the bottom there'll be your ACLs.

New Member

Re: Easy way to convert Conduits to Access-Lists

WOW, that's a cool tool!!!

Thanks!

Scott<-
