On the old PIXes such as the classic, you have static and conduit commands to open ports to the outside. I know on the new versions, you can use access lists paired with static commands to open ports. You can also use conduits. I have two questions.
1. If you are using numbered access-lists, wouldn't you be limited from 100-199 access lists?
2. Which way is better? Seems to me that conduit reduces complexity since you don't have to apply it to an interface. It knows what to do based on your static.
I believe you are thinking in terms of conduits, which are not applied to interfaces. ACLs are applied to interfaces. You use the access-group command to apply an ACL to an interface. You allow all your access inbound from your outside interface with one ACL. The same with your outbound access from your inside interface. As an example:
access-list 101 permit tcp any host 192.168.1.1 eq ftp
access-list 101 permit tcp any host 192.168.1.2 eq www
access-group 101 in interface outside
access-list 102 permit tcp 192.168.10.0 255.255.255.0 any eq www
access-list 102 permit tcp 192.168.10.0 255.255.255.0 any eq ftp
access-group 102 in interface inside
You can have as many ports open between interfaces; they just are all in one access-list that is applied to an interface vs. separate conduits that are not applied to interfaces.
Also, you do not have to use numbers for your access lists; you can use anything. You should not mix conduits and access lists on the same system. Access lists can also be run in turbo mode for much faster performance on PIXes that support that function, i.e. anything but a 501.
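How the two styles map onto each other, as an added example that is not part of the original answer: a short Python script that rewrites conduit lines as entries in one access-list plus the single access-group binding. It assumes the PIX 6.x argument order (a conduit names the destination first, an access-list names the source first); the function names and sample conduit lines are constructed for illustration, and anything beyond address and port clauses is rejected rather than guessed at.

```python
# Added example: rewrite PIX "conduit" lines as one ACL plus its access-group.
# Assumption: PIX 6.x argument order. A conduit names the destination (global)
# address first and the source (foreign) second; an access-list is source-first.
PORT_OPS = {"eq": 1, "lt": 1, "gt": 1, "neq": 1, "range": 2}  # operand counts

def take_endpoint(tokens):
    """Split off one address spec and its optional port clause."""
    n = 1 if tokens[:1] == ["any"] else 2   # "any" | "host IP" | "IP MASK"
    if len(tokens) < n:
        raise ValueError("incomplete address")
    spec, rest = tokens[:n], tokens[n:]
    if rest and rest[0] in PORT_OPS:
        k = 1 + PORT_OPS[rest[0]]
        if len(rest) < k:
            raise ValueError("incomplete port clause")
        spec, rest = spec + rest[:k], rest[k:]
    return spec, rest

def conduit_to_acl(line, acl_id):
    """Return the access-list entry equivalent to one conduit line."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "conduit" or tokens[1] not in ("permit", "deny"):
        raise ValueError(f"not a conduit line: {line!r}")
    action, proto = tokens[1], tokens[2]
    dest, rest = take_endpoint(tokens[3:])
    src, rest = take_endpoint(rest)
    if rest:  # e.g. an ICMP type: refuse rather than guess at the policy
        raise ValueError(f"unsupported trailing tokens: {rest}")
    return " ".join(["access-list", str(acl_id), action, proto] + src + dest)

def convert(conduits, acl_id=101, interface="outside"):
    """All entries go into one ACL, bound once to the interface."""
    lines = [conduit_to_acl(c, acl_id) for c in conduits]
    lines.append(f"access-group {acl_id} in interface {interface}")
    return lines

# Constructed sample input, using the hosts from the answer above.
SAMPLE_CONDUITS = [
    "conduit permit tcp host 192.168.1.1 eq ftp any",
    "conduit permit tcp host 192.168.1.2 eq www any",
]

if __name__ == "__main__":
    print("\n".join(convert(SAMPLE_CONDUITS)))
```

Passing a name instead of a number as `acl_id` produces a named access list in the same way.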