PIX Configuration

Posted on 2004-11-11
Medium Priority
Last Modified: 2013-11-29
I'm running a PIX with the latest IOS and I'd like to set it up to use access-lists instead of conduits.

static (inside,outside) netmask 128 5
conduit permit tcp host eq smtp any

The above is a sample of what I have.  What I need is this:

Allow into network:, SMTP to, HTTP and HTTPS to
Allow out of network: HTTP, HTTPS, and SMTP from anyone, FTP from

The network also allows a VPN connection from various at home clients.

Can someone provide the access-list and related commands that I need to get this to work?

Question by: Robing66066

Accepted Solution

lrmoore earned 2000 total points
ID: 12557880

   clear conduit  <== removes all conduit statements

   access-list outside_in permit tcp any host eq smtp
   access-list outside_in permit tcp any host eq http
   access-list outside_in permit tcp any host eq https

   access-group outside_in in interface outside

Those commands assume that you have another static (inside,outside) statement for the http/https host.
Be careful what you ask for in outbound control. You should permit DNS as well as the others. Without an explicit access list applied to the inside interface, all outbound traffic is permitted. If you want to permit ONLY those protocols:
   access-list inside_out permit udp any eq 53
   access-list inside_out permit tcp any eq http
   access-list inside_out permit tcp any eq https
   access-list inside_out permit tcp any eq smtp
   access-list inside_out permit tcp host any eq ftp

   access-group inside_out in interface inside

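The two things lrmoore's answer relies on, as an added example that is not part of the original thread: a conduit names the protected (destination) host first and the foreign (source) address second, while an access-list names the source first, so a mechanical conversion has to swap the operands; and once an access-list is bound to an interface with access-group, anything not explicitly permitted hits the implicit deny, which is why the DNS line matters. The Python below is a small model of PIX 6.x rule syntax written for this page, not anything the PIX runs itself. All addresses are constructed placeholders (192.0.2.10 for the mail relay, 10.0.0.0/8 for the inside network as the asker later wanted, 10.1.1.50 for the FTP client, 198.51.100.x for Internet destinations), since the real addresses did not survive in the post.

```python
"""Model of PIX 6.x conduit -> access-list conversion and first-match ACL evaluation."""
import ipaddress
from collections import namedtuple

# Service names the PIX accepts in place of port numbers (only the ones used here).
PORT_NAMES = {"smtp": 25, "http": 80, "https": 443, "ftp": 21}
NAME_OF_PORT = {v: k for k, v in PORT_NAMES.items()}
ANY = ipaddress.ip_network("0.0.0.0/0")

# sport/dport of None means "any port".
Rule = namedtuple("Rule", "action proto src sport dst dport")


def _addr(tok, i):
    """Consume 'any' | 'host A' | 'A MASK' at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def _port(tok, i):
    """Consume an optional 'eq <number|name>' at tok[i]; return (port or None, next index)."""
    if i < len(tok) and tok[i] == "eq":
        return PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1]), i + 2
    return None, i


def _fmt_addr(net):
    if net == ANY:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"


def _fmt_port(port):
    return "" if port is None else f" eq {NAME_OF_PORT.get(port, port)}"


def parse_conduit(line):
    """conduit <action> <proto> <protected addr> [eq p] <foreign addr> [eq p].
    The protected host, i.e. the DESTINATION of inbound traffic, comes first."""
    tok = line.split()
    assert tok[0] == "conduit", line
    dst, i = _addr(tok, 3)
    dport, i = _port(tok, i)
    src, i = _addr(tok, i)
    sport, _ = _port(tok, i)
    return Rule(tok[1], tok[2], src, sport, dst, dport)


def parse_acl(line):
    """access-list <name> <action> <proto> <src> [eq p] <dst> [eq p]: source first."""
    tok = line.split()
    assert tok[0] == "access-list", line
    src, i = _addr(tok, 4)
    sport, i = _port(tok, i)
    dst, i = _addr(tok, i)
    dport, _ = _port(tok, i)
    return Rule(tok[2], tok[3], src, sport, dst, dport)


def conduit_to_acl(line, acl_name="outside_in"):
    """Rewrite one conduit as an access-list line, swapping the operand order."""
    r = parse_conduit(line)
    return (f"access-list {acl_name} {r.action} {r.proto} "
            f"{_fmt_addr(r.src)}{_fmt_port(r.sport)} "
            f"{_fmt_addr(r.dst)}{_fmt_port(r.dport)}")


def evaluate(rules, proto, src, dst, dport):
    """First matching rule wins; a list bound with access-group ends in an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (r.proto in ("ip", proto) and s in r.src and d in r.dst
                and (r.dport is None or r.dport == dport)):
            return r.action
    return "deny (implicit)"


# Constructed sample: the asker's conduit with a placeholder mail-relay address.
SAMPLE_CONDUIT = "conduit permit tcp host 192.0.2.10 eq smtp any"

# The outbound list from the accepted answer, widened to 10.0.0.0/8 as the asker
# wanted, with a constructed FTP client address.
INSIDE_OUT = [
    "access-list inside_out permit udp 10.0.0.0 255.0.0.0 any eq 53",
    "access-list inside_out permit tcp 10.0.0.0 255.0.0.0 any eq http",
    "access-list inside_out permit tcp 10.0.0.0 255.0.0.0 any eq https",
    "access-list inside_out permit tcp 10.0.0.0 255.0.0.0 any eq smtp",
    "access-list inside_out permit tcp host 10.1.1.50 any eq ftp",
]


def outbound_decisions(acl_lines):
    """Decide a few representative outbound flows against the given list."""
    rules = [parse_acl(l) for l in acl_lines]
    return {
        "dns": evaluate(rules, "udp", "10.1.2.3", "198.51.100.53", 53),
        "http": evaluate(rules, "tcp", "10.1.2.3", "198.51.100.80", 80),
        "ftp_from_client": evaluate(rules, "tcp", "10.1.1.50", "198.51.100.21", 21),
        "ftp_from_other": evaluate(rules, "tcp", "10.1.2.3", "198.51.100.21", 21),
    }


if __name__ == "__main__":
    print(conduit_to_acl(SAMPLE_CONDUIT))
    print(outbound_decisions(INSIDE_OUT))
    # Drop the DNS line and every inside host loses name resolution to the implicit deny.
    print(outbound_decisions(INSIDE_OUT[1:]))
```

Running it prints the converted SMTP rule in access-list form and then two sets of decisions: with the full inside_out list, DNS, HTTP and FTP from the designated client are permitted while FTP from any other inside host falls through to the implicit deny; with the UDP 53 line removed, the DNS lookup is denied as well, which is the failure lrmoore warned about.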

Author Comment

ID: 12557944
Good point.  I didn't think of DNS.  

I notice you have the 10.1.x.x network listed.  In fact, I'll actually need any 10.x.x.x address to be allowed out.  Would that change things to

I'm also assuming I'll need to add something like this:

static (inside,outside) netmask 128 5

Expert Comment

ID: 12557993
Yes, on both counts.
Use whatever mask is appropriate for you.
Statics are required.

Author Comment

ID: 12599362
Thanks.  I'll give it a try.
