PIX Configuration

Posted on 2004-11-11
Last Modified: 2013-11-29
I'm running a PIX with the latest IOS and I'd like to set it up to use access-lists instead of conduits.

static (inside,outside) netmask 128 5
conduit permit tcp host eq smtp any

The above is a sample of what I have.  What I need is this:

Allow into network:, SMTP to, HTTP and HTTPS to
Allow out of network: HTTP, HTTPS, and SMTP from anyone, FTP from

The network also allows a VPN connection from various at home clients.

Can someone provide the access-list and related commands that I need to get this to work?

Question by:Robing66066
    LVL 79

    Accepted Solution


       clear conduit  <== removes all conduit statements

       access-list outside_in permit tcp any host eq smtp
       access-list outside_in permit tcp any host eq http
       access-list outside_in permit tcp any host eq https

       access-group outside_in in interface outside

    Those commands assume that you have another static (inside,outside) statement for the http/https host.
    Be careful what you ask for in outbound control. You should permit DNS as well as the others. Without an explicit access list applied to the inside interface, all outbound traffic is permitted. If you want to permit ONLY those protocols:
       access-list inside_out permit udp any eq 53
       access-list inside_out permit tcp any eq http
       access-list inside_out permit tcp any eq https
       access-list inside_out permit tcp any eq smtp
       access-list inside_out permit tcp host any eq ftp

       access-group inside_out in interface inside
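
    As an added illustration (not part of the original thread or the expert's answer), the following Python helper performs the conduit-to-access-list rewrite the accepted solution shows by hand, generalized to any permit/deny conduit with host, any, "0 0" or ip/mask operands and an optional port operator. The key point it encodes is that a conduit names the destination (global) address first and the source (foreign) address second, while an access-list names source then destination. The sample conduit lines, addresses, and the acl/interface names are constructed placeholders.

```python
# Constructed sample conduit statements (placeholder addresses, not from the page).
SAMPLE_CONDUITS = [
    "conduit permit tcp host 203.0.113.10 eq smtp any",
    "conduit permit tcp host 203.0.113.20 eq http any",
    "conduit permit tcp host 203.0.113.20 eq https 0 0",
]

def _take_addr(tok):
    """Consume one address spec: 'any', '0 0', 'host X' or 'ip mask'."""
    if tok[0] == "any":
        return "any", tok[1:]
    if tok[0] == "host":
        return f"host {tok[1]}", tok[2:]
    if tok[0] in ("0", "0.0.0.0") and tok[1] in ("0", "0.0.0.0"):
        return "any", tok[2:]          # old PIX shorthand for any
    return f"{tok[0]} {tok[1]}", tok[2:]

def _take_port(tok):
    """Consume an optional port operator ('eq smtp', 'range 20 21', ...)."""
    if tok and tok[0] in ("eq", "neq", "lt", "gt"):
        return f"{tok[0]} {tok[1]}", tok[2:]
    if tok and tok[0] == "range":
        return f"range {tok[1]} {tok[2]}", tok[3:]
    return "", tok

def conduit_to_acl(line, acl_name="outside_in"):
    """Rewrite one conduit line as an access-list line.
    Conduit order is destination (global) then source (foreign); an ACL
    lists source first, so the two address specs are swapped."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "conduit" or tok[1] not in ("permit", "deny"):
        raise ValueError(f"not a conduit statement: {line!r}")
    action, proto, rest = tok[1], tok[2], tok[3:]
    if proto == "icmp":
        raise ValueError("icmp conduits carry types, not ports; convert by hand")
    dst, rest = _take_addr(rest)       # global (destination) side
    dst_port, rest = _take_port(rest)
    src, rest = _take_addr(rest)       # foreign (source) side
    src_port, rest = _take_port(rest)
    parts = ["access-list", acl_name, action, proto, src]
    parts += [src_port] if src_port else []
    parts.append(dst)
    parts += [dst_port] if dst_port else []
    return " ".join(parts)

def migrate(conduits, acl_name="outside_in", interface="outside"):
    """Full replacement block: drop conduits, emit the ACL, bind it inbound."""
    acl = [conduit_to_acl(c, acl_name) for c in conduits]
    return ["clear conduit", *acl, f"access-group {acl_name} in interface {interface}"]
```

    Review the generated lines against the existing static statements before applying them; the ACL only opens what a matching static translates.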

    LVL 7

    Author Comment

    Good point.  I didn't think of DNS.  

    I notice you have the 10.1.x.x network listed.  In fact, I'll actually need any address with a 10.x.x.x be allowed out.  Would that change things to

    I'm also assuming I'll need to add something like this:

    static (inside,outside) netmask 128 5
    LVL 79

    Expert Comment

    Yes, on both counts.
    Use whatever mask is appropriate for you.
    Statics are required.
    LVL 7

    Author Comment

    Thanks.  I'll give it a try.
