PIX Configuration

I'm running a PIX with the latest IOS and I'd like to set it up to use access-lists instead of conduits.

static (inside,outside) 200.200.200.158 10.1.0.104 netmask 255.255.255.255 128 5
conduit permit tcp host 200.200.200.158 eq smtp any

The above is a sample of what I have.  What I need is this:

Allow into network: SMTP to 200.200.200.158, HTTP and HTTPS to 200.200.200.159
Allow out of network: HTTP, HTTPS, and SMTP from anyone, FTP from 10.1.0.15

The network also allows a VPN connection from various at home clients.

Can someone provide the access-list and related commands that I need to get this to work?

Thanks!
Robing66066Asked:

lrmooreCommented:

   clear conduit  <== removes all conduit statements

   access-list outside_in permit tcp any host 200.200.200.158 eq smtp
   access-list outside_in permit tcp any host 200.200.200.159 eq http
   access-list outside_in permit tcp any host 200.200.200.159 eq https

   access-group outside_in in interface outside

Those commands assume that you have another static (inside,outside) statement for the http/https host.
Be careful what you ask for in outbound control. You should permit DNS as well as the others. Without an explicit access list applied to the inside interface, all outbound traffic is permitted. If you want to permit ONLY those protocols:
   access-list inside_out permit udp 10.1.0.0 255.255.255.0 any eq 53
   access-list inside_out permit tcp 10.1.0.0 255.255.255.0 any eq http
   access-list inside_out permit tcp 10.1.0.0 255.255.255.0 any eq https
   access-list inside_out permit tcp 10.1.0.0 255.255.255.0 any eq smtp
   access-list inside_out permit tcp host 10.1.0.15 any eq ftp

   access-group inside_out in interface inside

Robing66066Author Commented:
Good point.  I didn't think of DNS.  

I notice you have the 10.1.x.x network listed.  In fact, I'll actually need any address with a 10.x.x.x be allowed out.  Would that change things to 10.0.0.0 255.0.0.0?

I'm also assuming I'll need to add something like this:

static (inside,outside) 200.200.200.159 10.1.0.105 netmask 255.255.255.255 128 5
lrmooreCommented:
Yes, on both counts.
Use whatever mask is appropriate for you.
Statics are required.
Robing66066Author Commented:
Thanks.  I'll give it a try.
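Added example, not code from the thread or from Cisco: a small Python evaluator that parses access-list lines in the shape lrmoore used and answers "would this connection be permitted?", applying first-match-wins and the implicit deny at the end of every PIX access-list. It is a way to check the outbound policy before binding it with `access-group inside_out in interface inside`, since from that moment anything the list does not name (the DNS point above) is dropped. The sample config, the `inside_out_wide` list that uses the 10.0.0.0 255.0.0.0 mask from the follow-up, and the test addresses (203.0.113.x, 198.51.100.x) are constructed for the example. The evaluator ignores NAT, so `outside_in` is checked against the global address from the static, and it ignores the PIX connection table, which is what lets reply packets of a permitted connection back through.

```python
import ipaddress

# Service names used in the thread, resolved to the port numbers PIX uses.
PORT_NAMES = {"smtp": 25, "http": 80, "https": 443, "ftp": 21, "domain": 53}

# Constructed sample: lrmoore's two access-lists plus an "inside_out_wide"
# variant with the 10.0.0.0 255.0.0.0 mask the asker settled on. This is not
# the asker's running-config, which the thread does not show.
SAMPLE_CONFIG = """
access-list outside_in permit tcp any host 200.200.200.158 eq smtp
access-list outside_in permit tcp any host 200.200.200.159 eq http
access-list outside_in permit tcp any host 200.200.200.159 eq https
access-list inside_out permit udp 10.1.0.0 255.255.255.0 any eq 53
access-list inside_out permit tcp 10.1.0.0 255.255.255.0 any eq http
access-list inside_out permit tcp 10.1.0.0 255.255.255.0 any eq https
access-list inside_out permit tcp 10.1.0.0 255.255.255.0 any eq smtp
access-list inside_out permit tcp host 10.1.0.15 any eq ftp
access-list inside_out_wide permit udp 10.0.0.0 255.0.0.0 any eq 53
access-list inside_out_wide permit tcp 10.0.0.0 255.0.0.0 any eq http
access-list inside_out_wide permit tcp 10.0.0.0 255.0.0.0 any eq https
access-list inside_out_wide permit tcp 10.0.0.0 255.0.0.0 any eq smtp
access-list inside_out_wide permit tcp host 10.1.0.15 any eq ftp
"""


def _parse_addr(tokens, i):
    """Consume one PIX address spec starting at tokens[i].

    Forms: 'any', 'host A.B.C.D', or 'A.B.C.D M.M.M.M' (a real subnet mask,
    not the inverted wildcard mask that IOS router ACLs use).
    """
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_access_lists(config_text):
    """Return {acl_name: [(action, proto, src_net, dst_net, dport_or_None), ...]}.

    Only the 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' shape used
    in the thread is handled; any other line is ignored.
    """
    acls = {}
    for line in config_text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        name, action, proto = t[1], t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = None
        if i + 1 < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        acls.setdefault(name, []).append((action, proto, src, dst, dport))
    return acls


def evaluate(rules, proto, src_ip, dst_ip, dport):
    """First matching entry wins; no match means the implicit deny at the end."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, r_proto, r_src, r_dst, r_port in rules:
        if r_proto not in ("ip", proto):
            continue
        if src not in r_src or dst not in r_dst:
            continue
        if r_port is not None and r_port != dport:
            continue
        return action
    return "deny"


ACLS = parse_access_lists(SAMPLE_CONFIG)


def check(acl_name, proto, src_ip, dst_ip, dport):
    """Decision for a connection initiated through the interface the ACL is
    bound to. NAT is ignored (test outside_in against the global address from
    the static), and so is the connection table that admits reply traffic."""
    return evaluate(ACLS[acl_name], proto, src_ip, dst_ip, dport)


if __name__ == "__main__":
    # Constructed flows: inbound to the statics, outbound DNS, a 10.2.x host
    # under the /24 list versus the /8 list, and FTP from a non-approved host.
    flows = [
        ("outside_in", "tcp", "203.0.113.9", "200.200.200.158", 25),
        ("outside_in", "tcp", "203.0.113.9", "200.200.200.158", 80),
        ("inside_out", "udp", "10.1.0.7", "198.51.100.53", 53),
        ("inside_out", "tcp", "10.2.0.5", "198.51.100.80", 80),
        ("inside_out_wide", "tcp", "10.2.0.5", "198.51.100.80", 80),
        ("inside_out", "tcp", "10.1.0.20", "198.51.100.21", 21),
    ]
    for f in flows:
        print(f"{f[0]:16} {f[1]} {f[2]:>12} -> {f[3]}:{f[4]:<4} {check(*f)}")
```

Running it shows why the follow-up mattered: a 10.2.0.5 host is denied under the 10.1.0.0 255.255.255.0 list and permitted under the 255.0.0.0 one, while FTP from anything other than 10.1.0.15 and every protocol the list does not name fall through to the implicit deny. Dropping the udp 53 line from `inside_out` and re-running the DNS flow reproduces the outage lrmoore warned about.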