Best ways to amend an out-of-date PIX configuration - Cisco PIX 515UR


I have been given the task of updating our PIX Firewall v6.1(1).
At the moment it has a configuration that points to old servers, out-of-date access-lists and redundant groups.
I have been given the new config, so it is a case of amending and deleting entries.
My question is: what is the best/safest way to go about removing entries? This is being done on a weekend and I don't want to come in Monday morning with havoc in the office.
I have added a few lines that need removing.

static (inside,dmz_2) xx.xx.xx.xx xx.xx.xx.xx netmask 0 0
static (inside,dmz_2) xx.xx.xx.xx xx.xx.xx.xx netmask 0 0
static (inside,dmz_2) xx.xx.xx.xx xx.xx.xx.xx netmask 0 0
static (inside,dmz_2) xx.xx.xx.xx xx.xx.xx.xx netmask 0 0
static (inside,dmz_2) xx.xx.xx.xx xx.xx.xx.xx netmask 0 0
static (inside,dmz_2) xx.xx.xx.xx xx.xx.xx.xx netmask 0 0
static (inside,dmz_2) xx.xx.xx.xx xx.xx.xx.xx netmask 0 0
static (inside,dmz_2) xx.xx.xx.xx xx.xx.xx.xx netmask 0 0

access-list acl_hao permit tcp any host xx.xx.xx.xx eq telnet
access-list acl_hao permit tcp any host xx.xx.xx.xx eq ftp
access-list acl_hao permit tcp any host xx.xx.xx.xx eq www
access-list acl_hao permit tcp any host xx.xx.xx.xx eq cmd
access-list acl_hao permit tcp any host xx.xx.xx.xx range 4500 4505
access-list acl_hao permit tcp any host xx.xx.xx.xx range 4000 4499

1) Are there quick ways to delete access-lists, as there are hundreds in this configuration?
2) I have been given the new config. Is it safe to add this to a txt file and FTP it over the original config? Is this easily/safely done?

Thanks for any advice.


You can set up a TFTP server and first back up your config - download one if you don't have one already.
You can then TFTP the config back to your PIX if it is a config file.
Just curious - how come you have a copy of the new config? Who wrote it? Are they sure it will work? It just seems a little unusual for someone to be given the task of updating someone else's config (and taking the responsibility for problems!)

The other way to do it would be to save the current config, delete it and reload the PIX.
write erase         deletes it
reload                reloads pix

After the reload - you will be prompted to go into setup mode - answer no.

open up the config in wordpad/notepad and select it all and copy

In hyperterminal session
type conf t
and then select edit -  paste to host

save the config

write mem

and you're set. You would want to be absolutely sure that this config is OK though.

clarkeyi (Author) commented:
Thanks for the advice. The new config was written by somebody who feels he is not confident enough to make the changes!!
So I am going to do it.
Does anyone know of a PIX simulator to test a few things on?

The only PIX simulator is a PIX. Get a 501 on eBay for cheap...

The other guy wrote it but is not confident enough to implement it? You're a better man than I, clarkeyi!
Best of luck
clarkeyi (Author) commented:
If it all screws up and I have the backup config file, I take it it is just a case of TFTPing the old config back and overwriting it again???
(I hope)

Correct. As long as you have the original. I would also make a "copy and paste" copy of it to a Notepad file - just to be extra careful in case the image were to corrupt. It's never happened to me - but it will do no harm to be safe.
clarkeyi (Author) commented:

So when TFTPing, it transfers as an image and not a standard txt file?
I have installed the SolarWinds TFTP software. Will running the TFTP command to the server's IP address know a TFTP application is installed?

Yes - it transfers an image.
And yes - by TFTPing from the PIX to the server's IP address, the PIX will "see" the TFTP server running and copy the file into your specified TFTP folder.

To see it in action, run the Solarwinds software and transfer a file - you will see the transfer information appearing on the Solarwinds application when you issue the command on the PIX.


clarkeyi (Author) commented:
I have the new config in a txt file. How do I make this a config file in order to TFTP it to the PIX to implement these new settings?
I don't know if it's possible to "change" the file to a config file from text - I don't really see the point, as it's going to be just as quick to paste the txt config back to the PIX.

See my first post
open up the config in wordpad/notepad and select it all and copy

In hyperterminal session
type conf t
and then select edit -  paste to host

save the config

write mem

All config files are simple text files. Period.
There is no "conversion" necessary.
Edit the file to your heart's content using notepad or something. Call it mypixconfig.txt
When you want to reload it back to the PIX, when it asks for the file name, just put in "mypixconfig.txt"
clarkeyi (Author) commented:
Cheers for all of your information. Once I get this out of the way I will feel better, but being the 1st time I have made changes in a live environment I want to be 100% sure I have got it all right or else it is back to Job serve on Monday!!
Thanks again
clarkeyi (Author) commented:
Below is the config I have been given. Will I need to remove any lines such as password references or the cryptochecksum? Once I upload the new image, will the passwords be lost?

PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz_1 security20
nameif ethernet3 dmz_2 security15
nameif ethernet4 hao security10
nameif ethernet5 inactive security25

enable password <removed> encrypted
passwd <Removed> encrypted
hostname secure01

fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
no names

access-list acl_out permit tcp any host xx.xx.xx.xx eq smtp
access-list acl_dmz_1 permit tcp host xx.xx.xx.xx host xx.xx.xx.xx eq smtp

pager lines 24
logging on
logging timestamp
logging console errors
logging trap errors
logging history errors
logging host inside

interface ethernet0 10baset
interface ethernet1 100full
interface ethernet2 10full
interface ethernet3 10baset
interface ethernet4 10baset
interface ethernet5 10baset shutdown
icmp deny any echo-reply outside
icmp permit any unreachable outside
mtu outside 1500
mtu inside 1500
mtu dmz_1 1500
mtu dmz_2 1500
mtu hao 1500
mtu inactive 1500
ip address outside xx.xx.xx.xx
ip address inside xx.xx.xx.xx
ip address dmz_1 xx.xx.xx.xx
ip address dmz_2 xx.xx.xx.xx
ip address hao xx.xx.xx.xx
ip address inactive xx.xx.xx.xx  

ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside
failover ip address inside
failover ip address dmz_1
failover ip address dmz_2
failover ip address hao
failover ip address inactive

pdm history enable
arp timeout 14400
global (outside) 1 xx.xx.xx.xx
global (hao) 1 xx.xx.xx.xx
nat (inside) 1 0 0
nat (dmz_2) 1 xx.xx.xx.xx 0 0

static (inside,dmz_1) xx.xx.xx.xx xx.xx.xx.xx netmask 0 0
static (inside,dmz_1) xx.xx.xx.xx xx.xx.xx.xx netmask 0 0

static (dmz_1,outside) xx.xx.xx.xx xx.xx.xx.xx netmask 0 0

access-group acl_out in interface outside
access-group acl_dmz_1 in interface dmz_1
access-group acl_dmz_2 in interface dmz_2
access-group acl_hao in interface hao

route outside xx.xx.xx.xx 1

route inside xx.xx.xx.xx xx.xx.xx.xx 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius

no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable

no sysopt route dnat

telnet xx.xx.xx.xx inside
telnet timeout 5
ssh timeout 5
terminal width 80

Here's the real key:
  ONLY put the changes in the "new" config.
Copying it over the existing one will only "merge" the two and not overwrite the existing one.
I would keep one complete copy of the existing config, unchanged.
Make one edited copy with just the changes. Remember that some lines will need a "no" in front to remove them before a new line can take their place.
After you make the changes to the PIX, be sure to back up a copy of the new complete config.
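An added example (not from the thread, and not anyone's posted code) of building the "changes only" config the answer above recommends, which also covers the "quick way to delete hundreds of access-list lines" question earlier in the thread: given the full backup of the running config and the full new config, it emits the "no" lines for what has to go and the lines to add. It assumes PIX 6.x merge semantics as described in the thread (a pasted or TFTPed config merges into the running config; "no <line>" removes a line and "<line>" undoes a "no <line>"), that access-list entries are order-sensitive (so any ACL that changed is unbound, emptied and rebuilt in full, with its access-group re-issued afterwards), and that the SINGLE_VALUED keyword list is a guess at which settings are simply overwritten by a new value; adjust it for your own config. The sample configs are constructed, using documentation addresses, in the shape of the config posted above. The unbound_acls check flags access-group lines that bind an ACL with no access-list entries in the new config; in the config posted in this thread that would be acl_dmz_2 and acl_hao, which deserve a look before pasting (whether the PIX accepts such a binding is not something this example asserts).

```python
# Added example, not from the thread. Assumptions: a pasted config MERGES
# into the running PIX 6.x config; 'no <line>' removes a line and '<line>'
# undoes 'no <line>'; ACL entries are order-sensitive, so a changed ACL is
# unbound, emptied and rebuilt; SINGLE_VALUED is a guess to adjust.
import re

# Saved-file metadata, not commands: never pushed and never negated.
METADATA = re.compile(r"^(PIX Version|Cryptochecksum|[:!])")

# Keywords whose new value replaces the old one, so they must not be negated.
SINGLE_VALUED = ("hostname", "enable password", "passwd", "pager lines",
                 "arp timeout", "timeout ", "mtu ", "interface ", "ip address ",
                 "telnet timeout", "ssh timeout", "terminal width",
                 "failover timeout", "failover poll")

# Constructed sample configs (documentation addresses), shaped like the
# 'write terminal' output posted in the thread.
OLD_CONFIG = """\
PIX Version 6.1(1)
hostname secure01
no fixup protocol smtp 25
access-list acl_hao permit tcp any host 192.0.2.10 eq telnet
access-list acl_hao permit tcp any host 192.0.2.10 eq www
access-list acl_out permit tcp any host 192.0.2.20 eq smtp
static (inside,dmz_2) 192.0.2.30 10.1.1.30 netmask 255.255.255.255 0 0
static (inside,dmz_2) 192.0.2.31 10.1.1.31 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group acl_hao in interface hao
telnet 10.1.1.5 255.255.255.255 inside
telnet timeout 5
Cryptochecksum:00000000000000000000000000000000
: end
"""
NEW_CONFIG = """\
PIX Version 6.1(1)
hostname secure01
access-list acl_hao permit tcp any host 192.0.2.10 eq www
access-list acl_out permit tcp any host 192.0.2.20 eq smtp
static (inside,dmz_2) 192.0.2.30 10.1.1.30 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group acl_hao in interface hao
access-group acl_dmz_2 in interface dmz_2
telnet 10.1.1.6 255.255.255.255 inside
telnet timeout 10
"""

def parse(text):
    """Command lines only: blanks and file metadata dropped, whitespace trimmed."""
    lines = [raw.strip() for raw in text.splitlines()]
    return [l for l in lines if l and not METADATA.match(l)]

def negate(line):
    """The command that undoes 'line': 'no X' undoes 'X', 'X' undoes 'no X'."""
    return line[3:] if line.startswith("no ") else "no " + line

def acl_ref(line):
    """ACL name an access-list or access-group line refers to, else None."""
    m = re.match(r"access-(?:list|group) (\S+)", line)
    return m.group(1) if m else None

def changed_acls(old, new):
    """ACL names whose entries differ in content or order between the configs."""
    def entries(lines):
        acls = {}
        for l in lines:
            if l.startswith("access-list "):
                acls.setdefault(acl_ref(l), []).append(l)
        return acls
    a, b = entries(old), entries(new)
    return {name for name in set(a) | set(b) if a.get(name) != b.get(name)}

def unbound_acls(lines):
    """access-group lines whose ACL has no access-list entries in this config."""
    defined = {acl_ref(l) for l in lines if l.startswith("access-list ")}
    return [l for l in lines
            if l.startswith("access-group ") and acl_ref(l) not in defined]

def delta(old_text, new_text):
    """Commands to paste under 'conf t' to move the running config from old to new."""
    old, new = parse(old_text), parse(new_text)
    old_set, new_set = set(old), set(new)
    rebuild = changed_acls(old, new)
    out = []
    # Removals first, walking the old config backwards so objects are unbound
    # before they are deleted (the access-group goes before its access-list).
    for l in reversed(old):
        if l.startswith(SINGLE_VALUED):
            continue  # the new value simply overwrites it
        if acl_ref(l) in rebuild or l not in new_set:
            out.append(negate(l))
    # Then additions, in the order the new config lists them.
    for l in new:
        if acl_ref(l) in rebuild or l not in old_set:
            out.append(l)
    return out

if __name__ == "__main__":
    for problem in unbound_acls(parse(NEW_CONFIG)):
        print("# review: bound ACL has no entries: " + problem)
    print("\n".join(delta(OLD_CONFIG, NEW_CONFIG)))
```

Read the output before pasting it: it is exactly the list of "no" lines and new lines you would otherwise type by hand, so anything surprising in it is a problem with one of the two input files. Note that the sample output removes the old "telnet ... inside" management host; if you are connected from that host over telnet, that line cuts your own session, which is one more reason to do the work from the console, as the thread suggests, and to keep the full backup to hand.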

clarkeyi (Author) commented:
Sorry, I am a bit lost here.
What I was going to do was:

1) Back up the original config (I have done this).
2) Delete the existing config from the PIX and paste the new rules above into a txt file.
3) Upload the new txt file.
4) Copy to memory.

I was not going to amend the new config (above), just upload it onto the PIX.

I was hoping it was that simple. Is it?

Please say YES!!!


YES! as long as you delete the existing config first...
clarkeyi (Author) commented:
Yes, you are a star!!
