  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 580

Best ways to amend an out-of-date PIX configuration - Cisco PIX 515UR

Hello

I have been given the task of updating our PIX Firewall v6.1(1).
At the moment its configuration points to old servers, out-of-date access-lists and redundant groups.
I have been given the new config, so it is a case of amending and deleting entries.
My question is: what is the best/safest way to go about removing entries? This is being done on a weekend and I don't want to come in Monday morning with havoc in the office.
I have added a few lines that need removing.

static (inside,dmz_2) xx.xx.xx.xx xx.xx.xx.xx netmask 255.255.255.255 0 0
static (inside,dmz_2) xx.xx.xx.xx xx.xx.xx.xx netmask 255.255.255.255 0 0
static (inside,dmz_2) xx.xx.xx.xx xx.xx.xx.xx netmask 255.255.255.255 0 0
static (inside,dmz_2) xx.xx.xx.xx xx.xx.xx.xx netmask 255.255.255.255 0 0
static (inside,dmz_2) xx.xx.xx.xx xx.xx.xx.xx netmask 255.255.255.255 0 0
static (inside,dmz_2) xx.xx.xx.xx xx.xx.xx.xx netmask 255.255.255.255 0 0
static (inside,dmz_2) xx.xx.xx.xx xx.xx.xx.xx netmask 255.255.255.255 0 0
static (inside,dmz_2) xx.xx.xx.xx xx.xx.xx.xx netmask 255.255.255.255 0 0

access-list acl_hao permit tcp any host xx.xx.xx.xx eq telnet
access-list acl_hao permit tcp any host xx.xx.xx.xx eq ftp
access-list acl_hao permit tcp any host xx.xx.xx.xx eq www
access-list acl_hao permit tcp any host xx.xx.xx.xx eq cmd
access-list acl_hao permit tcp any host xx.xx.xx.xx range 4500 4505
access-list acl_hao permit tcp any host xx.xx.xx.xx range 4000 4499

1) Are there quick ways to delete access-lists, as there are hundreds in this configuration?
2) I have been given the new config. Is it safe to put this in a txt file and FTP it over the original config? Is this easily/safely done?

Thanks for any advice.

Asked by clarkeyi

nodisco commented:
You can set up a TFTP server and firstly back up your config - download one if you don't have one already:
http://www.solarwinds.net/Tools/Free_tools/TFTP_Server/
You can then TFTP the config back to your PIX if it is a config file.
Just curious - how come you have a copy of the new config - who wrote it - are they sure it will work? It just seems a little unusual for someone to be given the task of updating someone else's config (and taking the responsibility for problems!)

The other way to do it would be to save the current config, delete it and reload the PIX.
write erase    (deletes it)
reload         (reloads the PIX)

After the reload you will be prompted to go into setup mode - answer no.

Open up the config in WordPad/Notepad, select it all and copy.

In the HyperTerminal session:
type conf t
and then select Edit - Paste to Host

Save the config:

write mem

and you're set. You would want to be absolutely sure that this config is OK though.



clarkeyi (Author) commented:
Thanks for the advice. The new config was written by somebody who feels he is not confident enough to make the changes!!
So I am going to do it.
Does anyone know of a PIX simulator to test a few things on?

Cheers
lrmoore commented:
The only PIX simulator is a PIX. Get a 501 on eBay for cheap...
 
nodisco commented:
The other guy wrote it but is not confident enough to implement it? You're a better man than I, clarkeyi!
Best of luck
clarkeyi (Author) commented:
If it all screws up and I have the backup config file, I take it it is just a case of TFTPing the old config back and overwriting it again???
(I hope)

 
nodisco commented:
Correct. As long as you have the original. I would also make a "copy and paste" copy of it to a Notepad file - just to be extra careful in case the image were to corrupt. It's never happened to me - but it will do no harm to be safe.
clarkeyi (Author) commented:
Cheers

So when TFTPing, it transfers as an image and not a standard txt file?
I have installed the SolarWinds TFTP software. Will running the TFTP command to the server's IP address know a TFTP application is installed?

Cheers
nodisco commented:
Yes - it transfers an image.
And yes - by TFTPing from the PIX to the server's IP address, the PIX will "see" the TFTP server running and copy the file into your specified TFTP folder.

To see it in action, run the SolarWinds software and transfer a file - you will see the transfer information appearing in the SolarWinds application when you issue the command on the PIX.

cheers
clarkeyi (Author) commented:
I have the new config in a txt file. How do I make this into a config file in order to TFTP it to the PIX to implement these new settings?
nodisco commented:
I don't know if it's possible to "change" the file to a config file from text - I don't really see the point, as it's going to be just as quick to paste the txt config back to the PIX.

See my first post
*********
Open up the config in WordPad/Notepad, select it all and copy.

In the HyperTerminal session:
type conf t
and then select Edit - Paste to Host

Save the config:

write mem
*********

lrmoore commented:
All config files are simple text files. Period.
There is no "conversion" necessary.
Edit the file to your heart's content using notepad or something. Call it mypixconfig.txt
When you want to reload it back to the PIX, when it asks for the file name, just put in "mypixconfig.txt"
Badabing!
clarkeyi (Author) commented:
Cheers for all of your information. Once I get this out of the way I will feel better, but being the 1st time I have made changes in a live environment I want to be 100% sure I have got it all right or else it is back to Job serve on Monday!!
Thanks again
clarkeyi (Author) commented:
Below is the config I have been given. Will I need to remove any lines such as password referrals or the cryptochecksum? Once I upload the new image, will the passwords be lost?

PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz_1 security20
nameif ethernet3 dmz_2 security15
nameif ethernet4 hao security10
nameif ethernet5 inactive security25

enable password <removed> encrypted
passwd <Removed> encrypted
hostname secure01

fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
no names


access-list acl_out permit tcp any host xx.xx.xx.xx eq smtp
access-list acl_dmz_1 permit tcp host xx.xx.xx.xx host xx.xx.xx.xx eq smtp



pager lines 24
logging on
logging timestamp
logging console errors
logging trap errors
logging history errors
logging host inside 100.6.250.2

interface ethernet0 10baset
interface ethernet1 100full
interface ethernet2 10full
interface ethernet3 10baset
interface ethernet4 10baset
interface ethernet5 10baset shutdown
icmp deny any echo-reply outside
icmp permit any unreachable outside
mtu outside 1500
mtu inside 1500
mtu dmz_1 1500
mtu dmz_2 1500
mtu hao 1500
mtu inactive 1500
ip address outside xx.xx.xx.xx 255.255.255.240
ip address inside xx.xx.xx.xx 255.255.255.248
ip address dmz_1 xx.xx.xx.xx 255.255.0.0
ip address dmz_2 xx.xx.xx.xx 255.255.255.240
ip address hao xx.xx.xx.xx 255.255.255.248
ip address inactive xx.xx.xx.xx 255.255.255.248  

ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz_1 0.0.0.0
failover ip address dmz_2 0.0.0.0
failover ip address hao 0.0.0.0
failover ip address inactive 0.0.0.0

pdm history enable
arp timeout 14400
global (outside) 1 xx.xx.xx.xx
global (hao) 1 xx.xx.xx.xx
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz_2) 1 xx.xx.xx.xx 255.255.255.255 0 0


static (inside,dmz_1) xx.xx.xx.xx xx.xx.xx.xx netmask 255.255.255.255 0 0
static (inside,dmz_1) xx.xx.xx.xx xx.xx.xx.xx netmask 255.255.255.255 0 0


static (dmz_1,outside) xx.xx.xx.xx xx.xx.xx.xx netmask 255.255.255.255 0 0


access-group acl_out in interface outside
access-group acl_dmz_1 in interface dmz_1
access-group acl_dmz_2 in interface dmz_2
access-group acl_hao in interface hao


route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1

route inside xx.xx.xx.xx 255.0.0.0 xx.xx.xx.xx 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius

no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable

no sysopt route dnat

telnet xx.xx.xx.xx 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:cryptochecksum
lrmoore commented:
Here's the real key:
  ONLY put the changes in the "new" config.
Copying it over the existing one will only "merge" the two and not overwrite the existing one.
I would keep one complete copy of the existing, unchanged.
Make one edited copy with just the changes. Remember that some lines will have to have a "no" to remove them before a new line can take their place.
After you make the changes to the PIX, be sure to back up a copy of the new complete config.
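The merge behaviour lrmoore describes, together with the question earlier in the thread about removing hundreds of stale access-list and static entries, can be handled by generating the "no" lines mechanically from the old and new configs. This is an added example in Python, not code from the thread; the ACCUMULATING and SKIP lists are assumptions about which PIX 6.x commands add entries versus overwrite a setting, and the sample configs are constructed.

```python
"""Build a PIX 6.x merge script: negate stale entries first, then add new lines.

Added example, not code from the thread. A pasted config merges with the running
config, so stale accumulating entries (access-lists, statics, routes...) only go
away when negated with "no". ACCUMULATING/SKIP are assumptions; configs are constructed.
"""

# Commands that add an entry rather than overwrite a single setting (assumed list).
ACCUMULATING = ("access-list ", "static ", "route ", "nat ", "global ", "telnet ", "ssh ")
# Never pasted: version banner, checksum and credentials (these stay as configured).
SKIP = ("PIX Version", "Cryptochecksum:", "enable password", "passwd ")


def parse(config_text):
    """Return the config's command lines, whitespace-normalised, minus SKIP lines."""
    lines = []
    for raw in config_text.splitlines():
        line = " ".join(raw.split())
        if line and not line.startswith(SKIP):
            lines.append(line)
    return lines


def build_merge_script(running_text, target_text):
    """Commands to paste under 'conf t' so the running config becomes the target."""
    running, target = parse(running_text), parse(target_text)
    running_set, target_set = set(running), set(target)
    # Stale accumulating entries survive a paste unless negated, so they go first.
    removals = ["no " + line for line in running
                if line not in target_set and line.startswith(ACCUMULATING)]
    # Single-valued settings (timeouts, fixups) are overwritten just by re-issuing them.
    additions = [line for line in target if line not in running_set]
    return removals + additions


RUNNING_CONFIG = """
PIX Version 6.1(1)
fixup protocol smtp 25
access-list acl_hao permit tcp any host 192.0.2.10 eq telnet
static (inside,dmz_2) 192.0.2.20 10.0.0.20 netmask 255.255.255.255 0 0
timeout xlate 3:00:00
Cryptochecksum:constructed
"""
TARGET_CONFIG = """
PIX Version 6.1(1)
no fixup protocol smtp 25
access-list acl_out permit tcp any host 192.0.2.30 eq smtp
timeout xlate 1:00:00
Cryptochecksum:constructed
"""

if __name__ == "__main__":
    print("\n".join(build_merge_script(RUNNING_CONFIG, TARGET_CONFIG)))
```

Review the generated script against the backed-up config before pasting it; anything not in ACCUMULATING is assumed to be overwritten by re-issuing the line, which is not true for every PIX command.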

clarkeyi (Author) commented:
Sorry, I am a bit lost here.
What I was going to do was:

1) Back up the original config. (I have done this)
2) Delete the existing config from the PIX and paste the new rules above into a txt file
3) Upload the new txt file
4) Copy to memory

I was not going to amend the new config (above), just upload it on to the PIX.

I was hoping it was that simple, is it?

Please say YES!!!

Cheers

Ian
lrmoore commented:
YES! as long as you delete the existing config first...
clarkeyi (Author) commented:
Yes, you are a star!!
cheers

Ian