Best ways to amend an out-of-date PIX configuration - Cisco PIX 515UR

Posted on 2005-03-10
Last Modified: 2013-11-16
Hello

I have been given the task of updating our PIX Firewall v6.1(1).
At the moment it has a configuration that points to old servers, out-of-date access-lists and redundant groups.
I have been given the new config, so it is a case of amending and deleting entries.
My question is: what is the best/safest way to go about removing entries? This is being done on a weekend and I don't want to come in Monday morning with havoc in the office.
I have added a few lines that need removing.

static (inside,dmz_2) xx.xx.xx.xx xx.xx.xx.xx netmask 255.255.255.255 0 0
static (inside,dmz_2) xx.xx.xx.xx xx.xx.xx.xx netmask 255.255.255.255 0 0
static (inside,dmz_2) xx.xx.xx.xx xx.xx.xx.xx netmask 255.255.255.255 0 0
static (inside,dmz_2) xx.xx.xx.xx xx.xx.xx.xx netmask 255.255.255.255 0 0
static (inside,dmz_2) xx.xx.xx.xx xx.xx.xx.xx netmask 255.255.255.255 0 0
static (inside,dmz_2) xx.xx.xx.xx xx.xx.xx.xx netmask 255.255.255.255 0 0
static (inside,dmz_2) xx.xx.xx.xx xx.xx.xx.xx netmask 255.255.255.255 0 0
static (inside,dmz_2) xx.xx.xx.xx xx.xx.xx.xx netmask 255.255.255.255 0 0

access-list acl_hao permit tcp any host xx.xx.xx.xx eq telnet
access-list acl_hao permit tcp any host xx.xx.xx.xx eq ftp
access-list acl_hao permit tcp any host xx.xx.xx.xx eq www
access-list acl_hao permit tcp any host xx.xx.xx.xx eq cmd
access-list acl_hao permit tcp any host xx.xx.xx.xx range 4500 4505
access-list acl_hao permit tcp any host xx.xx.xx.xx range 4000 4499

1) Are there quick ways to delete access-lists, as there are hundreds in this configuration?
2) I have been given the new config. Is it safe to add this to a txt file and FTP it over the original config? Is this easily/safely done?

Thanks for any advice.

Question by:clarkeyi
17 Comments
 
LVL 19

Expert Comment

by:nodisco
ID: 13508246
You can set up a TFTP server and first back up your config - download one if you don't have one already:
http://www.solarwinds.net/Tools/Free_tools/TFTP_Server/
You can then TFTP the config back to your PIX if it is a config file.
Just curious - how come you have a copy of the new config? Who wrote it - are they sure it will work? It just seems a little unusual for someone to be given the task of updating someone else's config (and taking the responsibility for problems!)

The other way to do it would be to save the current config, delete it and reload the PIX.
write erase         deletes it
reload                reloads pix

After the reload - you will be prompted to go into setup mode - answer no.

open up the config in wordpad/notepad and select it all and copy

In hyperterminal session
type conf t
and then select edit -  paste to host

save the config

write mem

and you're set. You would want to be absolutely sure that this config is OK though.




Author Comment

by:clarkeyi
ID: 13508778
Thanks for the advice. The new config was written by somebody who feels he is not confident enough to make the changes!!
So I am going to do it.
Does anyone know of a PIX simulator to test a few things on?

Cheers
LVL 79

Expert Comment

by:lrmoore
ID: 13513408
The only PIX simulator is a PIX. Get a 501 on eBay for cheap...
LVL 19

Expert Comment

by:nodisco
ID: 13514935
The other guy wrote it but is not confident enough to implement it?  you're a better man than I clarkeyi !
Best of luck

Author Comment

by:clarkeyi
ID: 13556245
If it all screws up and I have the backup config file, I take it it is just a case of TFTP'ing the old config back and overwriting it again?
(I hope)

LVL 19

Expert Comment

by:nodisco
ID: 13556353
Correct. As long as you have the original. I would also make a "copy and paste" copy of it to a Notepad file - just to be extra careful in case the image were to corrupt. It's never happened to me - but it will do no harm to be safe.

Author Comment

by:clarkeyi
ID: 13560028
Cheers

So when TFTP'ing, does it transfer as an image and not a standard txt file?
I have installed the SolarWinds TFTP software. Will running the TFTP command to the server's IP address know a TFTP application is installed?

Cheers
LVL 19

Accepted Solution

by: nodisco (earned 1600 total points)
ID: 13563429
Yes - it transfers an image.
And yes - by TFTP'ing from the PIX to the server's IP address, the PIX will "see" the TFTP server running and copy the file into your specified TFTP folder.

To see it in action, run the SolarWinds software and transfer a file - you will see the transfer information appearing in the SolarWinds application when you issue the command on the PIX.

cheers

Author Comment

by:clarkeyi
ID: 13566637
I have the new config in a txt file. How do I make this a config file in order to TFTP it to the PIX to implement these new settings?
LVL 19

Expert Comment

by:nodisco
ID: 13566682
I don't know if it's possible to "change" the file to a config file from text - I don't really see the point, as it's going to be just as quick to paste the txt config back to the PIX.

See my first post
*********
open up the config in wordpad/notepad and select it all and copy

In hyperterminal session
type conf t
and then select edit -  paste to host

save the config

write mem
*********

LVL 79

Expert Comment

by:lrmoore
ID: 13566900
All config files are simple text files. Period.
There is no "conversion" necessary.
Edit the file to your heart's content using notepad or something. Call it mypixconfig.txt
When you want to reload it back to the PIX, when it asks for the file name, just put in "mypixconfig.txt"
Badabing!

Author Comment

by:clarkeyi
ID: 13573352
Cheers for all of your information. Once I get this out of the way I will feel better, but this being the first time I have made changes in a live environment, I want to be 100% sure I have got it all right or else it is back to Jobserve on Monday!!
Thanks again

Author Comment

by:clarkeyi
ID: 13573588
Below is the config I have been given. Will I need to remove any lines such as password references or the cryptochecksum? Once I upload the new image, will the passwords be lost?

PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz_1 security20
nameif ethernet3 dmz_2 security15
nameif ethernet4 hao security10
nameif ethernet5 inactive security25

enable password <removed> encrypted
passwd <Removed> encrypted
hostname secure01

fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
no names


access-list acl_out permit tcp any host xx.xx.xx.xx eq smtp
access-list acl_dmz_1 permit tcp host xx.xx.xx.xx host xx.xx.xx.xx eq smtp



pager lines 24
logging on
logging timestamp
logging console errors
logging trap errors
logging history errors
logging host inside 100.6.250.2

interface ethernet0 10baset
interface ethernet1 100full
interface ethernet2 10full
interface ethernet3 10baset
interface ethernet4 10baset
interface ethernet5 10baset shutdown
icmp deny any echo-reply outside
icmp permit any unreachable outside
mtu outside 1500
mtu inside 1500
mtu dmz_1 1500
mtu dmz_2 1500
mtu hao 1500
mtu inactive 1500
ip address outside xx.xx.xx.xx 255.255.255.240
ip address inside xx.xx.xx.xx 255.255.255.248
ip address dmz_1 xx.xx.xx.xx 255.255.0.0
ip address dmz_2 xx.xx.xx.xx 255.255.255.240
ip address hao xx.xx.xx.xx 255.255.255.248
ip address inactive xx.xx.xx.xx 255.255.255.248  

ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz_1 0.0.0.0
failover ip address dmz_2 0.0.0.0
failover ip address hao 0.0.0.0
failover ip address inactive 0.0.0.0

pdm history enable
arp timeout 14400
global (outside) 1 xx.xx.xx.xx
global (hao) 1 xx.xx.xx.xx
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz_2) 1 xx.xx.xx.xx 255.255.255.255 0 0


static (inside,dmz_1) xx.xx.xx.xx xx.xx.xx.xx netmask 255.255.255.255 0 0
static (inside,dmz_1) xx.xx.xx.xx xx.xx.xx.xx netmask 255.255.255.255 0 0


static (dmz_1,outside) xx.xx.xx.xx xx.xx.xx.xx netmask 255.255.255.255 0 0


access-group acl_out in interface outside
access-group acl_dmz_1 in interface dmz_1
access-group acl_dmz_2 in interface dmz_2
access-group acl_hao in interface hao


route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1

route inside xx.xx.xx.xx 255.0.0.0 xx.xx.xx.xx 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius

no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable

no sysopt route dnat

telnet xx.xx.xx.xx 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:cryptochecksum
LVL 79

Expert Comment

by:lrmoore
ID: 13573832
Here's the real key:
  ONLY put the changes in the "new" config.
Copying it over the existing one will only "merge" the two and not overwrite the existing one.
I would keep one complete copy of the existing config, unchanged.
Make one edited copy with just the changes. Remember that some lines will have to have a "no" to remove them before a new line can take their place.
After you make the changes to the PIX, be sure to back up a copy of the new complete config.

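The "changes only" file lrmoore describes can be generated rather than hand-written. The script below is an added example for this thread, not code from the original post or from Cisco: it reads the old and the new config as text, skips the lines that must never be pasted (PIX Version banner, Cryptochecksum, ": Saved" markers and both password lines, which is also why the existing passwords survive), emits "no <exact line>" for every old access-list, static, global, nat, route and similar entry that has no counterpart in the new config, emits changed single-instance lines (such as "no fixup protocol smtp 25") as-is since pasting them replaces the old setting, and lists anything it is not sure how to negate for manual review. The ADDITIVE and KEY_TOKENS tables are an assumption about PIX 6.x command syntax and are not exhaustive; the two sample configs are constructed for the demo. Read every emitted line before pasting it into "conf t".

```python
"""Turn an old and a new PIX 6.x config into a 'changes only' command list.

Added example for this thread, not code from the original post or from Cisco.
The command-family tables are assumptions about PIX 6.x syntax and are not
exhaustive: read every emitted line before pasting it.
"""
import re

# Never pasted: version banner, checksum, save marker and password lines
# (leaving the password lines out is what keeps the current passwords).
SKIP = re.compile(r"^(PIX Version|Cryptochecksum:|: |enable password|passwd )")

# Families where many lines with the same leading words coexist, so an old
# line must be removed explicitly with "no <exact line>".
ADDITIVE = ("access-list ", "static ", "global ", "nat ", "route ", "name ",
            "logging host ", "aaa-server ", "telnet ", "ssh ", "icmp ")

# Single-instance commands: the new line replaces the old one. The value is
# the number of leading tokens that identifies the instance being set.
KEY_TOKENS = {"hostname": 1, "ip address": 3, "ip audit": 3, "nameif": 2,
              "interface": 2, "mtu": 2, "fixup protocol": 3,
              "failover ip address": 4, "access-group": 5}


def normalize(line):
    return " ".join(line.split())


def is_additive(line):
    # "telnet timeout 5" / "ssh timeout 5" are single settings, not entries
    return line.startswith(ADDITIVE) and not line.startswith(("telnet timeout", "ssh timeout"))


def strip_no(line):
    return line[3:] if line.startswith("no ") else line


def key(line):
    """Identity used to match an old line against a new one."""
    if is_additive(line):
        return line                         # the whole line is the identity
    body = strip_no(line)                   # "no fixup ..." sets the same thing as "fixup ..."
    toks = body.split()
    for prefix, n in KEY_TOKENS.items():
        if body == prefix or body.startswith(prefix + " "):
            return " ".join(toks[:n])
    return " ".join(toks[:2])               # default: "timeout conn", "pager lines", ...


def negate(line):
    return strip_no(line) if line.startswith("no ") else "no " + line


def parse(text):
    lines = []
    for raw in text.splitlines():
        line = normalize(raw)
        if line and not line.startswith("!") and not SKIP.match(line):
            lines.append(line)
    return lines


def build_delta(old_text, new_text):
    """Return (commands to paste into 'conf t', old lines to review by hand)."""
    old, new = parse(old_text), parse(new_text)
    old_by_key = {key(ln): ln for ln in old}
    new_by_key = {key(ln): ln for ln in new}
    removals, additions, review = [], [], []
    for line in old:
        if key(line) in new_by_key:
            continue                        # kept, or replaced by a new line with the same key
        if is_additive(line):
            removals.append(negate(line))   # "no static ...", "no access-list ..."
        else:
            review.append(line)             # e.g. "pdm history enable" dropped: decide yourself
    for line in new:
        if old_by_key.get(key(line)) != line:
            additions.append(line)          # brand new, or changed in place
    commands = removals + additions         # remove old statics before new ones could overlap
    if any(strip_no(c).startswith(("static ", "global ", "nat ")) for c in commands):
        commands.append("clear xlate")      # translations built on old statics/NAT must go
    return commands, review


# Constructed sample configs (not the thread's real addresses), to show the output.
OLD_CONFIG = """PIX Version 6.1(1)
hostname secure01
enable password 2KFQnbNIdI.2KYOU encrypted
fixup protocol smtp 25
mtu outside 1500
pdm history enable
static (inside,dmz_2) 10.1.1.5 192.168.2.5 netmask 255.255.255.255 0 0
access-list acl_hao permit tcp any host 192.168.4.10 eq telnet
access-list acl_hao permit tcp any host 192.168.4.10 eq ftp
access-group acl_hao in interface hao
telnet timeout 5
Cryptochecksum:00000000000000000000000000000000
"""

NEW_CONFIG = """PIX Version 6.1(1)
hostname secure01
passwd 2KFQnbNIdI.2KYOU encrypted
no fixup protocol smtp 25
mtu outside 1500
access-list acl_hao permit tcp any host 192.168.4.10 eq ftp
access-list acl_hao permit tcp any host 192.168.4.10 eq www
access-group acl_hao in interface hao
telnet timeout 10
"""


def demo():
    return build_delta(OLD_CONFIG, NEW_CONFIG)


if __name__ == "__main__":
    cmds, todo = demo()
    print("\n".join(cmds))
    print("review by hand:", todo)
```

Run it against the saved backup and the file you were given, paste the printed commands into "conf t" on the console session, then "write mem" and take a fresh TFTP backup. Removals come out before additions so an old static is gone before a new one for the same address goes in, and "clear xlate" is appended whenever a static, global or nat line changed, because existing translations otherwise keep using the old mapping.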

Author Comment

by:clarkeyi
ID: 13575070
Sorry, I am a bit lost here.
What I was going to do was:

1) Back up the original config. (I have done this)
2) Delete the existing config from the PIX and paste the new rules above into a txt file
3) Upload the new txt file
4) Copy to memory

I was not going to amend the new config (above), just upload it on to the PIX.

I was hoping it was that simple, is it?

Please say YES!!!

Cheers

Ian
LVL 79

Expert Comment

by:lrmoore
ID: 13575262
YES! as long as you delete the existing config first...

Author Comment

by:clarkeyi
ID: 13575426
Yes, you are a star!!
cheers

Ian