
Cisco PIX Firewall Software

Guide for Cisco PIX 6.2 and 6.3 Users Upgrading to Cisco PIX Software Version 7.0

Table Of Contents

Guide for Cisco PIX 6.2 and 6.3 Users Upgrading to Cisco Security Appliance Software Version 7.0

Important Notes

Overview

At a Glance

Changed and Deprecated Commands

New Features

Changed and Deprecated Features and Commands

CLI Command Processor

Affected Commands

Upgrade Requirements

Change Impact

Conduits and Outbounds

Affected Commands

Upgrade Requirements

Change Impact

Converting conduit Commands to access-list Commands

Converting outbound Commands to access-list Commands

Fixups/Inspect

Affected Commands

Upgrade Requirements

Command Change Description

Change Impact

Interfaces

Affected Commands

Command Change Description

Upgrade Requirements

Change Impact

Access Control Lists (ACLs)

Affected Commands

Upgrade Requirements

Command Change Description

Change Impact

VPN

Affected Commands

Upgrade Requirements

Command Change Description

Change Impact

Failover

Important Notes

Affected Commands

Upgrade Requirements

Command Change Description

Change Impact

AAA

Affected Commands

Upgrade Requirements

Command Change Description

Change Impact

Management

Affected Commands

Upgrade Requirements

Command Change Description

Change Impact

OSPF

Affected Commands

Upgrade Requirements

Command Change Description

Change Impact

Media Gateway Control Protocol (MGCP)

Affected Commands

Upgrade Requirements

Configuring class-map, mgcp-map and policy-map for MGCP

Multicast

Background

Affected Commands

Upgrade Requirements

Command Change Description

Change Impact

NAT

Affected Commands

Upgrade Requirements

Command Change Description

Change Impact

Public Key Infrastructure (PKI)

Affected Commands

Upgrade Requirements

Command Change Description

Change Impact

Miscellaneous

Affected Commands

Upgrade Requirements

Command Change Description

Change Impact

Changes to Licenses

Prerequisites to Upgrading

Minimum Hardware Requirements

Minimum Software Requirements

Minimum Memory Requirements

Client PC Operating System and Browser Requirements

Minimum Connectivity Requirements

Upgrade Procedure

Important Notes

Basic Upgrade Procedure

Upgrading in Monitor Mode

Important Notes

Procedure

Upgrade Examples

Basic Upgrade from PIX Version 6.3 to Security Appliance Version 7.0

Assumptions

Before Upgrade

Upgrade

After Upgrade

Upgrading to a VPN Client with Remote Access

Assumptions

Before Upgrade

Upgrade

After Upgrade

Upgrading to Security Appliance Version 7.0 Using VLAN

Assumptions

Before Upgrade

Upgrade

After Upgrade

Upgrading to Security Appliance Version 7.0 with Voice Over IP

Assumptions

Before Upgrade

Upgrade

After Upgrade

Upgrading to Security Appliance Version 7.0 with Authentication

Assumptions

Before Upgrade

Upgrade

After Upgrade

Upgrading to Security Appliance Version 7.0 with Active/Standby Failover

Assumptions

Overview

Upgrading the Active PIX

Upgrading the Standby PIX

Upgrading to Security Appliance Version 7.0 with Conduits

Assumptions

Before Upgrade

Upgrade

After Upgrade

Syslog (System Log Message) Changes and Deletions

Changed Syslog Messages

Deleted Syslog Messages

Downgrade Procedure

Guidelines for Downgrading

Downgrade Procedure

Configuration Examples

Obtaining Documentation

Cisco.com

Product Documentation DVD

Ordering Documentation

Documentation Feedback

Cisco Product Security Overview

Reporting Security Problems in Cisco Products

Obtaining Technical Assistance

Cisco Technical Support & Documentation Website

Submitting a Service Request

Definitions of Service Request Severity

Obtaining Additional Publications and Information


Guide for Cisco PIX 6.2 and 6.3 Users Upgrading to Cisco Security Appliance Software Version 7.0


This guide describes how to upgrade from Cisco PIX Version 6.3 or 6.2 to Cisco PIX Security appliance Version 7.0. The upgrade to PIX Security appliance Version 7.0 is generally seamless, and requires little manual intervention on your part. This guide describes the changed and deprecated features and commands in detail. Examples of these changes are also included. New features added in PIX Security appliance Version 7.0 are briefly introduced in this guide.

The target audience for this guide is a security appliance administrator with an understanding of CLI commands and features, and experience configuring PIX.

Important Notes


Caution You must review the "Prerequisites to Upgrading" section and the "Upgrade Procedure" section in this guide before downloading PIX Security appliance Version 7.0 to your security appliance. Failure to do so may result in installation failures.

The PIX Security appliance Version 7.0 runs on PIX 515/515E, PIX 525, and PIX 535, but is not supported on the PIX 501 or PIX 506/506E platforms at this time.

PIX 515/515E systems shipped before the general availability of PIX Security appliance Version 7.0 require a mandatory memory upgrade. See the "Minimum Memory Requirements" section for more information.

Sharing a Stateful Failover interface with a regular firewall interface is not a supported configuration in PIX Security appliance Version 7.0. This restriction was true for PIX Version 6.3 and earlier versions, however, it was not enforced by the software. It is enforced in PIX Security appliance Version 7.0. If you do not have a dedicated interface for the Stateful Failover link, you must change your PIX Version 6.3 configuration manually before upgrading to PIX Security appliance Version 7.0. Failure to do so will result in errors during the configuration upgrade performed by PIX Security appliance Version 7.0. See the "Failover" section.

Use of the PIX Version 6.3 npdisk utility, such as password recovery, will corrupt the PIX Security appliance Version 7.0 image and will require that you restart your system from monitor mode, and could cause you to lose your previous configuration, security kernel, and key information. See the "Upgrading in Monitor Mode" section.

Unless otherwise specified, all references in this guide that apply to PIX Version 6.3 also apply to PIX Version 6.2.

PDM does not run on PIX Version 7.0. You must upgrade the device manager to ASDM 5.0. See the ASDM release notes for information about installing ASDM on the security appliance.

This guide includes the following sections:

Overview

New Features

Changed and Deprecated Features and Commands

Conduits and Outbounds

Fixups/Inspect

Interfaces

Access Control Lists (ACLs)

VPN

Failover

AAA

Management

OSPF

Media Gateway Control Protocol (MGCP)

Multicast

NAT

Public Key Infrastructure (PKI)

Miscellaneous

Changes to Licenses

Prerequisites to Upgrading

Upgrade Procedure

Upgrade Examples

Syslog (System Log Message) Changes and Deletions

Obtaining More Information

Obtaining Documentation

Documentation Feedback

Cisco Product Security Overview

Obtaining Technical Assistance

Obtaining Additional Publications and Information

Overview

As a result of extensive enhancements and improvements made in PIX Security appliance Version 7.0, a number of existing CLI commands have been changed or deprecated (see Table 1). The PIX Security appliance Version 7.0 also includes over 50 new features, which are listed in the "New Features" section, and described in greater detail in other PIX Security appliance Version 7.0 documents.

Deprecated commands generally are automatically converted to the new syntax. The PIX Security appliance Version 7.0 then accepts only the new commands; a syntax error results when using the old commands.

At a Glance

Highlights of the changes in the PIX Security appliance Version 7.0 include:

New minimum memory requirements for PIX 515/515E devices (see the "Upgrade Procedure" section).

The fixup command has been deprecated and has been replaced with the inspect command (see the "Fixups/Inspect" section).

Support has been removed for the outbound and conduit commands (see the "Conduits and Outbounds" section).

The operation of the no, clear, and show commands has changed significantly (see the "CLI Command Processor" section).

Access lists no longer need to be compiled, affecting the access-list <id> compiled, access-list compiled commands (see the "Access Control Lists (ACLs)" section).

The aaa-server command has added two new configuration modes: key and timeout (see "AAA" section).

The interface command and the isakmp, crypto-map, and vpngroup commands have been enhanced to be hierarchical (see the "Interfaces" section and the "VPN" section).

The failover command has changed to create more uniformity within the command (see the "Failover" section).

Commands, such as the AAA, have changed to allow configuration of more specific parameters (see the "AAA" section).

The mgcp command has moved under the mgcp-map command (see the "Media Gateway Control Protocol (MGCP)" section).

The copy command applies to the new Flash filesystem; the syntax has changed, with the copy options now at the beginning of the command instead of at the end (see the "Management" section).

Configuration modes have been introduced to the interface command, with interface-specific OSPF parameters now configured in interface configuration mode (see the "OSPF" section).

Multicast commands have changed to accommodate PIM Sparse Mode (PIM-SM) and to align the PIX Security appliance Version 7.0 and Cisco IOS software multicast implementations (see the "Multicast" section).

The PIX Security appliance Version 7.0 default NAT posture allows hosts on high security interfaces to communicate with low security interfaces without configuring NAT. The nat-control command has been added to maintain existing PIX Version 6.3 NAT requirements and will be implemented by default on systems upgrading to the PIX Security appliance Version 7.0. Using the no nat-control command will reinstate the default PIX Security appliance Version 7.0 posture (see the "NAT" section).

Some of the keywords of the established command have been deprecated. Also, changes to the sysopt command have been introduced. In PIX Security appliance Version 7.0, the flashfs commands are not supported. In PIX Version 6.3, the TCP option 19 used by BGP MD5 was automatically allowed, but in PIX Security appliance Version 7.0, an extra configuration is required. See the "Miscellaneous" section.

Command completion and mode navigation have changed.


Note The IPSec tunnel idle timeout behavior has changed between Versions 6.3 and 7.0. In Version 6.3, the idle timeout was applicable only to VPN client connections. In Version 7.0, the 30-minute idle timeout applies to both client and LAN-to-LAN tunnels. To remove the idle timeout on LAN-to-LAN tunnels and restore the 6.3 behavior, you must create a new group-policy and specify none for the vpn-idle-timeout value. For example:

group-policy L2L internal
group-policy L2L attributes
vpn-idle-timeout none

Then, to ensure the new group-policy takes effect, you must apply it to each LAN-to-LAN tunnel-group. For example:

tunnel-group ip_address general-attributes
default-group-policy L2L

Changed and Deprecated Commands

Most changed and deprecated features and commands will be converted automatically when PIX Security appliance Version 7.0 boots on your system, with a few requiring manual intervention before or during the upgrade. See the "Changed and Deprecated Features and Commands" section for more details.

Table 1 lists the commands for both the automatic and manual conversions.

Table 1 Command Changes Overview

Command/Description | Brief Description | For More Information
--- | --- | ---
aaa-server | Changed | AAA
aaa-server radius-authport | Changed | AAA
aaa-server radius-acctport | Changed | AAA
auth-prompt | Changed | AAA
access-list compiled | Deprecated | Access Control Lists (ACLs)
access-list <id> compiled | Deprecated | Access Control Lists (ACLs)
ca | Changed | Public Key Infrastructure (PKI)
ca generate/ca zeroize | Deprecated | Public Key Infrastructure (PKI)
ca identity/ca configure | Deprecated | Public Key Infrastructure (PKI)
ca authenticate | Deprecated | Public Key Infrastructure (PKI)
ca enroll | Deprecated | Public Key Infrastructure (PKI)
ca crl | Deprecated | Public Key Infrastructure (PKI)
ca subject-name | Deprecated | Public Key Infrastructure (PKI)
ca save all | Deprecated | Public Key Infrastructure (PKI)
ca verifycertdn | Deprecated | Public Key Infrastructure (PKI)
conduit | Deprecated | Conduits and Outbounds
copy capture | Changed | Management
crashinfo | Changed | Management
crypto dynamic-map | Changed | VPN
crypto ipsec | Changed | VPN
crypto-map | Changed | VPN
dhcpd auto_config | Changed | Management
duplex | Changed to a new interface configuration mode command | Interfaces
established | Changed | Miscellaneous
failover | Changed | Failover
fixup | Changed to inspect command | Fixups/Inspect
flashfs | Not supported | Miscellaneous
floodguard | Deprecated | AAA
interface | Used to enter interface configuration mode command | Interfaces
ipaddress | Converted to interface configuration mode command | Interfaces
igmp max-groups | Changed | Multicast
isakmp | Changed | VPN
mgcp | Changed | Media Gateway Control Protocol (MGCP)
mroute | Changed | Multicast
multicast interface | Deprecated | Multicast
nameif | Converted to interface configuration mode command | Interfaces
nat-control | no version maintains NAT security on interfaces | NAT
ospf configuration mode commands | Configuration mode commands under routing interface command - converted automatically to interface configuration mode | OSPF
pager | Changed | Management
pdm location | Changed | Management
pdm group | Changed | Management
pdm logging | Changed | Management
routing interface | See ospf configuration mode command | OSPF
security-level | New interface configuration mode command | Interfaces
set ip next-hop | Deprecated | OSPF
set metric-type | Changed | OSPF
show snmp-server | Changed | CLI Command Processor
shutdown | New interface configuration mode command | Interfaces
speed | New interface configuration mode command | Interfaces
ssh | Changed | Management
sysopt permit pptp, sysopt permit l2tp | Deprecated | Miscellaneous
telnet | Changed | Management
tftp-server | Changed | Management
url-server | Changed | Miscellaneous
vlan | New interface configuration mode command | Interfaces
vpdn | Changed | VPN
vpngroup | Changed | VPN


New Features

The primary focus of this guide is to describe changed and deprecated features and commands in the PIX Security appliance Version 7.0; however, this section includes an at-a-glance look at the new features. For more information on these features in PIX Security appliance Version 7.0 and their accompanying CLI commands, see the following documents:

Cisco PIX Security Appliance Command Reference, Version 7.0

Cisco Security Appliance CLI Configuration Guide, Version 7.0

Cisco ASA 5500 Series Release Notes

Adaptive Security Device Manager Online Help (previously known as PIX Device Manager, or PDM)

The PIX Security appliance Version 7.0 introduces the following new features:

Advanced Firewall Services

Cisco Modular Policy Framework

Advanced Web Security Services

Tunneling Application Control

Security Contexts

Layer 2 Transparent Firewall

FTP Session Command Filtering

Extended Simple Mail Transport Protocol (ESMTP) Email Inspection Services

3G Mobile Wireless Security Services

Sun RPC/NIS+ Inspection Services

Internet Control Message Protocol (ICMP) Inspection Services

Enhanced TCP Security Engine

Outbound Access Control Lists (ACLs)

Time-based ACLs

Enable/Disable Individual ACL Entries

Improved Websense URL Filtering Performance

Voice over IP and Multimedia Security Services

T.38 Fax over IP (FoIP)

Gatekeeper Routed Control Signaling (GKRCS)

Fragmented and Segmented Multimedia Stream Inspection

MGCP Address Translation Services

RTSP Address Translation Services

Robust IPSec VPN Services

VPN Client Security Posture Enforcement

VPN Client Blocking by Operating System and Type

Automatic VPN Client Software Updates

Improved Support for Non-Split Tunneling Remote Access VPN Environments

Enhanced VPN NAT Transparency

Native Integration with Popular User Authentication Services

OSPF Dynamic Routing over VPN Tunnels

Enhanced Spoke-to-Spoke VPN Support

Enhanced X.509 Certificate Support

Cisco IOS Software Certificate Authority Support

Resilient Architecture

Active/Active Stateful Failover

VPN Stateful Failover

Improved Failover Transition Times

Zero-Downtime Software Upgrades

Intelligent Networking Services

PIM Multicast Routing

QoS Services

IPv6 Networking

Common Security Level for Multiple Interfaces

Improved VLAN Capacity

Optional Address Translation Services

Flexible Management Solutions

Improved SNMP Monitoring

SSHv2 and Secure Copy Protocol (SCP)

Storage of Multiple Configurations in Flash Memory

Secure Asset Recovery

Scheduled System Reloads

Dedicated Out-of-Band Management Interface

Enhanced ICMP Ping Services

Command Line Interface (CLI) Usability Enhancements

SMTP Email Alerts

Administrative TACACS+ Accounting

RADIUS Accounting to Multiple Servers

Changed and Deprecated Features and Commands

This section describes the changed and deprecated features and commands in detail.


Note The automatic conversion of commands results in a change in your configuration. You should review the configuration changes made by PIX Security appliance Version 7.0 after booting to verify that the automatic changes made by the software are satisfactory. You should then save the configuration to Flash memory. Saving the new configuration to Flash memory prevents the system from converting your configuration again the next time PIX Security appliance Version 7.0 is booted.

Many existing CLI commands have been extended with new keywords and other command line options, due to new functionality introduced in PIX Security appliance Version 7.0.


The changed and deprecated features are as follows:

CLI Command Processor

Conduits and Outbounds

Fixups/Inspect

Interfaces

Access Control Lists (ACLs)

VPN

Failover

AAA

Management

OSPF

Media Gateway Control Protocol (MGCP)

Multicast

NAT

Public Key Infrastructure (PKI)

Miscellaneous

CLI Command Processor

As with PIX Version 6.3, PIX Security appliance Version 7.0 supports the CLI as a user interface for configuring, monitoring, and maintaining security appliances. The CLI parser capabilities have been enhanced in PIX Security appliance Version 7.0 to include Cisco IOS software-like parser services, such as context-sensitive Help and command completion, resulting in some minor behavior changes compared to PIX Version 6.3.

Also, the show and clear commands in PIX Version 6.3 were applied inconsistently. In some cases, these commands were used to show and clear configuration objects; in other cases they were used to show and clear operational data/statistics. To make the behavior consistent and distinguish between operations on configuration versus statistics, the show and clear commands have been modified to require additional keywords.

The PIX Security appliance Version 7.0 also introduces minor changes in mode navigation and terminology so that it is closer to the Cisco IOS software CLI.

This section includes the following topics:

Affected Commands

Upgrade Requirements

Change Impact

Affected Commands

The following commands are affected in the upgrade to PIX Security appliance Version 7.0:

no

show

clear

In addition to the preceding commands, command completion, and mode navigation have changed in PIX Security appliance Version 7.0.

Upgrade Requirements

You must use the new forms of the no, show, and clear commands. Your system will output errors if you do not.

Change Impact

This section describes the impact that the changes will have on the CLI commands in PIX Security appliance Version 7.0.

Operational Changes

Context-Sensitive Help Changes

Command Syntax Checking

Mode Navigation and Terminology Changes

Operational Changes

The operation of the no, clear, and show commands has changed in PIX Security appliance Version 7.0, as follows:

The no variant no longer removes multiple lines of configuration simultaneously. In PIX Security appliance Version 7.0, the no variant removes a single configuration line only. For example, a single no access-list <access-list name> removes the following commands in PIX Version 6.3:

access-list myaccesslist extended permit tcp host 10.175.28.97 host 10.180.210.209 eq 37000
access-list myaccesslist extended permit tcp host 10.175.28.97 host 10.180.210.68 eq 37000
access-list myaccesslist extended permit tcp host 10.175.28.98 host 10.180.210.68 eq 37000

But in PIX Security appliance Version 7.0, the preceding commands are removed by using either the clear configure access-list <access-list name> command or by the following:

no access-list myaccesslist extended permit tcp host 10.175.28.97 host 10.180.210.209 eq 37000
no access-list myaccesslist extended permit tcp host 10.175.28.97 host 10.180.210.68 eq 37000
no access-list myaccesslist extended permit tcp host 10.175.28.98 host 10.180.210.68 eq 37000

Second example: a single no fixup protocol http command removes the following commands in PIX Version 6.3:

fixup protocol http 80
fixup protocol http 8080

But in PIX Security appliance Version 7.0, the preceding commands are removed by the following:

no inspect protocol http 80
no inspect protocol http 8080

The no variant removes configuration mode commands; both the command and all its configuration mode commands are removed. This behavior is the same in both PIX Version 6.3 and PIX Security appliance Version 7.0.

To clear a configuration, PIX Security appliance Version 7.0 supports only the use of the clear configure <cmd> command from configuration mode.

The following examples illustrate the use of the clear configure command:

PIX Version 6.3 | PIX Security appliance Version 7.0 | Notes
--- | --- | ---
clear access-list <access-list name> | clear configure access-list <access-list name> | If you use the no access-list <access-list name> command, you will receive an error message.
clear ssh | clear configure ssh |
clear crypto dynamic-map | clear configure crypto dynamic-map |


Note In PIX Version 6.3, the clear crypto command removed all crypto configurations other than certification authority (CA) configurations, such as trustpoints, certificates, and certificate maps. In PIX Security appliance Version 7.0, the clear configure crypto command removes all crypto configurations, including CA configurations. CA information is also displayed in the show crypto command output.


In PIX Version 6.3, the show snmp-server command displayed the running configuration. In PIX Security appliance Version 7.0, the show running-config snmp-server command displays the running configuration and the show snmp-server statistics command displays run-time information on SNMP.

The show <cmd> command shows statistics/buffer/counters and others. All show commands adhere to the model shown in the following example:

PIX Version 6.3 | PIX Security appliance Version 7.0
--- | ---
show crypto map | show running-config crypto map

Context-Sensitive Help Changes

Table 2 lists the context-sensitive Help changes in PIX Security appliance Version 7.0:

Table 2 Context-Sensitive Help Changes

Feature | PIX Version 6.3 | PIX Security appliance Version 7.0
--- | --- | ---
Command Completion | When TAB is entered, it is ignored. When ? is entered, the following message is displayed: "Type help or ? for a list of available commands." | You can type a partial command, then enter TAB to complete the command, or type a partial command, then enter ? to show all commands that begin with the partial command.
Command ? | The usage text for the command is displayed. | You can enter a command, followed by a space, and then type ? to show relevant input choices.
Command <keyword> ? | The usage text for the command is displayed. | Lists arguments that are available for the keyword.


Command Syntax Checking

Table 3 lists changes that occur as a result of the upgrade to PIX Security appliance Version 7.0:

Table 3 Command Syntax Checking

Feature | PIX Version 6.3 | PIX Security appliance Version 7.0
--- | --- | ---
Syntax error | An error message may be displayed followed by the usage text for the command. | PIX displays a ^ symbol to indicate the location of a command syntax error.
Incomplete command | An error message "Not enough arguments." may be displayed, followed by the usage text for the command. | PIX displays an `Incomplete command' message to indicate additional arguments are required.


Mode Navigation and Terminology Changes

The PIX Security appliance Version 7.0 introduces minor changes in mode navigation and terminology so that its behavior is more similar to the Cisco IOS software CLI.

Table 4 describes the mode navigation changes between PIX Version 6.3 and PIX Security appliance Version 7.0.

Table 4 Mode Terminology Changes

Mode/Command | PIX Version 6.3 | PIX Security appliance Version 7.0
--- | --- | ---
User EXEC Mode: Terminology | Unprivileged mode | User EXEC mode
User EXEC Mode: Exit Method | ^Z logs you out from the console. | ^Z not supported as an exit method; however, you can still use exit, quit or logout commands as in PIX Version 6.3. Entering ^Z will give the following error message: ERROR:% Invalid input detected at '^' marker.
Privileged EXEC Mode: Terminology | Privileged mode | Privileged EXEC mode
Privileged EXEC Mode: Exit Method | ^Z logs you out from the console. | ^Z not supported as an exit method; however, you can still use the exit, quit or logout commands as in PIX Version 6.3. Entering ^Z will give the following error message: ERROR:% Invalid input detected at '^' marker.
Global Configuration Mode: Terminology | Configuration mode | Global configuration mode
Command-Specific Configuration Mode: Terminology | Subcommand mode | Command-specific configuration mode


Conduits and Outbounds

The PIX Security appliance Version 7.0 does not support the conduit and outbound commands; however, it does support the widely used access list commands. The access list commands look more like Cisco IOS software commands and completely replace the conduit and outbound commands; they also introduce more functionality. If a PIX Version 6.3 system containing a configuration with conduit and/or outbound commands is upgraded to PIX Security appliance Version 7.0, it will output errors if you do not first migrate the conduit and outbound commands.

This section includes the following topics:

Affected Commands

Upgrade Requirements

Change Impact

Converting conduit Commands to access-list Commands

Converting outbound Commands to access-list Commands

Affected Commands

The following commands are affected in the upgrade to PIX Security appliance Version 7.0:

conduit

outbound

Upgrade Requirements

The PIX Security appliance Version 7.0 requires that you convert the conduit and outbound commands in your configuration to access control list (access-list) commands before performing an upgrade to PIX Security appliance Version 7.0.

Change Impact

Your system will output errors if you do not first migrate the conduit and outbound commands before performing an upgrade to PIX Security appliance Version 7.0. Use the following resources to assist you in this process:

The step-by-step instructions to convert the conduit commands to access-list commands and the outbound commands to outgoing command configurations are described in the "Converting conduit Commands to access-list Commands" section and the "Converting outbound Commands to access-list Commands" section. For additional details, see the Cisco PIX Firewall Command Reference, Version 6.3.

The PIX Outbound Conduit Converter is available to contracted users from the Cisco.com Software Center PIX directory at http://www.cisco.com/pcgi-bin/tablebuild.pl/pix. This is for registered customers only. To become a registered user, go to http://tools.cisco.com/RPF/register/register.do.

This tool facilitates the conversion of conduit and outbound commands to access control list configurations. However, due to the different nature of these access control methods, there may be some changes to the actual functionality and behavior, so this must be considered an aid and only a starting point. All configurations converted by the Outbound/Conduit Converter (OCC) tool must be verified and tested by the network security administrators familiar with the network in question and its security policies before being deployed.


Note The OCC tool does not support alias and policy nat commands. The OCC tool does not convert configuration combinations of both an exposure of all addresses behind an internal (higher security) interface, and either a default route to the same interface or commands enabling RIP/OSPF.


The Output Interpreter provides a web interface that takes your existing configuration as input and produces a modified configuration as its output. This tool is available at the following URL: https://www.cisco.com/cgi-bin/Support/OutputInterpreter/home.pl. This is for registered customers only. To become a registered user, go to http://tools.cisco.com/RPF/register/register.do. To use the Output Interpreter, ensure word wrapping is off in your terminal client and paste the complete captured output from the write terminal command or the show running-config command into the Output Interpreter. To use Output Interpreter, you must have JavaScript enabled. The same caveats regarding verification and testing previously discussed hold true for Output Interpreter configuration conversions.

With PIX Version 6.3, only inside hosts with last-octet addresses of 0 and 255 could initiate a connection to an outside interface. If a host connected to the outside interface tried to initiate a connection to an inside host with .0 or .255 in the last octet of its IP address, PIX Version 6.3 denied it.

With PIX Security appliance Version 7.0, connections from the outside hosts are not denied if an access-list permits them.

Converting conduit Commands to access-list Commands

To convert conduit command statements to access-list commands, perform the following steps:


Step 1 View the static command format. This command normally precedes both the conduit and access-list commands. The static command syntax is as follows.

static (high_interface,low_interface) global_ip local_ip netmask mask

For example:

static (inside,outside) 209.165.201.5 192.168.1.5 netmask 255.255.255.255

This command maps the global IP address 209.165.201.5 on the outside interface to the web server 192.168.1.5 on the inside interface. The 255.255.255.255 is used for host addresses.

Step 2 View the conduit command format. The conduit command is similar to the access-list command in that it restricts access to the mapping provided by the static command. The conduit command syntax is as follows.

conduit action protocol global_ip global_mask global_operator global_port [global_port] foreign_ip foreign_mask foreign_operator foreign_port [foreign_port]

For example:

conduit permit tcp host 209.165.201.5 eq www any

This command permits TCP for the global IP address 209.165.201.5 that was specified in the static command statement and permits access over port 80 (www). The "any" option lets any host on the outside interface access the global IP address.

The static command identifies the interface that the conduit command restricts access to.

Step 3 Create the access-list command from the conduit command options. The acl_name in the access-list command is a name or number you create to associate access-list command statements with an access-group or crypto map command statement.

Normally the access-list command format is as follows:

access-list acl_name [deny | permit] protocol src_addr src_mask operator port dest_addr dest_mask operator port

However, using the syntax from the conduit command in the access-list command, you can see how the foreign_ip in the conduit command is the same as the src_addr in the access-list command and how the global_ip option in the conduit command is the same as the dest_addr in the access-list command. The access-list command syntax overlaid with the conduit command options is as follows.

access-list acl_name action protocol foreign_ip foreign_mask foreign_operator foreign_port [foreign_port] global_ip global_mask global_operator global_port [global_port]

For example:

access-list acl_out permit tcp any host 209.165.201.5 eq www

This command identifies the access-list command statement group with the "acl_out" identifier. You can use any name or number for your own identifier. (In this example, the identifier "acl" is from ACL, which means access control list, and "out" is an abbreviation for the outside interface.) It makes your configuration clearer if you use an identifier name that indicates the interface to which you are associating the access-list command statements. The example access-list command, like the conduit command, permits TCP connections from any system on the outside interface. The access-list command is associated with the outside interface with the access-group command.

Step 4 Create the access-group command using the acl_name from the access-list command and the low_interface option from the static command. The format for the access-group command is as follows.

access-group acl_name in interface low_interface

For example:

access-group acl_out in interface outside

This command associates with the `acl_out' group of access-list command statements and states that the access-list command statement restricts access to the outside interface.


This completes the procedure for converting conduit commands to access-list commands.
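The four steps above can be carried out mechanically, which is useful when a configuration holds dozens of conduit statements and you want a first draft to review before the upgrade. The following Python script is an added example written for this guide; it is not Cisco's Outbound/Conduit Converter and not code from the PIX software. It assumes: the static statements use the netmask form shown in Step 1; ACL names are generated as acl_<low_interface> (the guide's acl_out is a hand-chosen name); a conduit whose global address does not match any static is bound to a default_interface argument (outside unless told otherwise); and the output uses the PIX 6.3 access-list syntax from Step 3, which Version 7.0 converts on boot. The sample configuration embedded at the bottom is constructed for the demonstration.

```python
"""Convert PIX 6.3 static/conduit statements to access-list/access-group form.

Added example for this guide (not Cisco's OCC tool). Steps follow the
"Converting conduit Commands to access-list Commands" procedure:
  1. read the static commands to learn which low interface each global_ip sits on,
  2. parse each conduit,
  3. emit an access-list with foreign side as source and global side as destination,
  4. bind each generated ACL inbound on its interface with access-group.
"""
import ipaddress
import re

# Port operators and how many port tokens follow each (assumption: tcp/udp only).
PORT_OPERATORS = {"eq": 1, "neq": 1, "lt": 1, "gt": 1, "range": 2}
STATIC_RE = re.compile(r"^static\s+\((\S+),(\S+)\)\s+(\S+)\s+(\S+)\s+netmask\s+(\S+)")


def _take_address(tokens, i):
    """Consume one address spec (any | host A | A MASK) at tokens[i]."""
    if tokens[i] == "any":
        return ["any"], i + 1
    if tokens[i] == "host":
        return ["host", tokens[i + 1]], i + 2
    return [tokens[i], tokens[i + 1]], i + 2


def _take_ports(tokens, i):
    """Consume an optional port spec (eq/neq/lt/gt PORT or range LO HI)."""
    if i < len(tokens) and tokens[i] in PORT_OPERATORS:
        width = 1 + PORT_OPERATORS[tokens[i]]
        return tokens[i:i + width], i + width
    return [], i


def _covers(global_spec, static_ip):
    """True when a conduit's global address spec covers a static's global_ip.

    A global spec of 'any' is not tied to a particular static, so the caller
    falls back to default_interface for it (assumption made in this example).
    """
    if global_spec == ["any"]:
        return False
    if global_spec[0] == "host":
        return global_spec[1] == static_ip
    net = ipaddress.ip_network(f"{global_spec[0]}/{global_spec[1]}", strict=False)
    return ipaddress.ip_address(static_ip) in net


def parse_statics(lines):
    """Step 1: map each static's global_ip to its low_interface."""
    statics = {}
    for line in lines:
        m = STATIC_RE.match(line.strip())
        if m:
            _high_if, low_if, global_ip = m.group(1), m.group(2), m.group(3)
            statics[global_ip] = low_if
    return statics


def convert_conduits(lines, default_interface="outside"):
    """Return access-list lines followed by one access-group per interface."""
    statics = parse_statics(lines)
    acl_lines, interfaces = [], []
    for line in lines:
        tokens = line.split()
        if not tokens or tokens[0] != "conduit":
            continue
        action, protocol = tokens[1], tokens[2]
        # Step 2: conduit = action protocol global [ports] foreign [ports] [rest]
        global_spec, i = _take_address(tokens, 3)
        global_ports, i = _take_ports(tokens, i)
        foreign_spec, i = _take_address(tokens, i)
        foreign_ports, i = _take_ports(tokens, i)
        rest = tokens[i:]  # e.g. an icmp type, copied through unchanged
        iface = next((low for ip, low in statics.items() if _covers(global_spec, ip)),
                     default_interface)
        acl_name = f"acl_{iface}"
        # Step 3: foreign side becomes src, global side becomes dest.
        acl_lines.append(" ".join(["access-list", acl_name, action, protocol]
                                  + foreign_spec + foreign_ports
                                  + global_spec + global_ports + rest))
        if iface not in interfaces:
            interfaces.append(iface)
    # Step 4: apply each ACL inbound on the interface the static identified.
    return acl_lines + [f"access-group acl_{i} in interface {i}" for i in interfaces]


# Constructed sample configuration (not from a real device).
SAMPLE_CONFIG = [
    "static (inside,outside) 209.165.201.5 192.168.1.5 netmask 255.255.255.255",
    "static (inside,dmz) 172.16.1.10 192.168.1.10 netmask 255.255.255.255",
    "conduit permit tcp host 209.165.201.5 eq www any",
    "conduit permit udp host 209.165.201.5 eq 53 10.0.0.0 255.0.0.0",
    "conduit permit tcp host 172.16.1.10 range 5000 5010 any",
    "conduit permit icmp any any echo-reply",
]

if __name__ == "__main__":
    for out_line in convert_conduits(SAMPLE_CONFIG):
        print(out_line)
```

The output is a starting point only, for the same reason the guide gives for the OCC tool: conduits and access lists differ in semantics (for example, a conduit with a global address of any applies to every lower-security interface, while the script binds it to a single default interface), so review every generated line against the intended policy before applying it.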

Converting outbound Commands to access-list Commands

The outbound command creates a list of access control rules that let you specify the following:

Whether inside users can create outbound connections

Whether inside users can access specific outside servers

What services inside users can use for outbound connections and for accessing outside servers

See the outbound list rules in the Cisco PIX Firewall Command Reference, Version 6.3.

Converting outbound Commands Applied to outgoing_src to access-list Commands

To convert outbound command statements to create an access list, perform the following steps:


Step 1 Review the access-list command format using the following existing PIX outbound configuration example:

outbound 1 deny   10.10.10.0 255.255.255.0 0
outbound 1 permit 10.10.20.20 255.255.255.255 0
outbound 1 except 192.168.10.1 255.255.255.255 0
apply (inside) 1 outgoing_src

The access-list command format (simplified version) is as follows:

access-list acl_name [deny | permit] protocol src_addr src_mask dest_addr dest_mask

Step 2 Verify that the IP addresses listed in the outbound configuration when applied to the outgoing_src command corresponds to the source address (src_addr) of the access list. The destination address (dest_addr) is equal to `any'