[c-nsp] Pix upload config

Voll, Scott Scott.Voll at wesd.org
Fri Aug 20 13:12:01 EDT 2004


We just put our ACL in notepad and paste it in with Tera Term.

Looks something like this:

conf term
no access-list acl_out
access-list acl_out permit 
access-list acl_out deny 
access-list acl_out deny ip 
access-list acl_out deny ip 
access-list acl_out deny ip 
access-list acl_out deny ip 
access-list acl_out deny ip 
access-list acl_out deny tcp 
access-group acl_out in interface OUTSIDE
access-list acl_out permit tcp 
access-list acl_out permit tcp 
Snip
access-list acl_out permit tcp 
access-list acl_out permit tcp any 
access-list acl_out permit tcp any 
access-list acl_out permit tcp any 
access-list acl_out permit tcp any 
access-list acl_out deny ip any any
access-group acl_out in interface OUTSIDE
exit

We just apply it to the interface multiple times during the paste.  Put
your most critical things at the beginning and you're good to go.  No one
even notices.

Scott

PS.  Our ACL is over 400 lines. And we are running 6.2 FOS
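The progressive re-apply Scott describes, as an added example that is not part of the thread: a POSIX shell function that turns a plain file of ACL entries into a paste-able PIX 6.x command block with `access-group` repeated every N entries, so the deny-all window after `no access-list` covers at most N entries rather than the whole 400-line list. The ACL name, interface name and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Emits a PIX 6.x style
# paste block: "conf term", "no access-list NAME", the entries with
# "access-group NAME in interface IFACE" re-issued every N entries, an
# explicit final deny, a last access-group and "exit".
# Usage: interleave_acl ACL_NAME IFACE N < entries.txt   (N must be > 0)
interleave_acl() {
    acl="$1"; iface="$2"; every="$3"
    n=0
    echo "conf term"
    echo "no access-list $acl"
    # read entries from stdin; "|| [ -n ... ]" keeps a last line with no newline
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue          # skip blank lines in the entries file
        echo "access-list $acl $line"
        n=$((n + 1))
        if [ $((n % every)) -eq 0 ]; then
            # re-bind the partially built list so traffic matching the
            # entries pasted so far is already allowed/denied as intended
            echo "access-group $acl in interface $iface"
        fi
    done
    # always close with an explicit deny-all and one final apply
    echo "access-list $acl deny ip any any"
    echo "access-group $acl in interface $iface"
    echo "exit"
}

# Constructed sample entries (documentation addresses, not a real policy).
SAMPLE_ENTRIES='permit tcp any host 192.0.2.10 eq 25
deny ip 10.0.0.0 255.0.0.0 any
deny ip 172.16.0.0 255.240.0.0 any
permit tcp any host 192.0.2.11 eq 80
permit tcp any host 192.0.2.11 eq 443'

# Convenience wrapper used below: build the paste for the sample, applying
# the access-group after every 2 entries.
build_sample() {
    printf '%s\n' "$SAMPLE_ENTRIES" | interleave_acl acl_out OUTSIDE 2
}
```

Redirect the output to a file and paste it into the terminal session as in Scott's workflow; the most critical permits should be first in the entries file so they are bound by the earliest `access-group`.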

-----Original Message-----
From: Marcelo Maraboli [mailto:marcelo.maraboli at usm.cl] 
Sent: Friday, August 20, 2004 9:50 AM
To: Ian Dickinson
Cc: chris neill; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Pix upload config

Ian.

I tried this and the "tftp-server" and "copy" commands
are only intended for FLASH or PDM upgrades or "write net",
but cannot do a "conf net" on a PIX (version 6.2)

I developed a shell script to generate an expect script
to connect via SSH to the pix and do a "conf t" and
all the "access-lists" commands by CLI....

this is a huge problem, because from the time I enter
"no access-list acl_outside", then "access-list...etc",
until I apply the "new" ACL with "access-group", the
PIX denies ALL traffic...which is about 2 minutes with
my long ACL... ;)

regards,

Ian Dickinson wrote:

> You can do this, but you must predefine the server etc...
> 
> tftp-server outside <IPaddress> <Pathname>
> 
> Ian
> 
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of chris neill
> Sent: 19 August 2004 23:30
> To: Marcelo Maraboli
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Pix upload config
> 
> 
> you have to conf net from a tftp server on a secure dmz..
> 
> On Thu, Aug 19, 2004 at 05:48:08PM -0400, Marcelo Maraboli wrote:
> 
>>Hi
>>
>>I cannot find a way to upload a config file to a 525 PIX,
>>just like the "conf net" on an IOS Cisco Router from a TFTP
>>server.....
>>
>>is that too insecure that the PIX has to be configured
>>manually ??? (by "conf t" each time ??)
>>
>>regards,
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
> 

-- 
Marcelo Maraboli Rosselott
Jefe Area de Redes           (Network & UNIX Systems Administrator)
Ingeniero Civil Electronico                   (Electronic Engineer)

Direccion Central de Servicios Computacionales (DCSC)
Universidad Tecnica Federico Santa Maria, Chile.
phone: +56 32 654237
mailto:marcelo.maraboli at dcsc.utfsm.cl	http://elqui.dcsc.utfsm.cl/
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/