20101122

PIX Firewalls Do Not Eat Large Amounts of Copypasta.

One of the appliances we use frequently here is the Cisco PIX firewall. These devices are excellent in that they help keep your network secure without you having to dedicate a computer to firewalling. They are not-so-excellent in that they're not user-friendly if you don't have much experience with the Cisco IOS, and the PDM doesn't always play nicely with commands entered from the console.

I've not had to worry about messing with these much since we have a Cisco guru in Switzerland, but since I needed to send a PIX to one of our new locations and he is unable to assist me remotely with this currently, I decided to get my hands dirty. Nothing major; just need to copy a config from one PIX to another. Easy, right?

Well, hrm. Doing a write net doesn't guarantee a good "image"; you can't just copy tftp://server/imagefile flash:image back over. The PIX tells you it's invalid.

Okay, no problem. I'll just do a config net to load the config.

Or not. Turns out the PIX config doesn't save in the same order as the commands must be entered.

So I spent today learning about the order in which the commands must be entered into the PIX firewall, and here's what it appears to be (after a write erase and reload):

  1. Interface- and IP-related commands

  2. Protocols

  3. Names

  4. Services (object-group and port-object commands)

  5. VPDN commands

  6. Sysopt commands to permit IPSec &/or PPTP

  7. Crypto commands (except match) and ISAKMP commands & keys

  8. ACLs

  9. Crypto match commands (to link the crypto maps with the ACLs)

  10. DHCPd commands

  11. Everything else (ICMP, PDM, NAT, AAA Server, SNMP, etc.).

I would suggest taking an existing config file and rearranging it for this purpose. Use Notepad++, since the config files use LFs only (as opposed to CR+LF).
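As an added example (my own script, not part of the original post), here is a small Python helper that regroups a saved PIX config into the eleven categories above. The category order comes from the post; which command keywords land in which category is my assumption and will need extending for commands not covered by the constructed sample.

```python
# Bucket order is the post's list; which PIX keywords go in each bucket is my assumption.
BUCKETS = [
    ("interface ", "nameif ", "ip ", "mtu "),            # 1 interface/IP
    ("fixup protocol ",),                                  # 2 protocols
    ("names", "name "),                                    # 3 names
    ("object-group ", "port-object ", "network-object "),  # 4 services
    ("vpdn ",),                                            # 5 vpdn
    ("sysopt ",),                                          # 6 sysopt
    ("crypto ", "isakmp "),                                # 7 crypto/isakmp
    ("access-list ",),                                     # 8 ACLs
    (),                                                    # 9 crypto match (see classify)
    ("dhcpd ",),                                           # 10 dhcpd
    (),                                                    # 11 everything else
]

def classify(line):
    cmd = line.strip()
    # 'crypto map ... match address <acl>' has to come after the ACL it names.
    if cmd.startswith("crypto map ") and " match address " in cmd:
        return 8
    for idx, prefixes in enumerate(BUCKETS):
        if cmd.startswith(prefixes):
            return idx
    return len(BUCKETS) - 1

def reorder_pix_config(text):
    """Regroup a 'write net' dump into the post's entry order. Relative order
    inside a bucket is kept, so indented sub-commands stay under their parent;
    blank and ':'-prefixed header lines are dropped; output is LF-only."""
    groups = [[] for _ in BUCKETS]
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith(":"):
            groups[classify(line)].append(line)
    return "\n".join(l for g in groups for l in g) + "\n"

# Constructed sample in scrambled order; addresses are documentation ranges.
SAMPLE_CONFIG = """: Saved
access-list vpn_acl permit ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0
crypto map outside_map 10 match address vpn_acl
crypto map outside_map 10 set peer 198.51.100.1
pdm history enable
interface ethernet0 auto
ip address inside 10.0.0.1 255.255.255.0
object-group service web tcp
 port-object eq www
fixup protocol http 80
name 10.0.0.50 fileserver
sysopt connection permit-ipsec
dhcpd address 10.0.0.100-10.0.0.200 inside
"""
```

Write the result with `open(path, "w", newline="\n")` so a Windows editor does not turn the line endings back into CR+LF before the file goes to the TFTP server.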

A colleague suggested that you can then copy/paste the config into the PIX, but, as the title of this post suggests, that doesn't work out so well. The PIX seems to take only the first 10-15 lines, skip several, take another 10-15 lines, skip several more, etc., until you're left with a fragmented, wonky configuration. This doesn't work too well, and copy/pasting 10 lines at a time can be tedious, depending on how long your configuration is and how many VPNs you have to different sites. Instead, you may want to do it via the config net command.

BEFORE DOING SO: Have a TFTP server ready that you can connect directly to the PIX (more info below). Don't try to hack this remotely.

Aaand once more, for the cheap seats:
CAUTION! Don't do this remotely or on a live system unless your connectivity is already botched and you know you have a good working config file!

With that said, here's how you load your newly-rearranged PIX configuration file:

  1. write erase

  2. reload

  3. no (When it asks you if you want managed setup)

  4. enable

  5. configure terminal

  6. interface eth0 auto

  7. interface eth1 100full

  8. ip address inside [ip] [netmask]

  9. config net [TFTPserver]:[reorderedfile]

For [ip] above, set it to the same IP range and subnet as your TFTP server. For mine, I loaded Solarwinds Free TFTP Server on a laptop and connected directly to the PIX via patch cable (port 1-4) for the TFTP connection, and used a Console cable for the actual Terminal connection. The [TFTPserver] above was my laptop's IP.

I keep seeing updated questions from people online regarding PIX firewalls, so I know I can't be the only person who works with them from time to time, despite the newer ASAs out there. Hopefully this information helps someone. Until next time!

Rob
