
Cisco PIX 500 Series Security Appliances

PIX Conduit and Outbound Feature Deprecation


November 04, 2003


Products Affected

Product                  Comments
PIX operating system     Cisco PIX Security Appliance Series operating system

Problem Description

PIX Security Appliance release 6.3 will be the last release to support the conduit and outbound commands. The Access Control List (ACL) commands access-list and access-group were introduced in PIX release 5.0 to supersede them and have since been enhanced by additional features such as TurboACL, object grouping and remarks. The next major PIX feature release will no longer support the conduit and outbound commands and all PIX systems using these commands must be completely migrated over to using ACL commands prior to being upgraded.

The conduit and outbound commands will continue to be supported in any future PIX maintenance releases produced for release 6.3 and earlier.

Background

The conduit command is used to permit or deny inbound connections through the PIX firewall. The conduit command functions by creating an exception to the PIX Adaptive Security Algorithm that permits connections from one PIX Firewall network interface to another. This exception is global and applies to all inbound connections from any lower security level interface to any higher security level interface.

The outbound command is used to permit or deny outbound connections through the PIX firewall. The outbound command is used in the creation of outbound filter lists which are applied to interfaces via the apply command.

The access-list and access-group commands are used to create Access Control Lists that permit or deny inbound or outbound connections through the PIX. Access Control Lists may be used in place of both conduit and outbound configurations, providing consistent and more flexible control of connections in either direction. Access Control Lists filter on source and destination addresses and ports, and are applied individually to each interface, allowing much more granular and secure control of connections passing through the PIX.

Problem Symptoms

Although the next major PIX feature release has not yet shipped, it is committed to dropping support for the conduit and outbound commands. If a PIX configured with those commands is upgraded to the next major feature release, it will report errors for the conduit and outbound commands in the configuration. These commands will no longer be recognized, so all PIX systems using them must be completely migrated to ACL commands prior to being upgraded; otherwise the functionality of the PIX will be severely impacted.

Workaround/Solution

All customers currently utilizing conduit and outbound commands in their PIX configurations are strongly encouraged to plan migration to Access Control Lists. There are several resources available to assist in this process.

The PIX Command Reference gives instructions on how to convert conduit commands to inbound Access Control List configurations. Refer to the Command Reference section on the conduit command.

The PIX Outbound Conduit Converter (OCC) is available to contracted customers from the Cisco.com Software Center PIX directory (registered customers only). This tool facilitates the conversion of conduit and outbound commands to Access Control List configurations. However, because these access control methods differ in nature, the converted configuration may not behave exactly like the original, so the tool must be considered an aid and only a starting point. All configurations converted by the OCC tool must be verified and tested by network security administrators familiar with the network in question and its security policies before being implemented.

The Cisco.com Output Interpreter (registered customers only) provides a web interface that also performs the conversion. Ensure word wrapping is off in your terminal client and paste the complete captured output from write terminal or show running-config into Output Interpreter. To use Output Interpreter, you must be a registered user, be logged in, and have JavaScript enabled. The same caveats regarding verification and testing hold true for Output Interpreter conversions.
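To make the conduit-to-ACL mapping described in the Background concrete, the following added example (a hypothetical helper written for this notice, not Cisco's OCC tool or Output Interpreter) rewrites PIX 6.x conduit lines as access-list lines and binds them with access-group. It assumes the conduit syntax shown in the header comment, an ACL name of acl_in and an outside interface, and covers only conduit statements, not outbound/apply lists; like the tools above, its output is a starting point that still needs review against the site's security policy.

```python
# Added example (hypothetical helper, not Cisco's OCC tool): rewrite PIX 6.x
# conduit statements as access-list lines plus one access-group binding.
# Assumed syntax: conduit permit|deny PROTO GLOBAL [DST_PORT_OP] FOREIGN [SRC_PORT_OP|ICMP_TYPE]
# where an address is 'any', 'host A.B.C.D' or 'A.B.C.D MASK' and a port operator is
# 'eq|neq|lt|gt PORT' or 'range LOW HIGH'. The destination stays the global
# (translated) address, which is what PIX 6.x inbound ACLs match on.
PORT_OPS = {"eq": 1, "neq": 1, "lt": 1, "gt": 1, "range": 2}  # operator -> argument count

def _take_addr(tokens, i):
    """Consume one address spec at tokens[i]; return (text, next_index)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return f"host {tokens[i + 1]}", i + 2
    return f"{tokens[i]} {tokens[i + 1]}", i + 2  # address followed by netmask

def _take_port_op(tokens, i):
    """Consume an optional port operator; return ('' if absent, next_index)."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        end = i + 1 + PORT_OPS[tokens[i]]
        return " ".join(tokens[i:end]), end
    return "", i

def conduit_to_acl(line, acl_name="acl_in"):
    """Translate one conduit line into an access-list line; None for anything else."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "conduit":
        return None
    action, proto = tokens[1], tokens[2]
    dst, i = _take_addr(tokens, 3)                     # global side -> ACL destination
    dst_port, i = _take_port_op(tokens, i) if proto in ("tcp", "udp") else ("", i)
    src, i = _take_addr(tokens, i)                     # foreign side -> ACL source
    src_port, i = _take_port_op(tokens, i) if proto in ("tcp", "udp") else ("", i)
    trailer = tokens[i:]                               # e.g. an ICMP type such as echo-reply
    fields = ["access-list", acl_name, action, proto, src, src_port, dst, dst_port]
    return " ".join(p for p in fields + trailer if p)

def convert_config(config, acl_name="acl_in", interface="outside"):
    """Rewrite every conduit line and bind the ACL to one interface. A conduit
    covers all lower-security interfaces, so add an access-group per extra interface."""
    acl = [a for a in (conduit_to_acl(l, acl_name) for l in config.splitlines()) if a]
    return acl + [f"access-group {acl_name} in interface {interface}"] if acl else []

# Constructed sample configuration (not captured from a real device).
SAMPLE = """\
conduit permit tcp host 192.0.2.5 eq www any
conduit permit udp host 192.0.2.6 eq 53 any gt 1023
conduit permit icmp any any echo-reply
conduit deny ip 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0
"""
```

Note that the address pairs swap order: a conduit names the global (destination) side first, while an access-list names the source first, and a port operator moves with the address it qualified.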

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

Receive Email Notification For New Field Notices

Product Alert Tool - Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.