I have a bunch of old PIXs someone left with conduits and outbounds, and I couldn't find anyone else who had written a script...so I made one myself. It should work with most configs. Like any translation, there are differences that can't be translated exactly, but it does 99% of the work. Someone else may find it useful.
Runs on UNIX with awk. Tested with standard linux and gawk 3.1.0.
#!/bin/sh
#
# Program to convert old conduit and outbound PIX configs to access-lists.
# This program attempts to convert conduits/outbounds to ACLs with the same function. Due to functionality
# differences, this is not always possible. Output will contain warnings if questionable commands are used.
#
# ACLs have an implicit DENY at the end, outbounds do not...THIS IS A HUGE DIFFERENCE and could block traffic!
# Again...verify all work before applying the output to a live PIX!!!!
#
# Written by: Will Morgan CCIE, CISSP
# Date Written: 02-12-02
# Date Modified: 02-14-02
# Version 2.01
# As this was written mostly in awk, it requires awk to run...duh.
#
# To report problems, or to comment email morgwil@hotmail.com
#
# Usage: pixconverter [-s] <file>
# "-s" will suppress WARNING messages
# The following lines parse the command line input for any options
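set -u
SILENT="no"
OLDCONFIG=""
while [ $# -gt 0 ]
do
  case "$1" in
    -s) SILENT="yes" ;;
    *) OLDCONFIG=$1 ;;
  esac
  shift
done
# Refuse to run without a readable config instead of letting the copy below
# fail half way and leave a partial temp file behind.
if [ -z "$OLDCONFIG" ] || [ ! -r "$OLDCONFIG" ]; then
  printf 'Usage: %s [-s] <file>\n' "${0##*/}" >&2
  exit 2
fi
# A fixed name such as /tmp/tmpconf can be pre-created or symlinked by any
# other local user, so ask mktemp for an unpredictable one and remove it on
# every exit path (the explicit rm at the end of the script still runs too).
TMPDIR=${TMPDIR:-/tmp}
TMPCONFIG=$(mktemp "$TMPDIR/pixconv.XXXXXX") || exit 1
trap 'rm -f -- "$TMPCONFIG"' EXIT
INTINFO=$TMPDIR/info   # not used below
# Put the "apply" lines at the start of the temp copy (the outbound lines need
# the interface/direction they declare) and strip the parentheses around the
# interface name: "apply (inside) 1 outgoing_src" -> "apply inside 1 outgoing_src".
# Only lines that start with "apply" are moved; a stray match elsewhere in a
# line must not reorder unrelated config.
grep '^apply' -- "$OLDCONFIG" | tr -d '()' > "$TMPCONFIG"
grep -v '^apply' -- "$OLDCONFIG" >> "$TMPCONFIG"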
awk -v suppress=$SILENT '
BEGIN {
aclcount=0
staticcount=0
}
{
src1="\b"
src2="\b"
sp1="\b"
sp2="\b"
sp3="\b"
dst1="\b"
dst2="\b"
dp1="\b"
dp2="\b"
dp3="\b"
if ($1 == "static" {
staticcount=staticcount+1
staticarray[staticcount,1]=$3
split($2, temparray, ","
split(temparray[2], temparray, ""
staticarray[staticcount,2]=temparray[1]
addtolist(staticarray[staticcount,2])
print
} else
if ($1 == "conduit" {
applyacl="yes"
action=$2
type=$3
i=4
getdst()
if (type != "icmp" getdport()
getsrc()
if (type != "icmp" getsport()
if (type == "icmp" geticmp()
if (dst1 == "host" {
dest=dst2 }
else dest=dst1
staticmatch="no"
if (dest == "any" {
staticmatch="yes"
for (z = 1; z <= aclcount; z++) {
print "access-list acl-"aclarray[z]" "action" "type" "src1" "src2" "sp1" "sp2" "sp3" "dst1" "dst2" "dp1" "dp2" "dp3
}
} else
for (x = 1; x <= staticcount; x++) {
if (dest == staticarray[x,1]) {
print "access-list acl-"staticarray[x,2]" "action" "type" "src1" "src2" "sp1" "sp2" "sp3" "dst1" "dst2" "dp1" "dp2" "dp3
staticmatch="yes"
}
}
if (staticmatch == "no" {
if (suppress != "yes" print "WARNING! No exact static match...assuming outside interface for following line:"
print "access-list acl-outside "action" "type" "src1" "src2" "sp1" "sp2" "sp3" "dst1" "dst2" "dp1" "dp2" "dp3
}
} else
if ($1 == "apply" {
intarray[$3]=$2
dirarray[$3]=$4
} else
if ($1 == "outbound" {
applyacl="yes"
processoutbound()
if (dirarray[listnum] == "outgoing_src" {
print "access-list "listname" "action" "ip" "mask" "p1" "p2" "p3" any"
}
else {
print "access-list "listname" "action" any "ip" "mask" "p1" "p2" "p3
}
}
else
if (applyacl == "yes" {
for (i = 1; i <= aclcount; i++) {
print "access-group acl-"aclarray" in interface "aclarray
}
applyacl="no"
print
}
else print
}
# This function adds the interface to a list of all interfaces that have acls on them.
# It first checks to see if the interface is already in the list
function addtolist(intf) {
for (y = 1; y <= aclcount; y++) {
if (aclarray[y] == intf) return
}
aclcount=aclcount+1
aclarray[aclcount]=intf
}
# This function parses an "outbound" statement and puts the parts in a variable. It keeps track
# of the last action to determine what "except" commands are desired to do.
function processoutbound() {
action=$3
if (action == "permit" except="deny"
if (action == "deny" except="permit"
if (action == "except" {
action=except
if (suppress != "yes" print "WARNING! except line detected, assuming "action" for following command:"
}
listnum=$2
ip=$4
mask=$5
p2=$6
if (p2 == "0" {
p1="\b"
p2="\b"
p2="\b"
}
else {
pnum=split(p2, parray, "-"
if (pnum == 1) {
p1="eq"
p2=parray[1]
p3="\b"
}
else {
p1="range"
p2=parray[1]
p3=parray[2]
}
}
if (NF < 7) { proto="ip" } else proto=$7
if (proto == "0" {proto="ip"}
listname="acl-"intarray[listnum]
addtolist(intarray[listnum])
}
# This function gets the source ip and mask from a conduit statement and increments the index pointer "i"
function getsrc() {
if (i <= NF) {
if ($i == "any" {
src1=$i
i=i+1
src2="\b"
}
else {
src1=$i
i=i+1
src2=$i
i=i+1
}
}
else {
src1="\b"
src2="\b"
}
}
# This function gets the destination ip and mask from a conduit statement.
function getdst() {
if (i <= NF) {
if ($i == "any" {
dst1=$i
i=i+1
dst2="\b"
}
else {
dst1=$i
i=i+1
dst2=$i
i=i+1
}
}
else {
dst1="\b"
dst2="\b"
}
}
# This function gets icmp info from a conduit statment if it exists.
function geticmp() {
if (i <= NF) {
dp1=$i
dp2="\b"
dp3="\b"
}
}
# This function gets the source port info from a conduit statement.
function getsport() {
if (i <= NF) {
if ($i == "eq" {
sp1=$i
i=i+1
sp2=$i
i=i+1
sp3="\b"
} else
if ($i == "neq" {
sp1=$i
i=i+1
sp2=$i
i=i+1
sp3="\b"
} else
if ($i == "gt" {
sp1=$i
i=i+1
sp2=$i
i=i+1
sp3="\b"
} else
if ($i == "lt" {
sp1=$i
i=i+1
sp2=$i
i=i+1
sp3="\b"
} else
if ($i == "range" {
sp1=$i
i=i+1
sp2=$i
i=i+1
sp3=$i
i=i+1
}
}
else {
sp1="\b"
sp2="\b"
sp3="\b"
}
}
# This function gets destination port info from a conduit.
function getdport() {
if (i <= NF) {
if ($i == "eq" {
dp1=$i
i=i+1
dp2=$i
i=i+1
dp3="\b"
} else
if ($i == "neq" {
dp1=$i
i=i+1
dp2=$i
i=i+1
dp3="\b"
} else
if ($i == "gt" {
dp1=$i
i=i+1
dp2=$i
i=i+1
dp3="\b"
} else
if ($i == "lt" {
dp1=$i
i=i+1
dp2=$i
i=i+1
dp3="\b"
} else
if ($i == "range" {
dp1=$i
i=i+1
dp2=$i
i=i+1
dp3=$i
i=i+1
}
}
else {
dp1="\b"
dp2="\b"
dp3="\b"
}
}
' $TMPCONFIG
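# The temp copy is a plain file, so no recursive delete; guard against an
# empty variable so the command never runs without an operand.
if [ -n "${TMPCONFIG:-}" ]; then
  rm -f -- "$TMPCONFIG"
fi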
Runs on UNIX with awk. Tested with standard linux and gawk 3.1.0.
#!/bin/sh
#
# Program to convert old conduit and outbound PIX configs to access-lists.
# This program attempts to convert conduits/outbounds to ACLs with the same function. Due to functionality
# differences, this is not always possible. Output will contain warnings if questionable commands are used.
#
# ACLs have an implicit DENY at the end, outbounds do not...THIS IS A HUGE DIFFERENCE and could block traffic!
# Again...verify all work before applying the output to a live PIX!!!!
#
# Written by: Will Morgan CCIE, CISSP
# Date Written: 02-12-02
# Date Modified: 02-14-02
# Version 2.01
# As this was written mostly in awk, it requires awk to run...duh.
#
# To report problems, or to comment email morgwil@hotmail.com
#
# Usage: pixconverter [-s] <file>
# "-s" will suppress WARNING messages
# The following lines parse the command line input for any options
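set -u
SILENT="no"
OLDCONFIG=""
while [ $# -gt 0 ]
do
  case "$1" in
    -s) SILENT="yes" ;;
    *) OLDCONFIG=$1 ;;
  esac
  shift
done
# Refuse to run without a readable config instead of letting the copy below
# fail half way and leave a partial temp file behind.
if [ -z "$OLDCONFIG" ] || [ ! -r "$OLDCONFIG" ]; then
  printf 'Usage: %s [-s] <file>\n' "${0##*/}" >&2
  exit 2
fi
# A fixed name such as /tmp/tmpconf can be pre-created or symlinked by any
# other local user, so ask mktemp for an unpredictable one and remove it on
# every exit path (the explicit rm at the end of the script still runs too).
TMPDIR=${TMPDIR:-/tmp}
TMPCONFIG=$(mktemp "$TMPDIR/pixconv.XXXXXX") || exit 1
trap 'rm -f -- "$TMPCONFIG"' EXIT
INTINFO=$TMPDIR/info   # not used below
# Put the "apply" lines at the start of the temp copy (the outbound lines need
# the interface/direction they declare) and strip the parentheses around the
# interface name: "apply (inside) 1 outgoing_src" -> "apply inside 1 outgoing_src".
# Only lines that start with "apply" are moved; a stray match elsewhere in a
# line must not reorder unrelated config.
grep '^apply' -- "$OLDCONFIG" | tr -d '()' > "$TMPCONFIG"
grep -v '^apply' -- "$OLDCONFIG" >> "$TMPCONFIG"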
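#######################################
# Translate a pre-processed PIX config ("apply" lines first, parentheses
# removed) into access-list / access-group syntax on stdout.
# Arguments: $1 - config file to read
#            $2 - "yes" to suppress WARNING lines (default "no")
# Outputs:   the rewritten config; WARNING lines are printed on stdout, each
#            directly above the generated line it refers to
# Returns:   awk exit status
#
# Compared with the original awk program: the stripped ")" characters are
# restored, static lines and the first line after an ACL block are echoed
# again instead of being dropped, output no longer contains literal
# backspace bytes (tokens are joined only when present), outbound ACLs carry
# their protocol and put the port after the destination (an outbound port is
# always the service being reached), "0 0" is written as "any", an ACL block
# at the very end of the file still gets its access-group lines, and the
# fallback to "outside" also binds that interface.
#######################################
convert_config() {
  awk -v suppress="${2:-no}" '
# --- helpers ---------------------------------------------------------------
# Print a WARNING unless -s was given.  Warnings go to stdout on purpose: each
# one sits directly above the generated line it describes.
function warn(msg) {
  if (suppress != "yes") print "WARNING! " msg
}
# Return " " s, or "" for an empty s, so optional tokens drop out of a line
# without leaving double spaces.
function tok(s) {
  return (s == "") ? "" : (" " s)
}
# The two spellings of "any address" accepted by conduit/outbound lines.
function isany(ip, mask) {
  return (ip == "0" || ip == "0.0.0.0") && (mask == "0" || mask == "0.0.0.0")
}
# Remember intf (once) so an access-group is emitted for it later.
function addtolist(intf,    y) {
  for (y = 1; y <= aclcount; y++)
    if (aclarray[y] == intf) return
  aclarray[++aclcount] = intf
}
# Bind every generated ACL to its interface; called once an ACL block ends.
function printgroups(    g) {
  for (g = 1; g <= aclcount; g++)
    print "access-group acl-" aclarray[g] " in interface " aclarray[g]
  applyacl = "no"
}
# Emit the ACL for the conduit currently being parsed, on interface intf.
function printconduit(intf) {
  print "access-list acl-" intf " " action " " type tok(src1) tok(src2) tok(sp1) tok(sp2) tok(sp3) tok(dst1) tok(dst2) tok(dp1) tok(dp2) tok(dp3)
}
# Read an address at field i into pa1/pa2 ("any", "host X" or "X MASK") and
# advance i past it.  "0 0" becomes "any".
function parseaddr() {
  pa1 = pa2 = ""
  if (i > NF) return
  if ($i == "any") {
    pa1 = "any"
    i++
  } else {
    pa1 = $i
    pa2 = $(i + 1)
    i += 2
    if (isany(pa1, pa2)) {
      pa1 = "any"
      pa2 = ""
    }
  }
}
function getdst() { parseaddr(); dst1 = pa1; dst2 = pa2 }
function getsrc() { parseaddr(); src1 = pa1; src2 = pa2 }
# Read an optional port operator at field i ("eq|neq|gt|lt N" or
# "range N M") into pop/pp1/pp2 and advance i past it.
function parseport() {
  pop = pp1 = pp2 = ""
  if (i > NF) return
  if ($i == "eq" || $i == "neq" || $i == "gt" || $i == "lt") {
    pop = $i
    pp1 = $(i + 1)
    i += 2
  } else if ($i == "range") {
    pop = $i
    pp1 = $(i + 1)
    pp2 = $(i + 2)
    i += 3
  }
}
function getdport() { parseport(); dp1 = pop; dp2 = pp1; dp3 = pp2 }
function getsport() { parseport(); sp1 = pop; sp2 = pp1; sp3 = pp2 }
# An icmp conduit may end with an icmp type; it becomes the ACL icmp type.
function geticmp() {
  if (i <= NF) dp1 = $i
}
# Split "outbound LIST ACTION IP MASK PORT [PROTO]" into the globals listnum,
# action, ip/mask, p1/p2/p3 (port operator and ports), proto and listname.
# "except" inverts the most recent explicit permit/deny, as on the PIX.
function processoutbound(    pnum, parray) {
  listnum = $2
  action = $3
  if (action == "permit") except = "deny"
  else if (action == "deny") except = "permit"
  else if (action == "except") {
    action = except
    warn("except line detected, assuming " action " for following command:")
  }
  ip = $4
  mask = $5
  if (isany(ip, mask)) {
    ip = "any"
    mask = ""
  }
  p1 = p2 = p3 = ""
  if (NF >= 6 && $6 != "0") {
    pnum = split($6, parray, "-")
    p1 = (pnum == 1) ? "eq" : "range"
    p2 = parray[1]
    if (pnum > 1) p3 = parray[2]
  }
  # a missing or "0" protocol means every protocol
  proto = (NF < 7 || $7 == "0") ? "ip" : $7
  listname = "acl-" intarray[listnum]
}
# --- main ------------------------------------------------------------------
BEGIN {
  aclcount = 0
  staticcount = 0
  outboundcount = 0
  applyacl = "no"
  except = ""
}
{
  # conduit scratch fields, cleared for every line
  src1 = src2 = sp1 = sp2 = sp3 = ""
  dst1 = dst2 = dp1 = dp2 = dp3 = ""
  if ($1 == "static") {
    # "static (inside,outside) GLOBAL LOCAL ...": GLOBAL is reachable on the
    # second interface of the pair, so conduits to GLOBAL bind to it.
    # The static line itself is echoed unchanged.
    staticcount++
    staticarray[staticcount, 1] = $3
    split($2, ifpair, ",")
    split(ifpair[2], ifname, ")")
    staticarray[staticcount, 2] = ifname[1]
    addtolist(ifname[1])
    print
  } else if ($1 == "conduit") {
    # "conduit permit|deny PROTO GLOBAL [PORT] FOREIGN [PORT]": the global
    # side is the ACL destination, the foreign side its source.
    applyacl = "yes"
    action = $2
    type = $3
    i = 4
    getdst()
    if (type != "icmp") getdport()
    getsrc()
    if (type == "icmp") geticmp()
    else getsport()
    dest = (dst1 == "host") ? dst2 : dst1
    if (dest == "any") {
      if (aclcount == 0) {
        warn("no interface known yet for this conduit, nothing generated for:")
        print
      }
      for (z = 1; z <= aclcount; z++) printconduit(aclarray[z])
    } else {
      staticmatch = "no"
      for (x = 1; x <= staticcount; x++) {
        if (dest == staticarray[x, 1]) {
          printconduit(staticarray[x, 2])
          staticmatch = "yes"
        }
      }
      if (staticmatch == "no") {
        warn("No exact static match...assuming outside interface for following line:")
        addtolist("outside")
        printconduit("outside")
      }
    }
  } else if ($1 == "apply") {
    # "apply INTF LIST outgoing_src|outgoing_dest" (parentheses already removed);
    # the line is consumed, the access-group lines replace it
    intarray[$3] = $2
    dirarray[$3] = $4
  } else if ($1 == "outbound") {
    processoutbound()
    if (intarray[listnum] == "") {
      # an outbound list that is never applied does nothing on the PIX, so
      # there is no ACL to generate; the line is echoed for review
      warn("outbound list " listnum " has no apply line, no ACL generated for:")
      print
    } else {
      applyacl = "yes"
      outboundcount++
      addtolist(intarray[listnum])
      # the outbound port is the service (destination port) being reached
      # whichever side the address is on, so it follows the destination
      if (dirarray[listnum] == "outgoing_src")
        print "access-list " listname " " action " " proto tok(ip) tok(mask) " any" tok(p1) tok(p2) tok(p3)
      else
        print "access-list " listname " " action " " proto " any" tok(ip) tok(mask) tok(p1) tok(p2) tok(p3)
    }
  } else {
    # first line after a run of conduit/outbound lines: bind the ACLs, then
    # echo the line itself
    if (applyacl == "yes") printgroups()
    print
  }
}
END {
  # an ACL block that runs to the end of the file still needs binding
  if (applyacl == "yes") printgroups()
  if (outboundcount > 0) warn("outbound lists permit unmatched traffic but the generated ACLs end in an implicit deny, verify before applying")
}
' "$1"
}
convert_config "$TMPCONFIG" "$SILENT"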
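# The temp copy is a plain file, so no recursive delete; guard against an
# empty variable so the command never runs without an operand.
if [ -n "${TMPCONFIG:-}" ]; then
  rm -f -- "$TMPCONFIG"
fi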