Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

Conduit to Access list converter tools

Unanswered Question
Aug 1st, 2006
User Badges:

We have PIX 515 running 6.3(3) ios with counduit statements. Is there any cisco tool that we can use to convert legacy conduit into access lists with minimum down time?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
a.kiprawih Tue, 08/01/2006 - 11:44
User Badges:
  • Gold, 750 points or more


There is a tool called The PIX Outbound Conduit Converter (OCC) available to contracted customers from the Cisco.com Software Center PIX directory (registered customers only) .

filename: occ-121.zip

desc: PIX Firewall Outbound Conduit Converter Binary version 1.2.1, for Windows



This tool facilitates the conversion of conduit and outbound commands to Access Control List configurations. However, due to the different nature of these access control methods there may be some changes to the actual functionality and behavior put in place so this must be considered an aid and only a starting point. All configurations converted by the OCC tool must be verified and tested by the network security administrators familiar with the network in question and its security policies before being implemented.


The OCC tool does not support alias and policy nat commands. The OCC tool does not convert configuration combinations of both an exposure of all addresses behind an internal (higher security) interface, and either a default route to the same interface or commands enabling RIP/OSPF.

The Cisco.com Output Interpreter (registered customers only) provides a web interface that also performs the conversion. Ensure word wrapping is off in your terminal client and paste the complete captured output from write terminal or show running-config into Output Interpreter. To use Output Interpreter , you must be a registered user, be logged in, and have JavaScript enabled. The same caveats regarding verification and testing hold true for Output Interpreter conversions.




This Discussion