Cisco Support Community

What is the difference between the access-list and conduit commands applied on the PIX Firewall?



The conduit command is used in order to permit or deny inbound connections through the PIX Firewall. It works by creating an exception to the PIX Adaptive Security Algorithm that permits connections from one PIX Firewall network interface to another. This exception is global: it applies to all inbound connections from any lower security level interface to any higher security level interface.

PIX Security Appliance release 6.3 is the last release to support the conduit command.

The conduit and outbound commands are no longer supported in 7.x code.

Ensure that there are no conduit and outbound commands in the configuration before you upgrade the existing code on the PIX to 7.x code.

If you have conduit or outbound commands configured on the PIX and want to convert those to Access Control Lists (ACLs), complete one of these procedures:

  • Use the Output Interpreter tool to convert the conduit or outbound statements configured on the PIX to ACLs.

    Paste the output of the write command into the text box labeled Paste the output into this field, and click Submit.  

    You get the configuration with conduits converted to the ACLs.

  • Use the PIX Outbound Conduit Converter (OCC) tool available at Cisco Downloads. The file name is  

    For example, if the old configuration file with the conduit or outbound statements to be converted to ACLs is oldfile.txt, and the new file with the equivalent ACL statements is newfile.txt, complete these steps:

    1. Extract the occ.exe file to a folder where the configuration that needs to be converted is present. Open the DOS prompt and type this command:      

      occ.exe oldfile.txt > newfile.txt      

      A new file named newfile.txt is created in the folder, in which the conduit and outbound statements have been converted to equivalent ACL statements.

    2. Remove the conduit and outbound commands from the existing configuration, and use the access-list commands available in the new configuration. Add them to your existing configuration on the PIX.

    For the prerequisites, the feature changes and the command changes to review before you upgrade the PIX to 7.x code, refer to PIX 500 Security Appliance 6.x to 7.x Software Upgrade Procedure. Refer to Guide for Cisco PIX 6.2 and 6.3 Users Upgrading to Cisco PIX Software Version 7.x for the procedure to upgrade the PIX to 7.0, along with the hardware and software requirements.

Note: If you do not have a large number of conduit statements, convert the conduit and outbound commands to equivalent access-list commands manually in order to be sure that the ACLs that have been created comply with the security policies of your organization.
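As an added illustration of the manual conversion the note describes (not Cisco's OCC tool and not code from this article), the script below rewrites conduit statements as access-list statements and appends the access-group binding. The ACL name outside_access_in and the interface name outside are assumptions, the sample addresses are constructed, and only conduit is covered, not outbound. The point it makes explicit is that conduit lists the global (destination) address before the foreign (source) address, while access-list lists source before destination, so the two halves swap; getting that order wrong is the usual mistake when converting by hand.

```python
# Added illustration (not Cisco's OCC tool): PIX 6.x conduit -> access-list.
ACL_NAME = "outside_access_in"   # assumed ACL name
INBOUND_INTERFACE = "outside"    # assumed lower-security interface name
PORT_OPS = {"eq", "lt", "gt", "neq", "range"}


def _take_addr(tokens):
    """Consume one address spec: 'any', 'host <ip>' or '<ip> <mask>'."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"host {tokens[1]}", tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]


def _take_ports(tokens):
    """Consume an optional port operator; 'range' takes two port values."""
    if tokens and tokens[0] in PORT_OPS:
        n = 3 if tokens[0] == "range" else 2
        return " ".join(tokens[:n]), tokens[n:]
    return "", tokens


def conduit_to_acl(line, acl_name=ACL_NAME):
    """Rewrite one conduit statement as an access-list statement.
    conduit puts the global (destination) address before the foreign (source)
    address; access-list puts source first, so the two halves swap."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "conduit":
        raise ValueError(f"not a conduit statement: {line!r}")
    action, proto, rest = tokens[1], tokens[2], tokens[3:]
    dst, rest = _take_addr(rest)        # global_ip [mask] -> ACL destination
    dst_port, rest = _take_ports(rest)  # operator on the global (dest) port
    src, rest = _take_addr(rest)        # foreign_ip [mask] -> ACL source
    src_port, rest = _take_ports(rest)  # operator on the foreign (src) port
    if rest:
        raise ValueError(f"unparsed tokens {rest} in {line!r}")
    parts = [f"access-list {acl_name} {action} {proto} {src}",
             src_port, dst, dst_port]
    return " ".join(p for p in parts if p)


def convert_config(lines, acl_name=ACL_NAME, interface=INBOUND_INTERFACE):
    """Convert each conduit line, pass other lines through, bind the ACL once."""
    out = [conduit_to_acl(l, acl_name) if l.startswith("conduit ") else l
           for l in lines]
    if any(l.startswith("access-list ") for l in out):
        out.append(f"access-group {acl_name} in interface {interface}")
    return out
```

Review the generated access-list lines against your security policy before adding them, exactly as the note above advises; the access-group line is emitted once per converted file.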


The access-list and access-group commands are used in order to create Access Control Lists (ACLs) that permit or deny inbound or outbound connections through the PIX. ACLs can be used in place of both conduit and outbound configurations, and they provide consistent and more flexible control of connections in either direction. ACLs filter on source and destination addresses and ports, and they are applied individually to each interface, which allows much more granular and secure control of the connections that pass through the PIX.