Experimenting a few minutes ago, I found a couple of PIX 6.3(3) and 6.3(4) 'name' enhancements that aren't documented. These might have come into effect earlier still; I haven't checked.
Before, a value defined in a 'name' could only be used in the host or network position of a location where an ip and mask pair was expected, such as in
access-list FOO permit udp host MyServer MyISP 255.255.255.200 eq dns
object-group network BAR network-object host MyOtherServer
In particular, using a name in the netmask area was not allowed:
name 255.255.255.0 ClassC access-list FOO permit udp host MyServer MyISP ClassC eq dns
In 6.3(3) and 6.3(4) it is now valid to enter a name instead of a netmask. This is not what the online help indicates, but it works.
When you display the access-list, the name will NOT be displayed in the mask areas.
If, though, you use this in an object-group network, and you display the object, then the name WILL be substituted:
npix(config-network)# show object-group id FOO object-group network FOO network-object 208.215.64.0 Bad64
But if this object is embedded into an ACL, then when you display the ACL and the PIX expands out the object-group, then in the display of the ACL, the mask names will NOT be shown -- only when you display the objects as objects.
Interestingly, names of masks -will- be substituted when showing 'route' statements.
======
I also found that PIX 6.x accepts netmasks that are not CIDR. Before I was under the impression that the masks had to have consequative bits set. Somehow I suspect that some features (e.g., IPSec) don't take kindly to non-consequative bits set in the mask...