PIX 501 copying config from one to another

Discussion in 'Routing & Switching' started by turbolad, Nov 22, 2007.

  1. turbolad

    turbolad Bit Poster

    Hi,

    Wondering if someone can shed some light on this?
    I have a problem where basically there is some packet loss between a Cisco PIX 501 and an ADSL Router.
    (the problem being with either a dodgy port on the PIX or the ADSL Modem\Router)

    I have copied the config from the current PIX by using the capture text option in HyperTerminal.
    Then plugged in the new PIX and pasted the config to it, issued a "write memory" command and rebooted it.
    A show running-config showed the settings had transferred across successfully. Yet it still wouldn't work: the VPN Tunnel did not come up and the PIX was not routing internet traffic from the ADSL Router to the LAN.

    Have I missed something out?
    Does anything need doing with the interfaces?

    Help is as usual appreciated.

    Thanks
     
    Certifications: A+, Net+, Several course completions.
  2. Spice_Weasel

    Spice_Weasel Kilobyte Poster

    Pre-shared keys for VPN connections are not displayed by a "sh run" command on a PIX. They will be replaced by asterisks in the sh run output. So if you simply copy the config, VPN connections will not work. To get a complete configuration you will need to TFTP the config off the original PIX. Set up a TFTP server on your network and upload the config. If you are still having problems then it's time for some troubleshooting, but at least you can be sure the config on the new PIX is the same as on the old one.

    Spice_Weasel
     
    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER,MCP
    WIP: CCIE
  3. turbolad

    turbolad Bit Poster

    Of course, I didn't think of the VPN passwords... :oops:

    My original plan was to use TFTP to copy the config, and I successfully managed to copy the config to a TFTP server.
    However, I could not get the config to copy back to a PIX.

    I read several guides and the commands were never supported by my PIX.
    i.e. the tftp start command is not supported?
    PIX Version 6.3(3) - if that helps.
     
    Certifications: A+, Net+, Several course completions.
  4. turbolad

    turbolad Bit Poster

    http://www.petenetlive.com/Tech/Firewalls/Cisco/backuprestore.htm

    I used this guide... which worked for backing up but not for restoring. :)

    A 'copy tftp start' command returns:
    copy capture:<capture-name> tftp://<location>/<pathname> [pcap]
    copy http://[<user>:<password>@]<location>[:<port>]/<pathname>
    flash[:[image | pdm]]
    copy tftp[:[[//location][/pathname]]] flash[:[image | pdm]]

    Any ideas?..

    Thanks, Adam
     
    Certifications: A+, Net+, Several course completions.
  5. turbolad

    turbolad Bit Poster

    I've done some testing with the spare PIX and this is the only way I can get this to work.

    Copy the config from current pix
    router#write net 192.170.16.11:configname

    Write config to new pix
    router(config)#write erase
    router(config)#reload
    *Go through automated CLI setup Wizard
    router(config)#tftp-server inside 192.170.16.11 /configname
    router(config)#config net
    router(config)#write memory
    router(config)#reload

    Both PIXs are:
    PIX 6.3(3)
    Bios 4.3.200

    Basically, I understand the config net command appends the config and does not overwrite it, which is why I have done a write erase first.

    Should this work OK?
    The PIX is responsible for holding a VPN Tunnel and firewalling Internet traffic.

    Is there anything else I need to do?
    I may have read somewhere that interfaces may be down afterwards?

    Help appreciated.
     
    Certifications: A+, Net+, Several course completions.
  6. Spice_Weasel

    Spice_Weasel Kilobyte Poster

    Yes, that is a good way to copy the config. Just make sure the config on the new PIX is identical to the config on the old. Make sure interfaces are not shut down (use show interface). If they are, as soon as you set a mode for the interface it is brought up, e.g. setting e1 to autonegotiate will automatically enable the interface. L2 (switch) interfaces are generally automatically up by default.

    Also, generate and save an RSA key for SSH:

    ca gen rsa key 1024 <-- key modulus of 1024

    Save the key:

    ca save all
    wr mem

    Spice_Weasel
     
    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER,MCP
    WIP: CCIE
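Two checks from this thread are worth automating before trusting a copied PIX config: Spice_Weasel's point (post 2) that "show run" masks pre-shared keys with asterisks, so a pasted capture silently loses the VPN secret, and the post 6 advice to confirm the restored config is identical and that no interface is left shut down. The script below is an added example, not from the thread or from Cisco; the two config samples are constructed to mimic PIX 6.3 syntax, and the PLACEHOLDER secrets are not real keys.

```python
import re

# Constructed sample (not from the thread): a "show running-config" capture from a
# PIX 6.3 where the IKE pre-shared key and vpngroup password are masked with
# asterisks, and one interface still carries the "shutdown" keyword.
SHOW_RUN_CAPTURE = """\
hostname pixfirewall
interface ethernet0 auto
interface ethernet1 100full shutdown
isakmp key ******** address 203.0.113.10 netmask 255.255.255.255
vpngroup remote password ********
"""

# Constructed sample of the same config saved with "write net" to a TFTP server,
# which keeps the real secrets (placeholder values, not real keys).
TFTP_BACKUP = """\
hostname pixfirewall
interface ethernet0 auto
interface ethernet1 100full
isakmp key PLACEHOLDER-PSK address 203.0.113.10 netmask 255.255.255.255
vpngroup remote password PLACEHOLDER-PW
"""

MASKED = re.compile(r"(?:^|\s)\*{4,}(?:\s|$)")  # a token made only of asterisks

def config_lines(text):
    """Non-blank config lines, stripped; PIX comments start with ':' or '!'."""
    lines = (ln.strip() for ln in text.splitlines())
    return [ln for ln in lines if ln and not ln.startswith((":", "!"))]

def masked_secret_lines(text):
    """Lines whose secret 'show run' redacted; pasting them restores no key."""
    return [ln for ln in config_lines(text) if MASKED.search(ln)]

def shutdown_interfaces(text):
    """Names of interfaces configured with the trailing 'shutdown' keyword."""
    return [ln.split()[1] for ln in config_lines(text)
            if ln.startswith("interface ") and ln.split()[-1] == "shutdown"]

def config_diff(old_text, new_text):
    """(lines only in old, lines only in new), order and blanks ignored."""
    old, new = set(config_lines(old_text)), set(config_lines(new_text))
    return sorted(old - new), sorted(new - old)

def restore_report(source_text, restored_text):
    """The checks worth running before trusting a copied PIX config."""
    only_src, only_new = config_diff(source_text, restored_text)
    return {"masked_secrets": masked_secret_lines(source_text),
            "shutdown_interfaces": shutdown_interfaces(restored_text),
            "identical": not only_src and not only_new}
```

Run `restore_report(SHOW_RUN_CAPTURE, TFTP_BACKUP)` to see the masked lines that explain a tunnel that never comes up; a non-empty `masked_secrets` list means the source copy must be replaced with the TFTP backup, not patched by hand.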
  7. turbolad

    turbolad Bit Poster

    Thanks for your reply Spice_Weasel.

    Could you elaborate on what this command does exactly...

    ca gen rsa key 1024 <-- key modulus of 1024

    and does it need to be done at both ends of the VPN Tunnel?

    Sorry for the novice questions... I am completely new to Cisco CLI stuff.
     
    Certifications: A+, Net+, Several course completions.
  8. Spice_Weasel

    Spice_Weasel Kilobyte Poster

    The command ca gen rsa key 1024 creates an RSA key pair. The 1024 indicates the modulus of the key pair. The RSA key pair is used when you SSH to the PIX. It also creates a self-signed certificate for SSL connections. You should have a hostname and domain name configured before generating the RSA key pair.

    Basically, it is needed for SSH. You do not need to use the command on any other device. Since SSH is the standard way to connect to the PIX remotely (telnet is not secure), you should prepare the PIX for SSH.

    Spice_Weasel
     
    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER,MCP
    WIP: CCIE
  9. turbolad

    turbolad Bit Poster

    Thanks for the advice.
     
    Certifications: A+, Net+, Several course completions.
