Question on FWSM

Jan 13th, 2007

Hi,


I have two things on the FWSM which I would like to check with you; I have configured multiple contexts and my questions are:


1- In context mode I have configured a route to my TFTP server and I can reach it, but in system mode I cannot ping it. Now, since the copy commands are mainly in the system context, I am wondering how I can reach my TFTP server as long as there is no route configuration in the system context?


2- I configured telnet 0 0 outside, but I am still not able to telnet to my FWSM from outside; however, when configuring telnet from inside I am able to. Is there any restriction on telnet from outside?


Thanks,

Haitham

Jon Marshall Sun, 01/14/2007 - 02:46

Haitham


1) Because the system context does not have any interfaces etc., it uses the admin context for network access. You must make sure you can reach your TFTP server from your admin context.


2) Telnet by default is not allowed to the outside interface on PIX firewalls. You can either

i) use SSH (the PuTTY client is what I use)

ii) use IPsec


HTH
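As an added example (not part of the original thread), this is the kind of context configuration that replaces the failed telnet 0 0 outside attempt with SSH. It assumes FWSM 3.x command syntax, a context named admin, the hostname fw1, the domain example.com, a management subnet of 203.0.113.0/24 and a local user called netadmin; none of those values come from the thread. The point is that telnet is both refused on the lowest-security interface and cleartext, so SSH restricted to a known management range is the right answer on any interface.

```cisco
! Added example: SSH management of an FWSM context via the outside interface.
! Run inside the context you want to manage (changeto context admin), not in
! the system execution space. Names and addresses below are assumptions.

! The RSA key pair is derived from hostname + domain name, so set both first.
hostname fw1
domain-name example.com
crypto key generate rsa modulus 2048

! Local account used for SSH logins; replace the placeholder password.
username netadmin password ReplaceThisPassw0rd privilege 15
aaa authentication ssh console LOCAL

! Permit SSH only from the management subnet, never 0 0 (any host).
ssh 203.0.113.0 255.255.255.0 outside
ssh version 2
ssh timeout 10

! Drop the telnet permit on outside: it does not work there and is cleartext.
no telnet 0.0.0.0 0.0.0.0 outside
```

Keep the telnet permit on inside only if you genuinely need it; once SSH works from the inside subnet as well, remove it too, so that no cleartext management path remains on any interface.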

haithamnofal Sun, 01/14/2007 - 20:30

Hi,


So regarding the first point, I am wondering how I will be able to perform a copy from TFTP to flash, since this is only available from the system context?!


Regards,

Haitham



Jon Marshall Mon, 01/15/2007 - 00:07

Haitham


Not sure I understand. If you want to copy from TFTP to flash you must make sure your system context can contact the TFTP server, and it does this via the admin context. So you have to ensure your admin context can contact the TFTP server. You would only want to copy into flash in the system execution space.


Am I not understanding?


Forgot to mention last time. You can also use PDM to manage the PIX from the outside.


HTH

haithamnofal Mon, 01/15/2007 - 05:17

Jon,


In system config you cannot add routes or assign interfaces, and as a consequence you cannot ping or copy to a TFTP server and vice versa. On the other hand, the copy command available under each context is limited and does not allow you to do an OS upgrade from the context level!


In the admin context, you cannot perform an OS upgrade ... etc.


Hope you got me now.


Thanks,

Haitham



Jon Marshall Mon, 01/15/2007 - 05:43

Haitham


I understand what you mean. I think I must be explaining it badly. As you say, you cannot assign routes or IPs for context interfaces in system config. The system space uses the admin context for its network connectivity. So if the admin context can reach the TFTP server then the system space should be able to reach the TFTP server. See the following example taken from one of our 6500 lab switches.


System execution space


SZ-JFH-F00-DTE-FW1# ping 10.228.51.1

No route to host 10.228.51.1.

Usage: ping [if_name]

SZ-JFH-F00-DTE-FW1#


Change to admin context


SZ-JFH-F00-DTE-FW1/admin-ct# ping 10.228.51.1

No route to host 10.228.51.1.

Usage: ping [if_name]

SZ-JFH-F00-DTE-FW1/admin-ct#


So i add a route to the admin context to allow it to reach 10.228.51.1


route outside 0.0.0.0 0.0.0.0 10.181.126.


From admin context


SZ-JFH-F00-DTE-FW1/admin-ct# ping 10.228.51.1

10.228.51.1 response received -- 0ms

10.228.51.1 response received -- 0ms

10.228.51.1 response received -- 0ms

SZ-JFH-F00-DTE-FW1/admin-ct#


And finally change back to system execution space


SZ-JFH-F00-DTE-FW1# ping 10.228.51.1

10.228.51.1 response received -- 10ms

10.228.51.1 response received -- 0ms

10.228.51.1 response received -- 0ms

SZ-JFH-F00-DTE-FW1#


So to upgrade, as long as you can ping the TFTP server from the system execution space, you would go into the system execution space and run your copy commands from there.


HTH
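The full sequence described in this reply, written out as an added example rather than taken from the lab switch above: the TFTP server 10.228.51.1 is the one in the thread, while the gateway 10.181.126.1 (the thread's route line is cut off) and the image file name fwsm-image.bin are assumptions. It assumes FWSM 3.x syntax in multiple context mode with a context named admin.

```cisco
! Added example: staging an FWSM image from TFTP into flash in multiple
! context mode. Routes live in the admin context; the copy runs in system
! space, which borrows the admin context's connectivity. Gateway and image
! name are assumptions, not values from the thread.

! 1. Give the admin context a path to the TFTP server and prove it works.
changeto context admin
configure terminal
route outside 0.0.0.0 0.0.0.0 10.181.126.1
end
ping 10.228.51.1

! 2. Return to the system execution space. It has no routes of its own, yet
!    the ping now succeeds because it rides on the admin context.
changeto system
ping 10.228.51.1

! 3. Pull the image into flash from system space (not possible per context).
copy tftp://10.228.51.1/fwsm-image.bin flash:
```

Two caveats a practitioner would add. First, TFTP is unauthenticated and unencrypted, so the admin context's route is effectively an attack surface for whoever can answer for 10.228.51.1; keep the TFTP server on a management segment and compare the downloaded file's checksum with the value published by Cisco before you reload. Second, the default route you add to the admin context is a real forwarding decision for that context's own traffic, so prefer a host or subnet route to the TFTP server over 0.0.0.0 0.0.0.0 if the admin context does not otherwise need a default route.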
