Question on FWSM

haithamnofal
Level 3

Hi,

I have two things on the FWSM which I would like to check with you; I have configured multiple contexts and my questions are:

1- In the context mode I have configured a route to my TFTP server and I can reach it, but in the system mode I cannot ping it. Now, since the copy commands are mainly in the system context, I am wondering how I can reach my TFTP server as long as there is no route configuration in the system context?

2- I configured Telnet 0 0 outside, but still I am not able to telnet to my FWSM from outside; however, when configuring Telnet from inside I am able to. Is there any restriction on Telnet from outside?

Thanks,

Haitham

5 Replies

Jon Marshall
Hall of Fame

Haitham

1) Because the system context does not have any interfaces etc., it uses the admin context for network access. You must make sure you can reach your tftp server from your admin context.

2) Telnet by default is not allowed to the outside interface on PIX firewalls. You can either

i) use SSH (the PuTTY client is what I use)

ii) use IPsec

HTH

Hi,

So regarding the first point, I am wondering how I will be able to perform a copy from TFTP to flash, since this is only available from the system context?

Regards,

Haitham

Haitham

Not sure I understand. If you want to copy from tftp to flash you must make sure your system context can contact the tftp server, and it does this via the admin context. So you have to ensure your admin context can contact the tftp server. You would only want to copy into flash in the system execution space.

Am I not understanding?

Forgot to mention last time. You can also use PDM to manage the PIX from the outside.

HTH

Jon,

In system config you cannot add routes or assign interfaces, and as a consequence you cannot ping or copy to a TFTP server and vice versa. On the other hand, the copy command available under each context is limited and does not allow you to do an OS upgrade from the context level!

In the admin context, you cannot perform an OS upgrade ... etc.

Hope you got me now.

Thanks,

Haitham

Haitham

I understand what you mean. I think I must be explaining it badly. As you say, you cannot assign routes or IPs for context interfaces in system config. The system space uses the admin context for its network connectivity. So if the admin context can reach the tftp server, then the system space should be able to reach the tftp server. See the following example taken from one of our 6500 lab switches.

System execution space

SZ-JFH-F00-DTE-FW1# ping 10.228.51.1
No route to host 10.228.51.1.
Usage: ping [if_name]
SZ-JFH-F00-DTE-FW1#

Change to admin context

SZ-JFH-F00-DTE-FW1/admin-ct# ping 10.228.51.1
No route to host 10.228.51.1.
Usage: ping [if_name]
SZ-JFH-F00-DTE-FW1/admin-ct#

So I add a route to the admin context to allow it to reach 10.228.51.1

route outside 0.0.0.0 0.0.0.0 10.181.126.

From admin context

SZ-JFH-F00-DTE-FW1/admin-ct# ping 10.228.51.1
10.228.51.1 response received -- 0ms
10.228.51.1 response received -- 0ms
10.228.51.1 response received -- 0ms
SZ-JFH-F00-DTE-FW1/admin-ct#

And finally change back to system execution space

SZ-JFH-F00-DTE-FW1# ping 10.228.51.1
10.228.51.1 response received -- 10ms
10.228.51.1 response received -- 0ms
10.228.51.1 response received -- 0ms
SZ-JFH-F00-DTE-FW1#

So to upgrade, as long as you can ping the tftp server from system execution space, you would go into system execution space and run your copy commands from there.

HTH
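The workflow Jon describes (give the admin context a route to the TFTP server, then run the copy from the system execution space) together with the SSH alternative he suggests for the Telnet question, written out as a constructed FWSM CLI example that is not part of this thread. The addresses, image file name, username and the context name "admin" are assumptions; the example also assumes a hostname and domain-name are already set in the context, which RSA key generation requires.

```text
! --- Admin context: the route that gives the system execution space its path ---
! (constructed addresses: TFTP server 192.0.2.50 reached via outside gateway 192.0.2.1)
FWSM# changeto context admin
FWSM/admin# configure terminal
FWSM/admin(config)# route outside 192.0.2.0 255.255.255.0 192.0.2.1
FWSM/admin(config)# exit
FWSM/admin# ping 192.0.2.50
!
! --- System execution space: the image copy itself has to run here ---
! (connectivity is borrowed from the admin context, so the ping above must succeed first)
FWSM/admin# changeto system
FWSM# ping 192.0.2.50
FWSM# copy tftp://192.0.2.50/fwsm-image.bin flash:
!
! --- Remote management: "telnet 0 0 outside" admits any source in clear text and is
! --- refused on the outside interface anyway; use SSH limited to one management host
! (constructed management host 198.51.100.10; "crypto key generate rsa" is FWSM 3.x
!  syntax, FWSM 2.x uses "ca generate rsa key" instead)
FWSM# changeto context admin
FWSM/admin# configure terminal
FWSM/admin(config)# no telnet 0.0.0.0 0.0.0.0 outside
FWSM/admin(config)# crypto key generate rsa modulus 1024
FWSM/admin(config)# username fwadmin password <set-a-strong-password> privilege 15
FWSM/admin(config)# aaa authentication ssh console LOCAL
FWSM/admin(config)# ssh 198.51.100.10 255.255.255.255 outside
FWSM/admin(config)# ssh timeout 10
```

Keep the Telnet line for the inside interface only if it is still needed there; the SSH source restriction is what keeps management access from being reachable from the whole Internet.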
