01-13-2007 08:28 PM - edited 03-11-2019 02:18 AM
Hi,
I have 2 things on the FWSM which I would like to check with you; I have configured multiple contexts and my questions are:
1- In the context mode I have configured a route to my TFTP server and I can reach it, but in the system mode I cannot ping it. Now, since the copy commands are mainly in the system context, I am wondering how I can reach my TFTP server when there is no route configuration in the system context?
2- I configured Telnet 0 0 outside, but I am still not able to telnet to my FWSM from outside; however, when configuring Telnet from inside I am able to. Is there any restriction on Telnet from outside?
Thanks,
Haitham
01-14-2007 02:46 AM
Haitham
1) Because the system context does not have any interfaces etc., it uses the admin context for network access. You must make sure you can reach your tftp server from your admin context.
2) Telnet by default is not allowed to the outside interface on pix firewalls. You can either
i) use ssh (putty client is what I use)
ii) use IPSEC
HTH
01-14-2007 08:30 PM
Hi,
So regarding the first point, I am wondering how I will be able to perform a copy from TFTP to flash, since this is only available from the system context?!
Regards,
Haitham
01-15-2007 12:07 AM
Haitham
Not sure I understand. If you want to copy from tftp to flash you must make sure your system context can contact the tftp server, and it does this via the admin context. So you have to ensure your admin context can contact the tftp server. You would only want to copy into flash in the system execution space.
Am I not understanding?
Forgot to mention last time. You can also use PDM to manage the pix from the outside.
HTH
01-15-2007 05:17 AM
Jon,
In system config you cannot add routes or assign interfaces and, as a consequence, you cannot ping or copy to a TFTP server and vice versa. On the other hand, the copy command available under each context is limited and does not allow you to do an OS upgrade from the context level!
In the admin context, you cannot perform an OS upgrade ... etc.
Hope you got me now.
Thanks,
Haitham
01-15-2007 05:43 AM
Haitham
I understand what you mean. I think I must be explaining it badly. As you say, you cannot assign routes or IPs for context interfaces in system config. The system space uses the admin context for its network connectivity. So if the admin context can reach the tftp server then the system space should be able to reach the tftp server. See the following example taken from one of our 6500 lab switches.
System execution space
SZ-JFH-F00-DTE-FW1# ping 10.228.51.1
No route to host 10.228.51.1.
Usage: ping [if_name]
SZ-JFH-F00-DTE-FW1#
Change to admin context
SZ-JFH-F00-DTE-FW1/admin-ct# ping 10.228.51.1
No route to host 10.228.51.1.
Usage: ping [if_name]
SZ-JFH-F00-DTE-FW1/admin-ct#
So I add a route to the admin context to allow it to reach 10.228.51.1
route outside 0.0.0.0 0.0.0.0 10.181.126.
From admin context
SZ-JFH-F00-DTE-FW1/admin-ct# ping 10.228.51.1
10.228.51.1 response received -- 0ms
10.228.51.1 response received -- 0ms
10.228.51.1 response received -- 0ms
SZ-JFH-F00-DTE-FW1/admin-ct#
And finally change back to system execution space
SZ-JFH-F00-DTE-FW1# ping 10.228.51.1
10.228.51.1 response received -- 10ms
10.228.51.1 response received -- 0ms
10.228.51.1 response received -- 0ms
SZ-JFH-F00-DTE-FW1#
So to upgrade, as long as you can ping the tftp server from system execution space, you would go into system execution space and run your copy commands from there.
HTH
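The procedure the thread arrives at, written out as one worked FWSM configuration sequence. This is an added example, not configuration from either poster: the admin-context route, the SSH alternative to Telnet on the outside interface, and the copy run from the system execution space. Every address, the image filename, the management host and the username are placeholders I have assumed, and the SSH access is deliberately limited to a single management host rather than 0 0 so that the outside interface does not accept management connections from anywhere.

```text
! --- Step 1: give the admin context a path to the TFTP server ---
! The system execution space has no interfaces or routes of its own; it
! borrows the admin context's network connectivity, so the route goes here.
changeto context admin
configure terminal
 route outside 0.0.0.0 0.0.0.0 192.0.2.1          ! placeholder next hop
end
ping 10.228.51.1                                    ! TFTP server, placeholder

! --- Step 2: replace Telnet on the outside interface with SSH ---
! Telnet is refused on the outside interface by default; SSH is the
! supported remote-management path. Restrict it to one management host.
configure terminal
 hostname fwsm-lab                                  ! placeholder
 domain-name example.net                            ! placeholder
 crypto key generate rsa modulus 2048
 username mgmt-admin password <set-a-strong-password> privilege 15
 aaa authentication ssh console LOCAL
 ssh 203.0.113.10 255.255.255.255 outside          ! single management host
 ssh timeout 10
 no telnet 0.0.0.0 0.0.0.0 outside                  ! remove the open telnet rule
end

! --- Step 3: upgrade from the system execution space ---
! With the admin context able to reach the TFTP server, the system space
! can too, and that is where the flash copy for an OS image belongs.
changeto system
ping 10.228.51.1
copy tftp://10.228.51.1/c6svc-fwm-k9.IMAGE.bin flash:   ! image name is a placeholder
show flash:
```

After the copy, verify the stored image with show flash: before pointing the boot configuration at it; and once SSH is confirmed working from the management host, leave the outside Telnet rule removed rather than re-adding it for convenience.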