Migrating to new ISP

cbonthron (Level 1)

I am planning to switch my ISP in October. My biggest headache will be reconfiguring my ACLs and all of my numerous static routes I've setup on my PIX 515E-R firewall. Is there an easy way to do this? Can I save the config, do a find and replace on our public IPs and then somehow replace the old config with the new modified one? I have about 150 lines of ACLs and about 60 static routed that need to be modified. I'm of course trying to keep this as simple and problem free as possible with the least amount of disruption to my staff and clients.

Or do I need to go in and remove then add each one line by line in PDM or via telnet?

Any input would be most appreciated


6 Replies

Patrick Iseli (Level 7)

You can save a copy of the config by using a TFTP server.

write net [[server_ip]:[filename]]

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727ae.html#wp1027782

Free TFTP Software:

http://support.3com.com/software/utilities_for_windows_32_bit.htm

You can also drag and drop the output of the command "wr t" or "sh runn", in an ssh or telnet session, into a text application such as Wordpad and save it to disk.

After that, simply replace the old IPs with the new ones, but keep in mind that you need to remove the old access-list lines, statics and nat before you can recopy the new ones.

example:

no access-list outside permit tcp any host 1.1.1.1 eq www

access-list outside permit tcp any host 2.2.2.1 eq www

Do not forget, after changing the whole config, to do a:

wr mem

clear arp

clear xlate

sincerely

Patrick

Thanks Patrick.

Getting my config isn't the problem for me, just how I'm going to update each line in it.

So my next question is:

Can I strip out all lines that aren't changing in my config, take the remaining lines, append a 'no' to the start of them, load that batch of lines using a telnet session, and then load the modified new batch of lines via telnet? Or is it recommended to do the change line by line?

If you do not have too many lines, and the line buffer in your terminal emulator is high enough (>500), then you can paste all the lines in one shot. You need to watch for an error message; if you paste too much at a time you might miss it. But this is less dangerous when removing than when adding lines.

I suggest you do this in blocks of 15 lines so you can easily discover errors if a command for some reason is not accepted.

Yes, you can do this using telnet, but I recommend you do it on the serial port to be safe, just in case you lose the telnet session.

sincerely

Patrick
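The procedure in Patrick's two replies above (save the config, find-and-replace the public addresses, issue a "no" line for every old access-list/static/route line, then re-issue it with the new address, in blocks of about 15 so a rejected command is easy to spot) can be done offline before the maintenance window. The script below is an added example for this thread; it is not a Cisco tool and not code posted by anyone in the discussion. It assumes a PIX 6.x running config saved as text (the embedded SAMPLE_CONFIG is constructed for the example and uses documentation address ranges), and a hypothetical IP_MAP from old to new public addresses. It also goes one step beyond the replies: it matches whole addresses only, so a mapping for 203.0.113.1 cannot clobber 203.0.113.10, and it reports lines that mention an old address but are not plain access-list/static/global/route entries (for instance the outside interface's own "ip address" line) so those can be handled by hand on the console.

```python
"""Build a PIX 6.x ISP-cutover paste script from a saved running config.

Added example for this thread, not a Cisco tool and not the posters' code.
Assumes the config was saved as text ("wr t" / "sh run" / "write net") and
that IP_MAP lists every old public address with its replacement.
"""
import re
import sys
from typing import Dict, List

# Commands that are safe to remove and re-issue one line at a time.  Any other
# line that mentions an old address (interface "ip address", crypto peers, name
# entries, ...) is reported for manual handling instead of being rewritten.
REWRITABLE = ("access-list", "static", "global", "route", "conduit")

# Constructed sample config (documentation ranges, not the poster's config).
SAMPLE_CONFIG = """\
PIX Version 6.3(3)
nameif ethernet0 outside security0
hostname pixfirewall
ip address outside 203.0.113.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
access-list outside permit tcp any host 203.0.113.10 eq www
access-list outside permit tcp any host 203.0.113.11 eq smtp
access-list inside permit ip any any
global (outside) 1 203.0.113.5
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.11 192.168.1.11 netmask 255.255.255.255 0 0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 10.1.0.0 255.255.0.0 192.168.1.254 1
Cryptochecksum:0123456789abcdef0123456789abcdef
: end
"""

# Hypothetical old -> new public address mapping (constructed for the example).
IP_MAP = {
    "203.0.113.1": "198.51.100.1",
    "203.0.113.2": "198.51.100.2",
    "203.0.113.5": "198.51.100.5",
    "203.0.113.10": "198.51.100.10",
    "203.0.113.11": "198.51.100.11",
}

# A dotted quad that is not preceded or followed by another digit or dot, so
# "203.0.113.1" never matches inside "203.0.113.10".
_ADDR = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def swap_addresses(line: str, ip_map: Dict[str, str]) -> str:
    """Replace every mapped address in one pass (no chained re-substitution)."""
    return _ADDR.sub(lambda m: ip_map.get(m.group(1), m.group(1)), line)


def chunk(lines: List[str], size: int) -> List[List[str]]:
    """Split lines into paste blocks of at most `size` lines."""
    return [lines[i:i + size] for i in range(0, len(lines), size)]


def build_cutover(config_text: str, ip_map: Dict[str, str], block_size: int = 15) -> dict:
    """Return removal blocks, addition blocks and lines needing manual work."""
    remove, add, manual = [], [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        # Version banner, Cryptochecksum and ": end" carry no mapped address
        # and are therefore left out of the script automatically.
        if not line or not any(m.group(1) in ip_map for m in _ADDR.finditer(line)):
            continue
        if line.split()[0] not in REWRITABLE:
            manual.append(line)
            continue
        remove.append("no " + line)
        add.append(swap_addresses(line, ip_map))
    return {"remove": chunk(remove, block_size),
            "add": chunk(add, block_size),
            "manual": manual}


def leftover_old_addresses(add_blocks: List[List[str]], ip_map: Dict[str, str]) -> List[str]:
    """Old addresses that survived the rewrite; must be empty before cutover."""
    return sorted({m.group(1) for block in add_blocks for line in block
                   for m in _ADDR.finditer(line) if m.group(1) in ip_map})


def render(plan: dict) -> str:
    """Paste-ready text: removals, then additions, then the cleanup commands.
    Blocks are separated by a blank line, which the PIX CLI ignores."""
    out: List[str] = []
    for block in plan["remove"] + plan["add"]:
        out.extend(block)
        out.append("")
    out += ["write memory", "clear arp", "clear xlate"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    plan = build_cutover(SAMPLE_CONFIG, IP_MAP, block_size=15)
    print(render(plan), end="")
    for line in plan["manual"]:
        print("handle on the console by hand: " + line, file=sys.stderr)
    if leftover_old_addresses(plan["add"], IP_MAP):
        print("old addresses remain in the add block, fix IP_MAP", file=sys.stderr)
```

Run it against the real saved config and redirect stdout to a file; that file is what you paste block by block (or feed to "configure net" if you go that route). Treat the stderr lines as the list of things the script deliberately refused to touch: the outside interface address is the obvious one, and changing it is exactly the step that can drop a telnet session, which is why the console is the right place for it. Before pasting, check that the leftover list is empty, and after pasting compare "show access-list" and "show route" against what you expected rather than trusting the scrollback.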

Another option to consider would be a "configure net" command. You could write the config to TFTP, edit the file, then when you are ready you can do a "config net" to copy from TFTP to running config. More details are here:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727ae.html#wp1027824

As Patrick mentioned, you do run the risk of typos missing some commands, but I use this regularly on routers to do cutovers.

-Eric

This sounds like a good option too.

I assume I need to do this through the console port in case the new configuration messes up and I can't get a connection through a telnet session. Do I need to strip anything out of my config that might mess things up? I'm thinking of lines like:

PIX Version 6.3(3)

Cryptochecksum:xxxx

etc.

Or does the PIX just ignore them, or even use them?

Should I have my old config written there just in case the new one screws up?

Well, hopefully your inside interface won't be changing at the same time, so you should not lose your connection. If it is changing, you may lose your connection to the TFTP server mid-configuration.

When I do a configure net, I always keep it as simple as possible. I remove anything that is not changing to minimize how long it takes to apply.

I don't remember if anyone else mentioned this, but yet another option would be, if you have a failover pair, to manually fail over to the secondary, then disconnect your primary from the network and test the script to see if it works as you expect. Once you are done, just reload without saving the new config and you can re-insert your primary and fail back (or let the secondary run for a bit).

As for your questions, yes, I _always_ write the working config before putting on new config. That way I can reboot if I need to revert to the old config. And I try to use the console when possible. An exception would be if you are going to manually paste the script in. I have had many more buffer problems on the console than telnet/ssh, so I would recommend if you go that route that you be near the console, but actually paste your script in via telnet or ssh.

-Eric