Many thanks for your reply, can you tell if there is a way to change the offline configuration except by NOTEPAD ?

If i copy my new file on the PIX, how can i use the old one if there were a trouble after ?

Another question is maybe stupid but what's the difference in V7 between running and startup because i don't see ASDM location and groups ?

Thanks

Hi,

Q: Many thanks for your reply, can you tell if there is a way to change the offline configuration except by NOTEPAD ?

A: As far as I am concerned, that's the way you do it in offline mode (can use any word processing apps such as wordpad, MSWord)

Q: If i copy my new file on the PIX, how can i use the old one if there were a trouble after ?

A: Normally, you can always load the old config file using the same tftp/ftp/http method. If you specify your firewall to load startup config automatically from a tftp server, then you probably need to copy your old config, and rename it to a same file name that you load automatically via tftp.

But in worst case scenario, you need to console in and modify the config from there, e.g copy & paste fr old config.

Q: Another question is maybe stupid but what's the difference in V7 between running and startup because i don't see ASDM location and groups ?

A: Startup Config - default loaded config file by firewall everytime you power-on or restart the box.

Normally, whatever changes you've made to the running config and later saved it via "write mem" command, it will be saved to/as startup-config.

Running Config - active config used by firewall after you power-on the unit. Any changes you made will immediately take effect as long as your do not power-off your firewall, but if you don't saved this config (using write mem), all changes will be gone. If you saved it, it will become your startup config.

Hope this help... pls rate if it does.

Rgds,

AK

sorry for the delay i will rate your posts but can you just tell me how in the startup config i have names and asdm with the interface they belong and in the running configuration i don't save, my problem is if i make my modification in the runnig the hosts i will move from an interface will be assigned on which interface ? or if you want i can explain what i just want to do ? i want to use vlan's on an interface and at the moment there is a conifugration with no vlan's on this one so i just want to migrate the physical configuration on an virtual (same physical) without changing anything IP's, rules, routes, nat and other.

Can you give me maybe the easy way to do that ??

Hi,

Q. can you just tell me how in the startup config i have names and asdm with the interface they belong and in the running configuration i don't save, my problem is if i make my modification in the runnig the hosts i will move from an interface will be assigned on which interface ?

A: You can maintain the names, but for the asdm location, if they still belongs to the same interface and using the same name, I think you don't have to do anything. Can you share your config so that I can understand better your config?

Q. or if you want i can explain what i just want to do ? i want to use vlan's on an interface and at the moment there is a conifugration with no vlan's on this one so i just want to migrate the physical configuration on an virtual (same physical) without changing anything IP's, rules, routes, nat and other.

Can you give me maybe the easy way to do that ??

A: With v7.x, you can create sub-interface and associate individual sub-interface with Vlan.

So, if you need to move your segment/vlan that currently used Firewall physical interface, you can use Notepad to predefine your config. But in this case, you need to put/migrate the existing segment as new VLAN (same IP, etc) in the switch connected to Firewall, AND configure the switch port connected to Firewall as trunk with Dot1Q encap. Make sure you only allow the new VLAN to pass through, or you can simply allow all at the beginning.

Example:-

*Before:

interface Ethernet0/0

description :: Link to InternetRouter

nameif outside

security-level 0

ip address 192.168.100.1 255.255.255.0

!

interface Ethernet0/1

description :: Secure Inside Segment

nameif inside

security-level 100

ip address 10.10.10.1 255.255.255.0 ---> connect to switch in flat segment or no VLAN.

*After:

interface Ethernet0/0

description :: Link to InternetRouter

nameif outside

security-level 0

ip address 192.168.100.1 255.255.255.0

!

interface gigabitethernet0/1

no ip address

!

interface gigabitethernet0/1.1

description :: Secure Inside Segment

vlan 100

nameif inside

security-level 100

ip address 10.10.10.1 255.255.255.0 ---> segment now defined as VLAN100.

no shutdown

*use 'no' command to remove the sub-interface.

Rgds,

AK

i understant what you mean but before creating the subinterface with the same name i will have to make a NO IP ADDRESS and NO NAMEIF (on the physical) to be able to create my subinterface and where i want to be sure is does the pix remove all lines with this NAMEIF (route, static, acl, asdm) when i will do a NO NAMEIF or does it let orphans lines for example my current interface is :

nameif : DMZ_PUB

Ip address : 10.60.0.1 255.255.0.0 standby 10.60.0.2

name 10.60.2.2 INTRANET_SERVER

asdm location INTRANET_SERVER 255.255.255.255 DMZ_PUB

regards,

YB

Someone can help me on this ?