Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
390
Views
0
Helpful
3
Replies

tftp a pix config from a standalone pix to a pix with failover?

dleduc
Level 1
Level 1

‎10-03-2005 06:19 PM

I have picked up on an existing problem where my client has a working 515 pix with about 20 tunnels and internal servers with appropriate ACL's. They want to migrate this config to a new redundant pair of Pix 515 firewalls. They had already attempted this and manually configured the 515E's, tried to cut it over and it failed, the info I got was that some tunnels did not come up. My question is can I TFTP the working standalone pix configuration to my laptop, add the failover commands to the tftp'd file and then TFTP the edited file with the failover commands to the primary pix in the failover environment? Will this have an adverse affect on the existing primary or standby configuration? I have a very limited cutover window time so I am trying to cut over as cleanly as possible. Thanks in advance for suggestions.

Labels:
0 Helpful
3 Replies 3

gfullage
Cisco Employee
Cisco Employee

‎10-03-2005 07:50 PM

You could certainly tftp the config off one box ("write net" command) and then tftp it back onto another ("config net" command).

To be honest I'd simply open Telnet windows to both PIX's and just copy/paste the config over, that'd be a lot easier than having to worry about TFTP'ing it off. You can copy/paste the existing 515 config off to your PC now and add the failover stuff, then on the night simply cut/paste it into the new device.

As for having an adverse effect on the existing configuration, it depends on what's already configured. When you do a "config net" it is the same as entering the commands from the CLI, so tftp'ing or cut/pasting the config straight into the CLI will produce the same results. The rules are as follows:

- If the new command is identical to an existing command in the current configuration, it is ignored.

- If the new command is an additional instance of an existing command, such as if you already have one telnet command for IP address 10.2.3.4 and the tftp configuration has a telnet command for 10.7.8.9, then both commands appear in the current configuration.

- If the new command redefines an existing command, the command overwrites the command in the current configuration in RAM. For example, if you have the "hostname ram" command in the current configuration and the "hostname tftp" command on your tftp server, the command in the configuration becomes "hostname tftp" and the command line prompt changes to match the new hostname when that command is read from tftp.

0 Helpful

dleduc
Level 1
Level 1
In response to gfullage

‎10-04-2005 04:26 AM

Thanks, I was hoping to use the TFTP method because from what I understand the isakmp keys can be tftp'd from one pix to another even though the config shows the keys as "*******". So if that is true then I know the proper keys are being configured on the new pix and it will eliminate key mismatch as a possible problem. Just an FYI the running pix and the new active/standby pix unit are all version 6.34. Do the keys also gets transferred correctly using cut and paste from one pix to another?

0 Helpful

Patrick Iseli
Level 7
Level 7
In response to dleduc

‎10-04-2005 07:28 AM

Little correction, when you transfer the config file of the PIX via TFTP you will see all the VPN Pre-shared key and local user accounts Passwords in cleartext !!!

sincerely

Patrick

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents