Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

tftp a pix config from a standalone pix to a pix with failover?

I have picked up on an existing problem where my client has a working 515 pix with about 20 tunnels and internal servers with appropriate ACL's. They want to migrate this config to a new redundant pair of Pix 515 firewalls. They had already attempted this and manually configured the 515E's, tried to cut it over and it failed, the info I got was that some tunnels did not come up. My question is can I TFTP the working standalone pix configuration to my laptop, add the failover commands to the tftp'd file and then TFTP the edited file with the failover commands to the primary pix in the failover environment? Will this have an adverse affect on the existing primary or standby configuration? I have a very limited cutover window time so I am trying to cut over as cleanly as possible. Thanks in advance for suggestions.

3 REPLIES
Cisco Employee

Re: tftp a pix config from a standalone pix to a pix with failov

You could certainly tftp the config off one box ("write net" command) and then tftp it back onto another ("config net" command).

To be honest I'd simply open Telnet windows to both PIX's and just copy/paste the config over, that'd be a lot easier than having to worry about TFTP'ing it off. You can copy/paste the existing 515 config off to your PC now and add the failover stuff, then on the night simply cut/paste it into the new device.

As for having an adverse effect on the existing configuration, it depends on what's already configured. When you do a "config net" it is the same as entering the commands from the CLI, so tftp'ing or cut/pasting the config straight into the CLI will produce the same results. The rules are as follows:

- If the new command is identical to an existing command in the current configuration, it is ignored.

- If the new command is an additional instance of an existing command, such as if you already have one telnet command for IP address 10.2.3.4 and the tftp configuration has a telnet command for 10.7.8.9, then both commands appear in the current configuration.

- If the new command redefines an existing command, the command overwrites the command in the current configuration in RAM. For example, if you have the "hostname ram" command in the current configuration and the "hostname tftp" command on your tftp server, the command in the configuration becomes "hostname tftp" and the command line prompt changes to match the new hostname when that command is read from tftp.

New Member

Re: tftp a pix config from a standalone pix to a pix with failov

Thanks, I was hoping to use the TFTP method because from what I understand the isakmp keys can be tftp'd from one pix to another even though the config shows the keys as "*******". So if that is true then I know the proper keys are being configured on the new pix and it will eliminate key mismatch as a possible problem. Just an FYI the running pix and the new active/standby pix unit are all version 6.34. Do the keys also gets transferred correctly using cut and paste from one pix to another?

Re: tftp a pix config from a standalone pix to a pix with failov

Little correction, when you transfer the config file of the PIX via TFTP you will see all the VPN Pre-shared key and local user accounts Passwords in cleartext !!!

sincerely

Patrick

145
Views
0
Helpful
3
Replies
CreatePlease to create content