«

We picked up another PIX and wanted to use it instead of the unit we have.
What is the best way to use our Current Config and copy over to the new PIX.
The new PIX will replace the old one and the old unit will become a spare.

Both are running the same IOS.

Thank you.
Scott<-

In article <W7%zh.21557$ >,
Scott Townsend <scott-i@.-N0-SPAMplease.enm.com> wrote:
>We picked up another PIX and wanted to use it instead of the unit we have.
>What is the best way to use our Current Config and copy over to the new PIX.
>The new PIX will replace the old one and the old unit will become a spare.

>Both are running the same IOS.

tftp the config up to a tftp server, modify the internal IP address
in the uploaded copy, and then tftp the modified config down to the
other machine. When you have finished testing, change the IP address
on both boxes.

In order to tftp up, configure the "tftp-server" settings, and
then go into configuration mode and "write net". Or in PIX 7,
you should be able to use the exec-level "copy" command instead.

Thanks, I'll give this a try today...

So does this also move over all of the Certificates for the unit too, or do
I need to get new ones fro the CA? I'm concerned about the Certs as we also
use it for IPSec VPN and also have a few other PTP VPNs.

Thanks,
Scott<-
"Walter Roberson" <> wrote in message
news:L51Ah.948816$R63.468243@pd7urf1no...
> In article <W7%zh.21557$ >,
> Scott Townsend <scott-i@.-N0-SPAMplease.enm.com> wrote:
>>We picked up another PIX and wanted to use it instead of the unit we have.
>>What is the best way to use our Current Config and copy over to the new
>>PIX.
>>The new PIX will replace the old one and the old unit will become a spare.
>
>>Both are running the same IOS.
>
> tftp the config up to a tftp server, modify the internal IP address
> in the uploaded copy, and then tftp the modified config down to the
> other machine. When you have finished testing, change the IP address
> on both boxes.
>
> In order to tftp up, configure the "tftp-server" settings, and
> then go into configuration mode and "write net". Or in PIX 7,
> you should be able to use the exec-level "copy" command instead.
>

In article <5ZFAh.76318$> ,
Scott Townsend <scott-i@.-N0-SPAMplease.enm.com> wrote:
>So does this also move over all of the Certificates for the unit too, or do
>I need to get new ones fro the CA? I'm concerned about the Certs as we also
>use it for IPSec VPN and also have a few other PTP VPNs.

Good question; tftp'ing the configuration will NOT move certificates.

In PIX 6, there is no way to import certificates or RSA keys,
except that I would expect that connecting in a failover configuration
would allow key synchronization.

In PIX 7, I've lost track of the 'ca' commands, so I don't know
what can be done.

* Walter Roberson wrote:
> Good question; tftp'ing the configuration will NOT move certificates.

PIX7 contains the keys and certificates in the config. tftp is enough.