Cisco PIX 501 Config Question

Discussion in 'Cisco' started by Mike Morgan, Apr 19, 2004.

  1. Mike Morgan

    All,

    I just got my first 501 early last week and have spent many hours
    configuring it with the PDM for a rather specialized application. Once
    I got the hang of the PDM it was fairly easy, but time-consuming, to get
    it working properly. I expect to have to configure 20 - 30 more of
    these. Most of the time the only changes will be IP addresses, subnets
    and hostnames.

    I am fairly familiar with the Cisco CLI, having configured over 50 Cisco
    1600s and 2600s. I had a default config for each model and would edit
    the config for the individual location and then tftp the file to the
    startup-config or just paste it from config terminal.

    This does not seem to be an option with the 501. It does not seem to
    have a startup-config, nor does it seem to have a way to blow away the
    config and overwrite it with a new one. All I can do is set the config
    back to the default, and overwriting this does not yield the exact config
    I want.

    Any suggestions?

    Thanks,

    Mike

    Please reply to mmorgan-at-teampcs.com
     
    Mike Morgan, Apr 19, 2004
    #1

  2. Walter Roberson

    In article <>,
    Mike Morgan <> wrote:
    :I am fairly familiar with the Cisco CLI, having configured over 50 Cisco
    :1600s and 2600s. I had a default config for each model and would edit
    :the config for the individual location and then tftp the file to the
    :startup-config or just paste it from config terminal.

    :This does not seem to be an option with the 501. It does not seem to
    :have a startup-config, nor does it seem to have a way to blow away the
    :config and overwrite it with a new one. All I can do is set the config
    :back to the default, and overwriting this does not yield the exact config
    :I want.

    You are correct that the PIX series has nothing equivalent to
    'startup-config', and no direct way of overwriting a config with
    a new one. As you have likely discovered, each line of a file that
    you tftp in is processed almost as if you had typed the command manually
    into the CLI [there are some very subtle differences not worth mentioning
    now.]

    In practice, what you need to do is to cheat slightly on what Cisco
    -officially- supports. Officially, Cisco only supports configuration
    files that could have been written out by "write net" -- i.e.,
    configuration files essentially without comments and without "no" or
    "clear" commands. Officially.

    In reality, as long as you don't try to change the IP address of the
    interface you are tftp'ing through, or change the routing to the tftp
    server, comments and "no" commands and "clear" commands work fine
    in files being tftp'd in. So if there's something in the default
    configuration you need to change, feel free to put the appropriate
    "no" or "clear" command in the file, so that at each point you
    are comfortable that you know what the state of the PIX is... and then
    write in the new state you want.


    The very first time you work with any individual PIX, you will need
    to assign a useful IP address to the interface you will tftp through,
    and if you happen not to be tftp'ing through the 'inside' interface,
    you will need to use the tftp-server command. Once you have filled
    out a complete tftp-server command, then from "config terminal" mode,
    a plain "config net" command will work. Later on, as you work on revised
    versions of the configuration, you will likely find it handy to know
    that the "config net" command can take parameters naming the server
    and exact file to load at that point -- saves having to go back and
    manually put in a new tftp-server command to name a different file.
    But the "config net" command does not offer a way to select an interface.


    As you mention working with the 501, my reference to selecting the proper
    interface likely won't be of much importance to you. It's really only
    of much importance when you have a PIX with multiple interfaces, in which
    case it might happen that your tftp server is not behind "ethernet1"
    (the default) -- for example, for our 525, our tftp server is behind
    one of our gigabit interfaces, which the PIX would never think to default
    to even if we physically removed the 10/100 interfaces.
    --
    I've been working on a kernel
    All the livelong night.
    I've been working on a kernel
    And it still won't work quite right. -- J. Benson & J. Doll
     
    Walter Roberson, Apr 19, 2004
    #2

  3. Mike Morgan

    Thank you, Walter. Very good advice. I tried the config net command, with an
    edited config file, but it kept getting rejected because the checksum did not
    match. Deleting the checksum from the edited config file did no good.

    I think that I will just paste the edited config at config t and, as you
    advise, determine what arguments in the default config have to be cleared or
    no'd.

    Mike

     
    Mike Morgan, Apr 20, 2004
    #3
  4. Walter Roberson

    In article <>,
    Mike Morgan <> wrote:
    :Thank you, Walter. Very good advice. I tried the config net command, with an
    :edited config file, but it kept getting rejected because the checksum did not
    :match. Deleting the checksum from the edited config file did no good.

    I have never -ever- seen a PIX check the checksum. I routinely "config net"
    with files that I have not updated the checksum for. Sure, I get
    messages about the checksum having changed, but the magic "Config OK"
    still comes up.

    If you are getting a "Config FAIL" then there's a problem with the
    file you are tftp'ing in. The checksum line is just a comment as
    far as "config net" is concerned.


    Just to check -- you aren't editing the file on Windows, are you?
    If you are, then there could be a ^Z that the Windows editor believes
    marks the end of file, followed by garbage data that will get
    transferred along because tftp sends in binary, ^Z and all.
    --
    Are we *there* yet??
     
    Walter Roberson, Apr 20, 2004
    #4
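Walter's two points above (a file of plain CLI lines, including "no"/"clear" commands, is fed to "config net" line by line, and a ^Z left by a Windows editor travels verbatim over tftp) as an added shell example that is not from this thread. It renders a per-site config from a template and checks the result for ^Z or CR bytes before the file is placed on the tftp server; the template lines, the placeholder names (@HOSTNAME@ and friends) and the checksum value are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: render a per-site PIX config from a
# template and check it for the Windows ^Z / CRLF problem before it is
# served to "config net". Placeholder names @HOSTNAME@ etc. are assumed.

# Constructed template: a checksum comment line (value is a placeholder),
# "clear"/"no" lines that reset parts of the default config, then the
# per-site values that change from unit to unit.
PIX_TEMPLATE=': Saved
: Cryptochecksum: 0000000000000000
clear xlate
no logging console
hostname @HOSTNAME@
ip address inside @INSIDE_IP@ @INSIDE_MASK@
'

render_site_config() {
  # $1=hostname $2=inside IP $3=inside mask; rendered config on stdout
  printf '%s' "$PIX_TEMPLATE" |
    sed -e "s/@HOSTNAME@/$1/g" -e "s/@INSIDE_IP@/$2/g" -e "s/@INSIDE_MASK@/$3/g"
}

check_pix_config() {
  # 0 = clean; 1 = file holds a ^Z (0x1A) or CR (0x0D) byte, typical of a
  # file saved by a Windows editor. tftp sends the file in binary, so the
  # ^Z and whatever follows it would reach the PIX as "commands".
  z=$(printf '\032'); cr=$(printf '\r')
  if LC_ALL=C grep -q "$z" "$1"; then
    echo "$1: contains ^Z (DOS end-of-file marker)" >&2; return 1
  fi
  if LC_ALL=C grep -q "$cr" "$1"; then
    echo "$1: contains CR line endings" >&2; return 1
  fi
  return 0
}

strip_dos_artifacts() {
  # Drop CRs and truncate the file at the first ^Z; result on stdout.
  LC_ALL=C tr -d '\r' < "$1" |
    LC_ALL=C awk -v z="$(printf '\032')" '
      { i = index($0, z); if (i) { if (i > 1) print substr($0, 1, i-1); exit } print }'
}
```

Run check_pix_config on every rendered file before it goes to the tftp directory; a non-zero return means the file should be cleaned with strip_dos_artifacts and checked again.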
  5. Martin Kayes

    Hi Mike,

    Another way would be to do a 'write erase', which will clear the default config; then you can paste in a text file via the console.

    Regards,

    Martin
     
    Martin Kayes, Apr 22, 2004
    #5
  6. Mike Morgan

    Would that be "write erase mem" or "write erase terminal"?

     
    Mike Morgan, Apr 23, 2004
    #6
  7. Martin Kayes

    Neither; the PIX simply uses 'write erase' to clear the saved config.

    It is a well-documented command.

     
    Martin Kayes, Apr 23, 2004
    #7