PIX config on TFTP

Discussion in 'Cisco' started by Mirek, Apr 8, 2004.

  1. Mirek


    Simple question.
    I don't know how to load my configuration which is stored on a tftp server to
    my pix firewall?
    I'm using 6.1(4) software.
    Please help.

    Mirek, Apr 8, 2004

  2. :Simple question.
    :I don't know how to load my configuration which is stored on a tftp server to
    :my pix firewall?
    :I'm using 6.1(4) software.

    The official instructions are that you start by 'erase config',
    then you configure an ip address for the interface you want to use,
    then you configure a 'tftp-server' reflecting the host and filename.
    Then, that all having been set up, you config net from within
    'config terminal' mode.

    That's the official instructions, and the only method *supported*
    by Cisco.

    In reality, the 'erase config' step can usually be completely avoided,
    but because anything you tftp in *adds* to your existing configuration,
    you have to put appropriate 'clear' and 'no' statements in your master
    configuration to get everything into the right state. It's fast and easy
    once it's set up.
    Walter Roberson, Apr 8, 2004

  3. conf net IP:/file.cfg

    Have any tftp file there, partial or complete
    lines are ignored if they are the same
    lines with no-prefixed are removed

    works super with 6.3.3 and my guess is the same for 6.1.4
    Martin Bilgrav, Apr 8, 2004
  4. Mirek

    U're the best

    Mirek, Apr 8, 2004
  5. :conf net IP:/file.cfg

    You need to have set up a tftp-server command first, as otherwise
    it will make nasty assumptions about the interface to use. That's the
    only -real- function of the tftp-server command, IMHO: it's the only
    place you can set the interface.

    :Have any tftp file there, partial or complete

    You must not have read the details of my postings on the subject ;-)

    The inputs accepted for tftp files are slightly different than those
    accepted for typing in commands. Generally speaking, you need to use
    complete commands in the tftp file: the command completion for
    tftp is -different- than the command completion for interactive commands.
    There are a few commands which are not accepted via tftp. And
    you can tftp in a line that contains a question-mark (e.g., in
    a remark or in an isakmp key), which you can't do interactively.

    :lines are ignored if they are the same

    ACL lines are ignored if they duplicate an existing ACL line. Some
    of the other lines will, if duplicated, result in errors that lead to
    you being told the tftp failed.

    :lines with no-prefixed are removed

    Unless, that is, it's a "no ip address" on the interface you're
    tftp'ing through, or unless you manage to turn off the rip passive
    listener that was providing the route to the tftp server.
    There is a way around these problems, which I've documented in previous

    So.... you cannot, in fact, use "any tftp file, partial or complete":
    you have to be a bit careful about what's in your tftp file. Once
    you have the little tricks down, though, it sure is a useful technique!
    Walter Roberson, Apr 9, 2004
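
A pre-merge check for a file that will be loaded with `configure net`, covering the caveats raised in the post above: complete commands, `no ip address` on the interface used for TFTP, turning off a RIP passive listener, and lines being added to the existing configuration. This is an added example, not part of any poster's message; the function name, the partial command list, the sample file, and the treatment of `no access-list NAME` / `clear access-list NAME` as whole-list resets are assumptions of the example.

```python
# Added example. KNOWN is a partial, assumed list of PIX 6.x top-level commands.
KNOWN = {"access-group", "access-list", "clear", "conduit", "crypto", "fixup",
         "global", "hostname", "interface", "ip", "isakmp", "logging", "name",
         "nameif", "names", "nat", "rip", "route", "static", "sysopt",
         "tftp-server"}

# Constructed sample file (documentation addresses, hypothetical ACL names).
SAMPLE = """\
: constructed sample, not a real configuration
no access-list outside_in
access-list outside_in permit tcp any host 192.0.2.10 eq 80
access-list dmz_in permit tcp any host 192.0.2.20 eq 25
access-l dmz_in deny ip any any
no rip inside passive
no ip address inside
"""

def lint_merge_file(text, tftp_if):
    """Return (line_no, severity, message) tuples for risky lines."""
    findings, reset, noted = [], set(), set()
    for n, raw in enumerate(text.splitlines(), 1):
        tok = raw.split()
        # Skip blank lines, ':' comment lines and a bare 'no'.
        if not tok or tok[0].startswith(":") or tok == ["no"]:
            continue
        negated = tok[0] == "no"
        words = tok[1:] if negated else tok
        cmd = words[0]
        if cmd not in KNOWN and any(k.startswith(cmd) for k in KNOWN):
            findings.append((n, "warn", f"abbreviated command '{cmd}'"))
        if negated and words[:2] == ["ip", "address"] and tftp_if in words[2:3]:
            findings.append((n, "error", f"removes address of '{tftp_if}'"))
        if negated and cmd == "rip" and "passive" in words:
            findings.append((n, "warn", "disables a RIP passive listener"))
        # Assumed: these two forms remove a whole ACL before it is rebuilt.
        if negated and cmd == "access-list" and len(words) == 2:
            reset.add(words[1])
        elif words[:2] == ["clear", "access-list"] and len(words) == 3:
            reset.add(words[2])
        elif not negated and cmd == "access-list" and len(words) > 2:
            if words[1] not in reset | noted:
                noted.add(words[1])
                findings.append((n, "info", f"ACL '{words[1]}' merges into existing entries"))
    return findings

if __name__ == "__main__":
    for finding in lint_merge_file(SAMPLE, tftp_if="inside"):
        print(*finding)
```
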
  6. Not sure about that, Walter - But you may be right...

    By partial I mean not fully listed config file, e.g. you can have just a file
    containing an ACL
    And yes you need to use full commands, but this is in general a good idea on
    the PIX's

    Martin Bilgrav
    Martin Bilgrav, Apr 10, 2004