I recently backed up our current PIX config to our TFTP server. We're getting a second internet connection and as such, we ordered the same PIX device as the one in production. So, what we want to do is make the necessary IP changes in the backed up config for the new PIX, and then copy it over to the new device. How can we do this?
2 Answers
3
If it's running PIX 6.x software or earlier, you have to do it the old-fashioned way: copy and paste. PIX 6.x and earlier will let you `write net` to copy to TFTP, but the `copy` command has no way to pull it back in from TFTP. You'll need to copy and paste the configuration into a console, telnet, or SSH session.
If it's a 515 or higher running 7.x or 8.x, you can use the `copy` command as you would with IOS:
copy tftp://ip.or.host.here/config-file startup-config
Then reboot the PIX for it to load the saved config.

James Sneeringer
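An added example, not part of the answers on this page: one way to make the IP changes the question asks about on the backed-up file before it is pasted or copied onto the new unit, while listing lines that still point at the old network or carry credentials cloned from the production PIX. The sample config, address mapping and function names are constructed for illustration.

```python
import ipaddress
import re

# Whole dotted quads only, so 203.0.113.1 never matches inside 203.0.113.10.
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
SECRET = re.compile(r"^(enable password|passwd) ")

# Constructed sample in PIX 6.x syntax; addresses are documentation ranges.
OLD_CONFIG = """\
hostname pix-a
enable password CONSTRUCTEDHASH encrypted
ip address outside 203.0.113.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255 0 0
access-list inbound permit tcp any host 203.0.113.10 eq www
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
"""
MAPPING = {"203.0.113.2": "198.51.100.2", "203.0.113.1": "198.51.100.1"}


def in_net(token, net):
    try:
        return ipaddress.ip_address(token) in net
    except ValueError:  # e.g. 999.1.1.1 is not an address
        return False


def readdress(config, mapping, old_net):
    """Apply mapping; return (new_config, [(reason, line), ...]) to review."""
    net = ipaddress.ip_network(old_net)
    out, review = [], []
    for line in config.splitlines():
        new = IPV4.sub(lambda m: mapping.get(m.group(), m.group()), line)
        if any(in_net(tok, net) for tok in IPV4.findall(new)):
            review.append(("still in old network", new))
        if SECRET.match(new):
            review.append(("credential copied from old unit", new))
        out.append(new)
    return "\n".join(out) + "\n", review


if __name__ == "__main__":
    new_config, review = readdress(OLD_CONFIG, MAPPING, "203.0.113.0/24")
    print(new_config)
    for reason, line in review:
        print(f"REVIEW ({reason}): {line}")
```

In the sample, the `static` and `access-list` lines are reported because 203.0.113.10 has no entry in the mapping, which is the kind of leftover that is easy to miss when editing by hand.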
1
James's answer is 100% correct, but I'm a bit confused as to why you're getting a 2nd PIX:
- If you're getting two ISP connections to the same site, 2 PIXes aren't always necessary. A single PIX should be capable of handling more than just a single ISP; most example configurations assume just an inside and outside interface but there's nothing stopping you from configuring something like outside-1 and outside-2 for two different links. The PIX isn't a great router however, so you'll find you're limited in how you can direct your inbound and outbound traffic over both links simultaneously compared to a real router.
- If you're getting a 2nd PIX to act as a redundant backup, you should look at setting up a failover configuration rather than copying the configuration manually to the 2nd PIX as a spare. In a proper failover setup, the devices will propagate future configuration changes w/o you needing to remember to apply them to both, and it will automatically switch over to the standby unit without intervention.
- If you're looking at building out a 2nd physical site with a similar configuration to the first, then getting another PIX makes sense.

natacado
Agreed, your suggestions would make sense for a 515 or larger PIX, which is the minimum platform for more than two physical interfaces, and also the minimum for failover support. Short of that, he could still run dot1q on a 506/506e, but without knowing his network topology, I can't say whether that would be appropriate. – James Sneeringer Oct 07 '09 at 15:18