
PIX v6 Restore

Jesus, I'm pulling my frikkin' hair out :(

I've got a backed-up copy of a PIX config. I want to  R E S T O R E  it back to the PIX; it's on a TFTP server.

I DON'T! want to merge it with anything; the config on the PIX is BAD. I want to overwrite the config.

I've done this umpteen times before but it's not working :(

What's the command I need?

TFTP server is at 10.10.0.3, filename is startup.


Note: restore the whole thing; copy tftp start won't work, it's 6.3(5).
Asked by: Pete Long
2 Solutions
grblades commented:
How about doing it the basic way:

  - write erase
  - reboot the PIX
  - connect via console cable
  - paste the new config in over the console connection
Pete Long (Consultant, Author) commented:
'Cause I'm 100 miles away :(
Pete Long (Consultant, Author) commented:
Background

I put a 506E in a long time ago with a site-to-site to my office for support - all worked fine.

Yesterday they wanted some VPN clients setting up for remote access. I was on site and set them up - they worked fine.

Today I'm back in the office and the site-to-site no longer works. I manually removed all the VPN stuff and re-did the site-to-site, and it worked. I added back the client VPNs, and the site-to-site stops working.
Pete Long (Consultant, Author) commented:
I built the site-to-site from the command line:

access-list 101 permit ip 10.10.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list 102 permit ip 10.10.0.0 255.255.0.0 10.1.0.0 255.255.0.0
nat (inside) 0 access-list 101
sysopt connection permit-ipsec
crypto ipsec transform-set USEME esp-3des esp-sha-hmac
crypto map coniston 10 ipsec-isakmp
crypto map coniston 10 match address 102
crypto map coniston 10 set pfs group2
crypto map coniston 10 set peer 123.123.123.123
crypto map coniston 10 set transform-set USEME
crypto map coniston interface outside
isakmp enable outside
isakmp key 12345678901234567890asdfg address 123.123.123.123 netmask 255.255.255.225
isakmp identity address
isakmp keepalive 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

I did the client VPNs from the PDM - here's the two together:



name 10.10.0.3 Server
access-list 101 permit ip 10.10.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list 101 permit ip 10.10.0.0 255.255.0.0 10.30.0.0 255.255.255.0
access-list 102 permit ip 10.10.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list RemoteVPN_splitTunnelAcl permit ip 10.10.0.0 255.255.0.0 any
access-list outside_cryptomap_dyn_20 permit ip any 10.30.0.0 255.255.255.0
ip local pool NewPool 10.30.0.1-10.30.0.254
nat (inside) 0 access-list 101
crypto ipsec transform-set USEME esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map coniston 10 ipsec-isakmp
crypto map coniston 10 match address 102
crypto map coniston 10 set pfs group2
crypto map coniston 10 set peer 123.123.123.123
crypto map coniston 10 set transform-set USEME
crypto map coniston 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map coniston client authentication LOCAL
crypto map coniston interface outside
isakmp enable outside
isakmp key 12345678901234567890asdfg address 123.123.123.123 netmask 255.255.255.225
isakmp identity address
isakmp keepalive 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
vpngroup RemoteVPN address-pool NewPool
vpngroup RemoteVPN dns-server Server
vpngroup RemoteVPN wins-server Server
vpngroup RemoteVPN default-domain site.dom
vpngroup RemoteVPN split-tunnel RemoteVPN_splitTunnelAcl
vpngroup RemoteVPN idle-time 1800
vpngroup RemoteVPN password 01234567890123456789asdfg
username user password xxxxxxxxxxxxxxxxx encrypted privilege 15


Why is the second one breaking the first one?
grblades commented:
I am doing basically what you want to do and my configuration is practically identical. However, I don't have the equivalent of this line:
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

Also, for this configuration item:
crypto map coniston 10 set peer 123.123.123.123
Am I correct in remembering that you can also specify a no-xauth option or something similar?
Pete Long (Consultant, Author) commented:
>>Am I correct in remembering that you can also specify a no-xauth option or something similar?

I don't, but if I did, would that not go on the end of

isakmp key 12345678901234567890asdfg address 123.123.123.123 netmask 255.255.255.225

I've never specified that for this site-to-site and it's worked for over a year?

>>crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

PDM put all that gubbins in. I've got the site-to-site working again; I'll set the VPN clients to use esp-sha, hang on...
Pete Long (Consultant, Author) commented:
Taking that line out made no difference :(

I can do one or the other but not both, which is what I have to do :(
Pete Long (Consultant, Author) commented:
Every time I fek it up I have to remove every line one by one - hence my original question.
Yes, I know I can not save it and reboot it, but this is a production firewall; I can't keep bouncing it.
grblades commented:
I found http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800a2cce.shtml and the no-xauth does indeed go at the end of the isakmp line.
I was thinking that perhaps 'crypto map coniston client authentication LOCAL' turned on XAUTH and the PIX was trying to use it for LAN-to-LAN connections as well.
That said, I don't have the option either and it is all working fine for me. I do remember lrmoore mentioning adding the option in a similar situation once though, so perhaps there is a bug or some other issue which requires it sometimes.
Pete Long (Consultant, Author) commented:
>>'crypto map coniston client authentication LOCAL'

This is the authentication for the VPN clients - it prompts them for username and password from the client.

I'm admitting defeat - I'll forward 3389 from my IP to their server for remote support. I've racked my brains and configs and I don't have another PIX v6 client that I'm doing both with.
grblades commented:
Last resort - send lrmoore an email :)
Pete Long (Consultant, Author) commented:
LOL - Aye :)

I've got the clients working and forwarded RDP for now; lrmoore will probably scan the Q at some point today - let's see if he can shed any light on it.
lrmoore commented:
In your copy of the config that resides on the TFTP server, add this to the top of it:
 clear config all

>isakmp key <key> address 123.123.123.123 netmask 255.255.255.225 no-xauth no-config-mode

I think that by adding in the client authentication, you now need the no-xauth on the isakmp key line with the remote site...
Pete Long (Consultant, Author) commented:
Mmmm OK - I'll give it a shot tomorrow when I'm back in the office.

Any thoughts on the restore question - 'cause that's doing my head right in. I'm sure I've rolled my PIX 501 at home back to previous configs, I just can't remember how I did it :(
lrmoore commented:
Add this one line to the top of the archived config:

    clear config all

That will completely wipe out what is already there and replace it with the rest of the config instead of merging them....
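lrmoore's two suggestions (prepend clear config all to the archived file so the TFTP load replaces the running config instead of merging into it, and put no-xauth no-config-mode on the LAN-to-LAN isakmp key line once the crypto map carries client authentication) are mechanical enough to script before the file is pushed to the box. The block below is an added example for this thread, not code from the thread, from Cisco or from the PIX itself. Its regexes are assumptions about the command syntax visible in the config posted above, the sample config is a constructed, trimmed copy of those lines, and the 255.255.255.255 netmask check is my own addition (the posted key line reads 255.255.255.225, which is not a contiguous mask). The script only produces the candidate restore file; whether the no-xauth change is right for a given box is still a matter of testing, and Pete reports above that it broke his client connections.

```python
"""Added example, not code from the thread: lint a PIX 6.x config for the
XAUTH clash discussed above and build the TFTP restore file lrmoore describes.
The command patterns below are my own assumptions based on the posted config."""
import re

# Constructed sample: a trimmed copy of the crypto/isakmp lines posted above.
SAMPLE_CONFIG = """\
crypto map coniston 10 ipsec-isakmp
crypto map coniston 10 match address 102
crypto map coniston 10 set peer 123.123.123.123
crypto map coniston 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map coniston client authentication LOCAL
crypto map coniston interface outside
isakmp enable outside
isakmp key 12345678901234567890asdfg address 123.123.123.123 netmask 255.255.255.225
isakmp identity address
"""

PEER_RE = re.compile(r"^crypto map (\S+) \d+ set peer (\S+)$")
XAUTH_RE = re.compile(r"^crypto map (\S+) client authentication \S+$")
KEY_RE = re.compile(r"^isakmp key \S+ address (\S+) netmask (\S+)(.*)$")


def lint_lan_to_lan(config_text):
    """Return (peer, message) findings for static peers whose isakmp key line
    will get XAUTH applied because the same crypto map does client auth."""
    xauth_maps = set()   # crypto maps that carry 'client authentication'
    peers = {}           # static peer ip -> crypto map name
    keys = {}            # peer ip -> (netmask, trailing keywords)
    for raw in config_text.splitlines():
        line = raw.strip()
        m = XAUTH_RE.match(line)
        if m:
            xauth_maps.add(m.group(1))
            continue
        m = PEER_RE.match(line)
        if m:
            peers[m.group(2)] = m.group(1)
            continue
        m = KEY_RE.match(line)
        if m:
            keys[m.group(1)] = (m.group(2), m.group(3).split())
    findings = []
    for peer, cmap in sorted(peers.items()):
        if peer not in keys:
            findings.append((peer, "no isakmp key for static peer"))
            continue
        netmask, opts = keys[peer]
        if cmap in xauth_maps and "no-xauth" not in opts:
            findings.append((peer, "crypto map %s does client authentication; "
                             "add no-xauth no-config-mode to the isakmp key line" % cmap))
        if netmask != "255.255.255.255":   # my own check: a single-peer key uses a host mask
            findings.append((peer, "netmask %s on a single-peer key; expected 255.255.255.255" % netmask))
    return findings


def fix_isakmp_key(config_text, peer):
    """Append 'no-xauth no-config-mode' to PEER's isakmp key line if it is missing."""
    out = []
    for raw in config_text.splitlines():
        m = KEY_RE.match(raw.strip())
        if m and m.group(1) == peer and "no-xauth" not in m.group(3):
            raw = raw.rstrip() + " no-xauth no-config-mode"
        out.append(raw)
    return "\n".join(out) + "\n"


def build_restore_image(archived_config):
    """Prepend 'clear config all' so the file loaded from TFTP replaces the
    running config instead of merging into it, as lrmoore suggests."""
    body = archived_config.lstrip("\n")
    if body.startswith("clear config all"):
        return body
    return "clear config all\n" + body


if __name__ == "__main__":
    for peer, msg in lint_lan_to_lan(SAMPLE_CONFIG):
        print("%s: %s" % (peer, msg))
    print(build_restore_image(fix_isakmp_key(SAMPLE_CONFIG, "123.123.123.123")))
```

Run it over the real archived file rather than the sample, write build_restore_image()'s output to the TFTP server under the filename the PIX will pull, and read the findings before loading it: the script flags problems, it does not prove a config works, and a file that starts with clear config all will wipe the box the moment it is loaded, so it is not something to test on a production firewall over a VPN that the same file might break.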
Pete Long (Consultant, Author) commented:
Ahhh - Tip Top

Cheers m8

Haven't had a chance to give it a try today - I've been tied up trying to get Windows Deployment Services working, and I'm out putting an AIO in all day tomorrow, so I might not get a chance to close this out till next week :(
Pete Long (Consultant, Author) commented:
Sorry for the late follow-up.

Tried that and the client-to-gateway connections broke :( As it's only for remote support and I can get in anyway, I'm going to admit defeat :(

Cheers guys

Pete