• Status: Solved

clearing a PIX config to TFTP new config

I'm attempting to delete a config for a 506E PIX running 6.3(4) and grab a new config from a TFTP server because the device is being repositioned to another office (scripts are very similar). I followed
http://www.experts-exchange.com/Security/Software_Firewalls/Q_21984010.html
but the "clear config all" doesn't seem to clear everything and instead does a partial merge. How do I really, REALLY clear it?

These are the console errors I get:

Config Error -- clear configuration all
Encrypted password is of incorrect length
invalid telnet password 'xxxxxxxxxxx':  must be exactly 16 bytes long
Config Error -- passwd xxxxxxxxx encrypted
ACE not added. Possible duplicate entry
ACE not added. Possible duplicate entry
ERROR: entry for address/mask = 192.168.5.0/255.255.255.0 exists
Interface address is not on same subnet as DHCP pool
global for this range already exists
ERROR: Duplicate NAT entry
ERROR: fail to insert nat entry
.A pre-shared key for address 12.126.232.134 netmask 255.255.255.255 already exists!
Error: Key insert failed.
ERROR: entry for address/mask = 192.168.5.0/255.255.255.0 exists

Config Failed
tftp: Unspecified Error
Asked by thefumbler
lrmoore Commented:
>clear configuration all
It is not "configuration" but rather "configure"
i.e.   clear configure all
This resets to defaults, so you have to re-arrange your config just a little and change dhcpd first.
Also, remember to edit the config to include actual passwords, and not the **** placeholders in the copied config.
NO:
 enable password <password> encrypted
 passwd <password> encrypted

YES (leave off word "encrypted")
 
clear configure all
no dhcpd enable inside
no dhcpd address 192.168.1.2-192.168.1.254 inside
!
enable password <password>
passwd <password>

! begin the rest of the actual config here:

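The answer above amounts to a small rewrite of the file you put on the TFTP server: the copied `write terminal` output has to lose its capture noise and its hashed or `****`-masked password lines, gain plaintext `enable password` / `passwd` lines (no `encrypted` keyword), and start with `clear configure all` followed by removal of the factory inside DHCP pool. The helper below is an added example (not from the original thread or from Cisco) that performs that rewrite and lints the result for the mistakes that produced the "Config Failed" in the question. The sample capture, hostnames and addresses are constructed; the factory pool, the 16-character password limit of PIX 6.x and the line patterns a `write terminal` capture contains are assumptions stated in the comments.

```python
"""Prepare a PIX 6.3 config captured from one box for 'configure net' (TFTP) on another.

Added example, not code from the thread. Assumptions are marked in comments.
"""
import re

# Factory dhcpd pool a cleared PIX 506E comes back with; the answer removes this
# pool before the new inside address is set. Assumed default, overridable.
FACTORY_INSIDE_POOL = "192.168.1.2-192.168.1.254"

PIX_MAX_PASSWORD = 16  # PIX 6.x accepts at most 16 characters for enable password / passwd

# Non-command lines a 'write terminal' / 'show config' capture carries (assumed patterns)
CAPTURE_NOISE = re.compile(r"^(:|!|PIX Version\b|Building configuration|Cryptochecksum:)")
PASSWORD_LINE = re.compile(r"^(enable password|passwd)\s+(\S+)(?:\s+encrypted)?\s*$")
CLEAR_LINE = re.compile(r"^clear\s+config")


def _check_password(label, pw):
    """Refuse the **** placeholder, over-long or space-containing passwords."""
    if not pw or set(pw) == {"*"}:
        raise ValueError(f"{label}: supply the real password, not a **** placeholder")
    if len(pw) > PIX_MAX_PASSWORD:
        raise ValueError(f"{label}: longer than {PIX_MAX_PASSWORD} characters")
    if any(c.isspace() for c in pw):
        raise ValueError(f"{label}: whitespace would be parsed as a second argument")
    return pw


def prepare_pix_config(copied, enable_pw, telnet_pw, inside_pool=FACTORY_INSIDE_POOL):
    """Return the text to place on the TFTP server for 'configure net'."""
    enable_pw = _check_password("enable password", enable_pw)
    telnet_pw = _check_password("passwd", telnet_pw)

    body = []
    for raw in copied.splitlines():
        line = raw.strip()
        if not line or CAPTURE_NOISE.match(line) or CLEAR_LINE.match(line):
            continue                      # capture noise, or a clear line we prepend ourselves
        if PASSWORD_LINE.match(line):
            continue                      # copied hash / placeholder is not re-enterable
        body.append(line)

    head = [
        "clear configure all",            # 'configure', not 'configuration'
        "no dhcpd enable inside",         # factory pool first, before any ip address line
        f"no dhcpd address {inside_pool} inside",
        "!",
        f"enable password {enable_pw}",   # plaintext: the PIX hashes it when it loads the line
        f"passwd {telnet_pw}",
        "! begin the rest of the actual config here:",
    ]
    return "\n".join(head + body) + "\n"


def lint(text):
    """List (line number, problem) pairs that would stop 'configure net' with Config Failed."""
    problems = []
    if not text.startswith("clear configure all"):
        problems.append((0, "config does not begin with 'clear configure all'"))
    for n, line in enumerate(text.splitlines(), 1):
        if PASSWORD_LINE.match(line) and re.search(r"\bencrypted\s*$", line):
            problems.append((n, "password line still carries 'encrypted'"))
        if re.search(r"\s\*{3,}(\s|$)", line):
            problems.append((n, "**** placeholder left in place"))
        if line.startswith("clear configuration"):
            problems.append((n, "'clear configuration' is not a PIX command"))
    return problems


# Constructed sample of a 'write terminal' capture from the old office (not a real device).
SAMPLE_CAPTURE = """\
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ******** encrypted
passwd ******** encrypted
hostname branch-pix
ip address outside 203.0.113.10 255.255.255.248
ip address inside 192.168.5.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 192.168.5.0 255.255.255.0 0 0
dhcpd address 192.168.5.10-192.168.5.100 inside
dhcpd enable inside
Cryptochecksum:0000000000000000000000000000000000
: end
"""

if __name__ == "__main__":
    cfg = prepare_pix_config(SAMPLE_CAPTURE, "en4bl3pw", "t3ln3tpw")
    assert lint(cfg) == []
    print(cfg)
```

Two caveats a practitioner would want alongside this. The prepared file now holds real passwords in clear, and TFTP offers neither authentication nor encryption, so anyone on the path or with read access to the TFTP root can take them: leave the file on the server only for the duration of the `configure net`, delete it afterwards, and prefer a crossover cable or the inside network over a shared segment. The PIX hashes the two passwords as it loads them, so the running config does not expose them. On the RSA key discussed later in the thread, a 512-bit modulus is weak by today's standards; PIX 6.3 accepts larger moduli, and in PIX 6.x the generated key must be written to flash with `ca save all` or it is lost on reload.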
 
thefumbler (Author) Commented:
That worked much better, thanks lrmoore.  Only 2 console messages this time but they seem minor...
#1 -Cannot select private key
#2 -outside interface address added to PAT pool

For #1, I figured I should generate a new key and used "ca generate rsa 512" to do so. Using 'show ca mypubkey rsa' a key now appears. Is that correct? I have half a sense, but what is it used for?

And I bet the #2 line is just informational as the script was being processed, right?
 
lrmoore Commented:
Yes to both. Generating a new rsa key will allow you to use ssh to access the PIX. #2 is just informational - correct.