Built-in installer can use command scp to copy generated configuration to the firewall and then command "copy file running-config" to activate it. This method is much faster than running configuration line by line. The firewall should be configured with ssh v2 and scp server.
To use this method, turn on checkbox in the tab "Installer" of the "advanced settings" dialog of the PIX firewall. Since this option is configured separately for each firewall object, you can have a mix of installation methods if some firewalls do not support scp.
To configure scp on the PIX firewall you need to do the following:
Create RSA keys
enable ssh v2 using command "ssh version 2" in configuration mode
enable scp using command "ssh scopy enable" in configuration mode
make sure user account used to copy configuration has "privilege 15": "username fwadmin password XXXXXXX privilege 15"
To troubleshoot when scp is not working:
Test using command line scp tool rather than fwbuilder installer. Use "scp" on Linux and Mac OS X and "pscp.exe" on Windows like this: "scp file.fw firewall:flash:file.fw"
check that ssh and scopy are enabled on the firewall
check that user account has privilege 15
Use command "debug ssh 10" on PIX to turn debugging on. Diagnostic messages that it prints to the console and to log may help you identify the problem
Note that when fwbuilder uses command "copy file.fw running-config" to activate uploaded policy, the firewall does not print it. If there are errors, they are printed but the lines they refer to are not printed. Some configuration lines trigger lines because they try to configure things that are already configured, such as some parameters of interfaces, global pools etc.
Generated PIX configuration will include commands that enable ssh v2 and enable scopy if this option is turned on to make sure they stay enabled after configuration is reloaded from the file.
Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.
Using free CSS Templates.