Saturday, 7 February 2015

One step back, four steps forward

I finished setting up the pix525 today - I've been having problems getting nfs file sharing to work. It turns out that whereas for years and years I've been putting 

/home/drsolly/shared 10.*.*.*(rw,async)

in my exports file, and I thought it was working, what was actually working was the other line

/home/drsolly/shared *,async)

And the correct syntax for the first line is


It's been working fine before, because I had my DNS working. But on my lan lab setup, I haven't got DNS yet. So it tried to use the IP address line, and that didn't work. Once I corrected that mistake, there was much rejoicing in the lan lab.

Next, I created my regression tests. It's so that after I make some changes, I can very quickly verify that everything that should be allowed, is allowed, and everything that should be denied, is denied. So I tested my regression tests, and they tested OK, so now the next step.

I downed the pix525, and carefully extracted one of the four-port network cards. Then I powered it up again and checked that it still worked.

Then I opened up the pix515e failover unit that I have, and put the network card in. This is because as it stands, it only has two ports, inside and outside, and I'm using three. But ... it rejected it! Even though it looks exactly like the one in the pix515E that does have a card, it doesn't work in the pix515efo.

I was sold these as a working pair; main unit and failover. But they couldn't be used that way. Oh well. It means that I'll just use the pix515e as my main firewall, and if that should ever fail, I'll just plug in the pix525 until I can either fix the 515e, or get a replacement. I'm not bothered; I've been using three pixes for several years, and in all that time, I haven't had a single failure.

So next, I tried to install the lovely lovely user interface in the pix515e. I tried a couple of version of asdm, and a couple of versions of pdm, all to no avail. Well, I wasn't really expecting this to fly, and it's not too awful. In working with the 525 and the user interface, I've learned a lot about how the command line works, so I can make small changes to the 515 that way. Although in my experience, that isn't needed very often. And if I need to do big changes, I can do them on the 525, test them, then copy them to the 515e.

While the 525 was up, I copied the configuration to my tftp server. With the 515e running, I copied that configuration to the 515e, and it worked! So I ran my regression tests, and everything was tickety-boo.

Something I've learned here - I've been using pixes for 15 years or so, and in all that time, I never really understood them. I found things that worked, and used those, and found things that didn't, and avoided those. But it was all hit-and-miss; I'd try things until something worked. Now I feel that I understand them a lot better, and I know why I need things (most of the time). It isn't just a magic incantation any more.

I've also discovered why my Samba shares weren't always working (the extra <cr> in the credentials file), how to write nfs exports files, why you can use ftp through a pix and a few other things unrelated to firewalls.

No comments:

Post a Comment