PIX 535升级为PIX OS 701.docx

1、PIX 535升级为PIX OS 701PIX 535升级为PIX OS 7.01PIX OS7.01的确系个好嘢！見詳細內容1、先看这里有没有合适的：查看原来的版本，看内存等等是否符合升级要求，535-UR要1G内存才能升级。pixfirewall# sh ver Cisco PIX Firewall Version 6.3(4)Cisco PIX Device Manager Version 3.0(1)Compiled on Fri 02-Jul-04 00:07 by morleepixfirewall up 8 days 0 hoursHardware: PIX-535, 1024

2、MB RAM, CPU Pentium III 1000 MHzFlash i28F640J5 0x300, 16MBBIOS Flash DA28F320J5 0xfffd8000, 128KBEncryption hardware device : VAC+ (Crypto5823 revision 0x1)0: gb-ethernet0: address is 000e.0c6b.96d0, irq 2551: gb-ethernet1: address is 000e.0c6b.96cf, irq 2552: ethernet0: address is 000e.0c5f.a3f0,

3、irq 2553: ethernet1: address is 000e.0c5f.a349, irq 255Licensed Features:Failover: EnabledVPN-DES: EnabledVPN-3DES-AES: EnabledMaximum Physical Interfaces: 10Maximum Interfaces: 24Cut-through Proxy: EnabledGuards: EnabledURL-filtering: EnabledInside Hosts: UnlimitedThroughput: UnlimitedIKE peers: Un

4、limitedThis PIX has an Unrestricted (UR) license.Serial Number: XXXXXXXXXRunning Activation Key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Configuration last modified by enable_15 at 00:55:28.017 UTC Tue Jun 7 20052、检查一下flash能不能访问：pixfirewall# sh flashflash file system: version:3 magic:0x12345679 file

5、 0: origin: 0 length:1966136 file 1: origin: 2097152 length:1975 file 2: origin: 0 length:0 file 3: origin: 2228224 length:3126944 file 4: origin: 0 length:0 file 5: origin: 8257536 length:3083、检查原来的配置，保存之pixfirewall# sh ru4、检查一下PIX上的interface，查看其工作状态：pixfirewall# sh int interface gb-ethernet0 outsi

6、de is up, line protocol is upinterface gb-ethernet1 inside is up, line protocol is upinterface ethernet0 inf3 is administratively down, line protocol is upinterface ethernet1 inf4 is administratively down, line protocol is down5、我在这里先配了一个FE口测试与终端的连通性，以便确保等一阵可以用TFTPpixfirewall(config)# ip address inf

7、3 10.32.2.79 255.255.255.0 pixfirewall(config)# exitpixfirewall# pixfirewall# ping 10.32.2.78 10.32.2.78 response received - 0ms 10.32.2.78 response received - 0ms 10.32.2.78 response received - 0ms6、好了，重启PIX，准备升级。 这是启动的画面，比较多字符。 按esc中断FLASH引导，进入monitor模式下。Wait. PCI Device Table.Bus Dev Func VendID

8、DevID Class Irq00 00 00 1166 0008 Host Bridge 00 00 01 1166 0008 Host Bridge 00 00 02 1166 0006 Host Bridge 00 00 03 1166 0006 Host Bridge 00 01 00 8086 1229 Ethernet 25500 02 00 8086 1229 Ethernet 25500 0F 00 1166 0200 ISA Bridge 00 0F 01 1166 0211 IDE Controller 00 0F 02 1166 0220 Serial Bus 7101

9、0B 00 14E4 5823 Co-Processor 25502 06 00 8086 1001 Ethernet 25502 07 00 8086 1001 Ethernet 255Cisco Secure PIX Firewall Embedded BIOS Version 4.3Cisco PIX-535+-+| System BIOS Configuration, (C) 2000 General Software, Inc. |+-+-+| System CPU : Pentium III | Low Memory : 637KB | Coprocessor : Enabled

10、| Extended Memory : 1023MB | Embedded BIOS Date : 11/28/00 | Serial Ports 1-2 : 03F8 02F8 |+-+-+Cisco Secure PIX Firewall BIOS (4.2) #0: Mon Dec 31 08:34:34 PST 2001Platform PIX-535Flash=i28F640J5 0x300Use BREAK or ESC to interrupt flash boot.Use SPACE to begin flash boot immediately.Flash boot inte

11、rrupted. 0: i8255X PCI(bus:0 dev:2 irq:255)1: i8255X PCI(bus:0 dev:1 irq:255)Ethernet auto negotiation timed out.Ethernet port 1 could not be initialized.Use ? for help.monitor Invalid or incorrect command. Use help for help.7、查看在monitor下可用的interface，肯定就是那两个FE口了。monitor interface0: i8255X PCI(bus:0

12、dev:2 irq:255)1: i8255X PCI(bus:0 dev:1 irq:255)8、这里我选用第一个fe口，就是刚才测试过的那个口monitor interface 00: i8255X PCI(bus:0 dev:2 irq:255)1: i8255X PCI(bus:0 dev:1 irq:255)Using 0: i82559 PCI(bus:0 dev:2 irq:255), MAC: 000e.0c5f.a3f09、配上接口地址，TFTP服务器地址等等，开始TFTP下载新版PIXOS。monitor address 10.32.2.79address 10.32.2.

13、79monitor server 10.32.2.78server 10.32.2.78monitor ping 10.32.2.78Sending 5, 100-byte 0x7970 ICMP Echoes to 10.32.2.78, timeout is 4 seconds:!Success rate is 100 percent (5/5)monitor file pix701.binfile pix701.binmonitor tftptftp pix701.bin10.32.2.78.Received 5124096 bytesCisco PIX Security Applian

14、ce admin loader (3.0) #0: Thu Mar 31 14:03:05 PST 2005#1024MB RAM10、下载完之后，PIX直接用新版PIXOS启动了。Total NICs found: 4mcwa i82559 Ethernet at irq 255 MAC: 000e.0c5f.a349mcwa i82559 Ethernet at irq 255 MAC: 000e.0c5f.a3f0BIOS Flash=DA28F320J5 0xD8000i82543 rev02 Gigabit Ethernet irq255 dev 6 index 01 MAC: 00

15、0e.0c6b.96cfi82543 rev02 Gigabit Ethernet irq255 dev 7 index 00 MAC: 000e.0c6b.96d0Old file system detected. Attempting to save data in flash11、这里是检查整理一遍FLASH，并把原来的PIXOS映像存成image_old.binInitializing flashfs.flashfs7: Checking block 0.block number was (-10627)flashfs7: erasing block 0.done.flashfs7:

16、Checking block 125.block number was (-1)flashfs7: erasing block 125.done.flashfs7: 0 files, 1 directoriesflashfs7: 0 orphaned files, 0 orphaned directoriesflashfs7: Total bytes: 16128000flashfs7: Bytes used: 1024flashfs7: Bytes available: 16126976flashfs7: flashfs fsck took 161 seconds.flashfs7: Ini

17、tialization complete.Saving the configuration!Saving a copy of old configuration as downgrade.cfg!Saved the activation key from the flash imageSaved the default firewall mode (single) to flashThe version of image file in flash is not bootable in the current version ofsoftware.Use the downgrade comma

18、nd first to boot older version of software.The file is being saved as image_old.bin anyway.!Upgrade process completeNeed to burn loader.Erasing sector 0.OKBurning sector 0.OKLicensed features for this platform:Maximum Physical Interfaces : 14 Maximum VLANs : 200 Inside Hosts : Unlimited Failover : A

19、ctive/ActiveVPN-DES : Enabled VPN-3DES-AES : Enabled Cut-through Proxy : Enabled Guards : Enabled URL Filtering : Enabled Security Contexts : 2 GTP/GPRS : Disabled VPN Peers : Unlimited This platform has an Unrestricted (UR) license.12、继续引导：Encryption hardware device : VAC+ (Crypto5823 revision 0x1)

20、 - . . | | | | .| |. .| |. .:| | |:.:| | |:. C i s c o S y s t e m s -Cisco PIX Security Appliance Software Version 7.0(1) * Warning * This product contains cryptographic features and is subject to United States and local country laws governing, import, export, transfer, and use. Delivery of Cisco c

21、ryptographic products does not imply third-party authority to import, export, distribute, or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. I

22、f you are unable to comply with U.S. and local laws, return the enclosed items immediately. A summary of U.S. laws governing Cisco cryptographic products may be found at: If you require further assistance please contact us by sending email to export. * Warning *Copyright (c) 1996-2005 by Cisco Syste

23、ms, Inc. Restricted Rights LegendUse, duplication, or disclosure by the Government issubject to restrictions as set forth in subparagraph(c) of the Commercial Computer Software - RestrictedRights clause at FAR sec. 52.227-19 and subparagraph(c) (1) (ii) of the Rights in Technical Data and ComputerSo

24、ftware clause at DFARS sec. 252.227-7013. Cisco Systems, Inc. 170 West Tasman Drive San Jose, California 95134-1706ERROR: This command is no longer needed. The LOCAL user database is always enabled.* Output from config line 59, aaa-server LOCAL protoco.ERROR: This command is no longer needed. The floodguard feature is always enabled.* Output from config line 64, floodguard enable13、转换一些配置Cryptochecksum(unchanged):