PIX upgrade

1. First check the existing version, and confirm that memory and so on meet the upgrade requirements.
2. Check that the flash can be accessed:
CODE
pixfirewall# sh flash
flash file system: version:3 magic:0x12345679
file 0: origin:        0 length:1966136
file 1: origin: 2097152 length:1975
file 2: origin:        0 length:0
file 3: origin: 2228224 length:3126944
file 4: origin:        0 length:0
file 5: origin: 8257536 length:308

3. Check the existing configuration and save it
CODE
pixfirewall# sh run
pixfirewall# wr

4. Check the interfaces on the PIX and look at their operational state:
CODE
pixfirewall# sh int
interface gb-ethernet0 "outside" is up, line protocol is up
…………
interface gb-ethernet1 "inside" is up, line protocol is up
…………
interface ethernet0 "inf3" is administratively down, line protocol is up
…………
interface ethernet1 "inf4" is administratively down, line protocol is down
…………

5. Here I first configured one FE port and tested connectivity to the terminal, to make sure TFTP would work in a moment
CODE
pixfirewall(config)# ip address inf3 10.32.2.79 255.255.255.0
pixfirewall(config)# exit
pixfirewall#
pixfirewall# ping 10.32.2.78
        10.32.2.78 response received -- 0ms
        10.32.2.78 response received -- 0ms
        10.32.2.78 response received -- 0ms

Note: because PIX 6.3(4) does not support deleting files in flash directly, we have to upgrade from monitor mode.

6. OK, reboot the PIX and get ready to upgrade.
This is the boot screen; it prints quite a lot of text.
Press ESC to interrupt the flash boot and enter monitor mode.
CODE

Wait.....                          

PCI Device Table.
Bus Dev Func VendID DevID Class               Irq
00 00 00    1166    0008 Host Bridge         
00 00 01    1166    0008 Host Bridge         
00 00 02    1166    0006 Host Bridge         
00 00 03    1166    0006 Host Bridge         
00 01 00    8086    1229 Ethernet            255
00 02 00    8086    1229 Ethernet            255
00 0F 00    1166    0200 ISA Bridge          
00 0F 01    1166    0211 IDE Controller      
00 0F 02    1166    0220 Serial Bus          71
01 0B 00    14E4    5823 Co-Processor        255
02 06 00    8086    1001 Ethernet            255
02 07 00    8086    1001 Ethernet            255


Cisco Secure PIX Firewall Embedded BIOS Version 4.3
Cisco PIX-535
+------------------------------------------------------------------------------+
|           System BIOS Configuration, (C) 2000 General Software, Inc.           |
+---------------------------------------+--------------------------------------+
| System CPU            : Pentium III     | Low Memory            : 637KB          |
| Coprocessor           : Enabled         | Extended Memory       : 1023MB         |
| Embedded BIOS Date    : 11/28/00        | Serial Ports 1-2      : 03F8 02F8      |
+---------------------------------------+--------------------------------------+

Cisco Secure PIX Firewall BIOS (4.2) #0: Mon Dec 31 08:34:34 PST 2001
Platform PIX-535
Flash=i28F640J5 @ 0x300

Use BREAK or ESC to interrupt flash boot.
Use SPACE to begin flash boot immediately.
Flash boot interrupted.                          
0: i8255X @ PCI(bus:0 dev:2 irq:255)
1: i8255X @ PCI(bus:0 dev:1 irq:255)

Ethernet auto negotiation timed out.
Ethernet port 1 could not be initialized.
Use ? for help.
monitor>
Invalid or incorrect command. Use 'help' for help.

7. List the interfaces available in monitor mode; naturally they are the two FE ports.
CODE
monitor> interface
0: i8255X @ PCI(bus:0 dev:2 irq:255)
1: i8255X @ PCI(bus:0 dev:1 irq:255)

8. Here I chose the first FE port, the one I just tested
CODE
monitor> interface 0
0: i8255X @ PCI(bus:0 dev:2 irq:255)
1: i8255X @ PCI(bus:0 dev:1 irq:255)

Using 0: i82559 @ PCI(bus:0 dev:2 irq:255), MAC: 000e.0c5f.a3f0

9. Configure the interface address, the TFTP server address and so on, then start the TFTP download of the new PIX OS.
CODE
monitor> address 10.32.2.79
address 10.32.2.79
monitor> server 10.32.2.78
server 10.32.2.78
monitor> ping 10.32.2.78
Sending 5, 100-byte 0x7970 ICMP Echoes to 10.32.2.78, timeout is 4 seconds:
!!!!!
Success rate is 100 percent (5/5)
monitor> file pix701.bin
file pix701.bin
monitor> tftp
tftp ...........................
…………
Received 5124096 bytes
Cisco PIX Security Appliance admin loader (3.0) #0: Thu Mar 31 14:03:05 PST 2005
####################################################
……
1024MB RAM

10. After the download finishes, the PIX boots directly with the new PIX OS.
CODE

Total NICs found: 4
mcwa i82559 Ethernet at irq 255 MAC: 000e.0c5f.a349
mcwa i82559 Ethernet at irq 255 MAC: 000e.0c5f.a3f0
BIOS Flash=DA28F320J5 @ 0xD8000
i82543 rev02 Gigabit Ethernet @ irq255 dev 6 index 01 MAC: 000e.0c6b.96cf
i82543 rev02 Gigabit Ethernet @ irq255 dev 7 index 00 MAC: 000e.0c6b.96d0
Old file system detected. Attempting to save data in flash

11. Here it checks and reorganizes the flash, and saves the old PIX OS image as image_old.bin
CODE
Initializing flashfs...
flashfs[7]: Checking block 0...block number was (-10627)
…………
flashfs[7]: erasing block 0...done.
flashfs[7]: Checking block 125...block number was (-1)
flashfs[7]: erasing block 125...done.
flashfs[7]: 0 files, 1 directories
flashfs[7]: 0 orphaned files, 0 orphaned directories
flashfs[7]: Total bytes: 16128000
flashfs[7]: Bytes used: 1024
flashfs[7]: Bytes available: 16126976
flashfs[7]: flashfs fsck took 161 seconds.
flashfs[7]: Initialization complete.

Saving the configuration
!
Saving a copy of old configuration as downgrade.cfg
!
Saved the activation key from the flash image
Saved the default firewall mode (single) to flash
The version of image file in flash is not bootable in the current version of
software.
Use the downgrade command first to boot older version of software.
The file is being saved as image_old.bin anyway.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
……
Upgrade process complete
Need to burn loader....
Erasing sector 0...[OK]
Burning sector 0...[OK]

Licensed features for this platform:
Maximum Physical Interfaces : 14         
Maximum VLANs                : 200        
Inside Hosts                 : Unlimited
Failover                     : Active/Active
***-DES                      : Enabled    
***-3DES-AES                 : Enabled    
Cut-through Proxy            : Enabled    
Guards                       : Enabled    
URL Filtering                : Enabled    
Security Contexts            : 2          
GTP/GPRS                     : Disabled
*** Peers                    : Unlimited

This platform has an Unrestricted (UR) license.

12. Continue booting:

CODE
Encryption hardware device : VAC+ (Crypto5823 revision 0x1)
--------------------------------------------------------------------------
                                 .             .                              
                                 |             |                              
                                |||           |||                             
                              .|| ||.       .|| ||.                           
                           .:||| | |||:..:||| | |||:.                        
                            C i s c o S y s t e m s                         
--------------------------------------------------------------------------

Cisco PIX Security Appliance Software Version 7.0(1)

****************************** Warning *******************************
This product contains cryptographic features and is
subject to United States and local country laws
governing, import, export, transfer, and use.
Delivery of Cisco cryptographic products does not
imply third-party authority to import, export,
distribute, or use encryption. Importers, exporters,
distributors and users are responsible for compliance
with U.S. and local country laws. By using this
product you agree to comply with applicable laws and
regulations. If you are unable to comply with U.S.
and local laws, return the enclosed items immediately.

A summary of U.S. laws governing Cisco cryptographic
products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by
sending email to .
******************************* Warning *******************************

Copyright (c) 1996-2005 by Cisco Systems, Inc.

                Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

                Cisco Systems, Inc.
                170 West Tasman Drive
                San Jose, California 95134-1706

ERROR: This command is no longer needed. The LOCAL user database is always enabled.
*** Output from config line 59, "aaa-server LOCAL protoco..."
ERROR: This command is no longer needed. The 'floodguard' feature is always enabled.
*** Output from config line 64, "floodguard enable"

13. Converting some configuration
CODE
Cryptochecksum(unchanged): a24fcf17 7e777a56 ca8e0420 377bb244
INFO: converting 'fixup protocol dns maximum-length 512' to MPF commands
INFO: converting 'fixup protocol ftp 21' to MPF commands
INFO: converting 'fixup protocol h323_h225 1720' to MPF commands
INFO: converting 'fixup protocol h323_ras 1718-1719' to MPF commands
INFO: converting 'fixup protocol http 80' to MPF commands
INFO: converting 'fixup protocol netbios 137-138' to MPF commands
INFO: converting 'fixup protocol rsh 514' to MPF commands
INFO: converting 'fixup protocol rtsp 554' to MPF commands
INFO: converting 'fixup protocol sip 5060' to MPF commands
INFO: converting 'fixup protocol skinny 2000' to MPF commands
INFO: converting 'fixup protocol smtp 25' to MPF commands
INFO: converting 'fixup protocol sqlnet 1521' to MPF commands
INFO: converting 'fixup protocol sunrpc_udp 111' to MPF commands
INFO: converting 'fixup protocol tftp 69' to MPF commands
INFO: converting 'fixup protocol sip udp 5060' to MPF commands
INFO: converting 'fixup protocol xdmcp 177' to MPF commands

13. The warning here is very clear, heh: don't assume the upgrade is finished just because it booted successfully; in fact it is only half done.
CODE

************************************************************************
**                                                                     **
**    *** WARNING *** WARNING *** WARNING *** WARNING *** WARNING *** **
**                                                                     **
**           ----> Current image running from RAM only! <----           **
**                                                                     **
** When the PIX was upgraded in Monitor mode the boot image was not **
** written to Flash. Please issue "copy tftp: flash:" to load and    **
** save a bootable image to Flash. Failure to do so will result in **
** a boot loop the next time the PIX is reloaded.                     **
**                                                                     **
************************************************************************
Type help or '?' for a list of available commands.

14. Boot complete; let's see what has changed
CODE
pixfirewall> en
Password:
pixfirewall# sh run
: Saved
:
PIX Version 7.0(1)
names
!
interface GigabitEthernet0
speed 1000
nameif intf2
security-level 4
no ip address
!
interface GigabitEthernet1
speed 1000
nameif intf3
security-level 6
no ip address
!
interface Ethernet0
shutdown
nameif outside
security-level 0
no ip address
!
interface Ethernet1
shutdown
nameif inside
security-level 100
no ip address

enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
ftp mode passive
pager lines 24
mtu intf2 1500
mtu intf3 1500
mtu outside 1500
mtu inside 1500
no failover
monitor-interface intf2
monitor-interface intf3
monitor-interface outside
monitor-interface inside
asdm history enable
arp timeout 14400
nat-control
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp
no sysopt connection permit-ipsec
telnet timeout 5
ssh timeout 5
ssh version 1
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect http
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:a24fcf177e777a56ca8e0420377bb244
: end
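
The converted configuration above keeps some settings a practitioner would want to review after the upgrade: `ssh version 1`, `snmp-server community public` and `console timeout 0`, plus the new `policy-map`/`service-policy` pair that replaced the old `fixup` lines. The following script is an added example, not part of the original post and not Cisco code; it runs a small audit over a constructed excerpt of that running-config. The `CHECKS` table and the suggested replacement commands are this example's own assumptions about sensible PIX 7.x hardening.

```python
import re

# Constructed excerpt of the converted running-config shown above (not the full dump).
RUNNING_CONFIG = """\
PIX Version 7.0(1)
hostname pixfirewall
snmp-server community public
snmp-server enable traps snmp
telnet timeout 5
ssh timeout 5
ssh version 1
console timeout 0
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
service-policy global_policy global
"""

# Each check: (regex matched against a stripped config line, finding, suggested command).
# The suggested commands are assumptions of this example, not taken from the post.
CHECKS = [
    (re.compile(r"^ssh version 1\b"),
     "SSH protocol version 1 enabled", "ssh version 2"),
    (re.compile(r"^snmp-server community (public|private)\b"),
     "well-known default SNMP community string", "snmp-server community <strong-string>"),
    (re.compile(r"^console timeout 0\b"),
     "console session never times out", "console timeout <minutes>"),
]


def audit_config(text):
    """Return one dict per weak setting found, in the order the lines appear."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        for pattern, issue, fix in CHECKS:
            if pattern.match(line):
                findings.append({"line": line, "issue": issue, "fix": fix})
    return findings


def inspection_policy_applied(text):
    """True if at least one policy-map is attached globally with service-policy.

    After the fixup -> MPF conversion the inspections only take effect if the
    policy-map is actually applied, so this is worth checking explicitly.
    """
    defined = set(re.findall(r"^policy-map (\S+)", text, re.M))
    applied = set(re.findall(r"^service-policy (\S+) global", text, re.M))
    return bool(defined & applied)


if __name__ == "__main__":
    for f in audit_config(RUNNING_CONFIG):
        print("%-32s %s  -> %s" % (f["line"], f["issue"], f["fix"]))
    print("inspection policy applied:", inspection_policy_applied(RUNNING_CONFIG))
```

Paste the real `sh run` output into `RUNNING_CONFIG` (or read it from a file) to run the same checks against your own box; the audit only reads the text, it never talks to the firewall.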

15. I already knew about the configuration changes from the Cisco documentation, but seeing them with my own eyes is still eye-opening.
Check the version information again.
CODE
pixfirewall# sh ver

Cisco PIX Security Appliance Software Version 7.0(1)

Compiled on Thu 31-Mar-05 14:37 by builders
System image file is "Unknown, monitor mode tftp booted image"
Config file at boot was "startup-config"

pixfirewall up 21 secs

Hardware:    PIX-535, 1024 MB RAM, CPU Pentium III 1000 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash DA28F320J5 @ 0xfffd8000, 128KB

Encryption hardware device : VAC+ (Crypto5823 revision 0x1)
0: Ext: GigabitEthernet0     : media index 0: irq 255
1: Ext: GigabitEthernet1     : media index 1: irq 255
2: Ext: Ethernet0            : media index 0: irq 255
3: Ext: Ethernet1            : media index 1: irq 255

Licensed features for this platform:
Maximum Physical Interfaces : 14         
Maximum VLANs                : 200        
Inside Hosts                 : Unlimited
Failover                     : Active/Active
***-DES                      : Enabled    
***-3DES-AES                 : Enabled    
Cut-through Proxy            : Enabled    
Guards                       : Enabled    
URL Filtering                : Enabled    
Security Contexts            : 2          
GTP/GPRS                     : Disabled
*** Peers                    : Unlimited

This platform has an Unrestricted (UR) license.

16. Now the flash listing is easy to read.
CODE
pixfirewall# sh flash

Directory of flash:/

4       -rw- 1975         01:52:34 Jun 07 2005 downgrade.cfg
7       -rw- 1966136      01:53:02 Jun 07 2005 image_old.bin
16128000 bytes total (14154752 bytes free)

17. One more very important thing: download the new PIX OS into flash.
CODE
pixfirewall# conf t
pixfirewall(config)# int e0
pixfirewall(config-if)# ip add 10.32.2.79 255.255.255.0
pixfirewall(config-if)# no sh
pixfirewall(config-if)# end
pixfirewall# ping 10.32.2.78
Sending 5, 100-byte ICMP Echos to 10.32.2.78, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
pixfirewall# copy tftp flash

Address or name of remote host []? 10.32.2.78

Source filename []? pix701.bin

Destination filename [img]? pix701.bin

Accessing tftp://10.32.2.78/pix701.bin...!!!!!!!!!!
…………
Writing file flash:pix701.bin...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
……

17. Check flash, change the BOOTVAR, and save
CODE
pixfirewall# sh flash:

Directory of flash:/

4       -rw- 1975         01:52:34 Jun 07 2005 downgrade.cfg
7       -rw- 1966136      01:53:02 Jun 07 2005 image_old.bin
9       -rw- 5124096      01:56:59 Jun 07 2005 pix701.bin

16128000 bytes total (9030144 bytes free)
pixfirewall# conf t
pixfirewall(config)# boot system flash:pix701.bin
INFO: Converting flash:pix701.bin to flash:/pix701.bin
pixfirewall(config)# end
pixfirewall# wr
Building configuration...
Cryptochecksum: 2b4bf78b 4f0a95ed b8ef276f 6974c7d6

1852 bytes copied in 0.540 secs
[OK]

pixfirewall# sh bootvar

BOOT variable = flash:/pix701.bin
Current BOOT variable = flash:/pix701.bin
CONFIG_FILE variable =
Current CONFIG_FILE variable =
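
The boot warning earlier in this post is the whole point of steps 17: an image loaded from monitor mode runs from RAM only, and reloading before a bootable image is in flash gives a boot loop. The following script is an added example, not part of the original post and not Cisco code; it parses the `sh flash:` and `sh bootvar` output from this step and refuses to give the go-ahead for `reload` unless the configured BOOT variable is saved, points at a file that exists in flash, and that file has the size the TFTP transfer reported (5124096 bytes). The sample text is constructed from the listings above.

```python
import re

# Constructed sample of the 'sh flash:' output from step 17.
FLASH_LISTING = """\
Directory of flash:/

4       -rw- 1975         01:52:34 Jun 07 2005 downgrade.cfg
7       -rw- 1966136      01:53:02 Jun 07 2005 image_old.bin
9       -rw- 5124096      01:56:59 Jun 07 2005 pix701.bin

16128000 bytes total (9030144 bytes free)
"""

# Constructed sample of the 'sh bootvar' output after 'boot system' and 'wr'.
BOOTVAR_OUTPUT = """\
BOOT variable = flash:/pix701.bin
Current BOOT variable = flash:/pix701.bin
CONFIG_FILE variable =
Current CONFIG_FILE variable =
"""

# index, perms, size, time, month, day, year, name
FLASH_LINE = re.compile(r"^\s*\d+\s+-rw-\s+(\d+)\s+\S+\s+\S+\s+\d+\s+\d+\s+(\S+)\s*$")


def parse_flash_listing(text):
    """Return {filename: size_in_bytes} from a 'sh flash:' directory listing."""
    files = {}
    for line in text.splitlines():
        m = FLASH_LINE.match(line)
        if m:
            files[m.group(2)] = int(m.group(1))
    return files


def parse_bootvar(text):
    """Return (configured BOOT variable, current BOOT variable) from 'sh bootvar'."""
    boot = current = None
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "BOOT variable":
            boot = value
        elif key == "Current BOOT variable":
            current = value
    return boot, current


def reload_problems(flash_text, bootvar_text, expected_size):
    """List the reasons it is NOT safe to reload yet; an empty list means go ahead."""
    problems = []
    files = parse_flash_listing(flash_text)
    boot, current = parse_bootvar(bootvar_text)
    if not boot:
        problems.append("no BOOT variable set: 'boot system flash:<image>' is missing")
        return problems
    if boot != current:
        problems.append("BOOT variable not saved yet, run 'wr' (configured %s, current %s)"
                        % (boot, current))
    # 'flash:/pix701.bin' -> 'pix701.bin'
    name = boot.split("/")[-1].split(":")[-1]
    if name not in files:
        problems.append("boot image %s is not in flash: the image still runs from RAM only" % name)
    elif files[name] != expected_size:
        problems.append("boot image %s is %d bytes, expected %d (truncated transfer?)"
                        % (name, files[name], expected_size))
    return problems


if __name__ == "__main__":
    issues = reload_problems(FLASH_LISTING, BOOTVAR_OUTPUT, 5124096)
    print("safe to reload" if not issues else "\n".join("NOT safe: " + p for p in issues))
```

The expected size is the byte count the `tftp` command in monitor mode reported when the image arrived; comparing it with the flash entry catches a truncated `copy tftp flash` before the box is rebooted onto it.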

18. Reboot once more and the job is done.
CODE
pixfirewall# reload
Proceed with reload? [confirm]
pixfirewall#


***
*** --- START GRACEFUL SHUTDOWN ---
Shutting down isakmp
Shutting down File system


***
*** --- SHUTDOWN NOW ---


Rebooting....

