[Title]: Upgrading a PIX 535 to PIX OS 7.01
[Keywords]: PIX, 535, PIX, OS, 7.01
[Source]: http://blog.chinaunix.net/article.php?articleId=29845&blogId=5101

PIX OS 7.01 really is a good thing!!

1. First, see whether there is anything suitable here:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_70/pix_upgd/pixupgrd.htm

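Check the current version and see whether the memory and so on meet the upgrade requirements; a 535-UR needs 1 GB of memory to be upgraded.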

pixfirewall# sh ver 

Cisco PIX Firewall Version 6.3(4)
Cisco PIX Device Manager Version 3.0(1)

Compiled on Fri 02-Jul-04 00:07 by morlee

pixfirewall up 8 days 0 hours

Hardware:   PIX-535, 1024 MB RAM, CPU Pentium III 1000 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash DA28F320J5 @ 0xfffd8000, 128KB

Encryption hardware device : VAC+ (Crypto5823 revision 0x1)
0: gb-ethernet0: address is 000e.0c6b.96d0, irq 255
1: gb-ethernet1: address is 000e.0c6b.96cf, irq 255
2: ethernet0: address is 000e.0c5f.a3f0, irq 255
3: ethernet1: address is 000e.0c5f.a349, irq 255
Licensed Features:
Failover:                    Enabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Enabled
Maximum Physical Interfaces: 10
Maximum Interfaces:          24
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                Unlimited
Throughput:                  Unlimited
IKE peers:                   Unlimited

This PIX has an Unrestricted (UR) license.

Serial Number: XXXXXXXXX
Running Activation Key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Configuration last modified by enable_15 at 00:55:28.017 UTC Tue Jun 7 2005

2. Check whether the flash can be accessed:
pixfirewall# sh flash
flash file system:  version:3  magic:0x12345679
  file 0: origin:       0 length:1966136
  file 1: origin: 2097152 length:1975
  file 2: origin:       0 length:0
  file 3: origin: 2228224 length:3126944
  file 4: origin:       0 length:0
  file 5: origin: 8257536 length:308
3. Check the original configuration and save it
pixfirewall# sh ru
4. Check the interfaces on the PIX and look at their operating state:
pixfirewall# sh int
interface gb-ethernet0 "outside" is up, line protocol is up
 …………
interface gb-ethernet1 "inside" is up, line protocol is up
 …………
interface ethernet0 "inf3" is administratively down, line protocol is up
…………
interface ethernet1 "inf4" is administratively down, line protocol is down
…………
5. Here I first configured an FE port to test connectivity with the terminal, to make sure TFTP can be used in a moment
pixfirewall(config)# ip address inf3 10.32.2.79 255.255.255.0
pixfirewall(config)# exit
pixfirewall#
pixfirewall# ping 10.32.2.78
        10.32.2.78 response received -- 0ms
        10.32.2.78 response received -- 0ms
        10.32.2.78 response received -- 0ms

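6. OK, reboot the PIX and get ready to upgrade.
   This is the boot screen; there are quite a lot of characters.
   Press Esc to interrupt the flash boot and enter monitor mode.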

Wait.....                          

PCI Device Table.
Bus Dev Func VendID DevID Class              Irq
 00  00  00   1166   0008  Host Bridge       
 00  00  01   1166   0008  Host Bridge       
 00  00  02   1166   0006  Host Bridge       
 00  00  03   1166   0006  Host Bridge       
 00  01  00   8086   1229  Ethernet           255
 00  02  00   8086   1229  Ethernet           255
 00  0F  00   1166   0200  ISA Bridge        
 00  0F  01   1166   0211  IDE Controller    
 00  0F  02   1166   0220  Serial Bus         71
 01  0B  00   14E4   5823  Co-Processor       255
 02  06  00   8086   1001  Ethernet           255
 02  07  00   8086   1001  Ethernet           255

Cisco Secure PIX Firewall  Embedded BIOS Version 4.3
Cisco PIX-535
+------------------------------------------------------------------------------+
|          System BIOS Configuration, (C) 2000 General Software, Inc.          |
+---------------------------------------+--------------------------------------+
| System CPU           : Pentium III    | Low Memory           : 637KB         |
| Coprocessor          : Enabled        | Extended Memory      : 1023MB        |
| Embedded BIOS Date   : 11/28/00       | Serial Ports 1-2     : 03F8 02F8     |
+---------------------------------------+--------------------------------------+

Cisco Secure PIX Firewall BIOS (4.2) #0: Mon Dec 31 08:34:34 PST 2001
Platform PIX-535
Flash=i28F640J5 @ 0x300

Use BREAK or ESC to interrupt flash boot.
Use SPACE to begin flash boot immediately.
Flash boot interrupted.                        
0: i8255X @ PCI(bus:0 dev:2  irq:255)
1: i8255X @ PCI(bus:0 dev:1  irq:255)

Ethernet auto negotiation timed out.
Ethernet port 1 could not be initialized.
Use ? for help.
monitor>
Invalid or incorrect command.  Use 'help' for help.

7. Look at the interfaces available in monitor mode; they are certainly those two FE ports.
monitor> interface
0: i8255X @ PCI(bus:0 dev:2  irq:255)
1: i8255X @ PCI(bus:0 dev:1  irq:255)
8. Here I chose the first FE port, the one that was just tested
monitor> interface 0
0: i8255X @ PCI(bus:0 dev:2  irq:255)
1: i8255X @ PCI(bus:0 dev:1  irq:255)

Using 0: i82559 @ PCI(bus:0 dev:2  irq:255), MAC: 000e.0c5f.a3f0
9. Configure the interface address, the TFTP server address and so on, and start downloading the new PIX OS over TFTP.
monitor> address 10.32.2.79
address 10.32.2.79
monitor> server 10.32.2.78
server 10.32.2.78
monitor> ping 10.32.2.78
Sending 5, 100-byte 0x7970 ICMP Echoes to 10.32.2.78, timeout is 4 seconds:
!!!!!
Success rate is 100 percent (5/5)
monitor> file pix701.bin
file pix701.bin
monitor> tftp
tftp
pix701.bin@10.32.2.78...........................
…………
Received 5124096 bytes
Cisco PIX Security Appliance admin loader (3.0) #0: Thu Mar 31 14:03:05 PST 2005
####################################################
……
1024MB RAM
10. Once the download finishes, the PIX boots directly with the new PIX OS.

Total NICs found: 4
mcwa i82559 Ethernet at irq 255  MAC: 000e.0c5f.a349
mcwa i82559 Ethernet at irq 255  MAC: 000e.0c5f.a3f0
BIOS Flash=DA28F320J5 @ 0xD8000
i82543 rev02 Gigabit Ethernet @ irq255 dev 6 index 01 MAC: 000e.0c6b.96cf
i82543 rev02 Gigabit Ethernet @ irq255 dev 7 index 00 MAC: 000e.0c6b.96d0
Old file system detected. Attempting to save data in flash
 
11. Here it checks and tidies up the flash, and saves the original PIX OS image as image_old.bin
Initializing flashfs...
flashfs[7]: Checking block 0...block number was (-10627)
…………
flashfs[7]: erasing block 0...done.
flashfs[7]: Checking block 125...block number was (-1)
flashfs[7]: erasing block 125...done.
flashfs[7]: 0 files, 1 directories
flashfs[7]: 0 orphaned files, 0 orphaned directories
flashfs[7]: Total bytes: 16128000
flashfs[7]: Bytes used: 1024
flashfs[7]: Bytes available: 16126976
flashfs[7]: flashfs fsck took 161 seconds.
flashfs[7]: Initialization complete.

Saving the configuration
!
Saving a copy of old configuration as downgrade.cfg
!
Saved the activation key from the flash image
Saved the default firewall mode (single) to flash
The version of image file in flash is not bootable in the current version of
software.
Use the downgrade command first to boot older version of software.
The file is being saved as image_old.bin anyway.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

……

Upgrade process complete
Need to burn loader....
Erasing sector 0...[OK]
Burning sector 0...[OK]

Licensed features for this platform:
Maximum Physical Interfaces : 14       
Maximum VLANs               : 200      
Inside Hosts                : Unlimited
Failover                    : Active/Active
VPN-DES                     : Enabled  
VPN-3DES-AES                : Enabled  
Cut-through Proxy           : Enabled  
Guards                      : Enabled  
URL Filtering               : Enabled  
Security Contexts           : 2        
GTP/GPRS                    : Disabled 
VPN Peers                   : Unlimited

This platform has an Unrestricted (UR) license.

12. The boot continues:

Encryption hardware device : VAC+ (Crypto5823 revision 0x1)
  --------------------------------------------------------------------------
                                 .            .                            
                                 |            |                            
                                |||          |||                           
                              .|| ||.      .|| ||.                         
                           .:||| | |||:..:||| | |||:.                      
                            C i s c o  S y s t e m s                       
  --------------------------------------------------------------------------

Cisco PIX Security Appliance Software Version 7.0(1)

  ****************************** Warning *******************************
  This product contains cryptographic features and is
  subject to United States and local country laws
  governing, import, export, transfer, and use.
  Delivery of Cisco cryptographic products does not
  imply third-party authority to import, export,
  distribute, or use encryption. Importers, exporters,
  distributors and users are responsible for compliance
  with U.S. and local country laws. By using this
  product you agree to comply with applicable laws and
  regulations. If you are unable to comply with U.S.
  and local laws, return the enclosed items immediately.

  A summary of U.S. laws governing Cisco cryptographic
  products may be found at:
 
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

  If you require further assistance please contact us by
  sending email to
export@cisco.com.
  ******************************* Warning *******************************

Copyright (c) 1996-2005 by Cisco Systems, Inc.

                Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

                Cisco Systems, Inc.
                170 West Tasman Drive
                San Jose, California 95134-1706

ERROR: This command is no longer needed. The LOCAL user database is always enabled.
 *** Output from config line 59, "aaa-server LOCAL protoco..."
ERROR: This command is no longer needed. The 'floodguard' feature is always enabled.
 *** Output from config line 64, "floodguard enable"
13. Some of the configuration is converted
Cryptochecksum(unchanged): a24fcf17 7e777a56 ca8e0420 377bb244
INFO: converting 'fixup protocol dns maximum-length 512' to MPF commands
INFO: converting 'fixup protocol ftp 21' to MPF commands
INFO: converting 'fixup protocol h323_h225 1720' to MPF commands
INFO: converting 'fixup protocol h323_ras 1718-1719' to MPF commands
INFO: converting 'fixup protocol http 80' to MPF commands
INFO: converting 'fixup protocol netbios 137-138' to MPF commands
INFO: converting 'fixup protocol rsh 514' to MPF commands
INFO: converting 'fixup protocol rtsp 554' to MPF commands
INFO: converting 'fixup protocol sip 5060' to MPF commands
INFO: converting 'fixup protocol skinny 2000' to MPF commands
INFO: converting 'fixup protocol smtp 25' to MPF commands
INFO: converting 'fixup protocol sqlnet 1521' to MPF commands
INFO: converting 'fixup protocol sunrpc_udp 111' to MPF commands
INFO: converting 'fixup protocol tftp 69' to MPF commands
INFO: converting 'fixup protocol sip udp 5060' to MPF commands
INFO: converting 'fixup protocol xdmcp 177' to MPF commands
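13. The warning here says it very clearly, heh: don't assume the upgrade is complete just because the boot succeeded; it is actually only half done.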

  ************************************************************************
  **                                                                    **
  **   *** WARNING *** WARNING *** WARNING *** WARNING *** WARNING ***  **
  **                                                                    **
  **          ----> Current image running from RAM only! <----          **
  **                                                                    **
  **  When the PIX was upgraded in Monitor mode the boot image was not  **
  **  written to Flash.  Please issue "copy tftp: flash:" to load and   **
  **  save a bootable image to Flash.  Failure to do so will result in  **
  **  a boot loop the next time the PIX is reloaded.                    **
  **                                                                    **
  ************************************************************************
Type help or '?' for a list of available commands.
14. Boot complete; see whether anything new has changed
pixfirewall> en
Password:
pixfirewall# sh run
: Saved
:
PIX Version 7.0(1)
names
!
interface GigabitEthernet0
 speed 1000
 nameif intf2
 security-level 4
 no ip address
!
interface GigabitEthernet1
 speed 1000
 nameif intf3
 security-level 6
 no ip address
!
interface Ethernet0
 shutdown
 nameif outside
 security-level 0
 no ip address
!
interface Ethernet1
 shutdown
 nameif inside
 security-level 100
 no ip address

enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
ftp mode passive
pager lines 24
mtu intf2 1500
mtu intf3 1500
mtu outside 1500
mtu inside 1500
no failover
monitor-interface intf2
monitor-interface intf3
monitor-interface outside
monitor-interface inside
asdm history enable
arp timeout 14400
nat-control
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp
no sysopt connection permit-ipsec
telnet timeout 5
ssh timeout 5
ssh version 1
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:a24fcf177e777a56ca8e0420377bb244
: end

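15. I already knew about the configuration changes from the Cisco documentation, but seeing them with my own eyes is still eye-opening.
    Now check the version and other information again.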
pixfirewall# sh ver

Cisco PIX Security Appliance Software Version 7.0(1)

Compiled on Thu 31-Mar-05 14:37 by builders
System image file is "Unknown, monitor mode tftp booted image"
Config file at boot was "startup-config"

pixfirewall up 21 secs

Hardware:   PIX-535, 1024 MB RAM, CPU Pentium III 1000 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash DA28F320J5 @ 0xfffd8000, 128KB

Encryption hardware device : VAC+ (Crypto5823 revision 0x1)
 0: Ext: GigabitEthernet0    : media index  0: irq 255
 1: Ext: GigabitEthernet1    : media index  1: irq 255
 2: Ext: Ethernet0           : media index  0: irq 255
 3: Ext: Ethernet1           : media index  1: irq 255

Licensed features for this platform:
Maximum Physical Interfaces : 14       
Maximum VLANs               : 200      
Inside Hosts                : Unlimited
Failover                    : Active/Active
VPN-DES                     : Enabled  
VPN-3DES-AES                : Enabled  
Cut-through Proxy           : Enabled  
Guards                      : Enabled  
URL Filtering               : Enabled  
Security Contexts           : 2        
GTP/GPRS                    : Disabled 
VPN Peers                   : Unlimited

This platform has an Unrestricted (UR) license.

16. Now the flash listing is easy to understand.
pixfirewall# sh flash

Directory of flash:/

4      -rw-  1975        01:52:34 Jun 07 2005  downgrade.cfg
7      -rw-  1966136     01:53:02 Jun 07 2005  image_old.bin

16128000 bytes total (14154752 bytes free)
17. One more very important thing: download the new PIX OS into flash.
pixfirewall# conf t
pixfirewall(config)# int e0
pixfirewall(config-if)# ip add 10.32.2.79 255.255.255.0
pixfirewall(config-if)# no sh
pixfirewall(config-if)# end
pixfirewall# ping 10.32.2.78
Sending 5, 100-byte ICMP Echos to 10.32.2.78, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
pixfirewall# copy tftp flash

Address or name of remote host []? 10.32.2.78

Source filename []? pix701.bin

Destination filename [img]? pix701.bin

Accessing tftp://10.32.2.78/pix701.bin...!!!!!!!!!!
…………
Writing file flash:pix701.bin...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
……
17. Check the flash, rewrite BOOTVAR, and save
pixfirewall# sh flash:

Directory of flash:/

4      -rw-  1975        01:52:34 Jun 07 2005  downgrade.cfg
7      -rw-  1966136     01:53:02 Jun 07 2005  image_old.bin
9      -rw-  5124096     01:56:59 Jun 07 2005  pix701.bin

16128000 bytes total (9030144 bytes free)
pixfirewall# conf t
pixfirewall(config)# boot system flash:pix701.bin
INFO: Converting flash:pix701.bin to flash:/pix701.bin
pixfirewall(config)# end
pixfirewall# wr
Building configuration...
Cryptochecksum: 2b4bf78b 4f0a95ed b8ef276f 6974c7d6

1852 bytes copied in 0.540 secs
[OK]

pixfirewall# sh bootvar

BOOT variable = flash:/pix701.bin
Current BOOT variable = flash:/pix701.bin
CONFIG_FILE variable =
Current CONFIG_FILE variable =

18. Reboot once more and the job is done.
pixfirewall# reload
Proceed with reload? [confirm]
pixfirewall#


***
*** --- START GRACEFUL SHUTDOWN ---
Shutting down isakmp
Shutting down File system

***
*** --- SHUTDOWN NOW ---

Rebooting....
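
As an added example (not part of the original post), the Python below checks captured show version, show flash and show bootvar output before the reload in step 18, so that the RAM-only state described by the step 13 warning is not mistaken for a finished upgrade. The function names and the empty pre-upgrade show bootvar text are assumptions; the other sample lines are copied from the console output above.

```python
import re

# Constructed sample input: lines copied from the console output in this post,
# except BOOTVAR_BEFORE (an unset BOOT variable), which is an assumption.
SHOW_VERSION = 'System image file is "Unknown, monitor mode tftp booted image"\n'
FLASH_BEFORE = """Directory of flash:/
4      -rw-  1975        01:52:34 Jun 07 2005  downgrade.cfg
7      -rw-  1966136     01:53:02 Jun 07 2005  image_old.bin
16128000 bytes total (14154752 bytes free)
"""
FLASH_AFTER = """Directory of flash:/
4      -rw-  1975        01:52:34 Jun 07 2005  downgrade.cfg
7      -rw-  1966136     01:53:02 Jun 07 2005  image_old.bin
9      -rw-  5124096     01:56:59 Jun 07 2005  pix701.bin
16128000 bytes total (9030144 bytes free)
"""
BOOTVAR_BEFORE = "BOOT variable =\nCurrent BOOT variable =\n"
BOOTVAR_AFTER = "BOOT variable = flash:/pix701.bin\nCurrent BOOT variable = flash:/pix701.bin\n"

def booted_from_ram(show_version):
    """True when the running image came from the monitor-mode TFTP boot."""
    m = re.search(r'^System image file is "(.*)"', show_version, re.M)
    return bool(m) and "monitor mode tftp booted" in m.group(1)

def flash_files(show_flash):
    """Map file name -> size in bytes from a 7.0-style 'show flash' listing."""
    files = {}
    for line in show_flash.splitlines():
        parts = line.split()
        if len(parts) == 8 and re.fullmatch(r"[-d][-r][-w][-x]", parts[1]):
            files[parts[7]] = int(parts[2])
    return files

def reload_problems(show_flash, show_bootvar, image, expected_size):
    """List reasons a reload would not come back up on `image`."""
    problems = []
    size = flash_files(show_flash).get(image)
    if size is None:
        problems.append(f"{image} is not in flash")
    elif size != expected_size:
        problems.append(f"{image} is {size} bytes in flash, expected {expected_size}")
    m = re.search(r"^BOOT variable = *(\S*)", show_bootvar, re.M)
    boot = m.group(1) if m else ""
    # Accept both flash:pix701.bin and flash:/pix701.bin spellings.
    if boot.split("/")[-1].split(":")[-1] != image:
        problems.append(f"BOOT variable is {boot or 'unset'}, not {image}")
    return problems

if __name__ == "__main__":
    print(booted_from_ram(SHOW_VERSION))
    print(reload_problems(FLASH_BEFORE, BOOTVAR_BEFORE, "pix701.bin", 5124096))
    print(reload_problems(FLASH_AFTER, BOOTVAR_AFTER, "pix701.bin", 5124096))
```

A matching size only shows that the transfer was not truncated. TFTP is unauthenticated, so compare the image on the TFTP server against the vendor-published checksum before serving it.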
