
- Icons Used in This Book
- Network Security
- Vulnerabilities
- Threats
- Types of Attacks
- Network Security Policy
- AVVID and SAFE
- How to Best Use This Chapter
- “Do I Know This Already?” Quiz
- Foundation Topics
- Firewall Technologies
- Cisco PIX Firewall
- Foundation Summary
- The Cisco Secure PIX Firewall
- How to Best Use This Chapter
- “Do I Know This Already?” Quiz
- Foundation Topics
- Overview of the Cisco PIX Firewall
- Cisco PIX Firewall Models and Features
- Foundation Summary
- System Maintenance
- How to Best Use This Chapter
- “Do I Know This Already?” Quiz
- Foundation Topics
- Accessing the Cisco PIX Firewall
- Installing a New Operating System
- Upgrading the Cisco PIX OS
- Creating a Boothelper Diskette Using a Windows PC
- Auto Update Support
- Password Recovery
- Foundation Summary
- How to Best Use This Chapter
- “Do I Know This Already?” Quiz
- Foundation Topics
- How the PIX Firewall Handles Traffic
- Address Translation
- Translation Versus Connection
- Foundation Summary
- “Do I Know This Already?” Quiz
- Foundation Topics
- Access Modes
- Foundation Summary
- “Do I Know This Already?” Quiz
- Foundation Topics
- TurboACL
- Object Grouping
- Advanced Protocol Handling
- Foundation Summary
- Syslog
- “Do I Know This Already?” Quiz
- Foundation Topics
- How Syslog Works
- How Log Messages Are Organized
- How to Read System Log Messages
- Disabling Syslog Messages
- Foundation Summary
- Cisco PIX Firewall Failover
- “Do I Know This Already?” Quiz
- Foundation Topics
- What Causes a Failover Event
- What Is Required for a Failover Configuration
- Failover Monitoring
- Stateful Failover
- LAN-Based Failover
- Foundation Summary
- Virtual Private Networks
- How to Best Use This Chapter
- “Do I Know This Already?” Quiz
- Foundation Topics
- Overview of VPN Technologies
- Cisco VPN Client
- PPPoE Support
- Foundation Summary
- Scenario
- Completed PIX Configurations
- PIX Device Manager
- “Do I Know This Already?” Quiz
- Foundation Topics
- PDM Overview
- PIX Firewall Requirements to Run PDM
- Foundation Summary
- Content Filtering with the Cisco PIX Firewall
- “Do I Know This Already?” Quiz
- Filtering Java Applets
- Filtering ActiveX Objects
- Filtering URLs
- Foundation Summary
- How to Best Use This Chapter
- “Do I Know This Already?” Quiz
- Foundation Topics
- Overview of AAA and the Cisco PIX Firewall
- Cisco Secure Access Control Server (CSACS)
- Foundation Summary
- How to Best Use This Chapter
- “Do I Know This Already?” Quiz
- Foundation Topics
- Specifying Your AAA Servers
- Troubleshooting Your AAA Setup
- Foundation Summary
- “Do I Know This Already?” Quiz
- Foundation Topics
- Multimedia Support on the Cisco PIX Firewall
- Attack Guards
- PIX Firewall’s Intrusion Detection Feature
- ip verify reverse-path Command
- Foundation Summary
- Answers to the “Do I Know This Already?” Quizzes and Q&A Questions
- Chapter 1
- Chapter 2
- Chapter 3
- Chapter 4
- Chapter 5
- Chapter 6
- Chapter 7
- Chapter 8
- Chapter 9
- Chapter 10
- Chapter 11
- Chapter 12
- Chapter 13
- Chapter 14
- Chapter 15
- Appendix B
- What’s Wrong with This Picture?

Upgrading the OS Using the copy tftp flash Command 53
Example 4-2 show activation-key Command Output (Continued)
Maximum Interfaces: 6
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited
The flash activation key is the SAME as the running key.
pix(config)#
Upgrading the Cisco PIX OS
There are three procedures for upgrading a PIX OS. The use of these procedures is determined by which PIX OS is currently running on the PIX device and the model of the Cisco PIX Firewall.
• You can use the copy tftp flash command (you must be in privileged mode to do this) with any Cisco PIX Firewall model running PIX Software version 5.1.1 or later.
• You can copy the image from monitor mode. This is the same procedure as copy tftp flash, but as the name indicates, you are in a different mode (monitor mode instead of enable mode) when you copy from the TFTP server. PIX devices that do not have an internal floppy drive (501, 506, 515, 525, and 535) come with a ROM boot monitor program that is used to upgrade the Cisco PIX Firewall's image. For PIX devices running 5.0 and earlier OS versions, a boothelper disk is required to create boothelper mode, which is similar to ROM monitor mode.
• PIX Firewall version 6.2 introduces an HTTP client that lets you use the copy command to retrieve PIX configurations, software images, or Cisco PDM software from any HTTP server.
Upgrading the OS Using the copy tftp flash Command
Step 1 Download the binary software image file pixnnx.bin, where nn is the version number and x is the release number (which you can find at Cisco.com in the document “Cisco PIX Firewall Upgrading Feature Licenses and System Software”). Place the image file in the root of your TFTP server.
Step 2 Enter the copy tftp flash command.
Step 3 Enter the IP address of the TFTP server.
Step 4 Enter the source filename (the image file you downloaded—*.bin).
Step 5 Enter Yes to continue.

54 Chapter 4: System Maintenance
Example 4-3 shows a sample upgrade.
Example 4-3 Upgrading the OS Using copy tftp flash Command
PIX# copy tftp flash
Address or name of remote host [127.0.0.1]? 192.168.1.14
Source file name [cdisk]? pix611.bin
copying tftp://192.168.1.14/pix611.bin to flash [yes|no|again]? yes
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Received 2562048 bytes
Erasing current image
Writing 2469944 bytes of image
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Image installed.
PIX#
NOTE Under no circumstances should you download a Cisco PIX Firewall image earlier than version 4.4 with TFTP. Doing so corrupts the Cisco PIX Firewall's Flash memory and requires special recovery methods that must be obtained from the Cisco TAC.
Upgrading the OS Using Monitor Mode
If you are upgrading your Cisco PIX Firewall from version 5.0.x or earlier to version 5.1.x or later, you need to use the boothelper or monitor mode method for the upgrade. This is because before version 5.1, the PIX Firewall Software did not provide a way to TFTP an image directly into Flash. Starting with PIX Firewall Software version 5.1, the copy tftp flash command was introduced to copy a new image directly into the PIX's Flash.
The following steps describe how to upgrade the PIX Firewall using monitor mode:
Step 1 Download the binary software image file pixnnx.bin, where nn is the version number and x is the release number (which you can find at Cisco.com in the document “Cisco PIX Firewall Upgrading Feature Licenses and System Software”). Place the image file in the root of your TFTP server.
Step 2 Reload the PIX, and press the Esc key (or enter a BREAK character) to enter monitor mode. For PIX devices running 5.0 and earlier OS versions, a boothelper disk is required. (See the section “Creating a Boothelper Diskette Using a Windows PC” later in this chapter.)
Step 3 Use the interface command to specify which PIX interface the TFTP server is reachable through. The default is interface 1 (inside).
NOTE The Cisco PIX Firewall cannot initialize a Gigabit Ethernet interface from monitor or boothelper mode. Use a Fast Ethernet or Token Ring interface instead.
Step 4 Use the address command followed by an IP address to specify the PIX interface IP address.
Step 5 Use the server command followed by an IP address to specify the TFTP server's IP address.
Step 6 Use the file command followed by the filename of the image on the TFTP server to specify the filename of the Cisco PIX Firewall image.
Step 7 Use the ping command followed by the IP address of the TFTP server to verify connectivity. (This is an optional but recommended command to test connectivity.)
Step 8 If needed, enter the gateway command to specify the IP address of a router gateway through which the server is accessible. (This is also an optional command.)
Step 9 Enter tftp to start downloading the image from the TFTP server.
Step 10 After the image downloads, you are prompted to install the new image. Enter y to install the image to Flash.
Step 11 When prompted to enter a new activation key, enter y if you want to enter a new activation key or n to keep your existing activation key.
Example 4-4 shows sample output for upgrading using monitor mode.
Example 4-4 PIX Upgrade: Monitor Mode Output
Using 1: i82558 @ PCI(bus:0 dev:14 irq:10), MAC: 0060.2422.e0b1
Use ? for help.
monitor> interface 1
monitor> address 10.1.1.1
address 10.1.1.1
monitor> server 10.1.1.12
server 10.1.1.12
monitor> file pix601.bin
file cdisk
monitor> ping 10.1.1.12
Sending 5, 100-byte 0x5b8d ICMP Echoes to 10.1.12, timeout is 4 seconds:
!!!!!
Success rate is 100 percent (5/5)
monitor> tftp
tftp pix601.bin@10.1.1.12................................
Received 626688 bytes
PIX admin loader (3.0) #0: Mon Oct 17 10:43:02 PDT 2002
Flash=AT29C040A @ 0x300
Flash version 6.0.1, Install version 6.0.1
Installing to flash
Upgrading the OS Using an HTTP Client
You can also perform a PIX OS upgrade by connecting to an HTTP server where the image is stored. To retrieve a configuration from an HTTP server, enter the following command:
configure http[s]://[user:password@]location[:port]/pathname
SSL is used when you enter https. The user and password options are used for basic authentication when you log in to the server. The location option is the server's IP address (or a name that resolves to the IP address). The port option specifies the port to contact on the server. It defaults to 80 for HTTP and to 443 for HTTPS. The pathname option is the name of the resource that contains the configuration to retrieve.
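The URL form above packs five fields and two defaults into one string, and the user:password part is the piece most often typed carelessly. As an added example (not from the book or from Cisco), here is a small Python parser that applies exactly the rules the text gives (port 80 for http and 443 for https unless :port is present, basic-authentication credentials taken from user:password, a mandatory location and pathname) and then lists the points an operator should weigh before issuing the command. The server name cfg.example.net and the file paths in the usage are constructed sample values.

```python
"""Parse the PIX 'configure http[s]://[user:password@]location[:port]/pathname' form.

Added example, not from the book or from Cisco: it models only the syntax and
defaults described in the text (80 for HTTP, 443 for HTTPS, basic authentication
from the user:password part).
"""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote, urlsplit

# Defaults the text gives: 80 for HTTP, 443 for HTTPS.
DEFAULT_PORTS = {"http": 80, "https": 443}


@dataclass(frozen=True)
class ConfigSource:
    scheme: str              # 'http' or 'https' (https means SSL is used)
    location: str            # server IP address or a name that resolves to it
    port: int                # explicit :port, or the default for the scheme
    pathname: str            # resource that holds the configuration
    user: Optional[str]      # basic-authentication user, if given
    password: Optional[str]  # basic-authentication password, if given

    @property
    def uses_ssl(self) -> bool:
        return self.scheme == "https"

    @property
    def has_credentials(self) -> bool:
        return self.user is not None


def parse_configure_url(url: str) -> ConfigSource:
    """Split the URL, fill in the defaults and reject forms the command does not accept."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme {parts.scheme!r}; expected http or https")
    if not parts.hostname:
        raise ValueError("location (server address or name) is missing")
    if parts.path in ("", "/"):
        raise ValueError("pathname of the configuration resource is missing")
    if parts.password is not None and not parts.username:
        raise ValueError("password given without a user")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    user = unquote(parts.username) if parts.username else None
    password = unquote(parts.password) if parts.password is not None else None
    return ConfigSource(scheme, parts.hostname, port, parts.path, user, password)


def review_source(src: ConfigSource) -> List[str]:
    """Risks an operator should weigh before pulling a configuration this way."""
    findings = []
    if not src.uses_ssl:
        findings.append("plain HTTP: the configuration crosses the network unencrypted "
                        "and the server is not authenticated")
    if src.has_credentials and not src.uses_ssl:
        findings.append("basic authentication over plain HTTP exposes the user:password pair on the wire")
    if src.has_credentials:
        findings.append("credentials embedded in the command may be retained in command history")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not taken from the book.
    for url in ("https://admin:s3cret@10.1.1.12/pix.cfg",
                "http://cfg.example.net:8080/configs/pix.cfg"):
        src = parse_configure_url(url)
        print(f"{src.scheme}://{src.location}:{src.port}{src.pathname}"
              f" ssl={src.uses_ssl} creds={src.has_credentials}")
        for finding in review_source(src):
            print("  -", finding)
```

The review step is deliberately separate from parsing: the same parsed record can be checked against a site standard (for example, https only) before anyone types the command on the firewall.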
Creating a Boothelper Diskette Using a Windows PC
The boothelper diskette, as described earlier in this chapter, provides assistance for Cisco PIX Firewall models 510 and 520 running PIX Software version 5.0(x) or 4.x to be upgraded to a newer version:
Step 1 Go to the Cisco website and download the rawrite.exe utility, which you use to write the PIX binary image to a floppy diskette (you must have a CCO account to do this).
Step 2 Download the PIX binary image (.bin file) that corresponds to the software version you are upgrading to.
Step 3 Download the corresponding boothelper binary file that matches the version you are upgrading to.
For example, if you are upgrading from PIX Software version 5.3 to 6.1(1), you need to download three files:
• rawrite.exe
• pix611.bin
• bh61.bin (boothelper file)
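The decision points of this section (which of the three upgrade procedures applies to a given running version and model, the NOTE that no image earlier than 4.4 may be loaded with TFTP, and the set of files the boothelper path needs) fit naturally into one pre-flight check. The Python below is an added example and is not from the book or from Cisco. It follows the thresholds exactly as the text states them: copy tftp flash needs a running image of 5.1.1 or later, the boothelper diskette serves the 510 and 520, and the floppy-less models fall back to the ROM boot monitor. The pixnnx.bin parsing follows the naming rule given in Step 1; the bhNN.bin boothelper filename is generalised from the single example bh61.bin and is an assumption.

```python
"""Pre-flight helper for the PIX OS upgrade paths described in this chapter.

Added example, not from the book or from Cisco. It encodes only the rules the
text gives; the bhNN.bin boothelper filename pattern is an assumption generalised
from the book's one example (bh61.bin for 6.1(1)).
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

Version = Tuple[int, int, int]  # (version major, version minor, release)

# pixnnx.bin: nn is the version number, x is the release (pix611.bin = 6.1(1)).
IMAGE_RE = re.compile(r"^pix(\d)(\d)(\d)\.bin$")
TFTP_FLOOR = (4, 4, 0)           # NOTE: never load an image earlier than 4.4 with TFTP
COPY_TFTP_FLASH_MIN = (5, 1, 1)  # running image needed for 'copy tftp flash'
FLOPPY_MODELS = {"510", "520"}   # models the boothelper diskette is written for


def parse_image_name(filename: str) -> Version:
    """pix611.bin -> (6, 1, 1); anything else is rejected."""
    m = IMAGE_RE.match(filename)
    if not m:
        raise ValueError(f"{filename!r} does not follow the pixnnx.bin convention")
    major, minor, release = (int(g) for g in m.groups())
    return (major, minor, release)


def parse_version(text: str) -> Version:
    """Accept '6.1(1)', '6.1.1' or '5.0' (release defaults to 0)."""
    m = re.match(r"^(\d+)\.(\d+)(?:[.(](\d+)\)?)?$", text.strip())
    if not m:
        raise ValueError(f"cannot parse version {text!r}")
    major, minor, release = m.groups()
    return (int(major), int(minor), int(release or 0))


def boothelper_files(target_image: str) -> List[str]:
    """The three downloads for the diskette path. bhNN.bin is an assumed pattern."""
    major, minor, _ = parse_image_name(target_image)
    return ["rawrite.exe", target_image, f"bh{major}{minor}.bin"]


@dataclass
class UpgradePlan:
    method: str                 # 'copy tftp flash', 'boothelper diskette' or 'monitor mode'
    files: List[str]            # what to fetch and place on the TFTP server / diskette
    notes: List[str] = field(default_factory=list)


def plan_upgrade(running: str, target_image: str, model: str) -> UpgradePlan:
    """Pick the upgrade procedure the text prescribes for this device."""
    current = parse_version(running)
    target = parse_image_name(target_image)
    if target < TFTP_FLOOR:
        raise ValueError("images earlier than 4.4 must not be loaded with TFTP (Flash corruption)")
    if target <= current:
        raise ValueError(f"{target_image} is not newer than the running {running}")
    if current >= COPY_TFTP_FLASH_MIN:
        return UpgradePlan("copy tftp flash", [target_image],
                           ["enter privileged mode before issuing copy tftp flash"])
    if model in FLOPPY_MODELS:
        return UpgradePlan("boothelper diskette", boothelper_files(target_image),
                           ["write the boothelper image to a diskette with rawrite.exe"])
    return UpgradePlan("monitor mode", [target_image],
                       ["reload and press Esc (or send BREAK) to enter monitor mode",
                        "Gigabit Ethernet cannot be initialised from monitor mode; "
                        "use Fast Ethernet or Token Ring"])


if __name__ == "__main__":
    # Constructed sample devices, not taken from the book.
    for running, image, model in (("6.0(1)", "pix611.bin", "525"),
                                  ("5.0(3)", "pix611.bin", "520"),
                                  ("4.4(5)", "pix611.bin", "515")):
        plan = plan_upgrade(running, image, model)
        print(f"PIX {model} running {running} -> {image}: {plan.method}; files {plan.files}")
```

The 4.4 floor is applied to every path, not only copy tftp flash, because the monitor-mode and boothelper procedures also fetch the image over TFTP.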