
Auto Update Support 57
Step 4 Run the rawrite.exe program by entering rawrite at the DOS prompt. When prompted, enter the name of the boothelper file you want written to the floppy diskette, as shown in Example 4-5.
Example 4-5 Creating a Bootable Diskette from Windows
C:\>rawrite
RaWrite 1.2 - Write disk file to raw floppy diskette
Enter source file name: bh61.bin
Enter destination drive: a:
Please insert a formatted diskette into drive A: and press -ENTER- :
Number of sectors per track for this disk is 18.
Writing image to drive A:. Press ^C to abort.
Track: 11 Head: 1 Sector: 16
Done.
C:\>
Reboot the PIX with the disk you created. The PIX comes up in boothelper mode. Follow the procedure beginning with Step 3 of the earlier section “Upgrading the OS Using Monitor Mode” to continue with the upgrade process.
Auto Update Support
Auto Update is a protocol specification introduced with Cisco PIX Firewall version 6.2. The Auto Update specification provides the infrastructure necessary for remote management applications to download PIX configurations and software images and perform basic monitoring from a centralized location.
The Auto Update specification allows the Auto Update Server either to push configuration information or to send requests for information to the PIX, or it has the PIX periodically poll the Auto Update Server. The Auto Update Server can also send a command to the PIX at any time instructing it to issue an immediate polling request. Communication between the Auto Update Server and the PIX requires a communications path and local CLI configuration on each Cisco PIX Firewall.
To configure the Auto Update server on the PIX, use the auto-update server command:
auto-update server url [verify-certificate]
In place of the url parameter, use the following syntax:
[http[s]://][user:password@]location[:port]/pathname
SSL is used when https is specified. The user and password segment supplies basic-authentication credentials for logging in to the server. The location parameter is the server's IP address (or a DNS host name that resolves to it). The port segment specifies the port to contact on the server; the default is 80 for HTTP and 443 for HTTPS. The pathname segment is the name of the resource.
The verify-certificate option specifies that the certificate returned by the server should be verified. Without it the PIX accepts whatever certificate the server presents, and with plain http the image and configuration travel unauthenticated. Because the server can hand the firewall a new software image, use https with verify-certificate wherever the path to the server is not fully trusted.

58 Chapter 4: System Maintenance
Password Recovery
If you ever find yourself in the unfortunate circumstance of forgetting or losing the console and Telnet password to your Cisco PIX Firewall, don't panic. Like most Cisco products, PIX devices have a procedure to recover lost passwords. Unlike Cisco routers, where recovery entails changing the configuration register, the PIX uses a password lockout utility to regain access to the locked-out device. The password lockout utility is specific to the PIX software release you are running. Table 4-2 shows the binary filename included with the utility and the corresponding PIX OS on which it is used. These files can be downloaded from the Cisco website.
Table 4-2 PIX OS Filenames

Filename     PIX Software Version
nppix.bin    4.3 and earlier releases
np44.bin     4.4 release
np50.bin     5.0 release
np51.bin     5.1 release
np52.bin     5.2 release
np60.bin     6.0 release
np61.bin     6.1 release
np62.bin     6.2 release
When you boot the Cisco PIX Firewall with one of these binary files, the console password is erased from Flash memory, the enable password is erased, and the Telnet password is reset to cisco. Note that the procedure needs nothing beyond console access and the recovery file, so anyone who can reach the console port can clear the passwords; physical control of the console is what actually protects them.
Cisco PIX Firewall Password Recovery: Getting Started
The procedure for password recovery on a Cisco PIX Firewall with a floppy drive is slightly different from that on a diskless Cisco PIX Firewall. The difference is in how the Cisco PIX Firewall boots with the binary files listed in Table 4-2. Firewall models that have a floppy drive boot from a disk, and diskless firewall models boot from a TFTP server.
In addition to the binary files, you need the following items:
•Laptop or PC
•Terminal-emulating software
•TFTP software (only for diskless PIX Firewall models)
•The rawrite.exe utility (needed only for firewall models that have floppy drives to create the boot disk)

Password Recovery Procedure for a PIX with a Floppy Drive (PIX 520)
Step 1 Create the boot disk by executing the rawrite.exe file on your laptop or PC and writing npxxn.bin to the bootable floppy.
Step 2 Make sure that your terminal-emulating software is running on your PC and that you connected the console cable to the Cisco PIX Firewall.
NOTE Because you are locked out, you see only a password prompt.
Step 3 Insert the PIX Password Lockout Utility disk into the PIX's floppy drive. Push the Reset button on the front of the PIX.
Step 4 The PIX boots from the floppy, and you see a message that says “Erasing Flash Password. Please eject diskette and reboot.”
Step 5 Eject the disk and press the Reset button. Now you can log in without a password.
Step 6 When you are prompted for a password, press Enter. The default Telnet password after this process is cisco. The enable password is also erased, so set a new enable password (and a new Telnet password) before you reconnect the firewall to any untrusted network.
Password Recovery Procedure for a Diskless PIX (PIX 501, 506, 515, 525, and 535)
Step 1 Start your terminal-emulation software and connect your laptop or PC to the PIX's console port.
Step 2 After you power on the Cisco PIX Firewall and the startup messages appear, send a BREAK character or press the Esc key. The monitor> prompt is displayed.
Step 3 At the monitor> prompt, use the interface command to specify which interface the ping traffic should use.
Step 4 Use the address command to specify the IP address of the PIX interface.
Step 5 Use the server command to specify the IP address of the remote TFTP server containing the PIX password recovery file.
Step 6 Use the gateway command to specify the IP address of a router gateway through which the server is accessible.
Step 7 Use the file command to specify the filename of the PIX password recovery file, such as np62.bin.
Step 8 Use the tftp command to start the download. As the password recovery file loads, the following message is displayed:
Do you wish to erase the passwords? [yn] y
Passwords have been erased.
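As an added example (not code from this book or from Cisco), the following Python script audits a saved PIX configuration for the two exposures that the Auto Update section and the password recovery procedure above leave behind: an auto-update server reached over plain HTTP, or over HTTPS without verify-certificate, and the post-recovery password state (Telnet password cisco, enable password erased). The URL grammar is the one given in the Auto Update section. Treating an omitted scheme as http, and an absent enable password line as the erased state, are assumptions of the example; the two sample configurations, including their non-default password hashes, are constructed for illustration.

```python
import re

# PIX hash of the Telnet password "cisco": the state password recovery leaves
# behind (and the factory default).
DEFAULT_PASSWD_HASH = "2KFQnbNIdI.2KYOU"

# Grammar from the chapter: [http[s]://][user:password@]location[:port]/pathname
AUTO_UPDATE_URL = re.compile(
    r"^(?:(?P<scheme>https?)://)?"
    r"(?:(?P<user>[^:@/]+):(?P<password>[^@/]*)@)?"
    r"(?P<host>[^:/@]+)"
    r"(?::(?P<port>\d{1,5}))?"
    r"(?P<path>/\S*)$"
)


def parse_auto_update_url(url):
    """Split an auto-update server URL into its fields, applying the defaults
    the chapter gives (port 80 for http, 443 for https). Treating an omitted
    scheme as http is an assumption of this example."""
    m = AUTO_UPDATE_URL.match(url)
    if m is None:
        raise ValueError("not a valid auto-update server URL: %r" % url)
    scheme = m.group("scheme") or "http"
    port = int(m.group("port")) if m.group("port") else (443 if scheme == "https" else 80)
    return {
        "scheme": scheme,
        "user": m.group("user"),
        "password": m.group("password"),
        "host": m.group("host"),
        "port": port,
        "path": m.group("path"),
    }


def audit_pix_config(config_text):
    """Return a list of (severity, message) findings for one PIX configuration."""
    findings = []
    lines = [ln.strip() for ln in config_text.splitlines()]

    # Auto Update transport: who can feed this firewall a software image?
    for ln in lines:
        if not ln.startswith("auto-update server "):
            continue
        parts = ln.split()
        url, verify = parts[2], "verify-certificate" in parts[3:]
        try:
            u = parse_auto_update_url(url)
        except ValueError as exc:
            findings.append(("error", str(exc)))
            continue
        if u["scheme"] == "http":
            findings.append(("high", "auto-update server %s:%d uses plain HTTP: images and "
                             "configurations can be altered in transit" % (u["host"], u["port"])))
            if u["password"] is not None:
                findings.append(("high", "basic-auth credentials for user %r travel in clear "
                                 "text over HTTP" % u["user"]))
        elif not verify:
            findings.append(("medium", "auto-update server %s uses HTTPS without "
                             "verify-certificate: any certificate is accepted" % u["host"]))

    # Password state left by the recovery procedure.
    telnet_default = any(
        ln.startswith("passwd ") and (DEFAULT_PASSWD_HASH in ln or ln.split()[1] == "cisco")
        for ln in lines
    )
    if telnet_default:
        findings.append(("high", "Telnet password is the default 'cisco' (state left by "
                         "password recovery)"))
    # Assumption: a recovered PIX whose enable password was never set again has
    # no 'enable password' line in its saved configuration.
    if not any(ln.startswith("enable password ") for ln in lines):
        findings.append(("high", "enable password is not set (erased by password recovery)"))
    return findings


# Constructed sample: a PIX right after the recovery procedure, with a hastily
# added HTTP auto-update server carrying credentials in the URL.
RECOVERED_CONFIG = """\
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
auto-update server http://admin:s3cret@10.1.1.20/pix/updates
"""

# Constructed sample: the same box after new passwords (placeholder hashes) and
# a verified HTTPS auto-update server on a non-default port.
HARDENED_CONFIG = """\
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 5rvtqhiIsWBeXhQ5 encrypted
passwd x9oN4rJhkQhlmoAk encrypted
hostname pixfirewall
auto-update server https://10.1.1.20:8443/pix/updates verify-certificate
"""

if __name__ == "__main__":
    for name, cfg in (("recovered", RECOVERED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print("== %s" % name)
        for sev, msg in audit_pix_config(cfg) or [("ok", "no findings")]:
            print("  [%s] %s" % (sev, msg))
```

Run it against the output of show running-config (or a saved config file) right after a recovery or before enabling Auto Update; an empty findings list for the hardened sample is the state you want to reach before the firewall goes back in front of untrusted networks.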

Foundation Summary
•The PIX can be accessed for management purposes in several different ways. It can be accessed via the console port, remotely through Telnet, via SSH, and through the PIX Device Manager (PDM).
•Before upgrading the Cisco PIX Firewall OS, it is important to determine your current hardware settings—namely, the RAM and Flash memory size.
•The activation key is the license for the PIX OS. Before the release of PIX 6.2, activation keys were changed in monitor mode. Cisco PIX Firewall version 6.2 introduces the activation-key command, which lets you upgrade or change the license for your PIX remotely without entering monitor mode and without replacing the software image.
•There are three ways to perform the PIX Firewall OS upgrade:
—copy tftp flash
—Using monitor mode with a boothelper diskette for PIX firewalls with an OS version earlier than 5.0
—Using an HTTP client (available only with version 6.2)
•Auto Update is a protocol specification introduced with Cisco PIX Firewall version 6.2. The Auto Update specification provides the infrastructure necessary for remote management applications to download PIX configurations and software images and to perform basic monitoring from a centralized location.
•It is possible to recover from a lockout from the Cisco PIX Firewall due to forgotten or lost passwords. After determining the PIX's OS version, you can download the corresponding file and boot the PIX through monitor mode.

Q&A
As mentioned in the Introduction, the questions in this book are more difficult than what you should experience on the exam. The questions do not attempt to cover more breadth or depth than the exam; however, they are designed to make sure that you know the answer. Hopefully, these questions will help limit the number of exam questions on which you narrow your choices to two options and then guess. Be sure to use the CD and take the simulated exams.
The answers to these questions can be found in Appendix A.
1 What command upgrades a PIX 525 device running a 5.3 OS version to 6.11?
A install
B setup
C copy 6.11
D copy tftp flash
2 What binary file is required to perform a password recovery procedure on a PIX device running OS version 5.2?
A np52.bin
B pix52.bin
C bh52.bin
D pass52.bin
3 What circumstance(s) warrant(s) the use of a boothelper disk in the OS upgrade procedure?
A A corrupt binary image
B A PIX 520 device
C A PIX device running a 5.0 or earlier PIX OS
D No circumstance warrants the use of a boothelper disk.
4 What is the console password set to after a successful password recovery procedure?
A password
B cisco
C secret
D It is erased and set to blank.

5 What is the Telnet password set to after a successful password recovery procedure?
A password
B cisco
C secret
D It is erased and set to blank.
6 Which of the following could be reasons to change (upgrade) your activation key for the PIX?
A You are upgrading your memory.
B Your current PIX Firewall does not have failover activated.
C You are upgrading the processor on your PIX Firewall.
D Your current PIX Firewall does not have VPN-3DES enabled.
7 What command changes the SSH password for login?
A change ssh password
B password
C passwd
D ssh pass
8 What is the default amount of time a Telnet session can be idle?
A 2 minutes
B 15 minutes
C 5 minutes
D 12 minutes
9 What is the command to configure Auto Update on the Cisco PIX Firewall?
A auto update
B auto-update server url
C config auto-update
D update server url

10 Which version of SSH does the PIX support?
A 2.1
B 2.2
C 3.1
D 1

This chapter covers the following exam topics for the Secure PIX Firewall Advanced Exam (CSPFA 9E0-511):
9. ASA security levels
14. Transport Protocols
15. Network Address Translation
17. Port Address Translations
18. Configuring DNS support