Cisco Systems Upgrading PIX 515 from 5.1 to 7.x

Posted by VeeDub on September 2, 2006, 1:05 am
Hi

I have the opportunity to pick up a PIX 515 (non-E) with IOS version
5.1 on it. I already have a PIX 520 running 6.3 but want access to the
7.x environment which my 520 will not do. I know there are activation
keys that enable certain functions on the PIX etc but wanted to know if
these were required to upgrade the IOS on the 515 from 5.1 to 7.x. I do
have access to PIX 515e's running 7.1 and need to know if this image
can be easily taken from the 515e and placed on the 515 without need
for additional licence keys etc like can be done with Cisco routers.

Thanks


Posted by Walter Roberson on September 2, 2006, 11:20 am

>I have the opportunity to pick up a PIX 515 (non-E) with IOS version
>5.1 on it.

PIX doesn't use "IOS", it uses "Finesse", more commonly just called
"PIX OS". But that's not germane to the question.

>I already have a PIX 520 running 6.3 but want access to the
>7.x environment which my 520 will not do. I know there are activation
>keys that enable certain functions on the PIX etc but wanted to know if
>these were required to upgrade the IOS on the 515 from 5.1 to 7.x.

If the PIX 515 is running 5.1(1) then it will need a new license
key to upgrade to -any- later version.

If the PIX 515 is running 5.1(2) or later then it would not need
a new license key to run PIX 7.x .

If the PIX 515 does not happen to have a 3DES key (which was
extra cost back then), then if it were upgraded to PIX 7.x, you
would not be able to use 3DES, AES, or (if memory serves) SSL VPN
or WebVPN.


>I do
>have access to PIX 515e's running 7.1 and need to know if this image
>can be easily taken from the 515e and placed on the 515 without need
>for additional licence keys etc like can be done with Cisco routers.

You have a problem: the PIX 515 running 5.1 is going to have 32 Mb
of RAM, but 7.x requires at least 64 Mb to run. The Cisco part
number for the memory upgrade is PIX-515-MEM-32= . If you hunted
around a bit you could probably find a non-Cisco source for the
memory.

I seem to recall reading that a few people have reported being able
to boot 7.0 with only 32 Mb of memory; it isn't a supported
configuration.


Copying the PIX 7.1 image off of an existing device might be
technically possible, but it would very likely not be allowed by the
license terms.

Your posting IP suggests you are in Australia. If so, then Cisco
software licenses do not transfer with the hardware, so if you
pick up the PIX 515 running PIX 5.1 then chances are very very slim
that you would have gone through one of the few dealers authorized
to transfer licenses. In order to be able to use the PIX
legally, you would have to go through Cisco's "relicensing" procedure,
which is basically paying Cisco on the order of $US700 for the
right to use the software.

The procedures after that are a bit fuzzy, as Cisco at various times
has said that relicensing does -not- entitle you to a software upgrade.
A one time software upgrade license is $US1000. You -might- be
allowed to instead start a software-only support contract at a much
lower cost, but when you are starting with software that old, Cisco
might refuse the contract until you pay some kind of upgrade fee.
The details of how this all works to get clear legal title to the
latest software are unclear, apparently so even to VARs that deal
closely with Cisco.

By the time you add all these up, you might find it less expensive
to just buy a new 515E or perhaps a Cisco ASA 5505.

Posted by VeeDub on September 2, 2006, 10:36 pm
Hi Walter,

thanks for your extended reply. I am looking to use this device for my
CCSP cert so it will not be used in a production environment, though in
Cisco's view, I don't think that they differentiate from a licencing
perspective.

Below is a copy of the "sh version" output:

pixfirewall- show ver

Cisco Secure PIX Firewall Version 5.1(2)
Compiled on Tue 16-May-00 16:09 by bhochuli

pixfirewall up 29 secs

Hardware: PIX-515, 64 MB RAM, CPU Pentium 200 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB

0: ethernet0: address is 0050.54ff.5748, irq 9
1: ethernet1: address is 0050.54ff.5749, irq 7
2: ethernet2: address is 00d0.b780.a3ad, irq 11

Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES: Disabled
Maximum Interfaces: 6


From this I can see it is running 5.1 (2) so from this information you
believe it is technically possible to upload a 7.x image to it and use
it without a new activation key? Also, it only has DES available, not
3DES or AES (which I presume was not around at the time of 5.1) so if I
wanted to use this I would need a new key. Would this be a key that
would be inserted whilst running 5.1 or once 7.x is installed? As I am
new to PIX the whole activation key, licence requirements thing is a
bit foreign to me, I am far more used to the simple IOS versions used
on Routers and Switches.

I am not certain if this PIX will be more problems than what it is
worth. The slower CPU speed etc is not of concern to me due to it being
used for my learning only but I do really need it to be able to run 7.x
otherwise the device is useless to me.

I have also read the device needs to be updated to 6.2 or 6.3 before
upgrading to 7.x. Are you familiar with this requirement?

Thanks





Posted by Walter Roberson on September 2, 2006, 10:51 pm

>Cisco Secure PIX Firewall Version 5.1(2)
>Hardware: PIX-515, 64 MB RAM, CPU Pentium 200 MHz

That's good news in one way, the 64 MB is the minimum you need for
PIX 7. However,

>Maximum Interfaces: 6

That tells me that the PIX 515 currently has an Unrestricted license.
If you were to install PIX 7 on it, then you would need 128 MB
to fit the Unrestricted license, according to Cisco. It's the
same image as Restricted though, so it'd be a matter of data tables,
so if the PIX wasn't very active then you -might- be able to
get away with 64 MB, depending on how strictly the PIX OS checks.


>From this I can see it is running 5.1 (2) so from this information you
>believe it is technically possible to upload a 7.x image to it and use
>it without a new activation key?

Yes.

>Also, it only has DES available, not
>3DES or AES (which I presume was not around at the time of 5.1) so if I

AES did not come in until 6.something, but 3DES existed back then.
The same key is used for 3DES and AES; I -think- I saw in passing
that that key is also required for the SSL and HTTPS features.

>wanted to use this I would need a new key. Would this be a key that
>would be inserted whilst running 5.1 or once 7.x is installed.

Either way. It's easier from 6.1 onward: before that point, changing
the key requires copying in the OS again, with the key being
prompted for as the very last stage of that. 6.1 onward has a simple
command to enter a new key.

One minor point: when you upgrade to PIX 7, it saves a copy of the
existing activation key, and if you ever downgrade then it restores
that activation key. So if you install the 3DES key first before
the upgrade then if you were to downgrade you would still have 3DES,
but if you were to install the 3DES key after the upgrade then
if you were to downgrade it'd go back to the old key. On the
other hand at that point you could just enter the 3DES key since it'd
be the same activation key.


>I have also read the device needs to be updated to 6.2 or 6.3 before
>upgrading to 7.x. Are you familiar with this requirement?

That is what is documented. We did have one report from someone
who went from a much older version upward, apparently skipping 6.x
in the process. The glitches reported were to do with the memory
size, I think it was.
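
The checks discussed in this thread, as an added example that is not part of any poster's message: a Python script that parses the `show ver` fields quoted above and applies the rules as the posters stated them (the 5.1(2) key threshold, the 64 MB and 128 MB memory figures, the 3DES key, the documented 6.2/6.3 step). The function names and the trimmed sample input are constructed for illustration.

```python
import re

# Constructed sample: trimmed from the "show ver" output posted in the thread.
SAMPLE = """\
Cisco Secure PIX Firewall Version 5.1(2)
Hardware: PIX-515, 64 MB RAM, CPU Pentium 200 MHz
Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES: Disabled
Maximum Interfaces: 6
"""

def parse_show_version(text):
    """Extract the fields the thread reasons about from 'show version' text."""
    ver = re.search(r"Version (\d+)\.(\d+)\((\d+)\)", text)
    ram = re.search(r"(\d+) MB RAM", text)
    ifs = re.search(r"Maximum Interfaces:\s*(\d+)", text)
    if not (ver and ram and ifs):
        raise ValueError("not a recognisable PIX 'show version' output")
    features = dict(re.findall(r"^([\w-]+):\s*(Enabled|Disabled)\s*$", text, re.M))
    return {
        "version": tuple(int(g) for g in ver.groups()),
        "ram_mb": int(ram.group(1)),
        "max_interfaces": int(ifs.group(1)),
        "3des": features.get("VPN-3DES") == "Enabled",
    }

def upgrade_findings(info):
    """Apply the rules as stated in the thread; returns a list of findings."""
    out = []
    if info["version"] < (5, 1, 2):
        out.append("new activation key needed before any later version")
    if info["version"] < (6, 2, 0):
        out.append("documented path goes through 6.2 or 6.3 before 7.x")
    if info["ram_mb"] < 64:
        out.append("below the 64 MB minimum for 7.x")
    # Thread's inference: "Maximum Interfaces: 6" indicates an Unrestricted license.
    elif info["max_interfaces"] == 6 and info["ram_mb"] < 128:
        out.append("Unrestricted license: 128 MB expected, 64 MB unsupported")
    if not info["3des"]:
        out.append("no 3DES key: 3DES and AES unavailable after upgrade")
    return out

if __name__ == "__main__":
    for finding in upgrade_findings(parse_show_version(SAMPLE)):
        print("-", finding)
```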

Posted by john smith on September 2, 2006, 11:18 pm


i've installed/operated a 515e w/ 64MB ram and UR license running 7.x
software. it's not officially supported by Cisco, but if you're just
looking for lab use, it will do fine. (in this configuration i've not
used failover though so i don't know if the memory limitations play a role
then)

