We wanted a 2nd PIX to be used in case the primary fails (not a failover box situation). We own a 515 with 6.3 and bought one with 6.2. I tried to move the config file from the 6.3 to the 6.2 machine. It fails to run the "interface" command and there may be other problems. I want to upgrade the 6.2 to 6.3. I can't find "Smartnet" support for a purchase of 6.3, but I have a pix631.bin file from the original machine on CD.
Can I transfer it to the 6.2 machine or will the whole thing blow up with a "activation key" problem on the 6.2 PIX?
I'm not sure what problem you had with the "interface" command, because interface as a command has been pretty much the same throughout the whole PIX version timeline. Setup on version 6.2 vs. 6.3 shouldn't give you any issue.
Is the "new" box licensed right to match? The license is stored separately from the config. Are the interfaces there? Is it working otherwise? I could see problems with the interface command if the box isn't licensed, where it might not recognize interfaces until it is licensed properly.
The PIX hardware is EOL'd and nothing is available for it any longer: no licenses, no new Smartnet, no spares, etc. That's why you can't find anything to buy.
You won't be able to use the same activation key on the new box, as the activation keys are tied to the hardware serial # of the box. They are unique for each box, non transferable. They are not tied to the version of code running on the box.
If your "new" box doesn't have a license activated, you bought yourself a doorstop, because you can't buy PIX licenses any longer, sorry to say.
Very kind of you to help. I'll post the config and some 6.2 errors as it tries to digest the 6.3 code below for your entertainment.
If I understand you, I will not have "activation key" explosions if I move a 6.3 OS to the 6.2 box (I know nothing of activation keys; it sounded like it might be an OS copy protection). I was worried the PIX631.bin from our first PIX's CD was in some way tied to that PIX's hardware. I saw myself moving the 6.3 OS onto the 6.2 box and having it not run. I've been blindsided so often by Cisco idiosyncrasies that I'm just trying to cover my ass with my client prior to acting. The 6.2 box looks healthy.
As to the config code: When I TFTP'd the 6.3 box's config to the "new" 6.2 PIX I got this:
-------------------------
ERROR: invalid IP address interface
invalid IP address interfacesion 6.2(2)st name [test]
ERROR: invalid IP address interface
bad port udp
Config Error -- fixup protocol sip udp 5060
ERROR: invalid IP address interface
Config Error -- access-list outside_access_in permit tcp any interface outside object-group PCA
.ERROR: invalid IP address interface
Config Error -- access-list outside_access_in permit tcp any interface outside range 3060 3064
ERROR: invalid IP address interface
Config Error -- access-list outside_access_in permit udp any interface outside range 3060 3064
ERROR: invalid IP address interface
Config Error -- access-list outside_access_in permit tcp any interface outside eq 3000
ERROR: invalid IP address interface
Config Error -- access-list outside_access_in permit tcp any interface outside eq 3333
Warning: Start and End addresses overlap with broadcast address.
outside interface address added to PAT pool
dmz interface address added to PAT pool
.
WARNING: TFTP download incomplete!
Config Failed
tftp: Unspecified Error
-----------------------------------------------------------
And here is the 6.3 config I need to run on the 6.2 box:
: Saved
: Written by enable_15 at 13:51:53.709 UTC Wed Jan 27 2010
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password xxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxx encrypted
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
name 192.168.0.101 networks1
name 192.168.0.102 networks2
name 192.168.0.112 networksf2
name 192.168.0.111 networksf1
name 192.168.2.121 networksweb
name 192.168.0.103 networks3
name 192.168.0.104 networks4
object-group network networksServers
network-object networks1 255.255.255.255
network-object networks2 255.255.255.255
network-object networks3 255.255.255.255
network-object networks4 255.255.255.255
object-group network networksServers_ref
network-object 192.168.2.10 255.255.255.255
network-object 192.168.2.11 255.255.255.255
network-object 192.168.2.12 255.255.255.255
network-object 192.168.2.13 255.255.255.255
object-group service xxxxxxxxxx tcp-udp
description Pxxxxxxxxxxx Standard Ports
port-object range 5631 5632
object-group service PCAnyWeb tcp-udp
description PCAnywhere and Web Services
port-object range 5631 5632
port-object range 80 80
object-group service networks tcp
port-object range 6690 7008
access-list inside_outbound_nat0_acl permit ip any 192.168.0.192
access-list outside_access_in permit tcp any interface outside object-group PCAnyWeb
access-list outside_access_in permit icmp any any echo
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit tcp any host 192.168.0.42 range 10000
access-list outside_access_in permit tcp any host 192.168.0.122
access-list outside_access_in permit udp any host 192.168.0.122
access-list outside_access_in permit tcp any interface outside range 3060
access-list outside_access_in permit udp any interface outside range 3060
access-list outside_access_in permit tcp any host 192.168.0.124
access-list outside_access_in permit tcp any host 192.168.0.170 eq https
access-list outside_access_in permit udp any host 192.168.0.200 eq 60080
access-list outside_access_in permit tcp any interface outside eq 3000
access-list outside_access_in permit tcp any interface outside eq 3333
Yes, the Activation Key is the license for the box. Each license is unique, and tied to the hardware serial #. Neither the OS image nor the configuration is tied to a particular box; they should be able to move.
The OS image is the same on every PIX; as long as it's valid, it will run on any PIX you load it on.
Your config looks clean, I don't remember when ports and object-groups were introduced, but most likely not in 6.2. But you fail out long before then. I'd recommend you run a later 6.3 anyway.
I still suspect your "new" box isn't licensed.
pix(config)# show activation-key
Serial Number: 12345678 (0xbc614e)
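As an added example that is not part of the thread: a small Python pre-check that scans a saved PIX config for the two constructs the 6.2 box rejected in the TFTP output above (access-list entries using `interface <name>` in place of an address, and the `fixup protocol ... udp <port>` form), so those lines can be reviewed before the file is pushed to an older box. The patterns, the function name and the abridged sample config are my own construction from the posted config; the check reports what matched, it does not claim which PIX release introduced which syntax.

```python
import re

# Constructs the 6.2 box rejected in the TFTP output above. The first
# matches "interface <nameif>" used as an address inside an access-list
# entry; the second matches the "fixup protocol <proto> udp <port>" form.
ACL_INTERFACE_RE = re.compile(
    r"^access-list\s+\S+\s+(permit|deny)\s+\S+\s+.*\binterface\s+\S+")
FIXUP_UDP_RE = re.compile(r"^fixup\s+protocol\s+\S+\s+udp\s+\d+")

CHECKS = (
    (ACL_INTERFACE_RE, "ACL uses 'interface <name>' as an address"),
    (FIXUP_UDP_RE, "fixup uses explicit 'udp' protocol keyword"),
)


def precheck_pix_config(config_text):
    """Return (line_no, reason, line) for every config line that matches a check."""
    findings = []
    for n, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(":") or line.startswith("!"):
            continue  # header / comment lines such as ": Saved"
        for pattern, reason in CHECKS:
            if pattern.match(line):
                findings.append((n, reason, line))
                break
    return findings


# Constructed, abridged excerpt of the 6.3 config posted in the thread.
SAMPLE_CONFIG = """\
: Saved
PIX Version 6.3(1)
nameif ethernet0 outside security0
fixup protocol sip 5060
fixup protocol sip udp 5060
access-list outside_access_in permit tcp any interface outside object-group PCAnyWeb
access-list outside_access_in permit icmp any any echo
access-list outside_access_in permit tcp any host 192.168.0.170 eq https
access-list outside_access_in permit tcp any interface outside eq 3000
"""

if __name__ == "__main__":
    for n, reason, line in precheck_pix_config(SAMPLE_CONFIG):
        print(f"line {n}: {reason}: {line}")
```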
Many thanks. It worked; I was able to move a 631.bin to the new PIX and it took; that solved all the issues with the config. Without your help I was in a mess; Cisco TAC would not even deal with me as the hardware was too old. Would not even answer the question you so kindly did. I must say, in the hopes that someone from Cisco reads this: the firm sucks; that is to say, your customer care and your support of your aging hardware is an insult to my customers and to myself as a consultant. I will never recommend a Cisco firewall again (and I have sold many).
The customer had a 6.31 era PIX. He wanted a backup PIX in case the production unit failed. He is not rich, and paid good money for the first unit while new; he was acting as a rational business person in looking for and finding a matching unit. As his consultant he expected I could get it working; all nice, rational thoughts. Cisco could understand this. Cisco could care about supporting good old customers. No, I'm wrong about that. But I'll never put myself or a customer in that spot again. For the record, thousands of firms around the world support their older hardware for just the obvious rational reasons above. Live and learn about Cisco.
FWIW: Another way to look at this is to compare the expected lifetime of hardware for various companies. In the computer/datacomm world, you get about 3 good years out of a piece of gear. If you get 5 years out of it, you're out ahead. If you get 8 years out of it, you're on your last legs. Yeah, a car is built to last longer, but just the same as a car, you need to realize they have a finite lifespan and plan for the eventuality of needing to replace it at some time.
If the end-customer had had another company's piece of gear, say a 10-year-old Watchguard, or a Nokia, or a Checkpoint, or a Sonicwall, etc., you wouldn't even have the opportunity to find something matching to set up an HA pair. You'd be in the same position Cisco wants to put you in now: to do a technology refresh to get something current in hardware. It's only because Cisco has been doing this for quite some time, and has been so popular, and has supported their old stuff for so long that it's even an option to consider for you. You just happened to fall outside the support envelope.