Upgrading PIX 515 from 5.1 to 7.x

Hi

I have the opportunity to pick up a PIX 515 (non-E) with IOS version 5.1 on it. I already have a PIX 520 running 6.3 but want access to the 7.x environment which my 520 will not do. I know there are activation keys that enable certain functions on the PIX etc but wanted to know if these were required to upgrade the IOS on the 515 from 5.1 to 7.x. I do have access to PIX 515e's running 7.1 and need to know if this image can be easily taken from the 515e and placed on the 515 without need for additional licence keys etc like can be done with Cisco routers.

Thanks

Reply to
VeeDub

PIX doesn't use "IOS", it uses "Finesse", more commonly just called "PIX OS". But that's not germane to the question.

If the PIX 515 is running 5.1(1) then it will need a new license key to upgrade to -any- later version.

If the PIX 515 is running 5.1(2) or later then it would not need a new license key to run PIX 7.x .

If the PIX 515 does not happen to have a 3DES key (which was extra cost back then), then if it were upgraded to PIX 7.x, you would not be able to use 3DES, AES, or (if memory serves) SSL VPN or WebVPN.

You have a problem: the PIX 515 running 5.1 is going to have 32 Mb of RAM, but 7.x requires at least 64 Mb to run. The Cisco part number for the memory upgrade is PIX-515-MEM-32= . If you hunted around a bit you could probably find a non-Cisco source for the memory.

I seem to recall reading that a few people have reported being able to boot 7.0 with only 32 Mb of memory; it isn't a supported configuration.

Copying the PIX 7.1 image off of an existing device might be technically possible, but it would very likely not be allowed by the license terms.

Your posting IP suggests you are in Australia. If so, then Cisco software licenses do not transfer with the hardware, so if you pick up the PIX 515 running PIX 5.1 then chances are very very slim that you would have gone through one of the few dealers authorized to transfer licenses. In order to be able to use the PIX legally, you would have to go through Cisco's "relicensing" procedure, which is basically paying Cisco on the order of $US700 for the right to use the software.

The procedures after that are a bit fuzzy, as Cisco at various times has said that relicensing does -not- entitle you to a software upgrade. A one time software upgrade license is $US1000. You -might- be allowed to instead start a software-only support contract at a much lower cost, but when you are starting with software that old, Cisco might refuse the contract until you pay some kind of upgrade fee. The details of how this all works to get clear legal title to the latest software are unclear, apparently so even to VARs that deal closely with Cisco.

By the time you add all these up, you might find it less expensive to just buy a new 515E or perhaps a Cisco ASA 5505.

Reply to
Walter Roberson

Hi Walter,

Thanks for your extended reply. I am looking to use this device for my CCSP cert so it will not be used in a production environment, though in Cisco's view, I don't think that they differentiate from a licensing perspective.

Below is a copy of the "sh version" output:

    pixfirewall- show ver

    Cisco Secure PIX Firewall Version 5.1(2)
    Compiled on Tue 16-May-00 16:09 by bhochuli

    pixfirewall up 29 secs

    Hardware: PIX-515, 64 MB RAM, CPU Pentium 200 MHz
    Flash i28F640J5 @ 0x300, 16MB
    BIOS Flash AT29C257 @ 0xfffd8000, 32KB

    0: ethernet0: address is 0050.54ff.5748, irq 9
    1: ethernet1: address is 0050.54ff.5749, irq 7
    2: ethernet2: address is 00d0.b780.a3ad, irq 11

    Licensed Features:
    Failover: Enabled
    VPN-DES: Enabled
    VPN-3DES: Disabled
    Maximum Interfaces: 6

believe it is technically possible to upload a 7.x image to it and use it without a new activation key? Also, it only has DES available, not 3DES or AES (which I presume was not around at the time of 5.1) so if I wanted to use this I would need a new key. Would this be a key that would be inserted whilst running 5.1 or once 7.x is installed? As I am new to PIX the whole activation key, licence requirements thing is a bit foreign to me, I am far more used to the simple IOS versions used on Routers and Switches.

I am not certain if this PIX will be more problems than what it is worth. The slower CPU speed etc is not of concern to me due to it being used for my learning only but I do really need it to be able to run 7.x otherwise the device is useless to me.

I have also read the device needs to be updated to 6.2 or 6.3 before upgrading to 7.x. Are you familiar with this requirement?

Thanks


Reply to
VeeDub

That's good news in one way, the 64 MB is the minimum you need for PIX 7. However,

That tells me that the PIX 515 currently has an Unrestricted license. If you were to install PIX 7 on it, then you would need 128 MB to fit the Unrestricted license, according to Cisco. It's the same image as Restricted though, so it'd be a matter of data tables, so if the PIX wasn't very active then you -might- be able to get away with 64 MB, depending on how strictly the PIX OS checks.

Yes.

AES did not come in until 6.something, but 3DES existed back then. The same key is used for 3DES and AES; I -think- I saw in passing that that key is also required for the SSL and HTTPS features.

Either way. It's easier from 6.1 onward: before that point, changing the key requires copying in the OS again, with the key being prompted for as the very last stage of that. 6.1 onward has a simple command to enter a new key.

One minor point: when you upgrade to PIX 7, it saves a copy of the existing activation key, and if you ever downgrade then it restores that activation key. So if you install the 3DES key first before the upgrade then if you were to downgrade you would still have 3DES, but if you were to install the 3DES key after the upgrade then if you were to downgrade it'd go back to the old key. On the other hand at that point you could just enter the 3DES key since it'd be the same activation key.

That is what is documented. We did have one report from someone who went from a much older version upward, apparently skipping 6.x in the process. The glitches reported were to do with the memory size, I think it was.

Reply to
Walter Roberson
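
The conditions given in the replies above, applied to the posted "show version" output. This is an added example, not part of the original thread or any Cisco tool; the function names are hypothetical, and treating "Failover: Enabled" as the sign of an Unrestricted license is an assumption.

```python
import re

# Taken from the output posted earlier in the thread (interface lines omitted).
SHOW_VERSION = """\
Cisco Secure PIX Firewall Version 5.1(2)
Compiled on Tue 16-May-00 16:09 by bhochuli
pixfirewall up 29 secs
Hardware: PIX-515, 64 MB RAM, CPU Pentium 200 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB
Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES: Disabled
Maximum Interfaces: 6
"""

def parse_show_version(text):
    """Extract the version tuple, RAM in MB and licensed features."""
    ver = re.search(r"Version (\d+)\.(\d+)\((\d+)\)", text)
    ram = re.search(r"(\d+) MB RAM", text)
    if not ver or not ram:
        raise ValueError("not a recognisable PIX 'show version' output")
    feats = dict(re.findall(r"^\s*(Failover|VPN-3?DES):\s*(\w+)", text, re.M))
    return {
        "version": tuple(int(g) for g in ver.groups()),
        "ram_mb": int(ram.group(1)),
        "features": {name: state == "Enabled" for name, state in feats.items()},
    }

def pix7_readiness(info):
    """Return the findings that apply before moving this unit to 7.x."""
    findings = []
    # The thread names 5.1(1); applying it to anything older is an assumption.
    if info["version"] < (5, 1, 2):
        findings.append("new license key needed before any upgrade")
    if info["ram_mb"] < 64:
        findings.append("below the 64 MB minimum for 7.x")
    # Assumption: Failover enabled is read as an Unrestricted license.
    elif info["features"].get("Failover") and info["ram_mb"] < 128:
        findings.append("Unrestricted license: Cisco calls for 128 MB on 7.x")
    if not info["features"].get("VPN-3DES"):
        findings.append("no 3DES key: 3DES and AES unavailable after upgrade")
    return findings
```
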

i've installed/operated a 515e w/ 64MB ram and UR license running 7.x software. it's not officially supported by Cisco, but if you're just looking for lab use, it will do fine. (in this configuration i've not used failover though so i don't know if the memory limitations play a role then)

Reply to
john smith

Thanks John and Walter,

well as for RAM, I can see this can be purchased quite inexpensively on eBay so if I needed to upgrade to 128MB I could probably afford this. I have read however that PIX OS and activation keys are tied to the actual serial number of the device. Do you know if this is true? If so, it seems I would need to contact Cisco for both an OS and an activation key if I wanted to upgrade to a 3DES operation. Alternatively I suppose I could get a software contract on it but I presume this would not allow me to simply upgrade to 3DES, this activation key would be extra I presume, but am I right in thinking this would allow me to receive and install 7.x at least, presuming that the OS is tied to the serial on the device?

Thanks again


Reply to
VeeDub

Definitely not for 6.x. I'm not sure for 7.x, but I doubt it. But it might plausibly be the case for the Cisco ASA series.

These days, if you are in one of the countries allowed to receive 3DES and you are not on the banned persons list, then you are entitled to a free 3DES activation key. The catch is that you have to go through a registration form, and they are going to check your registration information against the previous owner's registration information.

You do not need a new activation key to go from 5.1(2)UR to 7.x: you just won't be able to use some of the features. And for your study purposes those might turn out to be key features.

Reply to
Walter Roberson

Thanks Walter

your advice has been invaluable.


Reply to
VeeDub

i can say from experience the activation is tied to the S/N. even in 6.3. i had to open a TAC case on this 2 weeks ago be/c one of my pixes lost its activation key during a downgrade from 7.2(1) to 6.3(5). i couldn't just take an activation key from one of my many other (same model) pixes. when i called TAC, they had to have my S/N, and he specifically said it was tied to the activation key.

Reply to
john smith

Thanks John

seems I need to make sure then that whatever one I get it should already be enabled for the functionality I require.


Reply to
VeeDub
