Software Installation Notes
This section provides information about installing software on a PIX
Firewall.
--------------------------------------------------------------------------------
Note If you are upgrading from an earlier software version, save your
configuration and write down your activation key.
--------------------------------------------------------------------------------
The following topics are discussed in this section:
Boothelper Installation
Downloading a Software Image over TFTP
Using TFTP Commands
TFTP Download Error Codes
Upgrading the Activation Key
Boothelper Installation
--------------------------------------------------------------------------------
Note The Boothelper installation only applies to PIX Firewall units with
a diskette drive.
--------------------------------------------------------------------------------
Follow these steps to install the PIX Firewall software using the
Boothelper:
--------------------------------------------------------------------------------
Step 1 Access CCO at http://www.cisco.com and log in. Then access the PIX
Firewall software downloads at the following website:
http://www.cisco.com/cgi-bin/tablebuild.pl/pix
Step 2 Download the Boothelper image from CCO and the current PIX Firewall
software image.
If you are using Windows, also download the rawrite.exe program from CCO,
and download a TFTP server from the following website:
http://www.cisco.com/cgi-bin/tablebuild.pl/tftp
The UNIX and LINUX operating systems contain a TFTP server.
Step 3 To prepare a UNIX or LINUX TFTP server to provide an image to the
PIX Firewall, edit the inetd.conf file to remove the # (comment character)
from the start of the "tftp" statement. Then use the
ps aux | grep inetd command string to determine the process ID of the
current inetd process. Use the kill command to kill the process. The process
will restart automatically. Continue with Step 5.
Step 4 If you are using Windows, use the rawrite program to put the
Boothelper image on diskette. A sample rawrite session follows:
C:\pix> rawrite
RaWrite 1.2 - Write disk file to raw floppy diskette
Enter source file name: bh601.bin
Enter destination drive: a:
Please insert a formatted diskette into drive A: and press -ENTER- :
Number of sectors per track for this disk is 18
Writing image to drive A:. Press ^C to abort.
Track: 78 Head: 1 Sector: 16
Done.
C:\pix>
If you are using UNIX, use the dd command. For example, if the diskette
device name is rd0, use the following command:
dd bs=18b if=./bh601.bin of=/dev/rd0
Step 5 Get the TFTP server working on a host in your network and add the
PIX Firewall binary image to a directory accessible by the server.
Step 6 Connect a console to the PIX Firewall and ensure that it is ready.
Step 7 Put the diskette containing the Boothelper in the PIX Firewall and
reboot it. When the PIX Firewall starts, the pixboothelper> prompt appears.
Step 8 You can now enter commands to download the binary image from the
TFTP server:
a. If needed, use a question mark (?) or enter the help command to list
the available commands.
b. Use the address command to specify the IP address of the PIX Firewall
unit's interface on which the TFTP server resides. You can abbreviate this
command as a.
c. Use the server command to specify the IP address of the host running
the TFTP server. You can abbreviate this command as s.
d. Use the file command to specify the filename of the PIX Firewall
image. You can abbreviate this command as f. In UNIX, the file needs to be
world readable for the TFTP server to access it.
e. If needed, use the gateway command to specify the IP address of a
router gateway through which the server is accessible.
f. If needed, use the ping command to verify accessibility. If this
command fails, fix access to the server before continuing. Use the interface
command to specify which interface the ping traffic should use. The
Boothelper defaults to the interface 1. You can abbreviate the interface
command as i.
g. Use the tftp command to start the download.
The following is an example session:
Cisco Secure PIX Boothelper Version 6.0(1)
pixboothelper> a 10.132.12.66
address:10.132.12.66
pixboothelper> s 10.129.0.2
server 10.129.0.2
pixboothelper> i 0
current interface is 0
0: i82557 @ PCI(bus:0 dev:13 irq:11) ethernet0 100basetx
1: i82557 @ PCI(bus:0 dev:14 irq:10) ethernet1 not_init
2: i82557 @ PCI(bus:0 dev:15 irq:15) ethernet2 not_init
pixboothelper> f pix-6.0.1-release
file pix-6.0.1-release
pixboothelper> tftp
tftp
[EMAIL PROTECTED]
...........
................................
Step 9 After the image downloads, you are prompted to install the new
image. Enter y.
Step 10 When you are prompted, enter your activation key.
Step 11 After you enter your activation key, PIX Firewall prompts you to
remove the Boothelper diskette. You have 30 seconds to remove the diskette.
During this time you have three options:
a. Remove the diskette and reboot the unit with the reboot switch.
b. Use the reload command while the diskette is in the unit.
c. After the interval, the PIX Firewall will automatically boot from the
Boothelper diskette.
After Boothelper downloads the PIX Firewall image via TFTP, it verifies the
checksum of the image.
Keep the Boothelper diskette available for future upgrades. You will need to
repeat these steps whenever you download an image to your PIX Firewall unit.
Alternatively, you can use the copy tftp flash command to download an image
directly from the PIX Firewall command line. Refer to "Using the copy tftp
flash Command" for more information.
--------------------------------------------------------------------------------
Downloading a Software Image over TFTP
The PIX 506, PIX 515, PIX 525, and PIX 535 receive their boot image from
either Flash memory or by downloading the image from a TFTP server. You can
obtain a TFTP server as an option from Cisco, you can use the TFTP server
provided with UNIX, or you can use a TFTP server available for your
computer.
You can download a free TFTP server from Cisco at the following website:
http://www.cisco.com/pcgi-bin/tablebuild.pl/tftp
Because the PIX 506, PIX 515, PIX 525, and PIX 535 do not have a diskette
drive, you need to send a binary image to the unit using Trivial File
Transfer Protocol (TFTP). These units have a special mode called ROM monitor
mode that lets you retrieve the binary image over the network.
You can get the most current PIX Firewall software image from the following
website:
http://www.cisco.com/pcgi-bin/tablebuild.pl/pix
--------------------------------------------------------------------------------
Note A diskette software image is not included with the PIX 506, PIX 515,
PIX 525, and PIX 535. The initial image is stored in Flash memory. You can
obtain the latest binary image from Cisco Connection Online (CCO) using a
web browser or via FTP, storing the image on a TFTP server. Once the TFTP
server is available on a network accessible to the PIX Firewall and you
specify the IP address of the server from boot mode, you can download the
binary image over the network.
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Note Do not attempt to use a PIX Firewall diskette from a PIX 520 to
transfer the image to the TFTP server. This image will not install
correctly. While the ROM monitor is protected from this boot method, the PIX
506, PIX 515, PIX 525, and PIX 535 will not boot from the diskette image.
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Note Entering a new activation key or recovering a password requires that
you access the ROM monitor, download an image, and then proceed on to the
prompts that follow this activity. (For password recovery, contact Cisco's
Customer Support organization as described in the section "Obtaining
Technical Assistance" in "About This Manual.")
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Note When you enter the ROM monitor, PIX 506, PIX 515, PIX 525, and PIX
535 applications will not be running; therefore, no traffic will pass in or
out of your network while this operation is being performed.
--------------------------------------------------------------------------------
Using TFTP Commands
The following sections describe TFTP commands:
Using the copy tftp flash Command
Using the monitor Command
Using the copy tftp flash Command
Once you start the PIX Firewall and go to configuration mode, you can use
the copy tftp flash command to download a software image via TFTP.
The image you download is made available to the PIX Firewall on the next
reload (reboot).
The command syntax is as follows:
copy tftp[:[[//location][/pathname]]] flash
If the command is used without the location or pathname optional parameters,
then the location and filename are obtained from the user interactively via
a series of questions similar to those presented by Cisco IOS software. If
you only enter a colon (:), parameters are taken from the tftp-server
command settings. If other optional parameters are supplied, then these
values would be used in place of the corresponding tftp-server command
setting. Supplying any of the optional parameters, such as a colon and
anything after it, causes the command to run without prompting for user
input.
The location is either an IP address or a name that resolves to an IP
address via the PIX Firewall naming resolution mechanism (currently static
mappings via the name and names commands). PIX Firewall must know how to
reach this location via its routing table information. This information is
determined by the ip address command, the route command, or also RIP,
depending upon your configuration.
The pathname can include any directory names besides the actual last
component of the path to the file on the server. The pathname cannot contain
spaces. If a directory name has spaces, set the directory in the TFTP server
instead of in the copy tftp flash command. In UNIX, the file needs to be
world readable for the TFTP server to access it.
If your TFTP server has been configured to point to a directory on the
system from which you are downloading the image, you need only use the IP
address of the system and the image filename. For example, if you want to
download the pix601.bin file from the D: partition on a Windows system (IP
address 10.1.1.5), you would access the Cisco TFTP Server View>Options menu
and enter the filename path in the TFTP server root directory edit box; for
example, D:\pix_images. To copy the file to the PIX Firewall, use the
following copy tftp command:
copy tftp://10.1.1.5/pix601.bin flash
The TFTP server receives the command and correlates the actual file location
from its root directory information. The server then downloads the TFTP
image to the PIX Firewall.
Examples
The following example causes the PIX Firewall to prompt you for the filename
and location before you start the TFTP download:
copy tftp flash
Address or name of remote host [127.0.0.1]? 10.1.1.5
Source file name [cdisk]? pix601.bin
copying tftp://10.1.1.5/pix601.bin to flash
[yes|no|again]?yes
!!!!!!!!!!!!!!!!!!!!!!!
Received 1695744 bytes.
Erasing current image.
Writing 1597496 bytes of image.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Image installed.
-----Original Message-----
From: Farhan Ahmed [mailto:[EMAIL PROTECTED]]
Sent: Saturday, July 21, 2001 7:57 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX activation key on 4.1(6) [7:13187]
You need to put your serial no.
and you'll get a new key.
You need a CCO login.
-----Original Message-----
From: Jacques Allison [mailto:[EMAIL PROTECTED]]
Sent: Saturday, July 21, 2001 5:24 PM
To: [EMAIL PROTECTED]
Subject: PIX activation key on 4.1(6) [7:13187]
Hi all,
On PIX ver 4.1(7) I can use the "show actkey" to display the connection
license key, but the command is not on the ver 4.1(6). How do I upgrade the
PIX if I lost the original disk and license? I looked on CCO and can't find
any answers.
Regards,
Jacques Allison
Senior Network Engineer
Tel: (+27) 012 349 2030 ext.: 210
Fax: (+27) 012 349 1015
Mobile: (+27) 083 327 4941
[EMAIL PROTECTED]
http://www.geocities.com/jacquesa_2000/index.html
+Security
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=13200&t=13187
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
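
The copy tftp[:[[//location][/pathname]]] flash syntax quoted in the message above decides which host and file the image is fetched from, and whether the operator is prompted at all. The following is an added example, not part of the original post and not Cisco code: it parses a command line by the rules stated there, and the tftp_server dict and the function name are hypothetical stand-ins for the tftp-server command settings.

```python
import re

# Grammar from the page: copy tftp[:[[//location][/pathname]]] flash
_SRC = re.compile(
    r"^tftp(?P<colon>:(?://(?P<loc>[^/\s]+))?(?:/(?P<path>[^/\s]\S*))?)?$"
)


def resolve_copy_source(command, tftp_server):
    """Return where a 'copy tftp... flash' command takes its image from.

    tftp_server is a hypothetical dict {"location": ..., "pathname": ...}
    standing in for the values set by the tftp-server command.
    """
    words = command.split(" ")
    if len(words) != 3 or words[0] != "copy" or words[2] != "flash":
        # A space inside the pathname also lands here: the page says the
        # pathname cannot contain spaces.
        raise ValueError("expected: copy tftp[:[[//location][/pathname]]] flash")
    m = _SRC.match(words[1])
    if m is None:
        raise ValueError("malformed tftp source: %r" % words[1])
    if m.group("colon") is None:
        # Bare 'tftp': location and filename are asked for interactively.
        return {"prompts": True, "location": None, "pathname": None}
    # A colon (with or without anything after it) suppresses the prompts;
    # each part left out falls back to the tftp-server setting.
    return {
        "prompts": False,
        "location": m.group("loc") or tftp_server["location"],
        "pathname": m.group("path") or tftp_server["pathname"],
    }


if __name__ == "__main__":
    # Constructed sample settings, not taken from a real device.
    defaults = {"location": "10.1.1.5", "pathname": "pix601.bin"}
    for cmd in (
        "copy tftp flash",
        "copy tftp: flash",
        "copy tftp://10.1.1.9 flash",
        "copy tftp:/images/pix601.bin flash",
        "copy tftp://10.1.1.5/pix601.bin flash",
    ):
        print(cmd, "->", resolve_copy_source(cmd, defaults))
```

Running the same check over a change script before it is pasted into a console shows which commands will silently use the stored tftp-server values instead of asking.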