PIX 515E upgrades

May 19th, 2007

I need to upgrade 515Es from v6.x to the latest PIX IOS and firmware versions. I think that would be v7.2 for the PIX IOS. Can anybody share beneficial knowledge from their experiences?

Should I be concerned about the configurations when upgrading from v6 IOS to v7? In other IOS upgrades, I have been able to cut and paste the configurations, but I am aware that on some Cisco devices, involving some IOS upgrades, there is a need to use a software tool to upgrade the configuration separately. Is this the case with the PIX v6 to v7 upgrade?

jballowe Sat, 05/19/2007 - 20:59

Not sure why my posts doubled up. Read the second one for actual info...

jballowe Sat, 05/19/2007 - 21:14

First, make sure the box meets the HW requirements, especially in terms of RAM - most 515Es will have enough flash to upgrade to 7.0.

Second, it's unfortunate, but you cannot just copy and paste the configs.

The biggest changes from version 6.x to 7.x revolve around 1) interface configuration, 2) VPNs, 3) modular policy framework (ICMP, fixup, etc.) and 4) failover.

The good news is that the inline upgrade, for the most part, works. Of those changes, the only element of config that may not properly be migrated after upgrading the box would be your VPN configuration - the move to tunnel groups and group policy is a big change and sometimes the ACLs used to identify interesting traffic for crypto maps do not populate properly. Upgrading is a great way to go - it even preserves the original configuration so that you can roll back, if necessary.

If you have a large number of site to site VPNs, I would lab test the upgrade before doing it in production. Really, that's just to get you used to the tunnel-group paradigm of VPN configuration.

If you are starting from scratch rather than upgrading, all of your object-groups, ACLs, names, NAT configuration and fixup data (though it will be transformed as you enter it) can be copied and pasted directly. The interface configuration is more like that of traditional IOS and should be very easy to accomplish.

Conduits are bad - be sure to convert them to ACLs before attempting the upgrade.

Consider using the latest interim release if you run 7.2 instead of the GD release - lots of bugs have been addressed in the interim releases, some of which were pretty nasty.

Hope this helps - good luck!
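
An added example, not part of the original posts: a pre-upgrade audit of a saved PIX 6.x configuration that lists the `conduit` lines to convert first and snapshots the ACL behind each crypto map so it can be compared after the upgrade. The sample configuration, the function name `audit_pix6_config` and all names and addresses in it are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed PIX 6.x sample (not from the thread); addresses are documentation ranges.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 auto
ip address outside 192.0.2.1 255.255.255.0
fixup protocol http 80
fixup protocol ftp 21
access-list vpn_siteA permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
conduit permit tcp host 192.0.2.10 eq www any
crypto map outside_map 10 match address vpn_siteA
crypto map outside_map 20 match address vpn_siteB
failover
"""

CRYPTO_MATCH = re.compile(r"crypto map (\S+) (\d+) match address (\S+)$")

def audit_pix6_config(text):
    """Group the 6.x lines that fall in the areas the post says change in 7.x."""
    report = {"conduits": [], "fixups": [], "interfaces": [], "failover": [], "crypto_acls": {}}
    acl_entries, crypto_refs = defaultdict(list), []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("conduit "):
            report["conduits"].append(line)          # convert to ACLs before upgrading
        elif line.startswith("fixup "):
            report["fixups"].append(line)            # moves to modular policy framework
        elif line.startswith(("nameif ", "interface ", "ip address ")):
            report["interfaces"].append(line)        # interface config is restructured
        elif line.startswith("failover"):
            report["failover"].append(line)
        elif line.startswith("access-list "):
            parts = line.split(None, 2)
            if len(parts) == 3:
                acl_entries[parts[1]].append(parts[2])
        elif (m := CRYPTO_MATCH.match(line)):
            crypto_refs.append(m.groups())
    # Snapshot each crypto map's interesting-traffic ACL so it can be diffed post-upgrade.
    for map_name, seq, acl in crypto_refs:
        report["crypto_acls"][f"{map_name} {seq}"] = {"acl": acl, "entries": list(acl_entries.get(acl, []))}
    return report

if __name__ == "__main__":
    result = audit_pix6_config(SAMPLE_CONFIG)
    print("conduits to convert first:", result["conduits"])
    for entry, info in result["crypto_acls"].items():
        print(entry, info["acl"], info["entries"] or "ACL NOT DEFINED")
```

A crypto map entry whose snapshot is empty already points at an undefined ACL before the upgrade, so it should be fixed in 6.x rather than attributed to the migration.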

santontand Sun, 05/20/2007 - 13:36

Thank you for all the information.

If you have links available for how-to's on performing the inline upgrade vs starting from scratch implementations, it would be interesting to know the details of both. I will be in a position to test the upgrades in a lab, so having an alternate upgrade procedure may be useful.

santontand Sun, 05/20/2007 - 13:44

Is it possible that there could be upgrades needed to firmware or microcode on the PIX system board in addition to the PIX IOS upgrade?

