I need to upgrade 515E's from v6.x to the latest PIX IOS and firmware versions. I think that would be v7.2 for the PIX IOS. Can anybody share beneficial knowledge from their experiences?
Should I be concerned about the configurations when upgrading from v6 IOS to v7? In other IOS upgrades, I have been able to cut and paste the configurations, but I am aware that on some Cisco devices, involving some IOS upgrades, there is a need to use a software tool to upgrade the configuration separately. Is this the case with the PIX v6 to v7 upgrade?
First, make sure the box meets the HW requirements, especially in terms of RAM - most 515Es will have enough flash to upgrade to 7.0
Second, it's unfortunate, but you cannot just copy and paste the configs.
The biggest changes from version 6.x to 7.x revolve around 1) interface configuration, 2) VPNs, 3) modular policy framework (ICMP, fixup, etc.) and 4) failover.
The good news is that the inline upgrade, for the most part, works. Of those changes, the only element of config that may not be properly migrated after upgrading the box would be your VPN configuration - the move to tunnel groups and group policy is a big change and sometimes the ACLs used to identify interesting traffic for crypto maps do not populate properly. Upgrading is a great way to go - it even preserves the original configuration so that you can roll back, if necessary.
If you have a large number of site to site VPNs, I would lab test the upgrade before doing it in production. Really, that's just to get you used to the tunnel-group paradigm of VPN configuration.
If you are starting from scratch rather than upgrading, all of your object-groups, ACLs, names, NAT configuration and fixup data (though it will be transformed as you enter it) can be copied and pasted directly. The interface configuration is more like that of traditional IOS and should be very easy to accomplish.
Conduits are bad - be sure to convert them to ACLs before attempting the upgrade.
Consider using the latest interim release if you run 7.2 instead of the GD release - lots of bugs have been addressed in the interim releases, some of which were pretty nasty.
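The conduit-to-ACL conversion recommended in the reply above, as an added example (not code from the thread or from Cisco): a conduit lists the protected (global) address first and the outside (foreign) address second, while an access-list entry lists source before destination, so the two halves swap. Assumptions: a two-interface firewall whose lower-security interface is named `outside`, a hypothetical ACL name `acl_outside`, and a constructed sample config using documentation addresses.

```python
PORT_OPS = {"eq": 1, "lt": 1, "gt": 1, "neq": 1, "range": 2}  # operator -> operand count

def _take_addr(tok):
    """Pop one address spec from the token list: 'any', 'host A' or 'A MASK'."""
    if not tok:
        raise ValueError("missing address")
    if tok[0] == "any":
        return [tok.pop(0)]
    if len(tok) < 2:
        raise ValueError("incomplete address")
    return [tok.pop(0), tok.pop(0)]

def _take_port(tok):
    """Pop an optional port spec such as 'eq www' or 'range 5000 5010'."""
    if tok and tok[0] in PORT_OPS:
        n = PORT_OPS[tok[0]] + 1
        if len(tok) < n:
            raise ValueError("incomplete port spec")
        return [tok.pop(0) for _ in range(n)]
    return []

def conduit_to_acl(line, acl="acl_outside"):
    """Rewrite one 6.x conduit line as an access-list entry (ACL name is hypothetical)."""
    tok = line.split()
    if len(tok) < 3 or tok[0] != "conduit" or tok[1] not in ("permit", "deny"):
        raise ValueError("not a conduit line: " + line)
    action, proto, rest = tok[1], tok[2], tok[3:]
    g_addr, g_port = _take_addr(rest), _take_port(rest)   # global = destination in the ACL
    f_addr, f_port = _take_addr(rest), _take_port(rest)   # foreign = source in the ACL
    if rest and proto != "icmp":                           # only an ICMP type may trail
        raise ValueError("unparsed tokens: " + " ".join(rest))
    return " ".join(["access-list", acl, action, proto]
                    + f_addr + f_port + g_addr + g_port + rest)

def convert_config(text, acl="acl_outside", iface="outside"):
    """Convert every conduit in a config, in order, and bind the ACL inbound on iface."""
    out = [conduit_to_acl(l, acl) for l in text.splitlines()
           if l.strip().startswith("conduit ")]
    return out + [f"access-group {acl} in interface {iface}"] if out else out

# Constructed sample, not taken from any real device.
SAMPLE = """nameif ethernet0 outside security0
static (inside,outside) 192.0.2.10 10.1.1.10 netmask 255.255.255.255 0 0
conduit permit tcp host 192.0.2.10 eq www any
conduit permit icmp any any echo-reply
"""

if __name__ == "__main__":
    print("\n".join(convert_config(SAMPLE)))
```

Review the generated entries against the intended policy before removing the conduits, since the resulting ACL applies only to the one interface it is bound to.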
If you have links available for how-to's on performing the inline upgrade vs starting from scratch implementations, it would be interesting to know the details of both. I will be in a position to test the upgrades in a lab, so having an alternate upgrade procedure may be useful.