06-02-2006 12:56 PM - edited 02-21-2020 12:56 AM
Quick silly question. We just purchased an FO Cisco PIX 515E that we want to deploy, and reading the requirements it says the boxes need to be in sync on software version. Our current firewall is running PIX 7.0(5) and the new FO box is running PIX 6.3(5). I have tried the standard upgrade, but the default config does not allow it to talk to anything on the inside interface (stock factory config of 192.168.1.0/24). Is there any way I can upgrade this box to the appropriate software version without physical access to the primary (it is in NJ, and I am in MA)? Any help would be greatly appreciated.
06-03-2006 01:28 AM
Hi;
Did you mean that you can't access the inside interface (192.168.0.1)?
You can configure another interface like e1, assign it the IP address 10.0.0.1/24, and connect your laptop through a crossover cable with 10.0.0.2/24.
Is this what you are facing?
06-05-2006 06:24 AM
I mean I can configure int 0 or 1 or whatever to anything I desire, but it will not communicate with my TFTP server no matter what interface I connect and configure for this. I cannot ping any interface, even if I put in the apply all. I think this could be because these are FO licensed firewalls, but my question then is how do I flash them to the matching firmware if the URs I am connecting them to are running 7.0(5)?
06-03-2006 02:31 AM
Hi .. are you sure the interfaces are enabled? Please be aware that you need to type in the following in order to get the interfaces enabled:
interface ethernet0 100full
interface ethernet1 100full
Then you can assign an IP address (if it does not have one already).
Then you can connect to the inside interface, which is the one that has security 100, by using a crossover cable. Make sure your laptop also has an IP address in the same range.
Then you can copy the new image by TFTP.
NOTE: If you are still having problems accessing the PIX, you can try creating an access list that allows all IP traffic and applying it to the inside interface:
access-list PERMIT_ALL permit ip any any
access-group PERMIT_ALL in interface inside
I hope it helps ... please rate it if it does!!
06-05-2006 05:27 AM
Well, I tried what you suggested. I had done the same before, but wanted to give your suggestion a shot since I might have typoed something, and still no love. I cannot ping 192.168.1.2 from int 1 at all. The only way I have been able to flash is via monitor mode, but to finish the process I need to copy the image to the flash before the next reboot or it will get caught in a boot cycle. Below is the config from the box (it is the stock factory config); if anyone could either confirm a process that works or just say that I need to plug it into the primary before I can do this, I would be very appreciative.
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password xxxx
passwd xxxx
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list PERMIT_ALL permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
no ip address outside
ip address inside 192.168.1.1 255.255.255.0
no ip address intf2
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm logging informational 100
pdm history enable
arp timeout 14400
access-group PERMIT_ALL in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:xxxx
: end
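The factory config posted above, run through a small parser. This is an added example and not part of the thread or of any Cisco tool; it pulls out the settings that decide whether the box can be reached for a TFTP image copy (interface state, addressed interfaces, failover state, DHCP pool) and flags the factory defaults a security engineer would change before the unit carries traffic (well-known SNMP community, the permit-any ACL bound to inside, PDM and DHCP enabled on inside). The config text embedded below is a constructed, abridged copy of the posted one; the function names are my own.

```python
"""Parse a PIX 6.3 config dump and report what matters for an out-of-band
TFTP upgrade, plus factory defaults to change before deployment.
Added example; the config below is a constructed, abridged copy of the one
posted in the thread."""

import re

PIX_CONFIG = """\
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
fixup protocol tftp 69
access-list PERMIT_ALL permit ip any any
no ip address outside
ip address inside 192.168.1.1 255.255.255.0
no ip address intf2
no ip address intf3
no failover
access-group PERMIT_ALL in interface inside
http server enable
http 192.168.1.0 255.255.255.0 inside
snmp-server community public
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd enable inside
Cryptochecksum:xxxx
: end
"""


def parse_pix_config(text):
    """Return a dict of the handful of settings this thread cares about."""
    cfg = {
        "interfaces": {},      # ethernetN -> {"speed": str, "shutdown": bool}
        "nameif": {},          # ethernetN -> (name, security level)
        "ip": {},              # name -> (address, mask); absent when 'no ip address'
        "failover": True,      # PIX default; cleared by 'no failover'
        "acls": {},            # acl name -> list of rule strings
        "access_groups": {},   # interface name -> (acl name, direction)
        "snmp_communities": [],
        "dhcpd": {"enabled_on": [], "pools": {}},
        "http_server": False,
    }
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(":") or line.startswith("Cryptochecksum"):
            continue
        if (m := re.fullmatch(r"interface (\S+) (\S+)( shutdown)?", line)):
            cfg["interfaces"][m[1]] = {"speed": m[2], "shutdown": m[3] is not None}
        elif (m := re.fullmatch(r"nameif (\S+) (\S+) security(\d+)", line)):
            cfg["nameif"][m[1]] = (m[2], int(m[3]))
        elif (m := re.fullmatch(r"ip address (\S+) (\S+) (\S+)", line)):
            cfg["ip"][m[1]] = (m[2], m[3])
        elif line == "no failover":
            cfg["failover"] = False
        elif (m := re.fullmatch(r"access-list (\S+) (.+)", line)):
            cfg["acls"].setdefault(m[1], []).append(m[2])
        elif (m := re.fullmatch(r"access-group (\S+) (in|out) interface (\S+)", line)):
            cfg["access_groups"][m[3]] = (m[1], m[2])
        elif (m := re.fullmatch(r"snmp-server community (\S+)", line)):
            cfg["snmp_communities"].append(m[1])
        elif (m := re.fullmatch(r"dhcpd address (\S+)-(\S+) (\S+)", line)):
            cfg["dhcpd"]["pools"][m[3]] = (m[1], m[2])
        elif (m := re.fullmatch(r"dhcpd enable (\S+)", line)):
            cfg["dhcpd"]["enabled_on"].append(m[1])
        elif line == "http server enable":
            cfg["http_server"] = True
    return cfg


def upgrade_and_hardening_findings(cfg):
    """Findings for (a) reaching the box to copy an image and (b) defaults to fix."""
    findings = []
    if not cfg["failover"]:
        findings.append("failover disabled: unit can be imaged standalone, "
                        "no need to cable it to the primary first")
    for eth, (name, level) in sorted(cfg["nameif"].items()):
        iface = cfg["interfaces"].get(eth, {})
        if name in cfg["ip"]:
            addr, mask = cfg["ip"][name]
            state = "shutdown" if iface.get("shutdown") else "up"
            findings.append(f"{name} ({eth}, security{level}) has {addr} {mask}, "
                            f"interface {state}: TFTP candidate")
        elif iface.get("shutdown"):
            findings.append(f"{name} ({eth}) is shut down with no address: spare port, "
                            f"needs 'interface {eth} auto' plus an ip address to be usable")
    for iface_name, (acl, direction) in cfg["access_groups"].items():
        if any(r.startswith("permit ip any any") for r in cfg["acls"].get(acl, [])):
            findings.append(f"ACL {acl} ({direction}bound on {iface_name}) permits ip any any: "
                            "acceptable during the upgrade, remove before production")
    for community in cfg["snmp_communities"]:
        if community in ("public", "private"):
            findings.append(f"SNMP community '{community}' is a well-known default: change or disable it")
    if cfg["http_server"]:
        findings.append("PDM http server enabled: browser upgrade is possible once the interface "
                        "answers; restrict the 'http' host list afterwards")
    for name in cfg["dhcpd"]["enabled_on"]:
        lo, hi = cfg["dhcpd"]["pools"].get(name, ("?", "?"))
        findings.append(f"dhcpd serving {lo}-{hi} on {name}: a directly cabled laptop should get a lease")
    return findings


if __name__ == "__main__":
    for finding in upgrade_and_hardening_findings(parse_pix_config(PIX_CONFIG)):
        print("-", finding)
```

Run it against a full `write terminal` capture instead of the embedded copy to get the same report for another unit; the parser ignores lines it does not recognise, so the fixup, timeout and aaa-server lines in the posted config pass through harmlessly.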
06-05-2006 11:53 AM
Hi .. by looking at the config, you don't need to connect it to the primary PIX as failover is not enabled. You should be able to connect your laptop to the ethernet1 port and get a dynamic IP address in the 192.168.1.2-254 range. Can you make sure the cable you use to plug in DIRECTLY is a crossover, and you might also need to hard code the speed and duplex on your laptop to 100/full. Use a console connection while at the same time you connect by LAN cable to the PIX, and see the status of the e1 interface ...
06-05-2006 01:54 PM
That is what I thought. I plug in my laptop via crossover and can flash via monitor mode, but cannot get the image copied over via TFTP; the interface does not get a DHCP address or anything. I hard code it and Windows says there is a link, and there are physical link lights on the Cisco and the laptop, and still I get nothing. I am really stumped on this.
06-05-2006 03:16 PM
Using your console session, do a show int command on the PIX while connected to the e1 int. What is the status? Also, have you checked whether you have a personal firewall enabled on your laptop?
06-05-2006 07:47 PM
If I do a show int the line shows as up and up. Initially it was administratively down, but assigning the auto brought it up. The firewall has been completely disabled on my machine, and I confirmed I can launch a TFTP client from another machine even.
06-05-2006 09:52 PM
Hmm ... so you hardcoded 100 FULL on both sides and it did not work, but when you configured it to auto then the interface came up, right? Have you tried using a different laptop, or perhaps connecting them through a switch/hub instead? I am just thinking perhaps there is some incompatibility between the NICs, a negotiation problem.
06-05-2006 10:25 PM
Tried both, neither worked; tried my desktop switch and still got nothing. I am thinking it is going to have to be plugged into a non-FO model 515E for me to do anything, which means downtime and a trip to the datacenter.
06-05-2006 08:49 PM
Hi, if you have PDM access you can do a remote upgrade via the browser.
06-05-2006 10:26 PM
I would love to, but I cannot access the interface at all via ping, telnet, anything. I know I am just missing something here.
06-05-2006 10:30 PM
Hi;
Three days ago I faced the same problem.
I actually tried to set up another interface like e3,
set a different IP subnet and connect it to the switch,
and successfully could upgrade the image.
06-06-2006 06:47 AM
I will try that, thanks.... did not think of that option.