New Member

Applying DNS Poison patch

My boss put me in charge of getting our systems updated with the recent DNS poison patches. I got the proper patch from Cisco for my 1841, but how exactly do I apply it? I have worked in the Cisco IOS before, but just very basic stuff: setting up IPs, access lists, etc.

What do I need to do for this patch? Thanks

Hall of Fame Super Silver

Re: Applying DNS Poison patch

James

Perhaps we should start by clarifying what you have got. Cisco does not typically do "patches" the way some other vendors do. When Cisco supplies a fix for a problem it is typically done by providing a new copy of the IOS image file. If we knew what you have got (and perhaps what you did to get it) then we would be more certain what to do with it.

Assuming that it is a replacement copy of the image file here is what I would do:

- copy the existing image file to a TFTP or FTP server. Having an archive copy assures that you can go back if there were to be problems with the replacement.

- copy the replacement image to flash. Depending on the size of the image file and the size of flash there might be room for both the old version and the new version. If there is not sufficient room for both then delete the old image file before copying the new image file.

- if there are 2 image files in flash then you probably need to configure a boot system flash command to identify that the device should boot the new image. If there is only a single image in flash then the boot system flash command is not required.

- reboot the device.

- verify that the device is running the new version of code and that there are not issues associated with running the new version.

HTH

Rick

New Member

Re: Applying DNS Poison patch

Hi Rick,

My apologies, I had a brain freeze. I am NOT doing the patch on an 1841, I am doing it on a PIX 501 Firewall.

My PIX version is: Cisco PIX Firewall Version 6.3(5)

Cisco PIX Device Manager Version 3.0(4)

This is what Cisco gave me to download:

pix635-145.bin PIX Engineering Release 6.3.5.145

Hall of Fame Super Silver

Re: Applying DNS Poison patch

James

No problem. What I said before about 1841 pretty much also applies to the PIX, except I am not sure that the PIX will copy its image to TFTP or FTP to create an archive image. Otherwise, what you have is a replacement image file. You need to load it to flash on the PIX and reboot (essentially the same process as doing a code upgrade).

HTH

Rick

New Member

Re: Applying DNS Poison patch

So I install the new image through TFTP and then basically I need to paste the current config file after the image is installed.

But the config file has encrypted passwords. Will those still copy over?

Hall of Fame Super Silver

Re: Applying DNS Poison patch

James

In the process that I have described there is no need to copy the config file. The config file is already on the PIX, you will be loading a new image onto the same system and it will use the existing config file. (Note that sometimes a new version of the image may make some changes in the config file.)

Having just said that it is not necessary to copy the config file, I will also note that it is frequently a good thing before starting any significant maintenance (such as a new image) to make sure that you have a good (current) copy of the config stored somewhere off the device. Whether the encrypted passwords will transfer depends on how you do the copy. Many of us do a show run and copy and paste to get the config into a file. In doing this the encrypted passwords will not be saved. But if you do a copy with TFTP from the PIX to a TFTP server then the encrypted passwords are saved.

HTH

Rick
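
The steps discussed in this thread, written out as a PIX 6.3 command sequence. This is an added example and not part of any poster's reply; the TFTP server address 192.0.2.10 and the backup filename are constructed placeholders, and lines beginning with `:` are annotations.

```text
: Constructed example for a PIX 501 running 6.3(5).
: 192.0.2.10 and pix501-config-backup.txt are placeholders.
: pix635-145.bin is the image file named in the thread.

: 1. Record the version currently running.
pixfirewall> enable
pixfirewall# show version

: 2. Save the running config to flash so the new image boots with it.
pixfirewall# write memory

: 3. Store an off-device copy of the config on the TFTP server.
pixfirewall# write net 192.0.2.10:pix501-config-backup.txt

: 4. Load the replacement image into flash.
pixfirewall# copy tftp://192.0.2.10/pix635-145.bin flash:image

: 5. Reboot into the new image.
pixfirewall# reload

: 6. After the reboot, confirm the version line matches the release
:    that was loaded, then review the config for changes the new
:    image may have made.
pixfirewall> enable
pixfirewall# show version
pixfirewall# write terminal
```

TFTP is unauthenticated and unencrypted, so run the transfer over a management network. The backup file carries the password hashes, so restrict access to it on the server.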
