Upgrading the PIX OS

If the PIX Firewall unit is currently running OS version 5.1.1 or later and has a DES or 3DES activation key, use the copy tftp flash command to download the latest software image from a TFTP server. The copy tftp flash command process is virtually identical to the typical method for upgrading an IOS on a Cisco router. The new image is used by the PIX Firewall on the next reload (reboot).

Regardless of the upgrade method, the latest PIX OS can be downloaded from the PIX Software Download page on the www.cisco.com site. A CCO account is necessary to get to this site. If necessary, Cisco TFTP Server software can be downloaded from this same site. The PIX images have names like pix622.bin.

Use the following steps to upgrade the PIX unit using the copy tftp flash command.

  1. Make sure the TFTP server is running and the appropriate PIX Firewall binary image (pixnnn.bin) file was copied to the folder TFTP uses as its source.

  2. Confirm connectivity between the PIX unit and the TFTP server by pinging the server from the PIX Privilege mode prompt.

  3. At the PIX Privilege mode prompt, type the copy tftp flash command.

  4. Type the TFTP server IP address when prompted for the remote host.

  5. Type the PIX binary filename when prompted for the source filename.

  6. Type yes to confirm the process.

The screen output should look something like this:

Pix# copy tftp flash
Address or name of remote host []?
Source file name [cdisk]? pix622.bin
copying tftp:// to flash:image
Received 1658880 bytes.
Erasing current image.
Writing 1540152 bytes of image.
Image installed.

While this, undoubtedly, was a temporary problem, I couldn’t get these instructions by searching from the www.cisco.com site. Only the older instructions appeared (see the next section). Going to the Cisco TAC site www.cisco.com/tac did locate the latest PIX upgrade document. The point is this: don’t forget that site as an additional resource for Cisco technologies.

Older Upgrade Methods

If the PIX Firewall unit is currently running an OS version earlier than 5.1.1 or doesn’t have a DES or a 3DES activation key (requiring a new activation key), it will be necessary to use a method virtually identical to the password recovery process.

PIX Units Without a Floppy Drive

Use exactly the same steps as the password recovery, except use the PIX binary image file, such as pix622.bin, as the source filename. In this process, you type a series of one-word commands, followed by an IP address or filename.

  1. Start a console session with the PIX unit console port.

  2. Make sure the TFTP server is running and the appropriate PIX Firewall binary image (pixnnn.bin) file was copied to the folder TFTP uses as its source.

  3. Power on the PIX Firewall and, as soon as the startup messages appear, send a BREAK character or press the ESC key. For Windows HyperTerminal, use CTRL+BREAK. You might have to do this several times. The monitor> prompt will indicate success.

  4. Make the following entries, pressing ENTER after each. The command is repeated or responded to on the next line.

    After the image downloads, when you’re prompted to install the new image, type y to install the image in Flash. When you’re prompted to enter a new activation key, type y if you want to enter a new activation key, or type n to keep the existing key.

    monitor> interface 1                (PIX interface to TFTP)
    0: i8255X @ PCI(bus:0 dev:14 irq:10)
    1: i8255X @ PCI(bus:0 dev:13 irq:11)
    Using 1: i82557 @ PCI(bus:0 dev:13 irq:11), MAC: 0002.b945.a23c
    monitor> address                    (PIX interface address)
    monitor> server                     (TFTP server address)
    monitor> file pix622.bin            (PIX image name)
    file pix622.bin
    monitor> ping                       (Test connectivity to TFTP)
    Sending 5, 100-byte 0xcde2 ICMP Echoes to, timeout is 4 seconds:
    Success rate is 100 percent (5/5)
    monitor> tftp                       (execute the TFTP copy)
    tftp pix622.bin@ 
    Received 1658880 bytes 
    Cisco Secure PIX Firewall admin loader (3.0) #0: Tue Dec 7:35:46 PST 2002 
    Flash=i28F640J5 @ 0x300
    BIOS Flash=AT29C257 @ 0xfffd8000
    Flash version 6.2.2, Install version 6.2.2 
    Do you wish to copy the install image into flash? [n] y 
    Installing to flash 
    Serial Number: 480380761 (0x1ca20759) 
    Activation Key: 760754d0 39f62229 a4a0245f b5b87e80 
    Do you want to enter a new activation key? [n] n 
    Writing 1540152 bytes image into flash...
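The following is an added example, not part of the original text or any Cisco tooling: a short Python check for a saved console capture of the monitor-mode upgrade. It confirms the ping, transfer, version, and flash-write lines, and masks the serial number and activation key before the log is archived. The function names, the constructed sample capture, and the assumption that image names follow the one-digit-per-field pattern seen on this page (pix622.bin for 6.2.2) are illustrative.

```python
import re

# Constructed sample: a monitor-mode console capture shaped like the listing
# above (values are illustrative, not from a real device).
SAMPLE = """\
monitor> file pix622.bin
file pix622.bin
monitor> ping
Success rate is 100 percent (5/5)
monitor> tftp
Received 1658880 bytes
Flash version 6.2.2, Install version 6.2.2
Do you wish to copy the install image into flash? [n] y
Serial Number: 123456789 (0x75bcd15)
Activation Key: 00000000 11111111 22222222 33333333
Do you want to enter a new activation key? [n] n
Writing 1540152 bytes image into flash...
"""

def version_from_image(name):
    """pix622.bin -> '6.2.2' (assumes one digit per field, as in the page's examples)."""
    m = re.fullmatch(r"pix(\d)(\d)(\d)\.bin", name)
    return ".".join(m.groups()) if m else None

def redact(capture):
    """Mask the activation key and serial number before the log is archived."""
    capture = re.sub(r"(Activation Key:).*", r"\1 [REDACTED]", capture)
    return re.sub(r"(Serial Number:).*", r"\1 [REDACTED]", capture)

def check_capture(capture):
    """Return a list of problems found in the capture; empty means it looks sane."""
    problems = []
    image = re.search(r"^monitor> file (\S+)", capture, re.M)
    ping = re.search(r"Success rate is (\d+) percent", capture)
    rx = re.search(r"Received (\d+) bytes", capture)
    inst = re.search(r"Install version (\S+)", capture)
    written = re.search(r"Writing (\d+) bytes", capture)
    if not image:
        problems.append("no 'file' command seen")
    if not ping or int(ping.group(1)) < 100:
        problems.append("ping to TFTP server not 100 percent")
    if not rx or int(rx.group(1)) == 0:
        problems.append("no image bytes received")
    if image and inst and version_from_image(image.group(1)) != inst.group(1):
        problems.append("install version does not match requested image name")
    if not written:
        problems.append("image was not written to flash")
    return problems
```

Run check_capture() on the raw capture first, then store only the output of redact() in the change record.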

PIX Units with a Floppy Drive

For PIX Classic, 10000, 510, and 520, only two reasons exist to upgrade using a bootable floppy disk:

  • The current PIX Software OS version is earlier than 5.1.1.

  • The current PIX Software OS version is earlier than 6.1 and the activation key doesn’t support DES or 3DES.

Use the following steps to create a bootable floppy disk in Windows.

  1. Go to the PIX Software Download page on the www.cisco.com site and download the rawrite.exe utility, the PIX binary image (pixnnn.bin), and the boothelper (bhnn.bin) binary file that matches the upgrade version. For an upgrade to 6.1(1), the three files would be rawrite.exe, pix611.bin, and bh61.bin.

  2. Place a blank 3.5” floppy disk in the computer floppy drive, and run rawrite.exe. When prompted, type the name of the file you want written to the floppy disk. If upgrading to PIX version 5.1 or earlier, type the PIX image itself (pixnnn.bin); for upgrading to PIX version 5.2 or later, type the PIX boothelper file (bhnn.bin). The following output shows the boothelper results:

    RaWrite 1.2 - Write disk file to raw floppy diskette 
    Enter source file name: bh61.bin
    Enter destination drive: a: 
    Please insert a formatted diskette into drive A: and press -ENTER- : 
    Number of sectors per track for this disk is 18. 
    Writing image to drive A:. Press ^C to abort. 
    Track: 11 Head: 1 Sector: 16

  3. Insert the 3.5” floppy disk just created in the PIX Firewall diskette drive and reboot or power up the PIX.

  4. If upgrading to PIX 5.1 or earlier, remove the floppy disk from the PIX drive and reboot the PIX. The new image is loaded.

  5. If upgrading to PIX 5.2 or later with the boothelper program on the floppy, the PIX will come up in boothelper mode or Monitor mode. To complete the upgrade, follow the steps for PIX units without a floppy drive in the previous section.
