Upgrading a PIX 506E to Version 7

KB ID 0000764

Problem

As far as Cisco is concerned you can’t upgrade a PIX 506E past version 6.3(5) PIX 506E and 501 Firewall Image and PDM Upgrade

However if you have a spare one lying around and you want to have a play, you CAN get it to version 7.1(2).

Note: It is possible to run the 8.0(2) version of the PIX OS on a 506E, Howerver you need to decompress the image and make some changes to it before it will work (usung lzma.exe). I could not find any decent details on how to do this, and I’m not really a code jockey. If anyone would like to document that and send me the details, I’ll publish it here.

Solution

Memory For the PIX 506E

Your first task is to get some more memory in the firewall. There are two slots on the board and only one will be populated with a 32MB PC133 chip. You need to be at AT LEAST 64MB to attempt this upgrade.

Opening the PIX 506E Chassis

What memory Do I need to find? Any PC133 will work, the memory in the firewall is non ECC, so if you locate some ECC memory you will need to replace the on board memory. Because it will not boot if you mix them (I know I tried). It’s not fussy if you use ECC or non ECC, as long as you don’t mix them. (Note: A lot of the ECC memory I found that worked, was ex server RAM, and it was fine, but the chips were “too tall” to get the lid back on the firewall afterwards.)

Can I use PC100? Yes! And you can mix PC100 and PC133, and the firewall will still boot (This is what I did).

Perform the Upgrade

1. Connect to the firewall via console cable, just to prove it’s still version 6, issue a show version command, Note the RAM and version number;

Important: At this point take a copy of the firewall Activation Key! [box]

Petes-PIX> en

Password:
Petes-PIX# show version

Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(4)
Compiled on Thu 04-Aug-05 21:40 by morlee
Petes-PIX up 1 min 5 secs

Hardware: PIX-506E, 64 MB RAM, CPU Pentium II 300 MHz
Flash E28F640J3 @ 0x300, 8MB

BIOS Flash AM29F400B @ 0xfffd8000, 32KB

Output removed for the sake of space!

Serial Number: 810412141 (0x304de999)
Running Activation Key: 0x2d796132 0x68c660cd 0x334cac62 0xcaeddaaa

Configuration has not been modified since last system restart.

Petes-Pix#

[/box]

2. Before continuing make sure you have the 7.1(2) version of the PIX Operating system, and you have a TFTP Server set up ready to send you that file. The new OS needs so much flash memory you WILL NOT be able to run the ASDM*. First erase all files from the flash memory and reboot.

*You could try running th ASDM form your TFTP Server. [box]

Petes-PIX# clear flashfs

Petes-PIX# show flash
flash file system: version:0 magic:0x0
file 0: origin: 0 length:0
file 1: origin: 0 length:0
file 2: origin: 0 length:0
file 3: origin: 0 length:0
file 4: origin: 0 length:0
file 5: origin: 0 length:0

Petes-PIX# reload

Proceed with reload? [confirm]

Rebooting.

[/box]

3. Press Esc as the firewall boots to boot into ROMMON mode. Then set it to load its operating system from your TFTP server (here running on my laptop at 172.16.254.207). [box]

Use BREAK or ESC to interrupt flash boot.
PRESS ESC 
Use SPACE to begin flash boot immediately.

Flash boot in 10 second.
Flash boot interrupted.

0: i8255X @ PCI(bus:0 dev:14 irq:10)
1: i8255X @ PCI(bus:0 dev:13 irq:11)

Using 1: i82557 @ PCI(bus:0 dev:13 irq:11), MAC: 0019.aabe.d624

Use ? for help.

monitor> address 172.16.254.240
address 172.16.254.240
monitor> server 172.16.254.207
server 172.16.254.207
monitor> file pix712.bin
file pix712.bin
monitor> tftp
tftp pix712.bin@172.16.254.207 .......................................
......................................................................
.........................................................

Received 6764544 bytes

Cisco PIX admin loader (3.0) #0: Tue Mar 14 16:46:07 PST 2006

#####################################################
#####################################################
#####################################################
#####################################################
#####################################################

64MB RAM

Total NICs found: 2

mcwa i82559 Ethernet at irq 11 MAC: 0019.aabe.d624
mcwa i82559 Ethernet at irq 10 MAC: 0019.aabe.d623

BIOS Flash=am29f400b @ 0xd8000

Old file system detected. Attempting to save data in flash
Flash filesystem is corrupted (0x0).

Could not save data in flash.

Initializing flashfs...

flashfs[7]: Checking block 0...block number was (-2131)

Output removed for the sake of space!

flashfs[7]: Checking block 61...block number was (0)
flashfs[7]: erasing block 61...done.
flashfs[7]: 0 files, 1 directories
flashfs[7]: 0 orphaned files, 0 orphaned directories
flashfs[7]: Total bytes: 7870464
flashfs[7]: Bytes used: 1024
flashfs[7]: Bytes available: 7869440
flashfs[7]: flashfs fsck took 52 seconds.
flashfs[7]: Initialization complete.

Need to burn loader....

Erasing sector 0...[OK]
Burning sector 0...[OK]

INFO: Unable to read firewall mode from flash

Cisco PIX Security Appliance Software Version 7.1(2)

Copyright (c) 1996-2006 by Cisco Systems, Inc.

[/box]

4. Now the operating system is in memory but if you rebooted the firewall it would not work, you need to configure the IP address, some basic settings, and copy the new OS to the firewall permanently. [box]

pixfirewall> enable

Password:
pixfirewall# show flash

Directory of flash:/

No files in directory

7870464 bytes total (7868416 bytes free)

pixfirewall# configure terminal
pixfirewall(config)# int Ethernet1
pixfirewall(config-if)# ip address 172.16.254.240 255.255.255.0
pixfirewall(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
pixfirewall(config-if)# no shutdown
pixfirewall(config-if)# exit
pixfirewall(config)# global (outside) 1 interface
INFO: outside interface address added to PAT pool
pixfirewall(config)# nat (inside) 1 0.0.0.0 0.0.0.0
pixfirewall(config)# ping 172.16.254.207

Sending 5, 100-byte ICMP Echos to 172.16.254.207, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/36/180 ms

pixfirewall(config)# copy tftp://172.16.254.207/pix712.bin flash

Address or name of remote host [172.16.254.207]?

Source filename [pix712.bin]?

Destination filename [pix712.bin]?

Accessing tftp://172.16.254.207/pix712.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file flash:/pix712.bin...

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
6764544 bytes copied in 64.950 secs (105696 bytes/sec)

pixfirewall(config)# show flash

Directory of flash:/

5 -rw- 6764544 11:37:32 Feb 08 2013 pix712.bin

7870464 bytes total (1103872 bytes free)

[/box]

5. Change the firewall so that it uses this file to boot from, save the changes, and then reboot. [box]

pixfirewall(config)# boot system pix712.bin
INFO: Converting pix712.bin to flash:/pix712.bin

pixfirewall(config)# write mem

Building configuration...
Cryptochecksum: f59a9bd3 3129b8bc 474b2415 52f2db0f

1049 bytes copied in 0.430 secs
[OK]

pixfirewall(config)# reload

Proceed with reload? [confirm]

--- START GRACEFUL SHUTDOWN ---

Shutting down isakmp

Shutting down File system

--- SHUTDOWN NOW ---

Rebooting....

[/box]

6. Post reboot you should be upgraded. [box]

pixfirewall> enable
Password:
pixfirewall# show version

Cisco PIX Security Appliance Software Version 7.1(2)

Compiled on Tue 14-Mar-06 17:00 by dalecki
System image file is "flash:/pix712.bin"
Config file at boot was "startup-config"

pixfirewall up 10 secs

Hardware: PIX-506E, 64 MB RAM, CPU Pentium II 300 MHz

Flash E28F640J3 @ 0xfff00000, 8MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

0: Ext: Ethernet0 : address is 0019.aabe.d623, irq 10
1: Ext: Ethernet1 : address is 0019.aabe.d624, irq 11

The Running Activation Key is not valid, using default settings:

Licensed features for this platform:

Maximum Physical Interfaces : 2
Maximum VLANs : 2
Inside Hosts : Unlimited
Failover : Not supported
VPN-DES : Disabled
VPN-3DES-AES : Disabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 0
GTP/GPRS : Disabled

pixfirewall#
[/box]

6. Finally add the original activation key you took note of in step one back into the firewall. [box]

pixfirewall# configure terminal
pixfirewall#(config)# activation-key 0x2d796132 0x68c660cd 0x334cac62 0xcaeddaaa
pixfirewall(config)# write mem

Building configuration...
Cryptochecksum: f59a9bd3 3129b8bc 474b2415 52f2db0f

1049 bytes copied in 0.430 secs
[OK]

pixfirewall(config)#

[/box]

Related Articles, References, Credits, or External Links

NA

Cisco Firewall (ASA/PIX) – Granting Access to an FTP Server

KB ID 0000772

Problem

If you have an FTP server, simply allowing the FTP traffic to it wont work. FTP (in both active and passive mode) uses some random high ports that would normally be blocked on the firewall. So by actively inspecting FTP the firewall will know what ports to open and close.

Solution

How you ‘allow’ access to the FTP server will depend on weather you have a public IP address spare or not, if you only have one public IP you will need to ‘port forward’ the FTP traffic to the server. But if you have a spare public IP address you can create a static mapping to that IP address instead.

Cisco ASA FTP Procedure

1. Connect to the firewall > Go to enable mode > Go to Configure terminal mode > Create an object for the FTP server > redirect all FTP Traffic to that object.

Note: In this example 192.168.1.1 is the IP of the FTP server.

[box]

USING PORT FORWARDING

User Access Verification

Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)# object network Internal_FTP_Server
Petes-ASA(config-network-object)# host 192.168.1.1
Petes-ASA(config-network-object)# nat (inside,outside) static interface service tcp ftp ftp
Petes-ASA(config-network-object)#exit
Petes-ASA(config)#
USING A SPARE PUBIC IP (STATIC MAPPING to 123.123.123.124)

User Access Verification

Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)# object network Internal_FTP_Server
Petes-ASA(config-network-object)# host 192.168.1.1
Petes-ASA(config-network-object)# nat (inside,outside) static 123.123.123.124
Petes-ASA(config-network-object)# exit 
Petes-ASA(config)#

[/box]

2. Then allow the FTP traffic in from outside.

Now you need to allow the ftp traffic in. Before you can add an ACL you need to see if you already have one. We are applying an ACL to the outside interface for traffic going in (I call this inbound for obvious reasons). To see if you already have an ACL applied, issue the following command;

[box]

Petes-ASA(config)# show run access-group
access-group inbound in interface outside
access-group outbound in interface inside[/box]

Note: In the example above we have an ACL called inbound that we MUST use. (If you added a new one, all the access list entries for the old one get ‘Un-applied’). If yours has a different name (e.g. outside_access_in then use that instead of the ACL name I’m using here). If you DONT have an access-group entry for inbound traffic then we will do that at the end!

[box]

Petes-ASA(config)# access-list inbound permit tcp any object Internal_FTP_Server eq ftp[/box]

3. Then: Only carry out the following command if you DO NOT HAVE an ACL applied for incoming traffic.

[box]

Petes-ASA(config)# access-group inbound in interface outside
 [/box]

4. Then to allow the ASA to insect the FTP traffic, do the following;

[box]

Petes-ASA(config)# policy-map global_policy
Petes-ASA(config-pmap)# class inspection_default
Petes-ASA(config-pmap-c)# inspect ftp 
Petes-ASA(config-pmap-c)# exit
Petes-ASA(config-pmap)# exit
Petes-ASA(config)# [/box]

5. Save the changes.

[box]

Petes-ASA(config)# write memory
Building configuration...
Cryptochecksum: aab5e5a2 c707770d f7350728 d9ac34de
[OK]
Petes-ASA(config)#[/box]

Allow Access to FTP Server via ASDM

1. Connect to the ASDM > Configuration > Firewall > Addresses Section > Add > Network Object > Give the FTP server a name > Set it to ‘Host’ > Enter The IP Address > Select the drop down arrow > Tick the ‘Add Automatic Address Translation Rule’ > Advanced.

2. Set Source interface = inside > Destination Interface = outside > Protocol = tcp > Real and Mapped ports = ftp > OK > OK > Apply.

3. To allow the traffic in right click the outside interface > Add Access Rule.. > Set the destination to the server you created earlier > and the service to tcp/ftp > OK > Apply.

4. Service Policy Rules > Inspection_default > Edit > Rule Actions > Tick FTP > OK > Apply.

5. Save the changes > File > Save running Configuration to Flash.

Cisco PIX FTP Procedure

1. Connect to the firewall > Go to enable mode > Go to Configure terminal mode > Access List for the inbound FTP traffic (Its wide open we will narrow it down in a moment).

[box]

User Access Verification

Password:
Type help or '?' for a list of available commands.
PetesPIX> enable
Password: ********
PetesPIX# configure terminal
PetesPIX(config)# access-list inbound permit tcp any any eq ftp
PetesPIX(config)# access-group inbound in interface outside

[/box]

2. Create a static mapping that locks all incoming FTP traffic to the internal servers IP address (In this case 192.168.1.1).

[box]

 PetesPIX(config)# static (inside,outside) tcp interface ftp 192.168.1.1 ftp netmask 255.255.255.255[/box]

3. Now because FTP uses dynamic port allocation you need to add a ‘fixup’ to the FTP port (TCP port 21).

[box]

PetesPIX(config)# fixup protocol ftp 21[/box]

4. Finally save the changes.

[box]

PetesPIX(config)# write mem
Building configuration...
Cryptochecksum: 01832c5d a90d008d ebf30483 dc48a0d0
[OK][/box]

 

Related Articles, References, Credits, or External Links

Cisco PIX / ASA Port Forwarding

Add a Static (One to One) NAT Translation to a Cisco ASA 5500 Firewall

Original article written 15/02/13