In the next couple of months Windows 8 will go RTM. For those of you with Technet, MSDN or Open Value subscriptions you can already get your hands on it. For anyone not wanting to take the ‘plunge’ and reinstall your OS, you can simply ‘Dual Boot’. Then you can get used to Windows 8 in your own good time. If you suddenly find you need Windows 7, simply reboot and it will still be there.
Solution
Create a Partition for Windows 8
1. From within Windows 7 > Start > Right Click ‘Computer’ > Manage.
2. Launch Disk Management.
3. This machine has one large C: (System Drive). I’m going to ‘Shrink’ the volume that’s on it to free up room for a Windows 8 Partition, but first I’m going to rename it so we know what it is > Right click > Properties.
4. Call it ‘Windows 7’ > Apply > OK.
5. Now Right click > Shrink Volume.
6. Pick the amount to shrink the volume by, Note: Windows 8 needs 20 GB (Minimum) > Shrink.
7. Once complete, right click the newly created ‘free space’ > New Simple Volume.
8. Accept all the defaults and name the volume ‘Windows 8’.
9. Now we have a partition to install to.
Install Windows 8
10. Note: To install from DVD the computer MUST be set to boot from CD/DVD before its hard drive. This is set in the computer’s BIOS; how this is done varies from model to model.
11. Boot the machine and when prompted press any key to boot from DVD. Select your language options > Next.
15. Now you can see why I named the partitions, select Windows 8 > Next.
16. Ignore this for now and let Windows 8 install.
17. It will run setup then reboot.
18. At this point Windows 8 will be the OS that boots by default, you will probably want it to be Windows 7 so select “Change defaults or choose other options”
19. Choose the default operating system.
Note: The ‘Change the timer’ Setting changes the seconds countdown shown at boot, as illustrated in step 27 below.
20. Set it to Windows 7 > Back.
21. Now Select Windows 8 to boot into that OS.
22. Run through the ‘Personalise’ steps.
23. I don’t want to login with a Microsoft account so I’m selecting “Sign in without a Microsoft account” > Next.
24. Local account.
25. Create an account to login with > Finish.
26. There’s Windows 8!
27. When you reboot you can now choose which OS you want to use.
Note: The seconds counter below is set to the default of 30 seconds.
28. If you select nothing Windows 7 will boot by default.
Related Articles, References, Credits, or External Links
Note: PIX 515E and above, can still be upgraded to version 8.0(4) click here for details
Some people will wonder why I’m bothering to write this up, but the truth is, there are LOADS of older PIX firewalls out there in the wild, and all the PIX 501’s and 506E’s that are being retired from corporate use are being bought on eBay, or being put on IT departments’ test benches. This page deals with PIX version 6. If you are upgrading to version 7 or above, then you need to be on a PIX 515E (or a 525/535) and DO NOT follow these instructions, CLICK HERE. The “Smaller” PIX firewalls (501 and 506E) can only be upgraded to version 6.3(5) and the PDM can only be upgraded to 3.0(4).
Pre-Requisites
1. Before you do anything you will need a TFTP server and have it set up accordingly, for instructions CLICK HERE.
2. I suggest you backup your firewall configuration also, for instructions CLICK HERE.
3. You need to be able to get the Image and PDM versions from Cisco, you will need a valid support contract to be eligible for updates.
4. You will need a CCO Login to the Cisco Site (this is free to set up).
Solution
1. First things first; let’s download the software you need CLICK HERE
Remember a CCO login is free of charge and simple to set up but to download software you need a valid Cisco contract or SmartNet.
3. For this example I’m upgrading a PIX 501 so I’m going to need a system image and a PDM file.
4. Download the files above and put them in your TFTP server root directory, then start your TFTP Server.
5. Log into your PIX firewall via the console cable, Telnet, or SSH, then enter enable mode and supply the firewall with the enable password.
[box]
User Access Verification
Password:
Type help or '?' for a list of available commands.
Pix> enable
Password: ********
Pix#
[/box]
6. Now you need to copy in the new system file; you do this with a “copy tftp flash” command. NOTE: you can use copy tftp flash:image but it defaults to that anyway 🙂
[box]Pix# copy tftp flash[/box]
7. You will need to give it the IP address of your TFTP server and the name of the image file to copy over.
[box]
Address or name of remote host [0.0.0.0]? 10.254.254.51
Source file name [cdisk]? pix635.bin
copying tftp://10.254.254.51/pix635.bin to flash:image
[/box]
8. You will be asked to confirm; do so by typing yes and pressing Enter. The file will then upload and the old image file will be erased from the firewall’s memory.
[box]
[yes|no|again]? yes
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!
Received 2101248 bytes
Erasing current image
Writing 1978424 bytes of image
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Image installed
Pix#
[/box]
9. The quickest way to load the new image into memory is to restart the firewall; do this with a reload command, then press Enter to confirm.
[box]
Pix# reload
Proceed with reload? [confirm]
[/box]
10. After the firewall has restarted, log in, enter enable mode and issue a “show version” command, and you will see the new version displayed.
[box]
User Access Verification
Type help or '?' for a list of available commands.
Pix> enable
Password: ********
Pix# show version
Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(2)
{{{rest of output omitted}}}
[/box]
Upgrade Procedure Step 2 PDM Image
1. The procedure for upgrading the PDM is almost identical, again have the new PDM image on your TFTP server’s root directory, and the TFTP server running. Log into your PIX firewall via the console cable, Telnet or SSH, then enter enable mode, and then supply the firewall with the enable password.
[box]
User Access Verification
Password:
Type help or '?' for a list of available commands.
Pix> enable
Password: ********
Pix#
[/box]
2. This time the command is copy tftp flash:pdm
[box]Pix# copy tftp flash:pdm[/box]
3. You will need to give it the IP address of your TFTP server and the name of the file to copy over.
[box]
Address or name of remote host [0.0.0.0]? 10.254.254.51
Source file name [cdisk]? pdm-304.bin
copying tftp://10.254.254.51/pdm-304.bin to flash:pdm
[/box]
4. You will be asked to confirm; do so by typing yes and pressing Enter. The file will then upload and the old PDM file will be erased from the firewall’s memory.
Before upgrading/updating the ASA to version 8.3 (or higher), check to see if you have the correct amount of RAM in the firewall (the “show version” command will tell you). This is VERY IMPORTANT if your ASA was shipped before February 2010. See the link below for more information.
Be aware, if you are upgrading to an OS of 8.4(2) or newer you can no longer access the device via SSH when using the default username of “pix”. You need to enable AAA authentication for SSH; do this before you reboot/reload the firewall or you may lock yourself out.
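A pre-reload check for the SSH lockout described above, as an added example (not part of the original article). It assumes the running config has been saved to text and that SSH AAA is enabled with the ASA command `aaa authentication ssh console`; the function names and sample configs are constructed for illustration.

```python
import re

# Per the note above: from 8.4(2) the default "pix" username no longer works for SSH.
CUTOFF = (8, 4, 2)

def parse_version(text):
    """Turn an ASA version such as '8.4(2)' or '9.1(1)' into a comparable tuple."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\((\d+)\)\S*\s*", text)
    if not m:
        raise ValueError(f"unrecognised ASA version: {text!r}")
    return tuple(int(g) for g in m.groups())

def ssh_lockout_risk(target_version, running_config):
    """Return the reasons SSH logins would fail after reloading into target_version."""
    if parse_version(target_version) < CUTOFF:
        return []
    lines = [line.strip() for line in running_config.splitlines()]
    aaa = [l for l in lines if l.startswith("aaa authentication ssh console ")]
    if not aaa:
        return ["no 'aaa authentication ssh console' line in the running config"]
    problems = []
    # LOCAL (alone or as a fallback) is only useful if a local user exists.
    uses_local = any("LOCAL" in l.split() for l in aaa)
    has_user = any(l.startswith("username ") for l in lines)
    if uses_local and not has_user:
        problems.append("SSH authenticates against LOCAL but no local username exists")
    return problems

# Constructed sample configs (not taken from a real device).
BEFORE = """\
ssh 10.0.0.0 255.255.255.0 inside
ssh timeout 5
"""
AFTER = BEFORE + """\
username fwadmin password REDACTED encrypted privilege 15
aaa authentication ssh console LOCAL
"""

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, ssh_lockout_risk("8.4(4)1", cfg) or "OK to reload")
```

An empty list means the SSH side of the upgrade is safe to proceed; anything else should be fixed and saved before the reload.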
8. You may find that there is not enough room in flash memory, if so you will see this error. (if it does not error skip to step 11).
9. If you are stuck for room you can delete some items from your flash memory > Tools > File Management.
10. Here you can see I’m deleting an old version of the ASDM. Note you could delete the live version of the ASDM and Operating system if you had no choice (THOUGH DON’T REBOOT THE FIREWALL until the new ones have uploaded, or you will be loading the files in, in ROMMON mode!)
11. Once all the files have been downloaded to your location, they will be uploaded to the firewalls flash memory.
12. Next.
13. Finish.
Note: What happens now is the following commands are issued in the background automatically (note the version numbers may be different in your case).
[box]
asdm image disk0:/asdm-649.bin
no boot system disk0:/asa843-k8.bin
boot system disk0:/asa844-1-k8.bin
boot system disk0:/asa843-k8.bin
[/box]
14. After the firewall reboots, it should come back up with the new OS and ASDM version.
Related Articles, References, Credits, or External Links
You have two ASA firewalls deployed in Active/Standby failover configuration, and need to upgrade either the operating system or the ASDM. As you already have a high availability solution you do not want any downtime.
Before we start, we need to make sure we know the difference between primary, secondary, active and standby.
From the rear (Active=Green, Standby=Amber)
The Primary and Secondary firewalls are physical firewalls, the primary will always be the primary, and the secondary will always be the secondary. (Unless you manually change the configuration to force things otherwise!).
The Active firewall will be the firewall that’s passing traffic and in operation, and the Standby firewall is sat waiting to take over, each physical firewall can be either active or standby.
Solution
To get updates from Cisco you need to have a valid support agreement for your firewalls and a Cisco CCO account to log in with. (download link)
In this example, I’m going to upgrade both the firewalls from 8.4(5) to 9.1(1), and the ASDM from version 7.1(1) to 7.1(1)-52. When we start, the primary firewall is the active firewall.
In the past I’ve upgraded from 8.2(5) to 8.4(5), and (here) 8.4(5) to 9.1(1). I’ve never had a problem HOWEVER, DO NOT ATTEMPT an upgrade until you have a good backup of the config.
1. First you need to upload the software to the flash memory on BOTH firewalls, you can either connect to the ASA via command line and TFTP them there, or connect to the ASDM and upload them from your PC/Laptop. If you have an AnyConnect XML profile take a backup of that also (I’ve seen them disappear).
[box]
UPLOAD THE OPERATING SYSTEM
Petes-ASA> enable
Password:*********
Petes-ASA# copy tftp flash
Address or name of remote host []? 10.0.0.127
Source filename []? asa911-k8.bin
Destination filename [disk0]? asa911-k8.bin
Accessing tftp://10.1.0.127/asa911-k8.bin.. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
<<<<Removed lots for the sake of Space>>>>
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:asa911-k8.bin... !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!
<<<<Removed lots for the sake of Space>>>>
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
27260928 bytes copied in 49.250 secs (556345 bytes/sec)
UPLOAD THE ASDM SOFTWARE
Petes-ASA#copy tftp flash
Address or name of remote host []? 10.0.0.127
Source filename []? asdm-711-52.bin
Destination filename [disk0]? asdm-711-52.bin
Accessing tftp://10.1.0.127/asdm-711-52.bin.. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
<<<<Removed lots for the sake of Space>>>>
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:asdm-711-52.bin... !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!
<<<<Removed lots for the sake of Space>>>>
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
17790720 bytes copied in 32.200 secs (555960 bytes/sec)
[/box]
Upload via ASDM
Connect to the ASDM > Tools > File Management > File Transfer > Between Local PC and Flash > Navigate to the file(s) on your local machine > Upload.
REMEMBER TO DO THIS FOR BOTH FIREWALLS!
Note: You can copy the file to the standby firewall’s flash memory, from the primary firewall, using the following syntax (though I usually just swap the console cable over!).
2. On the Primary Active Firewall, set the new OS as the default. Below I check to see what file the ASA will boot from, then I change it to the new one, and finally I remove the link to the old file. You don’t need to carry out the last step, but I like to leave things tidy.
[box]
Petes-ASA# show running-config boot system
boot system disk0:/asa845-k8.bin
Petes-ASA# configure terminal
Petes-ASA(config)# boot system disk0:/asa911-k8.bin
Petes-ASA(config)# no boot system disk0:/asa845-k8.bin
Petes-ASA# show running-config boot system
boot system disk0:/asa911-k8.bin
[/box]
3. If you are also upgrading the ASDM, you need to set the new one as the default image.
[box]
Petes-ASA(config)# asdm image disk0:/asdm-711-52.bin
Petes-ASA(config)# show run asdm image
asdm image disk0:/asdm-711-52.bin
no asdm history enable
[/box]
4. Save the changes.
[box]
Petes-ASA(config)# write mem
Building configuration...
Cryptochecksum: e150e036 036082e0 6d054a3d 1c7fd9fa
16257 bytes copied in 3.350 secs (5419 bytes/sec) [OK]
[/box]
5. Whilst still on the primary active firewall, you need to reboot the secondary standby firewall with the following command:
[box]
Petes-ASA(config)# failover reload-standby
YOU MAY SEE A WARNING LIKE THE FOLLOWING - THIS IS OK
************WARNING****WARNING****WARNING********************************
Mate version 9.1(1) is not identical with ours 8.4(5)
************WARNING****WARNING****WARNING********************************
Beginning configuration replication: Sending to mate.
End Configuration Replication to mate
Petes-ASA(config)#
[/box]
6. This may take a little while. Remember it has to reboot and, depending on the version you are upgrading to, may need to change some of the config, i.e. in this case of upgrading past 8.3 (and newer), all the NAT rules need to be changed. You can check to see if it’s back online by issuing a ‘show failover’ command (whilst still on the primary firewall). You will know when the secondary firewall is up and ready as you will see ‘Secondary – Standby Ready’.
Note: If you can see the status lights on the standby firewall, watch for them to be green, green, amber, green, off (ASA5510).
Warning: Due to the limitations of HTML, your output will be formatted a little differently, you will see the output displayed like this, but the text is the same.
[box]
Petes-ASA(config)# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover Management0/0 (up)
Unit Poll frequency 1 seconds, holdtime 3 seconds
Interface Poll frequency 3 seconds, holdtime 15 seconds
Interface Policy 1
Monitored Interfaces 3 of 110 maximum
Version: Ours 8.4(5), Mate 9.1(1)
Last Failover at: 13:25:54 GMT/BST Dec 6 2012
This host: Primary - Active
Active time: 350 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.4(5)) status (Up Sys)
Interface outside (123.123.123.123): Normal (Monitored)
Interface inside (10.0.0.254): Normal (Monitored)
Interface backup (234.234.234.235): Normal (Monitored)
slot 1: ASA-SSM-10 hw/sw rev (1.0/CSC SSM 6.2.1599.0) status (Up/Up)
Logging port IP: 10.0.0.252/24 CSC SSM, 6.2.1599.0, Up
Other host: Secondary - Standby Ready <<<<<< Here we go!
Active time: 326 (sec)
slot 0: ASA5510 hw/sw rev (2.0/9.1(1)) status (Up Sys)
Interface outside (123.123.123.124): Normal (Monitored)
Interface inside (10.0.0.249): Normal (Monitored)
Interface backup (234.234.234.234): Normal (Monitored)
slot 1: ASA-SSM-10 hw/sw rev (1.0/CSC SSM 6.3.1172.0) status (Up/Up)
Logging port IP: 10.0.0.248/24
CSC SSM, 6.3.1172.0, Up
Stateful Failover Logical Update Statistics
Link : failover Management0/0 (up)
Stateful Obj xmit xerr rcv rerr
General 1709 0 491 49
sys cmd 58 0 58 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 896 0 244 48
UDP conn 280 0 45 1
ARP tbl 474 0 141 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 1 0
VPN IKEv1 P2 1 0 1 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Route Session 0 0 0 0
User-Identity 0 0 1 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 24 2101
Xmit Q: 0 1 2311
Petes-ASA(config)#
[/box]
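The check in step 6 can be scripted so the forced failover in the next step only happens when the standby is genuinely ready. This is an added example, not part of the original article: the function names are hypothetical, and both sample outputs are constructed (the first is abridged from the output above, the second imitates a standby that is still rebooting).

```python
import re

def parse_failover(output):
    """Pull the fields that matter for the upgrade out of 'show failover' text."""
    info = {"enabled": re.search(r"^\s*Failover On\b", output, re.M) is not None,
            "ours": None, "mate": None, "this_state": None, "other_state": None}
    m = re.search(r"Version: Ours (\S+), Mate (\S+)", output)
    if m:
        info["ours"], info["mate"] = m.groups()
    for key, label in (("this_state", "This host"), ("other_state", "Other host")):
        m = re.search(label + r":\s*(?:Primary|Secondary)\s*[-–]\s*(.+)", output)
        if m:
            # Drop trailing text that web pages fuse onto the state line.
            info[key] = re.split(r"\s*(?:Active time:|<)", m.group(1))[0].strip()
    return info

def failover_blockers(output, new_version):
    """Reasons NOT to run 'no failover active' yet; an empty list means go."""
    f = parse_failover(output)
    blockers = []
    if not f["enabled"]:
        blockers.append("failover is not enabled")
    if f["this_state"] != "Active":
        blockers.append(f"this unit is {f['this_state']!r}; run the check on the active unit")
    if f["other_state"] != "Standby Ready":
        blockers.append(f"mate is {f['other_state']!r}, not 'Standby Ready'")
    if f["mate"] != new_version:
        blockers.append(f"mate runs {f['mate']!r}, expected {new_version!r}")
    return blockers

# Constructed sample: abridged from the output shown above.
READY = """
Failover On
Failover unit Primary
Version: Ours 8.4(5), Mate 9.1(1)
        This host: Primary - Active
                Active time: 350 (sec)
        Other host: Secondary - Standby Ready
                Active time: 326 (sec)
"""
# Constructed sample: the standby has not come back from its reload yet.
REBOOTING = READY.replace("Mate 9.1(1)", "Mate Unknown").replace(
    "Secondary - Standby Ready", "Secondary - Failed")

if __name__ == "__main__":
    for name, text in (("ready", READY), ("rebooting", REBOOTING)):
        print(name, failover_blockers(text, "9.1(1)") or "safe to fail over")
```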
7. Now you need to force a failover to the secondary firewall, (again do this on the primary active firewall).
[box]
Petes-ASA(config)# no failover active
Petes-ASA(config)#
Switching to Standby
[/box]
8. Now reboot the primary firewall and that should boot to its new operating system.
[box]
Petes-ASA(config)# reload
Proceed with reload? [confirm] {Enter}
[/box]
9. Once complete, log back in and you can make the primary firewall active once more.
[box]
Petes-ASA>
Detected an Active mate
Beginning configuration replication from mate.
Petes-ASA>
End configuration replication from mate.
Petes-ASA> en
Password:*********
Petes-ASA# configure terminal
**** WARNING **** Configuration Replication is NOT performed from Standby unit to Active unit. Configurations are no longer synchronized.
Petes-ASA(config)# failover active
Switching to Active
[/box]
Related Articles, References, Credits, or External Links