The PIX 515 is new in version 4.4(1) and provides a new chassis with a new way of downloading images and upgrading the activation key. Apart from these changes, all other configuration issues are the same between the PIX 515 and all previous PIX Firewall models.
The topics discussed in this chapter are:
The PIX 515 has three LEDs in the front left of the chassis that are labeled as follows:
At the rear of the unit are connectors for the inside and outside Ethernet interfaces, for failover, and for the serial console. LEDs on either side of the Ethernet connectors indicate if 100 Mbps Ethernet is present, whether the link is active, and whether full duplex is present.
The PIX 515 receives its boot image from either Flash memory or by downloading the image from a TFTP server. (Cisco sells an optional TFTP server, you can use the TFTP server provided with UNIX, or you can use a TFTP server available for your computer.)
This section describes the monitor command which you can invoke while the PIX 515 is booting by sending a BREAK character or pressing the Esc key.
Because the PIX 515 does not have a diskette drive, you need to send a binary image to the PIX 515 using Trivial File Transfer Protocol (TFTP). The PIX 515 has a special mode called monitor mode that lets you retrieve the binary image over the network. When you power on or reboot the PIX 515, it waits 10 seconds, during which you can send a BREAK character or press the Escape key to activate monitor mode.
If you do not want to enter monitor mode, press the space bar to start the normal boot immediately, or wait until the 10 seconds have elapsed and the PIX 515 will boot normally.
While in monitor mode, you can enter commands that let you specify the location of the binary image, download it, and reboot the PIX 515 from the new image. If you do not activate monitor mode, the PIX 515 boots normally from Flash memory.
Monitor mode also lets you ping the TFTP server to see if it is online and to specify the IP address of the nearest router if the image is not on a subnet shared with a PIX 515 interface.
The monitor feature only works on the PIX 515 and not with earlier models of the PIX Firewall. TFTP does not perform authentication when transferring files, so a username and password on the TFTP server are not required. Because nothing in the transfer identifies the server or checks the image, run the download only over a network segment you control, and confirm that the file on the TFTP server is the image you obtained from Cisco before you start.
The maximum length of a filename is 122 characters.
If the TFTP service stops receiving data requests during a file transfer, it waits four seconds and then closes the connection.
To download an image over TFTP:
Step 1 Immediately after you power on the PIX Firewall and the startup messages appear, send a BREAK character or press the Esc (Escape) key.
The monitor> prompt appears.
Step 2 If desired, enter a question mark (?) to list the available commands.
Step 3 Use the interface command to specify which interface the TFTP and ping traffic should use. If the PIX 515 has only two interfaces, the monitor command defaults to the inside interface.
Step 4 Use the address command to specify the IP address of the PIX Firewall's interface.
Step 5 Use the server command to specify the IP address of the remote server.
Step 6 Use the file command to specify the filename of the PIX Firewall image.
Step 7 If needed, enter the gateway command to specify the IP address of a router gateway through which the server is accessible.
Step 8 If needed, use the ping command to verify accessibility. If this command fails, fix access to the server before continuing.
Step 9 Use the tftp command to start the download.
An example follows:
```
Rebooting....
PIX BIOS (4.0) #47: Sat May 8 10:09:47 PDT 1999
Platform PIX-520
Flash=AT29C040A @ 0x300
Use BREAK or ESC to interrupt flash boot.
Use SPACE to begin flash boot immediately.
Flash boot interrupted.
0: i8255X @ PCI(bus:0 dev:13 irq:11)
1: i8255X @ PCI(bus:0 dev:14 irq:10)
Using 1: i82558 @ PCI(bus:0 dev:14 irq:10), MAC: 0090.2722.f0b1
Use ? for help.
monitor> ?
?                 this help message
address [addr]    set IP address
file [name]       set boot file name
gateway [addr]    set IP gateway
help              this help message
interface [num]   select TFTP interface
ping <addr>       send ICMP echo
reload            halt and reload system
server [addr]     set server IP address
tftp              TFTP download
timeout           TFTP timeout
trace             toggle packet tracing
monitor> addr 192.168.1.1
address 192.168.1.1
monitor> serv 192.168.1.2
server 192.168.1.2
monitor> file cdisk
file cdisk
monitor> ping 192.168.1.2
Sending 5, 100-byte 0x5b8d ICMP Echoes to 192.168.1.2, timeout is 4 seconds:
!!!!!
Success rate is 100 percent (5/5)
monitor> tftp
tftp cdisk@192.168.1.2................................
Received 626688 bytes
PIX admin loader (3.0) #0: Tue May 11 10:43:02 PDT 1999
Flash=AT29C040A @ 0x300
Flash version 4.9.9.1, Install version 4.4.1
Installing to flash
...
```
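The monitor's tftp command speaks the classic TFTP read exchange (RFC 1350): a read request naming the file, then 512-byte DATA blocks each acknowledged by block number, with a block shorter than 512 bytes marking end of file. The following Python model of that exchange is an added example, not Cisco code: an in-memory server stands in for the real TFTP server, SAMPLE_IMAGE is a constructed byte string rather than a PIX image, and the file name cdisk is taken from the transcript above. It shows the packet layout the monitor sends and receives, the block sequencing that error code 11 refers to, and that the read request carries no credential of any kind.

```python
import struct

RRQ, DATA, ACK, ERROR = 1, 3, 4, 5
BLOCK_SIZE = 512                         # fixed data block size in classic TFTP

def build_rrq(filename, mode="octet"):
    # RRQ = opcode 1, filename, NUL, mode, NUL.  There is no field for a
    # credential: the server hands the file to whoever asks for it.
    return struct.pack("!H", RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"

def build_data(block, payload):
    return struct.pack("!HH", DATA, block) + payload

def build_ack(block):
    return struct.pack("!HH", ACK, block)

def build_error(code, message):
    return struct.pack("!HH", ERROR, code) + message.encode() + b"\0"

def parse(pkt):
    """Return (opcode, block_or_code, body) for one TFTP packet."""
    (op,) = struct.unpack("!H", pkt[:2])
    if op == RRQ:
        name, mode, _ = pkt[2:].split(b"\0", 2)
        return op, None, (name.decode(), mode.decode())
    if op in (DATA, ACK):
        (block,) = struct.unpack("!H", pkt[2:4])
        return op, block, pkt[4:]
    if op == ERROR:
        (code,) = struct.unpack("!H", pkt[2:4])
        return op, code, pkt[4:].rstrip(b"\0").decode()
    raise ValueError("unknown TFTP opcode %d" % op)

class TftpServer:
    """Serves an in-memory dict of files (stand-in for a real TFTP server)."""
    def __init__(self, files):
        self.files = files
        self.data = b""
        self.block = 0          # block number the server is waiting to see ACKed

    def handle(self, pkt):
        """Process one client packet; return the reply, or None if there is none."""
        op, block, body = parse(pkt)
        if op == RRQ:
            name, _mode = body
            if name not in self.files:
                return build_error(1, "File not found")
            self.data, self.block = self.files[name], 1
            return self._data_block()
        if op == ACK and block == self.block:
            self.block += 1
            return self._data_block()
        return None             # duplicate or stale ACK: nothing to send

    def _data_block(self):
        start = (self.block - 1) * BLOCK_SIZE
        if start > len(self.data):          # the final block was already ACKed
            return None
        # A block shorter than 512 bytes (possibly empty) marks end of file.
        return build_data(self.block, self.data[start:start + BLOCK_SIZE])

def tftp_get(server, filename):
    """Run a complete read transfer against `server`; return the file bytes."""
    received = bytearray()
    expected = 1
    reply = server.handle(build_rrq(filename))
    while True:
        if reply is None:
            raise TimeoutError("server stopped answering before end of file")
        op, block, body = parse(reply)
        if op == ERROR:
            raise IOError("TFTP error %d: %s" % (block, body))
        if op != DATA or block != expected:
            # The condition the monitor's trace output reports as <11>.
            raise IOError("block %s out of sequence, expected %d" % (block, expected))
        received += body
        reply = server.handle(build_ack(block))
        if len(body) < BLOCK_SIZE:
            return bytes(received)
        expected += 1

# Constructed stand-in for a PIX image: 772 bytes, which exercises one full
# block and one short terminating block.
SAMPLE_IMAGE = bytes(range(256)) * 3 + b"tail"

def demo():
    server = TftpServer({"cdisk": SAMPLE_IMAGE})
    image = tftp_get(server, "cdisk")
    return len(image), image == SAMPLE_IMAGE

if __name__ == "__main__":
    print("Received %d bytes, intact: %s" % demo())
```

Note that the only thing a real server checks before answering is the file name, which is why the previous section tells you no username or password is needed; the same property means any host that can answer first on the segment can supply the image.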
During a TFTP download, if tracing is on, non-fatal errors appear among the dots that display as the image downloads. The error code appears inside angle brackets. Table 6-1 lists the code values.
For example, bad blocks intermixed with good packets appear as follows:
....<11>..<11>.<11>......<11>...
Also, tracing will show "A" and "T" for ARP and timeouts, respectively. Receipt of non-IP packets causes the protocol number to display inside parentheses.
Table 6-1 lists the TFTP error codes.
| Error Code | Description |
|---|---|
| 2 | The packet length as received from the Ethernet device was not big enough to be a valid TFTP packet. |
| 3 | The received packet was not from the server specified in the server command. |
| 4 | The IP header length was not big enough to be a valid TFTP packet. |
| 5 | The IP protocol type on the received packet was not UDP, which is the underlying protocol used by TFTP. |
| 6 | The received IP packet's destination address did not match the address specified by the address command. |
| 7 | The UDP ports on either side of the connection did not match the expected values. This means either the local port was not the previously selected port, or the foreign port wasn't the TFTP port, or both. |
| 8 | The UDP checksum calculation on the packet failed. |
| 9 | An unexpected TFTP code occurred. |
| 10 | A TFTP transfer error occurred. |
| 11 | A TFTP packet was received out of sequence. |
To upgrade an activation key on the PIX 515:
Step 1 Acquire a PIX 4.4(n) image from Cisco Connection Online (CCO).
Step 2 Set up a TFTP server and transfer the image to the proper directory.
Step 3 Reboot the PIX 515.
Step 4 Press Escape or send the BREAK character to enter the boot ROM monitor.
Step 5 Download a TFTP image as described in the previous section, "Downloading a PIX 515 Image over TFTP."
Step 6 When prompted to "install new image" enter y.
Step 7 When prompted to "enter new key" enter y.
Step 8 Enter the four-part activation key.
If the key is correct, the system will boot and run correctly.
Posted: Tue Jun 8 20:02:37 PDT 1999
Copyright 1989-1999 © Cisco Systems Inc.