The PIX 515 provides a new chassis and a new way of downloading images and upgrading the activation key. Apart from these changes, all other configuration issues are the same between the PIX 515 and all previous PIX Firewall models.
This chapter includes the following sections:
The PIX 515 has three LEDs in the front left of the chassis that are labeled as follows:
At the rear of the unit are connectors for the inside and outside Ethernet interfaces, for failover, and for the serial console. LEDs on either side of the Ethernet connectors indicate if 100 Mbps Ethernet is present, whether the link is active, and whether full duplex is present.
The PIX 515 receives its boot image from either Flash memory or by downloading the image from a TFTP server using the copy tftp flash or the monitor command.
You can get a TFTP server as follows:
With the 5.1 software release, you can use the copy tftp flash command. This command allows remote management of a binary image that can be uploaded without accessing monitor mode. The following section describes the copy tftp flash command.
The copy tftp flash command lets you change software images without requiring access to the TFTP monitor mode. An image you download is made available to the PIX Firewall on the next reload (reboot).
The command syntax is as follows:
copy tftp[:[[//location][/pathname]]] flash

If the command is used without the optional location or pathname parameters, the location and filename are obtained interactively through a series of questions similar to those presented by Cisco IOS software. If you enter a colon (:), the parameters are taken from the tftp-server command settings. If other optional parameters are supplied, those values are used in place of the corresponding tftp-server setting. Supplying any of the optional parameters, that is, a colon and anything after it, causes the command to run without prompting for user input.
The location is either an IP address or a name that resolves to an IP address via the PIX Firewall naming resolution mechanism (currently static mappings via the name and names commands). PIX Firewall must know how to reach this location via its routing table information. This information is determined by the ip address command, the route command, or also RIP, depending upon your configuration.
The pathname can include directory names in addition to its final component, the name of the image file on the server.
```
copy tftp flash
copy tftp: flash
copy tftp:/cdisk flash
copy tftp://10.0.0.1/cdisk flash
copy tftp://tftp-server/cdisk flash
copy tftp://tftp-server/tftpboot/cdisk flash
```
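The following Python is an added example, not part of the Cisco documentation, that parses the copy tftp syntax shown above and fills in omitted parts the way the text describes: a bare form prompts interactively, a colon form uses the tftp-server settings, and a name is resolved through the static name mappings. The tftp-server setting, the name-to-IP dictionary and the sample values are assumptions constructed for the example.

```python
import ipaddress
import re

# copy tftp[:[[//location][/pathname]]] flash  (syntax from the PIX 5.1 documentation)
_COPY_TFTP_RE = re.compile(
    r"^copy\s+tftp(?P<colon>:)?(?://(?P<location>[^/\s]+))?(?:/(?P<pathname>\S+))?\s+flash$"
)


def parse_copy_tftp(cmdline):
    """Split a copy tftp ... flash command into its optional location and pathname."""
    m = _COPY_TFTP_RE.match(cmdline.strip())
    if m is None:
        raise ValueError(f"not a valid copy tftp ... flash command: {cmdline!r}")
    if m.group("colon") is None:
        # bare "copy tftp flash": the PIX asks for location and filename interactively
        return {"interactive": True, "location": None, "pathname": None}
    # a colon (and anything after it) runs the copy without prompting;
    # a missing piece falls back to the corresponding tftp-server setting
    return {"interactive": False,
            "location": m.group("location"),
            "pathname": m.group("pathname")}


def resolve_location(location, names):
    """Return the server IP for a dotted address or for a name defined with the name command.
    `names` is an assumed dict of static name->IP mappings, e.g. {"tftp-server": "10.0.0.1"}."""
    try:
        return str(ipaddress.IPv4Address(location))
    except ipaddress.AddressValueError:
        if location not in names:
            raise KeyError(f"{location!r} is not an IP address and has no name mapping")
        return names[location]


def effective_source(parsed, tftp_server_setting, names):
    """Combine a parsed command with the assumed (ip, path) from a tftp-server command."""
    if parsed["interactive"]:
        raise ValueError("interactive form: location and filename are prompted for")
    default_ip, default_path = tftp_server_setting
    location = parsed["location"]
    ip = default_ip if location is None else resolve_location(location, names)
    path = default_path if parsed["pathname"] is None else parsed["pathname"]
    return ip, path
```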
Because the PIX 515 does not have a diskette drive, you need to send a binary image to the PIX 515 using Trivial File Transfer Protocol (TFTP). The PIX 515 has a special mode called monitor mode that lets you retrieve the binary image over the network. When you power on or reboot the PIX 515, it waits 10 seconds, during which you can send a BREAK character or press the Escape key to activate monitor mode.
If you do not want to enter monitor mode, press the space bar to start the normal boot immediately, or wait until the 10 seconds have elapsed and the PIX 515 will boot normally.
While in monitor mode, you can enter commands that let you specify the location of the binary image, download it, and reboot the PIX 515 from the new image. If you do not activate monitor mode, the PIX 515 boots normally from Flash memory.
Monitor mode also lets you ping the TFTP server to see if it is online and to specify the IP address of the nearest router if the image is not on a subnet shared with a PIX 515 interface.
The monitor feature only works on the PIX 515 and not with earlier models of the PIX Firewall. TFTP does not perform authentication when transferring files, so a username and password on the TFTP server are not required.
The maximum length of a filename is 122 characters.
If the TFTP service stops receiving data requests during a file transfer, it waits four seconds and then closes the connection.
Use the following steps to download an image over TFTP using the monitor command:
Step 1 Immediately after you power on the PIX Firewall and the startup messages appear, send a BREAK character or press the Esc (Escape) key.
The monitor> prompt appears.
Step 2 If desired, enter a question mark (?) to list the available commands.
Step 3 Use the interface command to specify which interface the ping traffic should use. If the PIX 515 has only two interfaces, the monitor command defaults to the inside interface.
Step 4 Use the address command to specify the IP address of the PIX Firewall's interface.
Step 5 Use the server command to specify the IP address of the remote server.
Step 6 Use the file command to specify the filename of the PIX Firewall image.
Step 7 If needed, enter the gateway command to specify the IP address of a router gateway through which the server is accessible.
Step 8 If needed, use the ping command to verify accessibility. If this command fails, fix access to the server before continuing.
Step 9 Use the tftp command to start the download.
An example follows:
```
Rebooting....
PIX BIOS (4.0) #47: Sat May 8 10:09:47 PDT 1999
Platform PIX-520
Flash=AT29C040A @ 0x300
Use BREAK or ESC to interrupt flash boot.
Use SPACE to begin flash boot immediately.
Flash boot interrupted.
0: i8255X @ PCI(bus:0 dev:13 irq:11)
1: i8255X @ PCI(bus:0 dev:14 irq:10)
Using 1: i82558 @ PCI(bus:0 dev:14 irq:10), MAC: 0090.2722.f0b1
Use ? for help.
monitor> ?
?                    this help message
address [addr]       set IP address
file [name]          set boot file name
gateway [addr]       set IP gateway
help                 this help message
interface [num]      select TFTP interface
ping <addr>          send ICMP echo
reload               halt and reload system
server [addr]        set server IP address
tftp                 TFTP download
timeout              TFTP timeout
trace                toggle packet tracing
monitor> addr 192.168.1.1
address 192.168.1.1
monitor> serv 192.168.1.2
server 192.168.1.2
monitor> file cdisk
file cdisk
monitor> ping 192.168.1.2
Sending 5, 100-byte 0x5b8d ICMP Echoes to 192.168.1.2, timeout is 4 seconds:
!!!!!
Success rate is 100 percent (5/5)
monitor> tftp
tftp cdisk@192.168.1.2................................
Received 626688 bytes
PIX admin loader (3.0) #0: Tue May 11 10:43:02 PDT 1999
Flash=AT29C040A @ 0x300
Flash version 4.9.9.1, Install version 4.4.1
Installing to flash ...
```
During a TFTP download, if tracing is on, non-fatal errors appear among the dots that are displayed as the image downloads. The error code appears inside angle brackets. Table 7-1 lists the code values.
For example, bad blocks intermixed with good packets appear as follows:
....<11>..<11>.<11>......<11>...
Also, tracing will show "A" and "T" for ARP and timeouts, respectively. Receipt of non-IP packets causes the protocol number to display inside parentheses.
Table 7-1 lists the TFTP error codes.
| Error Code | Description |
|---|---|
| 2 | The packet length as received from the Ethernet device was not big enough to be a valid TFTP packet. |
| 3 | The received packet was not from the server specified in the server command. |
| 4 | The IP header length was not big enough to be a valid TFTP packet. |
| 5 | The IP protocol type on the received packet was not UDP, which is the underlying protocol used by TFTP. |
| 6 | The received IP packet's destination address did not match the address specified by the address command. |
| 7 | The UDP ports on either side of the connection did not match the expected values. This means either the local port was not the previously selected port, or the foreign port was not the TFTP port, or both. |
| 8 | The UDP checksum calculation on the packet failed. |
| 9 | An unexpected TFTP code occurred. |
| 10 | A TFTP transfer error occurred. |
| 11 | A TFTP packet was received out of sequence. |
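As an added example that is not part of the Cisco documentation, the following Python parses one line of the monitor-mode trace output described above (dots for good blocks, <code> for the Table 7-1 errors, "A" and "T" for ARP and timeouts, and a protocol number in parentheses for non-IP frames) and tallies what was seen. The second sample trace line in the test is constructed, as is the protocol number in it.

```python
import re

# Table 7-1 TFTP error codes, as listed on this page
TFTP_ERROR_CODES = {
    2: "The packet length as received from the Ethernet device was not big enough to be a valid TFTP packet.",
    3: "The received packet was not from the server specified in the server command.",
    4: "The IP header length was not big enough to be a valid TFTP packet.",
    5: "The IP protocol type on the received packet was not UDP, which is the underlying protocol used by TFTP.",
    6: "The received IP packet's destination address did not match the address specified by the address command.",
    7: "The UDP ports on either side of the connection did not match the expected values.",
    8: "The UDP checksum calculation on the packet failed.",
    9: "An unexpected TFTP code occurred.",
    10: "A TFTP transfer error occurred.",
    11: "A TFTP packet was received out of sequence.",
}

# one trace token: a good block ".", an error "<code>", a non-IP frame "(protocol)",
# an ARP packet "A" or a timeout "T"
_TOKEN_RE = re.compile(r"\.|<(\d+)>|\((\d+)\)|A|T")


def summarize_trace(trace):
    """Tally dots, error codes, ARP/timeout markers and non-IP protocol numbers
    in one line of monitor-mode TFTP trace output."""
    trace = trace.strip()
    summary = {"good_blocks": 0, "errors": {}, "arp": 0, "timeouts": 0, "non_ip_protocols": {}}
    pos = 0
    while pos < len(trace):
        m = _TOKEN_RE.match(trace, pos)
        if m is None:
            raise ValueError(f"unrecognised trace output at offset {pos}: {trace[pos:pos + 8]!r}")
        tok = m.group(0)
        if tok == ".":
            summary["good_blocks"] += 1
        elif tok == "A":
            summary["arp"] += 1
        elif tok == "T":
            summary["timeouts"] += 1
        elif m.group(1) is not None:
            code = int(m.group(1))
            summary["errors"][code] = summary["errors"].get(code, 0) + 1
        else:
            proto = int(m.group(2))
            summary["non_ip_protocols"][proto] = summary["non_ip_protocols"].get(proto, 0) + 1
        pos = m.end()
    return summary


def describe_errors(summary):
    """Map each error code seen to its Table 7-1 description."""
    return {code: TFTP_ERROR_CODES.get(code, "code not listed in Table 7-1")
            for code in sorted(summary["errors"])}
```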
Follow these steps to upgrade an activation key on the PIX 515:
Step 1 Acquire a PIX 4.4(n) image from Cisco Connection Online (CCO).
Step 2 Set up a TFTP server and transfer the image to the proper directory.
Step 3 Reboot the PIX 515.
Step 4 Press Escape or send the BREAK character to enter the boot ROM monitor.
Step 5 Download a TFTP image as described in the previous section, "Downloading a PIX 515 Image over TFTP."
Step 6 When prompted to "install new image," enter y.
Step 7 When prompted to "enter new key," enter y.
Step 8 Enter the four-part activation key.
If the key is correct, the system will boot and run correctly.
Posted: Wed Apr 12 05:07:45 PDT 2000
Copyright 1989 - 2000 © Cisco Systems Inc.