Upgrading PIX 515 from 5.1 to 7.x

 
 
VeeDub
      09-02-2006
Hi

I have the opportunity to pick up a PIX 515 (non-E) with IOS version
5.1 on it. I already have a PIX 520 running 6.3 but want access to the
7.x environment which my 520 will not do. I know there are activation
keys that enable certain functions on the PIX etc but wanted to know if
these were required to upgrade the IOS on the 515 from 5.1 to 7.x. I do
have access to PIX 515e's running 7.1 and need to know if this image
can be easily taken from the 515e and placed on the 515 without need
for additional licence keys etc like can be done with Cisco routers.

Thanks

 
Walter Roberson
      09-02-2006
In article <(E-Mail Removed) om>,
VeeDub <(E-Mail Removed)> wrote:

>I have the opportunity to pick up a PIX 515 (non-E) with IOS version
>5.1 on it.


PIX doesn't use "IOS", it uses "Finesse", more commonly just called
"PIX OS". But that's not germane to the question.

>I already have a PIX 520 running 6.3 but want access to the
>7.x environment which my 520 will not do. I know there are activation
>keys that enable certain functions on the PIX etc but wanted to know if
>these were required to upgrade the IOS on the 515 from 5.1 to 7.x.


If the PIX 515 is running 5.1(1) then it will need a new license
key to upgrade to -any- later version.

If the PIX 515 is running 5.1(2) or later then it would not need
a new license key to run PIX 7.x .

If the PIX 515 does not happen to have a 3DES key (which was
extra cost back then), then if it were upgraded to PIX 7.x, you
would not be able to use 3DES, AES, or (if memory serves) SSL VPN
or WebVPN.


>I do
>have access to PIX 515e's running 7.1 and need to know if this image
>can be easily taken from the 515e and placed on the 515 without need
>for additional licence keys etc like can be done with Cisco routers.


You have a problem: the PIX 515 running 5.1 is going to have 32 Mb
of RAM, but 7.x requires at least 64 Mb to run. The Cisco part
number for the memory upgrade is PIX-515-MEM-32= . If you hunted
around a bit you could probably find a non-Cisco source for the
memory.

I seem to recall reading that a few people have reported being able
to boot 7.0 with only 32 Mb of memory; it isn't a supported
configuration.


Copying the PIX 7.1 image off of an existing device might be
technically possible, but it would very likely not be allowed by the
license terms.

Your posting IP suggests you are in Australia. If so, then Cisco
software licenses do not transfer with the hardware, so if you
pick up the PIX 515 running PIX 5.1 then chances are very very slim
that you would have gone through one of the few dealers authorized
to transfer licenses. In order to be able to use the PIX
legally, you would have to go through Cisco's "relicensing" procedure,
which is basically paying Cisco on the order of $US700 for the
right to use the software.

The procedures after that are a bit fuzzy, as Cisco at various times
has said that relicensing does -not- entitle you to a software upgrade.
A one time software upgrade license is $US1000. You -might- be
allowed to instead start a software-only support contract at a much
lower cost, but when you are starting with software that old, Cisco
might refuse the contract until you pay some kind of upgrade fee.
The details of how this all works to get clear legal title to the
latest software are unclear, apparently so even to VARs that deal
closely with Cisco.

By the time you add all these up, you might find it less expensive
to just buy a new 515E or perhaps a Cisco ASA 5505.
 
VeeDub
      09-03-2006
Hi Walter,

thanks for your extended reply. I am looking to use this device for my
CCSP cert so it will not be used in a production environment, though in
Cisco's view, I don't think that they differentiate from a licencing
perspective.

Below is a copy of the "sh version" output:

pixfirewall- show ver

Cisco Secure PIX Firewall Version 5.1(2)
Compiled on Tue 16-May-00 16:09 by bhochuli

pixfirewall up 29 secs

Hardware: PIX-515, 64 MB RAM, CPU Pentium 200 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB

0: ethernet0: address is 0050.54ff.5748, irq 9
1: ethernet1: address is 0050.54ff.5749, irq 7
2: ethernet2: address is 00d0.b780.a3ad, irq 11

Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES: Disabled
Maximum Interfaces: 6


From this I can see it is running 5.1 (2) so from this information you
believe it is technically possible to upload a 7.x image to it and use
it without a new activation key? Also, it only has DES available, not
3DES or AES (which I presume was not around at the time of 5.1) so if I
wanted to use this I would need a new key. Would this be a key that
would be inserted whilst running 5.1 or once 7.x is installed? As I am
new to PIX the whole activation key, licence requirements thing is a
bit foreign to me, I am far more used to the simple IOS versions used
on Routers and Switches.

I am not certain if this PIX will be more problems than what it is
worth. The slower CPU speed etc is not of concern to me due to it being
used for my learning only but I do really need it to be able to run 7.x
otherwise the device is useless to me.

I have also read the device needs to be updated to 6.2 or 6.3 before
upgrading to 7.x. Are you familiar with this requirement?

Thanks



 
Walter Roberson
      09-03-2006
In article <(E-Mail Removed). com>,
VeeDub <(E-Mail Removed)> wrote:

>Cisco Secure PIX Firewall Version 5.1(2)
>Hardware: PIX-515, 64 MB RAM, CPU Pentium 200 MHz


That's good news in one way, the 64 MB is the minimum you need for
PIX 7. However,

>Maximum Interfaces: 6


That tells me that the PIX 515 currently has an Unrestricted license.
If you were to install PIX 7 on it, then you would need 128 MB
to fit the Unrestricted license, according to Cisco. It's the
same image as Restricted though, so it'd be a matter of data tables,
so if the PIX wasn't very active then you -might- be able to
get away with 64 MB, depending on how strictly the PIX OS checks.


>From this I can see it is running 5.1 (2) so from this information you
>believe it is technically possible to upload a 7.x image to it and use
>it without a new activation key?


Yes.

>Also, it only has DES available, not
>3DES or AES (which I presume was not around at the time of 5.1) so if I


AES did not come in until 6.something, but 3DES existed back then.
The same key is used for 3DES and AES; I -think- I saw in passing
that that key is also required for the SSL and HTTPS features.

>wanted to use this I would need a new key. Would this be a key that
>would be inserted whilst running 5.1 or once 7.x is installed.


Either way. It's easier from 6.1 onward: before that point, changing
the key requires copying in the OS again, with the key being
prompted for as the very last stage of that. 6.1 onward has a simple
command to enter a new key.

One minor point: when you upgrade to PIX 7, it saves a copy of the
existing activation key, and if you ever downgrade then it restores
that activation key. So if you install the 3DES key first before
the upgrade then if you were to downgrade you would still have 3DES,
but if you were to install the 3DES key after the upgrade then
if you were to downgrade it'd go back to the old key. On the
other hand at that point you could just enter the 3DES key since it'd
be the same activation key.


>I have also read the device needs to be updated to 6.2 or 6.3 before
>upgrading to 7.x. Are you familiar with this requirement?


That is what is documented. We did have one report from someone
who went from a much older version upward, apparently skipping 6.x
in the process. The glitches reported were to do with the memory
size, I think it was.
 
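The checks discussed in the posts above, collected into one script as an added example that is not part of any poster's message: it parses the "show ver" text posted in this thread and applies the thresholds the replies state (5.1(2) or later keeps the existing key, 6.2/6.3 as the documented stepping stone, 64 MB minimum for 7.x, 128 MB for Unrestricted, no 3DES/AES without the 3DES key). Reading "Maximum Interfaces: 6" as Unrestricted follows the reply above and is an assumption, as are all function, constant and finding names.

```python
import re

# Sample input: excerpt of the "show ver" output posted earlier in this thread.
SAMPLE_SHOW_VERSION = """\
Cisco Secure PIX Firewall Version 5.1(2)
Compiled on Tue 16-May-00 16:09 by bhochuli

Hardware: PIX-515, 64 MB RAM, CPU Pentium 200 MHz
Flash i28F640J5 @ 0x300, 16MB

Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES: Disabled
Maximum Interfaces: 6
"""

MIN_RAM_MB = 64         # minimum for PIX 7.x, per the thread
UR_RAM_MB = 128         # figure quoted in the thread for an Unrestricted license
UR_INTERFACE_HINT = 6   # assumption: 6 interfaces read as Unrestricted


def parse_show_version(text):
    """Extract version, RAM and licensed features from PIX 'show version' text."""
    ver = re.search(r"Version (\d+)\.(\d+)\((\d+)\)", text)
    hw = re.search(r"Hardware:\s*([\w-]+),\s*(\d+)\s*MB RAM", text)
    ifs = re.search(r"Maximum Interfaces:\s*(\d+)", text)
    if not (ver and hw and ifs):
        raise ValueError("not a recognisable PIX 'show version' output")
    # "Failover: Enabled" style lines become {"Failover": True, ...}
    features = {
        name: state == "Enabled"
        for name, state in re.findall(
            r"^\s*([\w-]+):\s*(Enabled|Disabled)\s*$", text, re.MULTILINE)
    }
    return {
        "version": tuple(int(g) for g in ver.groups()),
        "model": hw.group(1),
        "ram_mb": int(hw.group(2)),
        "max_interfaces": int(ifs.group(1)),
        "features": features,
    }


def assess_pix7_readiness(info):
    """Return (code, message) findings for a planned upgrade to PIX 7.x."""
    findings = []
    if info["version"] < (5, 1, 2):
        findings.append(("NEEDS_NEW_KEY",
                         "older than 5.1(2): new license key needed to upgrade"))
    if info["version"] < (6, 2, 0):
        findings.append(("STEP_VIA_6X",
                         "documented path goes through 6.2 or 6.3 first"))
    unrestricted = info["max_interfaces"] >= UR_INTERFACE_HINT
    if info["ram_mb"] < MIN_RAM_MB:
        findings.append(("RAM_BELOW_MIN",
                         f"{info['ram_mb']} MB is below the {MIN_RAM_MB} MB minimum"))
    elif unrestricted and info["ram_mb"] < UR_RAM_MB:
        findings.append(("UR_RAM_UNSUPPORTED",
                         f"Unrestricted license with under {UR_RAM_MB} MB: unsupported"))
    if not info["features"].get("VPN-3DES", False):
        findings.append(("DES_ONLY",
                         "VPN-3DES disabled: no 3DES or AES, VPN limited to DES"))
    return findings


if __name__ == "__main__":
    for code, message in assess_pix7_readiness(
            parse_show_version(SAMPLE_SHOW_VERSION)):
        print(f"{code}: {message}")
```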
 
john smith
      09-03-2006
On Sun, 03 Sep 2006 02:51:48 +0000, Walter Roberson wrote:

> That tells me that the PIX 515 currently has an Unrestricted license.
> If you were to install PIX 7 on it, then you would need 128 MB
> to fit the Unrestricted license, according to Cisco. It's the
> same image as Restricted though, so it'd be a matter of data tables,
> so if the PIX wasn't very active then you -might- be able to
> get away with 64 MB, depending on how strictly the PIX OS checks.

i've installed/operated a 515e w/ 64MB RAM and UR license running 7.x
software. it's not officially supported by Cisco, but if you're just
looking for lab use, it will do fine. (in this configuration i've not
used failover though so i don't know if the memory limitations play a role
then)

 
 
VeeDub
      09-03-2006
Thanks John and Walter,

well as for RAM, I can see this can be purchased quite inexpensively on
eBay so if I needed to upgrade to 128MB I could probably afford this. I
have read however that PIX OS and activation keys are tied to the
actual serial number of the device. Do you know if this is true? If so,
it seems I would need to contact Cisco for both an OS and an activation
key if I wanted to upgrade to a 3DES operation. Alternatively I suppose
I could get a software contract on it but I presume this would not
allow me to simply upgrade to 3DES, this activation key would be extra
I presume, but am I right in thinking this would allow me to receive
and install 7.x at least, presuming that the OS is tied to the serial on
the device?

Thanks again


 
Walter Roberson
      09-03-2006
In article <(E-Mail Removed). com>,
VeeDub <(E-Mail Removed)> wrote:
>I have read however that PIX OS and activation keys are tied to the
>actual serial number of the device. Do you know if this is true?


Definitely not for 6.x. I'm not sure for 7.x, but I doubt it.
But it might plausibly be the case for the Cisco ASA series.

>If so,
>it seems I would need to contact Cisco for both an OS and an activation
>key if I wanted to upgrade to a 3DES operation. Alternatively I suppose
>I could get a software contract on it but I presume this would not
>allow me to simply upgrade to 3DES, this activation key would be extra
>I presume, but am I right in thinking this would allow me to receive
>and install 7.x atleast, presuming that the OS is tied to the serial on
>the device?


These days, if you are in one of the countries allowed to receive
3DES and you are not on the banned persons list, then you are
entitled to a free 3DES activation key. The catch is that you
have to go through a registration form, and they are going to
check your registration information against the previous owner's
registration information.

You do not need a new activation key to go from 5.1(2)UR to 7.x:
you just won't be able to use some of the features. And for
your study purposes those might turn out to be key features.
 
 
VeeDub
      09-03-2006
Thanks Walter

your advice has been invaluable.



 
john smith
      09-03-2006
On Sat, 02 Sep 2006 23:32:17 -0700, VeeDub wrote:

> Thanks Walter
>
> your advice has been invaluable.
>
>
>
> Walter Roberson wrote:
>> In article <(E-Mail Removed). com>,
>> VeeDub <(E-Mail Removed)> wrote:
>> >I have read however that PIX OS and activation keys are tied to the
>> >actual serial number of the device. Do you know if this is true?

>>
>> Definitely not for 6.x. I'm not sure for 7.x, but I doubt it.
>> But it might plausibly be the case for the Cisco ASA series.

i can say from experience the activation is tied to the S/N. even in 6.3.
i had to open a TAC case on this 2 weeks ago because one of my pixes lost its
activation key during a downgrade from 7.2(1) to 6.3(5). i couldn't just
take an activation key from one of my many other (same model) pixes. when
i called TAC, they had to have my S/N, and he specifically said it was
tied to the activation key.
 
 
VeeDub
      09-06-2006
Thanks John

seems I need to make sure then that whatever one I get it should
already be enabled for the functionality I require.


