upgrade pix 520 to newest IOS (6.3?)

Discussion in 'Cisco' started by Scott Emick, May 7, 2004.

  1. Scott Emick

    Scott Emick Guest

    This is what I have:

    fox-pixfirewall# show hardware
    Cisco PIX Firewall Version 6.1(1)
    Cisco PIX Device Manager Version 1.0(2)

    Compiled on Tue 11-Sep-01 07:45 by morlee

    fox-pixfirewall up 1 day 23 hours

    Hardware: SE440BX2, 128 MB RAM, CPU Pentium II 350 MHz
    Flash i28F640J5 @ 0x300, 16MB
    BIOS Flash AT29C257 @ 0xfffd8000, 32KB

    0: ethernet0: address is 0090.2743.2ee8, irq 11
    1: ethernet1: address is 0002.b30c.2ea5, irq 15
    2: ethernet2: address is 0090.2713.fb3d, irq 10

    Licensed Features:
    Failover: Enabled
    VPN-DES: Enabled
    VPN-3DES: Disabled
    Maximum Interfaces: 6
    Cut-through Proxy: Enabled
    Guards: Enabled
    Websense: Enabled
    Inside Hosts: Unlimited
    Throughput: Unlimited
    ISAKMP peers: Unlimited
    Scott Emick, May 7, 2004
    #1
    1. Advertising

  2. In article <>,
    Scott Emick <> wrote:
    :This is what I have:

    :Cisco PIX Firewall Version 6.1(1)
    :Cisco PIX Device Manager Version 1.0(2)

    :Hardware: SE440BX2, 128 MB RAM, CPU Pentium II 350 MHz
    :Flash i28F640J5 @ 0x300, 16MB


    You accidently omitted the question ;-)

    If the question is whether 6.3(3) is supported on that hardware,
    the answer is Yes, the PIX-520 and PIX-520-XM (which is what you
    probably have) with 128 Mb RAM and 16 Mb flash is supported by 6.3(3).


    You should, though, not expect to be able to upgrade to PIX 7.0 when
    it is released from beta -- my "reading between the lines" is that
    the 510 and 520 will not be supported, and it that is plausible that
    the 506 and 515 might not be either (but that the 506E and 515E would
    likely be supported.)
    --
    vi -- think of it as practice for the ROGUE Olympics!
    Walter Roberson, May 7, 2004
    #2
    1. Advertising

  3. Scott Emick

    Scott Emick Guest

    Yes my question was can I upgrade to 6.3 and are there any additional
    requirements. We want the 3DES.

    Thanks,

    Scott

    -cnrc.gc.ca (Walter Roberson) wrote in message news:<c7gdvl$omd$>...
    > In article <>,
    > Scott Emick <> wrote:
    > :This is what I have:
    >
    > :Cisco PIX Firewall Version 6.1(1)
    > :Cisco PIX Device Manager Version 1.0(2)
    >
    > :Hardware: SE440BX2, 128 MB RAM, CPU Pentium II 350 MHz
    > :Flash i28F640J5 @ 0x300, 16MB
    >
    >
    > You accidently omitted the question ;-)
    >
    > If the question is whether 6.3(3) is supported on that hardware,
    > the answer is Yes, the PIX-520 and PIX-520-XM (which is what you
    > probably have) with 128 Mb RAM and 16 Mb flash is supported by 6.3(3).
    >
    >
    > You should, though, not expect to be able to upgrade to PIX 7.0 when
    > it is released from beta -- my "reading between the lines" is that
    > the 510 and 520 will not be supported, and it that is plausible that
    > the 506 and 515 might not be either (but that the 506E and 515E would
    > likely be supported.)
    Scott Emick, May 10, 2004
    #3
  4. In article <>,
    Scott Emick <> wrote:
    :Yes my question was can I upgrade to 6.3 and are there any additional
    :requirements. We want the 3DES.

    Your PIX-520-XM with the hardware you showed should not require anything
    addition to upgrade to PIX 6.3.

    The base PIX software supports 3DES, but you need the proper activation
    key for it. After you do the PIX 6.3 upgrade, you would fill out
    an online form on cisco.com (needs CCO registration, but does
    not need a support contract) and provided you fit the legal parameters,
    Cisco will send you a new activation key that you would then enter in.
    (There's a command in 6.2+ to allow you to enter a new activation
    key without reloading the software.)

    [Note: if you had a special feature on one of the PIXes, such as
    the 50-user license on a 501, or Unrestricted or Failover, then sometimes
    the key that gets generated will be missing the special feature, and
    you need to write to Cisco to get it straightened out. They are usually
    fairly prompt about it.]

    --
    Pity the poor electron, floating around minding its own business for
    billions of years; and then suddenly Bam!! -- annihilated just so
    you could read this posting.
    Walter Roberson, May 10, 2004
    #4
  5. Scott Emick

    Scott Emick Guest

    We do have unrestricted. So how hard would it be for me to upgrade
    the IOS on the box with a contigency for rollback, since this is our
    production box for e-commerce website etc. ???

    Thanks,

    Scott Emick

    -cnrc.gc.ca (Walter Roberson) wrote in message news:<c7o6n4$1kg$>...
    > In article <>,
    > Scott Emick <> wrote:
    > :Yes my question was can I upgrade to 6.3 and are there any additional
    > :requirements. We want the 3DES.
    >
    > Your PIX-520-XM with the hardware you showed should not require anything
    > addition to upgrade to PIX 6.3.
    >
    > The base PIX software supports 3DES, but you need the proper activation
    > key for it. After you do the PIX 6.3 upgrade, you would fill out
    > an online form on cisco.com (needs CCO registration, but does
    > not need a support contract) and provided you fit the legal parameters,
    > Cisco will send you a new activation key that you would then enter in.
    > (There's a command in 6.2+ to allow you to enter a new activation
    > key without reloading the software.)
    >
    > [Note: if you had a special feature on one of the PIXes, such as
    > the 50-user license on a 501, or Unrestricted or Failover, then sometimes
    > the key that gets generated will be missing the special feature, and
    > you need to write to Cisco to get it straightened out. They are usually
    > fairly prompt about it.]
    Scott Emick, May 11, 2004
    #5
  6. In article <>,
    Scott Emick <> top-posted:
    :-cnrc.gc.ca (Walter Roberson) wrote in message news:<c7o6n4$1kg$>...
    :> [Note: if you had a special feature on one of the PIXes, such as
    :> the 50-user license on a 501, or Unrestricted or Failover, then sometimes
    :> the key that gets generated will be missing the special feature, and
    :> you need to write to Cisco to get it straightened out. They are usually
    :> fairly prompt about it.]


    :We do have unrestricted. So how hard would it be for me to upgrade
    :the IOS on the box with a contigency for rollback, since this is our
    :production box for e-commerce website etc. ???

    The PIX 520 used to be licensed by connection counts, but is now
    feature-based. What I gathered, perhaps incorrectly, is that effectively
    all PIX 520's running "new enough" software are equivilent to
    Unrestricted, and thus there shouldn't be any potential problem
    about a lower key being issued. (phone #1-800-553-2447
    in Canada/USA) should be able to answer more authoratatively
    about that.

    Rolling back the PIX version should be about the same as installing
    the PIX version in the first place -- but keep a copy of the old
    config saved, as some of the configuration upgrades that are automatically
    done upon the upgrade are not going to be recognized after the downgrade.
    That could lead to some subtle problems; a few statements could effectively
    get lost in an upgrade / downgrade cycle.

    Upgrading or downgrading a PIX is not difficult in itself, but if
    you are in the habit of using a tftp "master copy" of the
    configuration instead of treating the PIX live configuration as the
    "master copy", then after an upgrade you would want to tftp off
    the pix running configuration and compare it to the saved configuration,
    as some statements move around and some get extra parameters added
    and so on. If your config is big, the comparison can take a while.
    But it isn't usually hard, just tedious.

    I should note, though, that none of my pixes would be considered
    "production boxes" in the same sense as yours. If our PIX goes down
    for a little, or has to be rebooted, or if I mess up the configuration a bit,
    then it's not a big deal to us. If I were running a production
    environment, I would keep a lab-bench duplicate device and run the
    upgrade on it first (and possibly do a device swap at that point,
    so as to keep downtime to a minimum.)
    --
    I wrote a hack in microcode,
    with a goto on each line,
    it runs as fast as Superman,
    but not quite every time! -- Don Libes et al.
    Walter Roberson, May 11, 2004
    #6
  7. Scott Emick

    Joey Guest

    That sux about the 520 possibly not getting 7.0. I know of more
    places running that one than any other model... And there's *nothing*
    wrong with it technology-wise. After all they're all x86s'! Oh well.
    :/

    On 7 May 2004 16:37:09 GMT, -cnrc.gc.ca (Walter
    Roberson) wrote:

    >In article <>,
    >Scott Emick <> wrote:
    >:This is what I have:
    >
    >:Cisco PIX Firewall Version 6.1(1)
    >:Cisco PIX Device Manager Version 1.0(2)
    >
    >:Hardware: SE440BX2, 128 MB RAM, CPU Pentium II 350 MHz
    >:Flash i28F640J5 @ 0x300, 16MB
    >
    >
    >You accidently omitted the question ;-)
    >
    >If the question is whether 6.3(3) is supported on that hardware,
    >the answer is Yes, the PIX-520 and PIX-520-XM (which is what you
    >probably have) with 128 Mb RAM and 16 Mb flash is supported by 6.3(3).
    >
    >
    >You should, though, not expect to be able to upgrade to PIX 7.0 when
    >it is released from beta -- my "reading between the lines" is that
    >the 510 and 520 will not be supported, and it that is plausible that
    >the 506 and 515 might not be either (but that the 506E and 515E would
    >likely be supported.)
    Joey, May 12, 2004
    #7
  8. Scott Emick

    John Llort Guest

    "Joey" <> wrote in message
    news:...
    > That sux about the 520 possibly not getting 7.0. I know of more
    > places running that one than any other model... And there's *nothing*
    > wrong with it technology-wise. After all they're all x86s'! Oh well.
    > :/


    But then how will cisco sell new hardware?, the 520 is old and has been
    EOL'ed
    John Llort, May 13, 2004
    #8
  9. Scott Emick

    John Llort Guest


    >
    > You should, though, not expect to be able to upgrade to PIX 7.0 when
    > it is released from beta -- my "reading between the lines" is that
    > the 510 and 520 will not be supported, and it that is plausible that
    > the 506 and 515 might not be either (but that the 506E and 515E would
    > likely be supported.)
    > --
    > vi -- think of it as practice for the ROGUE Olympics!


    Last I heard the 515 and 506 (non e models) will be supported but the 520
    will never move beyond 6.3.x
    John Llort, May 13, 2004
    #9
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Scott Emick
    Replies:
    1
    Views:
    816
    Walter Roberson
    Jul 16, 2004
  2. TECHNISERV CISCO 3COM PROXIM

    upgrade IOS Pix 520

    TECHNISERV CISCO 3COM PROXIM, Sep 29, 2004, in forum: Cisco
    Replies:
    1
    Views:
    523
    Martin Bilgrav
    Sep 29, 2004
  3. douglas w scott

    pix 501 and 520 ios

    douglas w scott, Nov 5, 2004, in forum: Cisco
    Replies:
    1
    Views:
    494
    Walter Roberson
    Nov 5, 2004
  4. Replies:
    2
    Views:
    432
  5. Mike Rahl
    Replies:
    1
    Views:
    1,236
    Trendkill
    May 30, 2007
Loading...

Share This Page