Upgrading PIX 515 from 5.1 to 7.x

Discussion in 'Cisco' started by VeeDub, Sep 2, 2006.

  1. VeeDub

    VeeDub Guest

    Hi

    I have the opportunity to pick up a PIX 515 (non-E) with IOS version
    5.1 on it. I already have a PIX 520 running 6.3 but want access to the
    7.x environment which my 520 will not do. I know there are activation
    keys that enable certain functions on the PIX etc but wanted to know if
    these were required to upgrade the IOS on the 515 from 5.1 to 7.x. I do
    have access to PIX 515e's running 7.1 and need to know if this image
    can be easily taken from the 515e and placed on the 515 without need
    for additional licence keys etc like can be done with Cisco routers.

    Thanks
     
    VeeDub, Sep 2, 2006
    #1

  2. PIX doesn't use "IOS", it uses "Finesse", more commonly just called
    "PIX OS". But that's not germane to the question.
    If the PIX 515 is running 5.1(1) then it will need a new license
    key to upgrade to -any- later version.

    If the PIX 515 is running 5.1(2) or later then it would not need
    a new license key to run PIX 7.x .

    If the PIX 515 does not happen to have a 3DES key (which was
    extra cost back then), then if it were upgraded to PIX 7.x, you
    would not be able to use 3DES, AES, or (if memory serves) SSL VPN
    or WebVPN.

    You have a problem: the PIX 515 running 5.1 is going to have 32 Mb
    of RAM, but 7.x requires at least 64 Mb to run. The Cisco part
    number for the memory upgrade is PIX-515-MEM-32= . If you hunted
    around a bit you could probably find a non-Cisco source for the
    memory.

    I seem to recall reading that a few people have reported being able
    to boot 7.0 with only 32 Mb of memory; it isn't a supported
    configuration.


    Copying the PIX 7.1 image off of an existing device might be
    technically possible, but it would very likely not be allowed by the
    license terms.

    Your posting IP suggests you are in Australia. If so, then Cisco
    software licenses do not transfer with the hardware, so if you
    pick up the PIX 515 running PIX 5.1 then chances are very very slim
    that you would have gone through one of the few dealers authorized
    to transfer licenses. In order to be able to use the PIX
    legally, you would have to go through Cisco's "relicensing" procedure,
    which is basically paying Cisco on the order of $US700 for the
    right to use the software.

    The procedures after that are a bit fuzzy, as Cisco at various times
    has said that relicensing does -not- entitle you to a software upgrade.
    A one time software upgrade license is $US1000. You -might- be
    allowed to instead start a software-only support contract at a much
    lower cost, but when you are starting with software that old, Cisco
    might refuse the contract until you pay some kind of upgrade fee.
    The details of how this all works to get clear legal title to the
    latest software are unclear, apparently so even to VARs that deal
    closely with Cisco.

    By the time you add all these up, you might find it less expensive
    to just buy a new 515E or perhaps a Cisco ASA 5505.
     
    Walter Roberson, Sep 2, 2006
    #2

  3. VeeDub

    VeeDub Guest

    Hi Walter,

    thanks for your extended reply. I am looking to use this device for my
    CCSP cert so it will not be used in a production environment, though in
    Cisco's view, I don't think that they differentiate from a licencing
    perspective.

    Below is a copy of the "sh version" output:

    pixfirewall- show ver

    Cisco Secure PIX Firewall Version 5.1(2)
    Compiled on Tue 16-May-00 16:09 by bhochuli

    pixfirewall up 29 secs

    Hardware: PIX-515, 64 MB RAM, CPU Pentium 200 MHz
    Flash i28F640J5 @ 0x300, 16MB
    BIOS Flash AT29C257 @ 0xfffd8000, 32KB

    0: ethernet0: address is 0050.54ff.5748, irq 9
    1: ethernet1: address is 0050.54ff.5749, irq 7
    2: ethernet2: address is 00d0.b780.a3ad, irq 11

    Licensed Features:
    Failover: Enabled
    VPN-DES: Enabled
    VPN-3DES: Disabled
    Maximum Interfaces: 6

    believe it is technically possible to upload a 7.x image to it and use
    it without a new activation key? Also, it only has DES available, not
    3DES or AES (which I presume was not around at the time of 5.1) so if I
    wanted to use this I would need a new key. Would this be a key that
    would be inserted whilst running 5.1 or once 7.x is installed. As I am
    new to PIX the whole activation key, licence requirements thing is a
    bit foreign to me, I am far more used to the simple IOS versions used
    on Routers and Switches.

    I am not certain if this PIX will be more problems than what it is
    worth. The slower CPU speed etc is not of concern to me due to it being
    used for my learning only but I do really need it to be able to run 7.x
    otherwise the device is useless to me.

    I have also read the device needs to be updated to 6.2 or 6.3 before
    upgrading to 7.x. Are you familiar with this requirement?

    Thanks
     
    VeeDub, Sep 3, 2006
    #3
  4. That's good news in one way, the 64 MB is the minimum you need for
    PIX 7. However,
    That tells me that the PIX 515 currently has an Unrestricted license.
    If you were to install PIX 7 on it, then you would need 128 MB
    to fit the Unrestricted license, according to Cisco. It's the
    same image as Restricted though, so it'd be a matter of data tables,
    so if the PIX wasn't very active then you -might- be able to
    get away with 64 MB, depending on how strictly the PIX OS checks.

    AES did not come in until 6.something, but 3DES existed back then.
    The same key is used for 3DES and AES; I -think- I saw in passing
    that that key is also required for the SSL and HTTPS features.
    Either way. It's easier from 6.1 onward: before that point, changing
    the key requires copying in the OS again, with the key being
    prompted for as the very last stage of that. 6.1 onward has a simple
    command to enter a new key.

    One minor point: when you upgrade to PIX 7, it saves a copy of the
    existing activation key, and if you ever downgrade then it restores
    that activation key. So if you install the 3DES key first before
    the upgrade then if you were to downgrade you would still have 3DES,
    but if you were to install the 3DES key after the upgrade then
    if you were to downgrade it'd go back to the old key. On the
    other hand at that point you could just enter the 3DES key since it'd
    be the same activation key.

    That is what is documented. We did have one report from someone
    who went from a much older version upward, apparently skipping 6.x
    in the process. The glitches reported were to do with the memory
    size, I think it was.
     
    Walter Roberson, Sep 3, 2006
    #4
  5. john smith

    john smith Guest


    i've installed/operated a 515e w/ 64MB ram and UR license running 7.x
    software. it's not officially supported by Cisco, but if you're just
    looking for lab use, it will do fine. (in this configuration i've not
    used failover though so i don't know if the memory limitations play a role
    then)
     
    john smith, Sep 3, 2006
    #5
  6. VeeDub

    VeeDub Guest

    Thanks John and Walter,

    well as for RAM, I can see this can be purchased quite inexpensively on
    eBay so if I needed to upgrade to 128MB I could probably afford this. I
    have read however that PIX OS and activation keys are tied to the
    actual serial number of the device. Do you know if this is true? If so,
    it seems I would need to contact Cisco for both an OS and an activation
    key if I wanted to upgrade to a 3DES operation. Alternatively I suppose
    I could get a software contract on it but I presume this would not
    allow me to simply upgrade to 3DES, this activation key would be extra
    I presume, but am I right in thinking this would allow me to receive
    and install 7.x at least, presuming that the OS is tied to the serial on
    the device?

    Thanks again
     
    VeeDub, Sep 3, 2006
    #6
  7. Definitely not for 6.x. I'm not sure for 7.x, but I doubt it.
    But it might plausibly be the case for the Cisco ASA series.
    These days, if you are in one of the countries allowed to receive
    3DES and you are not on the banned persons list, then you are
    entitled to a free 3DES activation key. The catch is that you
    have to go through a registration form, and they are going to
    check your registration information against the previous owner's
    registration information.

    You do not need a new activation key to go from 5.1(2)UR to 7.x:
    you just won't be able to use some of the features. And for
    your study purposes those might turn out to be key features.
     
    Walter Roberson, Sep 3, 2006
    #7
  8. VeeDub

    VeeDub Guest

    Thanks Walter

    your advice has been invaluable.
     
    VeeDub, Sep 3, 2006
    #8
  9. john smith

    john smith Guest

    i can say from experience the activation is tied to the S/N. even in 6.3.
    i had to open a TAC case on this 2 weeks ago be/c one of my pixes lost its
    activation key during a downgrade from 7.2(1) to 6.3(5). i couldn't just
    take an activation key from one of my many other (same model) pixes. when
    i called TAC, they had to have my S/N, and he specifically said it was
    tied to the activation key.
     
    john smith, Sep 3, 2006
    #9
  10. VeeDub

    VeeDub Guest

    Thanks John

    seems I need to make sure then that whatever one I get it should
    already be enabled for the functionality I require.
     
    VeeDub, Sep 6, 2006
    #10