|
Jugaad
Member
2005-May-12 1:29 am
Re: Cisco PIX OS 7.0 on PIX 520??
BTW I love the new PIX OS 7 now. |
|
|
yaplej Premium Member join:2001-02-10 White City, OR |
yaplej
Premium Member
2005-May-12 10:18 am
So why the change in heart? I've been running 7.0 on a pair of 515-UR's with 64MB of ram. I haven't tried anything extremely resource intensive because they are just in my lab, but 7.0 will run on a 515-UR with 64MB in case someone was wondering. |
|
yash0 join:2005-05-10 Israel |
to Jugaad
good & bad news:
1) your trick worked like a charm. put a genuine pdm file on tftp server, do "copy tftp", pull the network cable mid-transfer, and reboot: pdm is history. Very cool indeed!
2) after this there was enough flash mem available and we were able to install the pix701 image and reboot.
3) but: after installing the image, it wouldn't boot :-( it would start the boot sequence, and reset itself, in an endless loop.
It seems that Cisco was serious about not supporting 7.0 on the 520... Thanks anyway! |
|
photomankc3Puffy And Prickly Premium Member join:2001-06-13 Liberty, MO |
to webnetwiz
Re: Cisco PIX OS 7.0
said by webnetwiz:
Pix 520 will not be supported. Neither will the 501, 506, 506E (506E will be supported a little later with a memory upgrade), 515. All other Pixes, 515E, 525 and 535 will be supported.

So is the 506 going to be included when the 506E gets there? I have 256M on my 506 and I'd like to take it to 7.x if possible. If not 6.3 is pretty good too. I was pretty excited to finally be able to use VLANs on the 506. Pretty powerful firewall for my home use |
|
photomankc3 |
to Jugaad
said by Jugaad:
PIX CLI moving towards IOS sounds good to people who work mostly on IOS. But, for someone who works mostly on PIX, moving towards IOS is a big irritation. For years I looked at IOS and said thank god my PIX CLI is not like that.

It definitely is a router vs pix guy thing. I came from routers and got a PIX forced on me several years ago. Since then I've taken over the rest of them. While the commands were in places similar, I always felt a little out of place. I hate the 6.x command line help... especially on complex commands. I bang the tab key constantly to no avail on the PIX. I also hate the forced NAT and NAT exclusion between security levels on the interfaces. It complicates the config greatly where numerous interfaces are involved.
7.X is a whole new affair. I'm a little apprehensive because it is very different than 6.X in its commands and structure. That's going to mean more reading for me. However command help is much improved IMO. Tab completion is nice and the ability to remove the forced NAT is VERY welcome in my environment. Our lab firewall is on 7.0.1 and so far I like it. It will be some time before we take it into production on our main firewall pair.
I agree with you though to a point. I'd rather have better security than a kitchen-sink of router and firewall and IDS in one box. |
|
|
Jugaad
Member
2005-Jun-13 3:59 pm
Everyone hates it when there are changes. I hated it too when PIX 7.0 came out. But, when I started working on it I started liking it... and now I love it... There is so much more I can do with it. And I have started liking the IOS-like CLI too... Much easier to work with... Tabbed input etc... I would suggest people take the plunge into 7.x in the near future... You won't regret it... But like all cutting edge stuff it needs to mature and smoothen out the bugs... As a rule of thumb I deploy a new line of code after at least 6 months of it being out... enough time for people to find bugs and report to the manufacturer... |
|
Jugaad |
Jugaad
Member
2005-Jun-13 4:12 pm
Reminds me of a saying >> "Get ready to change....or get replaced" Hehe.. best of luck to you all |
|
pdoland Premium Member join:2004-01-26 Houston, TX 1 edit |
to idolclub
I just got a PIX 515E for a customer. Bought it from CDW. I'm not Cisco certified. (I know, I need to finish that...) Anyway, the unit I just got came with 64 meg RAM, and OS version 6.3. So, if my customer wanted to go with 7.0, I'd have to get more memory first. Somebody asked in this thread about getting memory for a 515e, and I found a number of third-party vendors that sell memory for it. So, here are my questions:
1. Is getting version 7 free? The unit is brand new.
2. How do I go about getting the upgrade, like what form or page to fill out?
3. Is it official yet? Some people in this thread seem to feel it is official release, others said it was still in beta.
Thanks. |
|
yaplej Premium Member join:2001-02-10 White City, OR |
yaplej
Premium Member
2005-Jun-13 4:46 pm
I have two PIX515's that have 7.0 running on them with only 64MB of ram. I think that you will only need 128MB to use some features of 7.0 like active/active failover. Perhaps some other cool features too. |
|
|
to pdoland
It's official now..earlier comments were posted when it was beta... See this link and this should answer most of your questions: » www.cisco.com/en/US/prod ··· ae1.html |
|
Jugaad |
to pdoland
Cisco PIX 515/515E Security Appliance Memory Upgrade for PIX Software v7.0 » www.cisco.com/en/US/prod ··· 8d4.html |
|
|
Can my 501 support Version 7? I have downloaded pix701.bin... it is 4.88 MB. I have 8 MB Flash. Please reply to me quickly, thanks ;) |
|
photomankc3Puffy And Prickly Premium Member join:2001-06-13 Liberty, MO |
Cisco says no. I'd not put that image on if I were you. |
|
|
jma24
Anon
2005-Jun-21 12:54 pm
Hi,
I just thought I'd add my experiences:
pixfirewall> sh ver
Cisco PIX Security Appliance Software Version 7.0(1)
Compiled on Thu 31-Mar-05 14:37 by builders
System image file is "flash:/image"
Config file at boot was "startup-config"
pixfirewall up 35 secs
Hardware: PIX-506E, 96 MB RAM, CPU Pentium II 300 MHz
Flash E28F640J3 @ 0xfff00000, 8MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
0: Ext: Ethernet0 : media index 0: irq 10
1: Ext: Ethernet1 : media index 1: irq 11
Licensed features for this platform:
Maximum Physical Interfaces : 2
Maximum VLANs : 2
Inside Hosts : Unlimited
Failover : Not supported
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 0
GTP/GPRS : Disabled
VPN Peers : Unlimited
Regards,
John |
|
jma24 |
to photomankc3
Hi,
It is possible to run 7.0 on a Pix 506E. You can't however install ASDM, only the CLI.
My account manager at Cisco tells me that they are planning on doing a compressed image with a bootloader that should fit both PIX 7 and ASDM into 8Mb. Since together they are only ~10Mb that sounds feasible.
The Pix 506E is of course not flash upgradeable (not unless you're a dab hand with surface mount soldering at least).
Regards,
John |
|
photomankc3Puffy And Prickly Premium Member join:2001-06-13 Liberty, MO 1 edit |
Does that mean you can get it on the 506? I have the older 506 platform but it seems to be the same device just not 10/100 and no USB.
Hardware: PIX-506, 256 MB RAM, CPU Pentium 200 MHz
Flash i28F640J5 @ 0x300, 8MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB |
|
|
jma24
Anon
2005-Jun-22 6:43 am
Hi,
I can't swear that it will work for you, because it's clearly *not* a supported configuration, so proceed at your own risk!
However PIX 7.0 will easily fit into 8Mb flash (the image is 5Mb so you have about 2.5Mb spare). On this principle I decided to give it a go for a laugh on a PIX that someone gave me.
By this principle it should be able to run on any of the older PIXs that support a memory upgrade past 64Mb. Given that most PIX techs worth their salt won't touch a GUI, I wonder why Cisco are so adamant that it won't work.
Warnings over, this is how to do it in very general terms.
1) Boot your pix *on the console* and login
2) Back up the FS to tftp
3) Format the filesystem, delete all the files on it
4) Reboot to monitor mode
5) tftp boot the Pix from an image (6.3, 7.0, makes no odds)
6) copy tftp://server/pix701.bin flash:image
7) reload
8) request a new 3DES activation key from Cisco (free).
Regards,
John |
|
NeTwOrKDawgNetworking is a lifestyle join:2005-04-25 Brantford, ON |
to idolclub
Can anyone tell me how to do:
3) Format the filesystem, delete all the files on it
I have tried clear flashfs and no flashfs .. can't get rid of the PDM files in flash so can't update to 7.01 |
|
NeTwOrKDawg 1 edit |
to idolclub
Oops never mind.. that wasn't hard...
Cisco PIX Security Appliance Software Version 7.0(1)
Compiled on Thu 31-Mar-05 14:37 by builders
System image file is "flash:/image.bin"
Config file at boot was "startup-config"
pixfirewall up 1 min 16 secs
Hardware: PIX-506E, 64 MB RAM, CPU Pentium II 300 MHz
Flash E28F640J3 @ 0xfff00000, 8MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
0: Ext: Ethernet0 : media index 0: irq 10
1: Ext: Ethernet1 : media index 1: irq 11
Licensed features for this platform:
Maximum Physical Interfaces : 2
Maximum VLANs : 2
Inside Hosts : Unlimited
Failover : Not supported
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 0
GTP/GPRS : Disabled
VPN Peers : Unlimited
This platform does not support Failover. |
|
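Added example, not part of any post in this thread: a small inventory check that parses "sh ver" output like the two listings above and flags a PIX running 7.x on a platform outside the supported list quoted earlier in the thread. The support list and the 5 MB / 10 MB image sizes are taken from the posts, not from a Cisco support matrix; the sample output is constructed.

```python
import re

# Platforms the thread quotes as supported for 7.0 (not an official matrix).
SUPPORTED_7X = {"PIX-515E", "PIX-525", "PIX-535"}
# Sizes as stated in the thread: image about 5 MB, image plus ASDM about 10 MB.
IMAGE_MB, IMAGE_PLUS_ASDM_MB = 5, 10

# Constructed sample, modelled on the "sh ver" output posted above.
SAMPLE = """\
Cisco PIX Security Appliance Software Version 7.0(1)
System image file is "flash:/image.bin"
Hardware:   PIX-506E, 64 MB RAM, CPU Pentium II 300 MHz
Flash E28F640J3 @ 0xfff00000, 8MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
"""

def parse_show_version(text):
    """Extract OS version, model, RAM and main flash size.

    Uses searches over the whole text, so it works whether the output
    kept its line breaks or was flattened onto one line.
    """
    ver = re.search(r"Version (\d+)\.(\d+)\((\d+)\)", text)
    hw = re.search(r"Hardware:\s*(PIX-\w+),\s*(\d+)\s*MB RAM", text)
    # The lookbehind skips the "BIOS Flash" entry so only main flash is read.
    flash = re.search(r"(?<!BIOS )Flash \S+ @ 0x[0-9a-fA-F]+,\s*(\d+)\s*MB", text)
    if not (ver and hw and flash):
        raise ValueError("not recognisable 'show version' output")
    return {"version": tuple(int(g) for g in ver.groups()),
            "model": hw.group(1),
            "ram_mb": int(hw.group(2)),
            "flash_mb": int(flash.group(1))}

def audit(text):
    """Return a list of findings for one device; empty means nothing to flag."""
    info = parse_show_version(text)
    findings = []
    if info["version"][0] >= 7:
        if info["model"] not in SUPPORTED_7X:
            findings.append(f"{info['model']} runs 7.x but is not on the supported list")
        if info["flash_mb"] < IMAGE_MB:
            findings.append("flash is smaller than the 7.0 image")
        elif info["flash_mb"] < IMAGE_PLUS_ASDM_MB:
            findings.append("flash cannot hold image plus ASDM (CLI only)")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```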
photomankc3Puffy And Prickly Premium Member join:2001-06-13 Liberty, MO |
said by NeTwOrKDawg:
Oops never mind.. that wasn't hard...

Would you mind sharing? I'm not going to make the switch till a couple more releases but I would like to know what the command is. |
|
|
justkidding to yaplej
Anon
2005-Jul-16 1:12 am
to yaplej
Re: Cisco PIX OS 7.0 on PIX 520??
If we can change the HW ID for PIX 520 like below
Hardware: PIX-506E, 96 MB RAM, CPU Pentium II 300 MHz
          ^^^^^^^^^^^ (replace 520 to 515 or 525)
and I think FOS 7.0 could be run on PIX520. I am looking for a BIOS hack tool to change the HW ID |
|
adamc1 join:2005-07-18 Australia |
to idolclub
Re: Cisco PIX OS 7.0
Anyone know when Cisco will officially support FOS 7 on 506e. I'm trying to be patient. |
|
|
msmyth2002yahoocom
Anon
2005-Jul-30 10:28 am
To get 7.0 to run on a 520 or FrankenPIX we need to upgrade the BIOS to 4.x. The only way I think this can be done is to copy a PIX-515 BIOS flash chip and burn it to the BIOS flash chip of the 520. Hence, we would need an EEPROM burner. The other possibility is to remove the BIOS flash chip from a non-functioning 515 and put it in a 520. Anyone up for it? |
|
|
mesir
Anon
2005-Aug-11 5:56 pm
anyone tried to run 7.x on a 501 yet? I see reports of 506's just curious on a 501. |
|
zeio77 join:2001-03-17 Belmont, CA |
zeio77
Member
2005-Sep-23 2:57 am
I tried everything under the sun to get a 506 with 6.3(5) (PDM erased) to upgrade to:
pix701.bin [ 7.0(1) ]
pix702.bin [ 7.0(2) ]
and
pix702-5.bin [7.0(2)-5 ]
I used clear flashfs, the 6.3 -> 7.0 Cisco instructions and the various hack recipes to try and get this thing to boot with PIX OS 7, it will not.
I used the upgrade from 6.3(5), I used the upgrade from monitor mode, and neither worked. The file starts to load from flash but you never even see a "#" - it's like the file header is not executable by the 506's monitor / boot loader.
We will have to wait and see if Crisco lets the 501/506 people squeak by and with how bad PIX OS is and how lame all the competitors are, it's almost worth mucking around with OpenBSD at this point since these security/firewall/vpn boxes all suck in some way.
I want:
1) VPN LOCAL authentication - no directories, no crap, no ADS, no LDAP, no TACACS, nothing. I want to have vpn users live in the appliance
2) powerful implied application proxying. None of this crap where DCC doesn't work, idents don't work, AIM and Y! messenger file transfers don't work, etc. Winroute is an example of a "working application" - you don't need port forwards to get PASV ftp, DCC and idents to go through. (this is what is annoying about OpenBSD, they don't believe in proxying "broken" protocols)
3) simplistic access allow implied by port forwarding. Why port forward AND specify the allow for that, it should be implied. EG: "rdr pass on $ext_if proto tcp from any to 1.2.3.4 port 80 -> 10.10.10.10 port 8080"
4) should facilitate: VPN over SSL (have a web page that sets up a tunneled connection), support for OS X's client without software being installed, support plain-jane microsoft VPN clients (L2TP/IPSec, PPTP, Windows 2000, Windows XP and Windows 2003 and even Windows 98 as well as cooking instructions for Linux and FreeBSD clients as well as some possibility for Treos and other PPTP junk VPN stuff to work.)
If anyone knows a device that does this, or a pile of software with some cooking instructions let me know. |
|
sdrock join:2003-08-12 australia |
to adamc1
never |
|
sdrock |
to zeio77
Buy a new one. It won't work and you will end up stuffing it totally and then you won't have an old one or a new one. And if you try to log a TAC case they will tell you to pi55 off. |
|
|
to zeio77
I have actually seen one guy with 7.+ installed on a 506. The problem is he doesn't know how he did it. You have to wait, Cisco is gonna release version 7 to the smaller ones pretty soon.
And you will never get any clients to work except Cisco's own in version 7. They removed the support for that. Maybe you already knew that!?
My suggestion is to check at a product called appgate. www.appgate.com |
|
SodaAnt join:2005-09-02 San Ramon, CA |
What kind of memory does a 506E use and what is the maximum it can be upgraded to? |
|
|
to idolclub
Hi everyone,
I also tried to get the v7 running on a PIX-520 and got the same result as yash - constant reboots. But trying to get it back to the old version would not work. It crashes at the attempt to flash it via boot helper disk. Booting is no problem, transferring the "IOS" via tftp neither, but when the PIX puts the received IOS on the flash card it crashes...
Searching the net I found » seclists.org/lists/firew ··· 023.html but this was not related to putting v7 on a 520 but the normal upgrade process. But it's essentially the same with me. Any ideas?
Thanks in advance
Bjoern |
|