Jugaad
join:2002-04-28
MARS!!

Jugaad

Member

Re: Cisco PIX OS 7.0 on PIX 520??



BTW

I love the new PIX OS 7 now.

yaplej
Premium Member
join:2001-02-10
White City, OR

yaplej

Premium Member

So why the change in heart? I've been running 7.0 on a pair of 515-UR's with 64MB of ram. I haven't tried anything extremely resource intensive because they are just in my lab, but 7.0 will run on a 515-UR with 64MB in case someone was wondering.
yash0
join:2005-05-10
Israel

yash0 to Jugaad

Member

to Jugaad
good & bad news:

1) your trick worked like a charm. put a genuine pdm file
on tftp server, do "copy tftp", pull the network cable
mid-transfer, and reboot: pdm is history.
Very cool indeed!

2) after this there was enough flash mem available and
we were able to install the pix701 image and reboot.

3) but: after installing the image, it wouldn't boot :-(
it would start the boot sequence, and reset itself,
in an endless loop.

It seems that Cisco was serious about not supporting 7.0
on the 520...

Thanks anyway!

photomankc3
Puffy And Prickly
Premium Member
join:2001-06-13
Liberty, MO

photomankc3 to webnetwiz

Premium Member

to webnetwiz

Re: Cisco PIX OS 7.0

said by webnetwiz:

Pix 520 will not be supported. Neither will the 501, 506, 506E (506E will be supported a little later with a memory upgrade), 515. All other Pixes, 515E, 525 and 535 will be supported.
So is the 506 going to be included when the 506E gets there? I have 256M on my 506 and I'd like to take it to 7.x if possible. If not 6.3 is pretty good too. I was pretty excited to finally be able to use VLANs on the 506. Pretty powerful firewall for my home use
photomankc3

photomankc3 to Jugaad

Premium Member

to Jugaad
said by Jugaad:

PIX CLI moving towards IOS sounds good to people who work mostly on IOS. But, for someone who works mostly on PIX, moving towards IOS is a big irritation. For years I looked at IOS and said thank god my PIX CLI is not like that.
It definitely is a router vs pix guy thing. I came from routers and got a PIX forced on me several years ago. Since then I've taken over the rest of them. While the commands were in places similar, I always felt a little out of place. I hate the 6.x command line help... especially on complex commands. I bang the tab key constantly to no avail on the PIX. I also hate the forced NAT and NAT exclusion between security levels on the interfaces. It complicates the config greatly where numerous interfaces are involved.

7.X is a whole new affair. I'm a little apprehensive because it is very different than 6.X in its commands and structure. That's going to mean more reading for me. However command help is much improved IMO. Tab completion is nice and the ability to remove the forced NAT is VERY welcome in my environment. Our lab firewall is on 7.0.1 and so far I like it. It will be some time before we take it into production on our main firewall pair.

I agree with you though to a point. I'd rather have better security than a kitchen-sink of router and firewall and IDS in one box.

Jugaad
join:2002-04-28
MARS!!

Jugaad

Member



Everyone hates it when there are changes. I hated it too when PIX 7.0 came out. But, when I started working on it I started liking it...and now I love it...

There is so much more I can do with it. And I have started liking the IOS like CLI too...Much easier to work with...Tabbed input etc...

I would suggest people to take the plunge into 7.x in near future... You won't regret it...But like all cutting edge stuff it needs to mature and smoothen out the bugs...as a thumb rule I deploy new line of code after at least 6 months of it being out...enough time for people to find bugs and report to the manufacturer...
Jugaad

Jugaad

Member



Reminds me of a saying >>

"Get ready to change....or get replaced"

Hehe..best of luck to u all
pdoland
Premium Member
join:2004-01-26
Houston, TX

1 edit

pdoland to idolclub

Premium Member

to idolclub
I just got a PIX 515E for a customer. Bought it from CDW. I'm not Cisco certified. (I know, I need to finish that...) Anyway, the unit I just got came with 64 meg RAM, and OS version 6.3. So, if my customer wanted to go with 7.0, I'd have to get more memory first. Somebody asked in this thread about getting memory for a 515e, and I found a number of third-party vendors that sell memory for it. So, here are my questions:

1. Is getting version 7 free? The unit is brand new.
2. How do I go about getting the upgrade, like what form or page to fill out?
3. Is it official yet? Some people in this thread seem to feel it is official release, others said it was still in beta.

Thanks.

yaplej
Premium Member
join:2001-02-10
White City, OR

yaplej

Premium Member

I have two PIX515's that have 7.0 running on them with only 64MB of ram. I think that you will only need 128MB to use some features of 7.0 like active/active failover. Perhaps some other cool features too.

Jugaad
join:2002-04-28
MARS!!

Jugaad to pdoland

Member

to pdoland


It's official now..earlier comments were posted when it was beta...

See this link and this should answer most of your questions:
»www.cisco.com/en/US/prod ··· ae1.html
Jugaad

Jugaad to pdoland

Member

to pdoland


Cisco PIX 515/515E Security Appliance Memory Upgrade for PIX Software v7.0

»www.cisco.com/en/US/prod ··· 8d4.html

cisco5350
Premium Member
join:2004-07-10
380008

cisco5350

Premium Member

can my 501 support Version 7 .....
i have downloaded pix701.bin ....it is 4.88 MB
i have 8 MB Flash..
pls reply me quickly
thanx;)

photomankc3
Puffy And Prickly
Premium Member
join:2001-06-13
Liberty, MO

photomankc3

Premium Member

Cisco says no. I'd not put that image on if I were you.

jma24
@bulldogdsl.com

jma24

Anon

Hi,

I just thought I'd add my experiences:

pixfirewall> sh ver

Cisco PIX Security Appliance Software Version 7.0(1)

Compiled on Thu 31-Mar-05 14:37 by builders
System image file is "flash:/image"
Config file at boot was "startup-config"

pixfirewall up 35 secs

Hardware: PIX-506E, 96 MB RAM, CPU Pentium II 300 MHz
Flash E28F640J3 @ 0xfff00000, 8MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

0: Ext: Ethernet0 : media index 0: irq 10
1: Ext: Ethernet1 : media index 1: irq 11

Licensed features for this platform:
Maximum Physical Interfaces : 2
Maximum VLANs : 2
Inside Hosts : Unlimited
Failover : Not supported
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 0
GTP/GPRS : Disabled
VPN Peers : Unlimited

Regards,

John
jma24

jma24 to photomankc3

Anon

to photomankc3
Hi,

It is possible to run 7.0 on a Pix 506E. You can't however install ASDM, only the CLI.

My account manager at Cisco tells me that they are planning on doing a compressed image with a bootloader that should fit both PIX 7 and ASDM into 8Mb. Since together they are only ~10Mb that sounds feasible.

The Pix 506E is of course not flash upgradeable (not unless you're a dab hand with surface mount soldering at least).

Regards,

John

photomankc3
Puffy And Prickly
Premium Member
join:2001-06-13
Liberty, MO

1 edit

photomankc3

Premium Member

Does that mean you can get it on the 506? I have the older 506 platform but it seems to be the same device just not 10/100 and no USB.

Hardware: PIX-506, 256 MB RAM, CPU Pentium 200 MHz
Flash i28F640J5 @ 0x300, 8MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB

jma24
@bulldogdsl.com

jma24

Anon

Hi,

I can't swear that it will work for you, because it's clearly *not* a supported configuration, so proceed at your own risk!

However PIX 7.0 will easily fit into 8Mb flash (the image is 5Mb so you have about 2.5Mb spare). On this principle I decided to give it a go for a laugh on a PIX that someone gave me.

By this principle it should be able to run on any of the older PIXs that support a memory upgrade past 64Mb. Given that most PIX techs worth their salt won't touch a GUI, I wonder why Cisco are so adamant that it won't work.

Warnings over, this is how to do it in very general terms.

1) Boot your pix *on the console* and login
2) Back up the FS to tftp
3) Format the filesystem, delete all the files on it
4) Reboot to monitor mode
5) tftp boot the Pix from an image (6.3, 7.0, makes no odds)
6) copy tftp://server/pix701.bin flash:image
7) reload
8) request a new 3DES activation key from Cisco (free).

Regards,

John

NeTwOrKDawg
Networking is a lifestyle
join:2005-04-25
Brantford, ON

NeTwOrKDawg to idolclub

Member

to idolclub
Can anyone tell me how to do:

3) Format the filesystem, delete all the files on it

I have tried clear flashfs and no flashfs .. can't get rid of the PDM files in flash so can't update to 7.01
NeTwOrKDawg

1 edit

NeTwOrKDawg to idolclub

Member

to idolclub
Oops never mind.. that wasn't hard...

Cisco PIX Security Appliance Software Version 7.0(1)

Compiled on Thu 31-Mar-05 14:37 by builders
System image file is "flash:/image.bin"
Config file at boot was "startup-config"

pixfirewall up 1 min 16 secs

Hardware: PIX-506E, 64 MB RAM, CPU Pentium II 300 MHz
Flash E28F640J3 @ 0xfff00000, 8MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

0: Ext: Ethernet0 : media index 0: irq 10
1: Ext: Ethernet1 : media index 1: irq 11

Licensed features for this platform:
Maximum Physical Interfaces : 2
Maximum VLANs : 2
Inside Hosts : Unlimited
Failover : Not supported
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 0
GTP/GPRS : Disabled
VPN Peers : Unlimited

This platform does not support Failover.
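
An added example, not part of any post in this thread: a Python sketch that parses `show version` text like the outputs posted above and flags PIX OS 7.x running on a model that the list quoted from webnetwiz earlier in the thread gives as unsupported. The function names are hypothetical, the support sets come only from that quoted post, and the 515E sample is constructed.

```python
import re

# Support status for PIX OS 7.x exactly as quoted from webnetwiz in this
# thread; this is not an official Cisco compatibility matrix.
SUPPORTED_7X = {"515E", "525", "535"}
UNSUPPORTED_7X = {"501", "506", "506E", "515", "520"}

HW_RE = re.compile(r"^Hardware:\s+PIX-([0-9A-Za-z]+),\s+(\d+)\s*MB RAM", re.M)
VER_RE = re.compile(r"Version\s+(\d+)\.(\d+)\((\d+)\)")
FLASH_RE = re.compile(r"^Flash\s+\S+\s+@\s+\S+,\s+(\d+)\s*MB", re.M)

# Taken from the 506E output posted in the thread (trimmed).
SAMPLE_506E = """Cisco PIX Security Appliance Software Version 7.0(1)
Hardware: PIX-506E, 96 MB RAM, CPU Pentium II 300 MHz
Flash E28F640J3 @ 0xfff00000, 8MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
"""

# Constructed sample for a model on the supported list.
SAMPLE_515E = """Cisco PIX Security Appliance Software Version 7.0(1)
Hardware: PIX-515E, 128 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
"""

def parse_show_version(text):
    """Pull model, RAM, flash size and OS version out of 'show version' text."""
    hw, ver, flash = HW_RE.search(text), VER_RE.search(text), FLASH_RE.search(text)
    if not (hw and ver and flash):
        raise ValueError("not a recognisable PIX 'show version' output")
    return {"model": hw.group(1), "ram_mb": int(hw.group(2)),
            "flash_mb": int(flash.group(1)),
            "version": tuple(int(g) for g in ver.groups())}

def audit(text):
    """Return (device, findings); findings are empty when nothing is flagged."""
    dev = parse_show_version(text)
    findings = []
    if dev["version"][0] >= 7:
        label = "PIX-%s on %d.%d(%d)" % ((dev["model"],) + dev["version"])
        if dev["model"] in UNSUPPORTED_7X:
            findings.append(label + ": model listed as unsupported for 7.x")
        elif dev["model"] not in SUPPORTED_7X:
            findings.append(label + ": model not on the quoted list, verify")
    return dev, findings

if __name__ == "__main__":
    for sample in (SAMPLE_506E, SAMPLE_515E):
        print(audit(sample))
```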

photomankc3
Puffy And Prickly
Premium Member
join:2001-06-13
Liberty, MO

photomankc3

Premium Member

said by NeTwOrKDawg:

Oops never mind.. that wasn't hard...
Would you mind sharing? I'm not going to make the switch till a couple more releases but I would like to know what the command is.

justkidding
@dsl.pltn13.pacbell.n

justkidding to yaplej

Anon

to yaplej

Re: Cisco PIX OS 7.0 on PIX 520??

If we can change the HW ID for PIX 520 like below

Hardware: PIX-506E, 96 MB RAM, CPU Pentium II 300 MHz
^^^^^^^^^^^
(replace 520 to 515 or 525)
and I think FOS 7.0 could be run on PIX520
I am looking for a BIOS hack tool to change the HW ID
adamc1
join:2005-07-18
Australia

adamc1 to idolclub

Member

to idolclub

Re: Cisco PIX OS 7.0

Anyone know when Cisco will officially support FOS 7 on 506e.

I'm trying to be patient.

msmyth2002yahoocom
@adelphia.net

msmyth2002yahoocom

Anon

To get 7.0 to run on a 520 or FrankenPIX we need to upgrade the BIOS to 4.x. The only way I think this can be done is to copy a PIX-515 BIOS flash chip and burn it to the BIOS flash chip of the 520. Hence, we would need an EEPROM burner. The other possibility is to remove the BIOS flash chip from a non-functioning 515 and put it in a 520. Anyone up for it?

mesir
@twtelecom.net

mesir

Anon

anyone tried to run 7.x on a 501 yet? I see reports of 506's just curious on a 501.

zeio77
join:2001-03-17
Belmont, CA

zeio77

Member

I've tried everything under the sun to get a 506 with 6.3(5) (PDM erased) to upgrade to:

pix701.bin [ 7.0(1) ]
pix702.bin [ 7.0(2) ]

and

pix702-5.bin [7.0(2)-5 ]

I used clear flashfs, the 6.3 -> 7.0 Cisco instructions and the various hack recipes to try and get this thing to boot with PIX OS 7 , it will not.

I used the upgrade from 6.3(5), I used the upgrade from monitor mode, and neither worked. The file starts to load from flash but you never even see a "#" - it's like the file header is not executable by the 506's monitor / boot loader.

We will have to wait and see if Crisco lets the 501/506 people squeak by and with how bad PIX OS is and how lame all the competitors are, it's almost worth mucking around with OpenBSD at this point since these security/firewall/vpn boxes all suck in some way.

I want:

1) VPN LOCAL authentication - no directories, no crap, no ADS, no LDAP, no TACACS, nothing. I want to have vpn users live in the appliance
2) powerful implied application proxying. None of this crap where DCC doesn't work, idents don't work, AIM and Y! messenger file transfers don't work, etc. Winroute is an example of a "working application" - you don't need port forwards to get PASV ftp, DCC and idents to go through. (this is what is annoying about OpenBSD, they don't believe in proxying "broken" protocols)
3) simplistic access allow implied by port forwarding. Why port forward AND specify the allow for that, it should be implied. EG: "rdr pass on $ext_if proto tcp from any to 1.2.3.4 port 80 -> 10.10.10.10 port 8080"
4) should facilitate: VPN over SSL (have a web page that sets up a tunneled connection), support for OS X's client without software being installed, support plain-jane microsoft VPN clients (L2TP/IPSec, PPTP, Windows 2000, Windows XP and Windows 2003 and even Windows 98 as well as cooking instructions for Linux and FreeBSD clients as well as some possibility for Treos and other PPTP junk VPN stuff to work.)

If anyone knows a device that does this, or a pile of software with some cooking instructions let me know.
sdrock
join:2003-08-12
australia

sdrock to adamc1

Member

to adamc1
never
sdrock

sdrock to zeio77

Member

to zeio77
buy a new one. it won't work and you will end up stuffing it totally and then you won't have an old one or a new one. and if you try to log a tac case they will tell you to pi55 off.
Martyboy
join:2005-10-05

Martyboy to zeio77

Member

to zeio77
I have actually seen one guy with 7.+ installed on a 506. The problem is he doesn't know how he did it. You have to wait, cisco gonna release version 7 to the smaller ones pretty soon.

And you will never get any clients to work except Cisco's own in version 7. They removed the support for that. Maybe you already knew that!?

My suggestion is to check at a product called appgate.
www.appgate.com
SodaAnt
join:2005-09-02
San Ramon, CA

SodaAnt

Member

What kind of memory does a 506E use and what is the maximum it can be upgraded to?
bsteinmann
join:2005-11-22
Mars Hill, ME

bsteinmann to idolclub

Member

to idolclub
Hi everyone,

I also tried to get the v7 running on a PIX-520 and got the same result as yash - constant reboots. But trying to get it back to the old version would not work. It crashes at the attempt to flash it via boot helper disk. Booting is no problem, transferring the "IOS" via tftp neither but when the PIX puts the received IOS on the flash card it crashes...

Searching the net I found »seclists.org/lists/firew ··· 023.html but this was not related to putting v7 on a 520 but the normal upgrade process. But it's essentially the same with me.

Any ideas?
Thanks in advance
Bjoern