Solved

PIX 525 ver 6.3 needs to be upgraded to version 7

Posted on 2006-10-31
404 Views
Last Modified: 2007-12-19
Dear Experts

I have two questions

Question 1

I have a PIX 525 with IOS ver 6.3. I need to upgrade the IOS to the latest one, i.e. 7.1 I believe. I just want to know what will happen to my current configuration after the IOS upgrade; will I need to reconfigure the firewall? Below is my current configuration. If I need to reconfigure the firewall, what will the new commands be?

VPN# sho run
: Saved
:
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
interface gb-ethernet0 1000auto
interface gb-ethernet1 1000auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif gb-ethernet0 dmz security10
nameif gb-ethernet1 intf3 security6
enable password UNbpkCo92r/eQuc/ encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname KFSHVPN
domain-name KFSHVPN
clock timezone AST 3
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 102 permit ip 10.0.0.0 255.255.248.0 10.1.2.0 255.255.255.0
access-list 101 permit ip 10.0.0.0 255.255.248.0 10.1.2.0 255.255.255.0
access-list outside permit tcp any host 212.12.181.156 eq smtp
access-list dmz permit tcp host 193.168.0.5 eq smtp any
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit icmp any any unreachable
pager lines 24
logging timestamp
logging trap warnings
logging host inside 10.0.0.2
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu intf3 1500
ip address outside 212.x.x.x 255.255.255.240
ip address inside 10.0.0.3 255.255.248.0
ip address dmz 193.168.0.1 255.255.255.0
no ip address intf3
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 10.1.2.0-10.1.2.25
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz
no failover ip address intf3
pdm location 10.0.0.2 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 2 212.x.x.x netmask 255.255.255.240
nat (inside) 0 access-list 101
nat (inside) 2 10.0.0.0 255.255.255.240 0 0
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
static (inside,outside) 212.x.x.151 10.0.0.2 netmask 255.255.255.255 0 0
static (dmz,outside) 212.x.x.156 193.168.0.5 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
access-group dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 212.x.x.145 1
route inside 10.0.0.0 255.0.0.0 10.0.0.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.0.0.2 255.255.255.255 inside
http 10.0.0.4 255.255.255.255 inside
snmp-server host inside 10.0.0.2

no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup khaleej3000 address-pool ippool
vpngroup khaleej3000 dns-server 10.0.0.26
vpngroup khaleej3000 default-domain
vpngroup khaleej3000 split-tunnel 102
vpngroup khaleej3000 idle-time 1800
vpngroup khaleej3000 password
vpngroup kfsh3000 address-pool ippool
vpngroup kfsh3000 default-domain
vpngroup kfsh3000 split-tunnel 102
vpngroup kfsh3000 idle-time 1800
vpngroup kfsh3000 password
telnet 10.0.0.2 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 20
terminal width 80
banner exec Unauthorized access is probhited
banner exec Violators will be prosecuted
banner login Violators will be prosecuted
banner motd Violators will be prosecuted
Cryptochecksum:fd21e28ee9374a135f6c921f9a908fd8
: end
VPN#



Question 2

I need to know whether there is any free RADIUS server available that can replace Cisco ACS, as I need to configure AAA for Cisco 6513 and 3550 switches. If yes, please let me know the details.


cheers

alkhaleej
Question by:alkhaleej
2 Comments
 
LVL 3

Expert Comment

by:Caoilte
ID: 17853672
Q1) The upgrade process will look after altering the config so it works with PIX OS 7.

The thing to check is that you have enough memory for PIX OS 7. After that it is a two-step process: upgrade the OS and upgrade the PDM to ASDM.

Q2) There are a few; google is your friend, as they all offer different things, so you should be able to find one that will do AAA for you.
 
LVL 8

Accepted Solution

by: yasirirfan (earned 500 total points)
ID: 17937464
Dear Khaleej,

I agree with Caoilte.

Here are the steps to upgrade the PIX 525 from 6.3 to 7:
http://www.cisco.com/warp/public/110/cspix-adsm-swupgrade.pdf

For Question 2, it's better you google.

Cheers,

Yasir
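Both answers say the upgrade rewrites the 6.3 config rather than discarding it, so the useful pre-upgrade work is knowing which lines to re-read afterwards. The script below is an added example, not code from the thread, from Cisco, or from either commenter: it walks a PIX 6.3 running-config and lists the lines the 7.x upgrade is expected to rewrite (fixup to MPF inspect, nameif and interface settings moving under the interface, vpngroup to tunnel-group/group-policy, pdm to asdm), the lines with no 7.x equivalent (floodguard, conduit, outbound/apply), and the lines a reviewer should fix regardless of the upgrade (DES and MD5 in the VPN policy, telnet management). The 6.3-to-7.x mappings are this example's own assumptions and should be checked against the Cisco upgrade guide linked above and against the converted config on the box; the sample config is an excerpt of the one posted in the question.

```python
"""Pre-upgrade review of a PIX 6.3 running-config (added example, not from the thread).

Reports three kinds of lines:
  * converted: the 7.x upgrade is expected to rewrite them; re-read the result
  * removed:   assumed to have no 7.x equivalent; fix before upgrading
  * weak:      weak crypto / cleartext management worth fixing on any version
The 6.3 -> 7.x mappings are this example's assumptions, not Cisco's list.
"""
import re

# (regex on a 6.3 config line, what the converted 7.x config is assumed to carry)
CONVERTED = [
    (r"^fixup protocol ", "becomes an 'inspect' line under the MPF policy-map"),
    (r"^nameif ", "moves under 'interface' as 'nameif' + 'security-level'"),
    (r"^interface \S+ \S+", "moves under 'interface' as speed/duplex/shutdown"),
    (r"^vpngroup ", "becomes 'tunnel-group' + 'group-policy'"),
    (r"^pdm ", "renamed to 'asdm'"),
]
# (regex, why it needs attention before the upgrade); assumed dropped in 7.x
REMOVED = [
    (r"^floodguard ", "no 7.x equivalent; use embryonic-connection limits in MPF"),
    (r"^conduit ", "no 7.x equivalent; rewrite as access-list + access-group"),
    (r"^(outbound|apply) ", "no 7.x equivalent; rewrite as access-list + access-group"),
]
# Findings that matter whatever the OS version.
WEAK = [
    (r"\bencryption des\b|\besp-des\b", "single DES cipher is weak; prefer AES"),
    (r"\bhash md5\b|\besp-md5-hmac\b", "MD5 integrity is weak; prefer SHA"),
    (r"^isakmp policy \d+ group 1\b", "DH group 1 is weak; use group 2 or higher"),
    (r"^telnet \d", "telnet allows cleartext management; prefer ssh"),
]

# Excerpt of the config posted in the question (lines 1-19 of this string).
SAMPLE_CONFIG = """\
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol ftp 21
fixup protocol smtp 25
pdm location 10.0.0.2 255.255.255.255 inside
pdm history enable
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
vpngroup khaleej3000 address-pool ippool
vpngroup khaleej3000 split-tunnel 102
telnet 10.0.0.2 255.255.255.255 inside
telnet timeout 5
"""


def pix_version(config_text):
    """Return the 'PIX Version' string (e.g. '6.3(3)'), or None if absent."""
    m = re.search(r"^PIX Version (\S+)", config_text, re.MULTILINE)
    return m.group(1) if m else None


def audit(config_text):
    """Return {'converted': [...], 'removed': [...], 'weak': [...]}.

    Each entry is (line_number, line, note). A line is listed once per rule
    it matches, so a transform set using both DES and MD5 appears twice.
    Only 6.x configs are accepted; the rules describe the 6.3 syntax.
    """
    if not (pix_version(config_text) or "").startswith("6."):
        raise ValueError("expected a PIX 6.x running-config")
    report = {"converted": [], "removed": [], "weak": []}
    rules = (("converted", CONVERTED), ("removed", REMOVED), ("weak", WEAK))
    for num, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith((":", "!")):
            continue  # blank lines and the ': Saved' / ': end' markers
        for bucket, table in rules:
            for pattern, note in table:
                if re.search(pattern, line):
                    report[bucket].append((num, line, note))
    return report


if __name__ == "__main__":
    for bucket, entries in audit(SAMPLE_CONFIG).items():
        print(f"== {bucket} ({len(entries)})")
        for num, line, note in entries:
            print(f"  line {num}: {line}\n      -> {note}")
```

Run it against `show run` output saved to a file (`audit(open(path).read())`); the "removed" list is what must be dealt with before the upgrade, the "converted" list is what to diff against the post-upgrade config, and the "weak" list is independent of the upgrade entirely.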
