
Pix515 upgrade from 6.3(5) to 7.0

Posted on 2006-11-11
Last Modified: 2010-04-08
Hey All,

I've been wanting to upgrade for a little bit now but I am a little nervous. Also I have a few questions about the upgrade

1. Do I have to delete the old PDM image from the pix before the upgrade?
2. Will the upgrade affect any of my site to site VPN tunnels?
3. Do I have to upgrade to 7.0 before going to the latest release?
4. Do I have to manually change anything before upgrading or after upgrading besides conduit statements?
5. Here is my current config.
Thanks for any advice.

PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
enable password .10TvIg6fIFBva1Y encrypted
passwd oHZhaad8jfSR9Hgt encrypted
hostname pixfirewall
domain-name LAKEBLUFF
fixup protocol dns maximum-length 512
fixup protocol ftp 21
no fixup protocol h323 h225 1720
no fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol sip udp 5060
no fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 172.17.99.0 vpn2
name 172.15.99.0 vpn3
access-list compiled
access-list no-nat permit ip 192.168.1.0 255.255.255.0 host 10.1.0.30
access-list no-nat permit ip 192.168.1.0 255.255.255.0 host 10.1.0.141
access-list no-nat permit ip 172.16.99.0 255.255.255.0 host 10.1.0.30
access-list no-nat permit ip 172.16.99.0 255.255.255.0 host 10.1.0.141
access-list no-nat permit ip 192.168.1.0 255.255.255.0 172.16.99.0 255.255.255.0
access-list no-nat permit ip host 192.168.11.145 172.16.99.0 255.255.255.0
access-list no-nat permit ip host 192.168.11.145 vpn3 255.255.255.248
access-list no-nat permit ip host 192.168.3.65 192.168.31.0 255.255.255.0
access-list no-nat permit ip 192.168.1.0 255.255.255.0 host x.x.173.17
access-list no-nat permit ip 192.168.1.0 255.255.255.0 host x.x.173.18
access-list no-nat permit ip 192.168.0.0 255.255.240.0 vpn2 255.255.255.0
access-list no-nat permit ip host 192.168.7.1 172.16.99.0 255.255.255.0
access-list no-nat permit ip host 192.168.11.145 170.27.0.0 255.255.0.0
access-list no-nat permit ip 192.168.1.0 255.255.255.0 host x.x.173.83
access-list no-nat permit ip host 192.168.7.4 172.16.99.0 255.255.255.0
access-list no-nat permit ip host 192.168.11.66 host 192.168.31.110
access-list no-nat permit ip host 192.168.11.66 host 192.168.31.10
access-list no-nat permit ip host 192.168.7.1 vpn3 255.255.255.248
access-list no-nat permit ip 192.168.1.0 255.255.255.0 host 10.0.80.20
access-list no-nat permit ip 192.168.1.0 255.255.255.0 host 162.142.32.92
access-list no-nat permit ip 192.168.1.0 255.255.255.0 host 10.0.80.83
access-list no-nat permit ip host 192.168.7.1 host 192.168.31.10
access-list no-nat permit ip 192.168.15.0 255.255.255.0 host 10.3.240.17
access-list no-nat permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list no-nat permit ip 192.168.1.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list no-nat permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list no-nat permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list no-nat permit ip 192.168.1.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list no-nat permit ip host 192.168.1.7 10.6.50.0 255.255.255.0
access-list no-nat permit ip host 192.168.1.50 192.168.31.0 255.255.255.0
access-list no-nat permit ip host 192.168.1.51 192.168.31.0 255.255.255.0
access-list no-nat permit ip host 192.168.1.52 192.168.31.0 255.255.255.0
access-list no-nat permit ip host 192.168.1.53 192.168.31.0 255.255.255.0
access-list no-nat permit ip host 192.168.1.54 192.168.31.0 255.255.255.0
access-list no-nat permit ip host 192.168.9.2 vpn3 255.255.255.248
access-list no-nat permit ip host 192.168.9.6 host 192.168.31.10
access-list no-nat permit ip host 192.168.9.7 host 192.168.31.10
access-list no-nat permit ip host 192.168.1.29 vpn3 255.255.255.248
access-list no-nat permit ip host 192.168.9.2 172.16.99.0 255.255.255.0
access-list no-nat permit ip host 192.168.9.6 172.16.99.0 255.255.255.0
access-list no-nat permit ip host 192.168.1.42 host 192.168.31.110
access-list no-nat permit ip host 192.168.1.26 vpn3 255.255.255.248
access-list vpnsales_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 172.16.99.0 255.255.255.0
access-list vpnsales_splitTunnelAcl permit ip host 192.168.11.145 172.16.99.0 255.255.255.0
access-list vpnsales_splitTunnelAcl permit ip host 192.168.7.1 172.16.99.0 255.255.255.0
access-list vpnsales_splitTunnelAcl permit ip host 192.168.7.4 172.16.99.0 255.255.255.0
access-list vpnsales_splitTunnelAcl permit ip host 192.168.9.2 172.16.99.0 255.255.255.0
access-list vpnsales_splitTunnelAcl permit ip host 192.168.9.6 172.16.99.0 255.255.255.0
access-list client_nat permit ip 192.168.11.0 255.255.255.0 host x.x.173.17
access-list client_nat permit ip 192.168.11.0 255.255.255.0 host x.x.173.18
access-list client_nat permit ip 192.168.11.0 255.255.255.0 host x.x.173.83
access-list IT_splitTunnelAcl permit ip 192.168.32.0 255.255.255.0 vpn2 255.255.255.0
access-list IT_splitTunnelAcl permit ip 192.168.9.0 255.255.255.0 vpn2 255.255.255.0
access-list IT_splitTunnelAcl permit ip 192.168.11.0 255.255.255.0 vpn2 255.255.255.0
access-list IT_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 vpn2 255.255.255.0
access-list IT_splitTunnelAcl permit ip 192.168.3.0 255.255.255.0 vpn2 255.255.255.0
access-list IT_splitTunnelAcl permit ip 192.168.7.0 255.255.255.0 vpn2 255.255.255.0
access-list IT_splitTunnelAcl permit ip 192.168.10.0 255.255.255.0 vpn2 255.255.255.0
access-list client_nat permit ip host 192.168.1.7 host x.x.65.50
access-list client_nat permit ip host 192.168.1.7 x.x.9.0 255.255.255.0
access-list client_nat permit ip host 192.168.1.7 host x.x.249.115
access-list public_out permit tcp any host x.x.80.189 eq www
access-list public_out permit tcp any host x.x.80.189 eq https
access-list public_out permit tcp any host x.x.80.186 eq ssh
access-list public_out permit tcp any host x.x.80.186 eq https
access-list public_out permit tcp any host x.x.80.186 eq www
access-list public_out permit tcp any host x.x.80.186 eq 994
access-list public_out permit tcp any host x.x.80.182 eq www
access-list public_out permit tcp any host x.x.80.182 eq https
access-list public_out permit tcp any host x.x.80.171
access-list public_out permit esp host x.x.140.2 host x.x.80.171
access-list public_out permit esp host x.x.140.2 host x.x.80.170
access-list public_out permit esp host x.x.140.3 host x.x.80.170
access-list public_out permit tcp any host x.x.80.171 eq pptp
access-list public_out permit gre any host x.x.80.171
access-list public_out permit tcp any host x.x.41.166 eq 8080
access-list public_out permit tcp any host x.x.41.166 eq www
access-list public_out permit tcp any host x.x.41.166 eq https
access-list public_out permit tcp any host x.x.41.166 eq smtp
access-list public_out permit tcp any host x.x.41.166 eq 995
access-list public_out permit tcp any host x.x.80.168 eq www
access-list public_out permit tcp any host x.x.80.168 eq https
access-list public_out permit tcp any host x.x.80.169 eq https
access-list public_out permit tcp any host x.x.80.169 eq www
access-list public_out permit icmp any any
access-list public_out deny ip any any
access-list client permit ip host 172.29.128.20 host x.x.65.50
access-list client permit ip host 172.29.128.20 host x.x.249.115
access-list client permit ip host 172.29.128.20 x.x.9.0 255.255.255.0
access-list client permit ip host 172.29.128.23 host x.x.170.203
access-list client permit ip host 172.29.128.24 host x.x.159.215
access-list client permit ip host 172.29.128.23 host x.x.159.215
access-list client permit ip 192.168.1.0 255.255.255.0 host 10.1.0.30
access-list client permit ip 192.168.1.0 255.255.255.0 host 10.1.0.141
access-list client permit ip vpn2 255.255.255.0 192.168.31.0 255.255.255.0
access-list client permit ip 192.168.1.0 255.255.255.0 host 192.168.31.10
access-list client permit ip host 192.168.3.65 192.168.31.0 255.255.255.0
access-list client permit ip host 192.168.11.66 host 192.168.31.110
access-list client permit ip host 192.168.11.66 host 192.168.31.10
access-list client permit ip host 192.168.7.1 host 192.168.31.10
access-list client permit ip host 192.168.1.50 192.168.31.0 255.255.255.0
access-list client permit ip host 192.168.1.51 192.168.31.0 255.255.255.0
access-list client permit ip host 192.168.1.52 192.168.31.0 255.255.255.0
access-list client permit ip host 192.168.1.53 192.168.31.0 255.255.255.0
access-list client permit ip host 192.168.1.54 192.168.31.0 255.255.255.0
access-list client permit ip host 192.168.9.2 192.168.31.0 255.255.255.0
access-list client permit ip host 192.168.9.6 host 192.168.31.10
access-list client permit ip host 192.168.9.7 host 192.168.31.10
access-list client permit ip host 192.168.3.60 192.168.31.0 255.255.255.0
access-list client permit ip host 192.168.1.42 host 192.168.31.110
access-list client permit ip host x.x.80.176 x.x.32.0 255.255.224.0
access-list client permit ip host x.x.80.176 x.x.188.0 255.255.255.0
access-list client permit ip host x.x.80.182 x.x.32.0 255.255.224.0
access-list client permit ip host x.x.80.182 x.x.188.0 255.255.255.0
access-list client permit ip host x.x.80.175 host x.x.1.15
access-list client permit ip 192.168.1.0 255.255.255.0 host x.x.173.17
access-list client permit ip 10.10.90.0 255.255.255.0 host x.x.173.17
access-list client permit ip 192.168.1.0 255.255.255.0 host x.x.173.18
access-list client permit ip 10.10.90.0 255.255.255.0 host x.x.173.18
access-list client permit ip 10.10.90.0 255.255.255.0 host x.x.173.83
access-list client permit ip 192.168.1.0 255.255.255.0 host x.x.173.83
access-list client permit ip host x.x.80.163 host 170.27.64.8
access-list client permit ip host 192.168.11.145 170.27.0.0 255.255.0.0
access-list client permit ip host x.x.80.172 host x.x.29.184
access-list client permit ip host 192.168.1.100 host 10.5.250.29
access-list client permit ip host 192.168.1.7 10.6.50.0 255.255.255.0
access-list client_nat2 permit ip host 192.168.1.27 host x.x.170.203
access-list client_nat2 permit ip host 192.168.1.27 host x.x.159.215
access-list client_nat permit ip host 192.168.1.7 host x.x.1.15
access-list client_nat permit ip host 192.168.1.11 host x.x.1.15
access-list client_nat permit ip host 192.168.1.12 host x.x.1.15
access-list client_nat permit ip host 192.168.1.13 host x.x.1.15
access-list client_nat permit ip host 192.168.1.14 host x.x.1.15
access-list client_nat permit ip host 192.168.1.15 host x.x.1.15
access-list client_nat permit ip host 192.168.1.16 host x.x.1.15
access-list client_nat permit ip host 192.168.1.17 host x.x.1.15
access-list client_nat permit ip 192.168.1.0 255.255.255.0 x.x.32.0 255.255.224.0
access-list client_nat permit ip 192.168.1.0 255.255.255.0 x.x.188.0 255.255.255.0
access-list client_nat permit ip vpn2 255.255.255.0 x.x.32.0 255.255.224.0
access-list client_nat permit ip host 192.168.1.7 host x.x.29.184
access-list client_nat permit ip host 192.168.1.11 host x.x.29.184
access-list client_nat permit ip host 192.168.1.12 host x.x.29.184
access-list client_nat permit ip host 192.168.1.13 host x.x.29.184
access-list client_nat permit ip host 192.168.1.14 host x.x.29.184
access-list client_nat permit ip host 192.168.1.15 host x.x.29.184
access-list client_nat permit ip host 192.168.1.16 host x.x.29.184
access-list client_nat permit ip host 192.168.1.17 host x.x.29.184
access-list client permit ip 10.252.252.24 255.255.255.248 host x.x.64.25
access-list client permit ip 10.252.252.24 255.255.255.248 host x.x.92.26
access-list client permit ip 10.252.252.24 255.255.255.248 host x.x.64.16
access-list client_nat permit ip 192.168.1.0 255.255.255.0 host x.x.92.26
access-list client_nat permit ip 192.168.1.0 255.255.255.0 host x.x.64.25
access-list client_nat permit ip 192.168.1.0 255.255.255.0 host x.x.64.16
access-list client_nat3 permit ip host 192.168.9.4 host x.x.159.215
access-list client permit ip 192.168.1.0 255.255.255.0 host 162.142.32.92
access-list client permit ip 192.168.1.0 255.255.255.0 host 10.0.80.20
access-list client permit ip 192.168.1.0 255.255.255.0 host 10.0.80.83
access-list client permit ip 192.168.15.0 255.255.255.0 host 10.3.240.17
access-list client permit ip 192.168.15.0 255.255.255.0 host 10.64.0.109
access-list client_nat permit ip 192.168.1.0 255.255.255.0 host 10.3.240.17
access-list client_nat permit ip 192.168.1.0 255.255.255.0 host 10.64.0.109
access-list dmz-no-nat permit ip 192.168.32.0 255.255.255.0 vpn2 255.255.255.0
access-list dmz_dns permit icmp any any
access-list dmz_dns permit udp 192.168.32.0 255.255.255.0 host 192.168.7.1 eq domain
access-list dmz_dns permit tcp 192.168.32.0 255.255.255.0 192.168.7.0 255.255.255.0 eq 8443
access-list dmz_dns permit tcp 192.168.32.0 255.255.255.0 192.168.7.0 255.255.255.0 eq 8080
access-list dmz_dns permit tcp 192.168.32.0 255.255.255.0 192.168.7.0 255.255.255.0 eq 8010
access-list dmz_dns permit tcp 192.168.32.0 255.255.255.0 192.168.7.0 255.255.255.0 eq 8009
access-list dmz_dns permit tcp 192.168.32.0 255.255.255.0 192.168.7.0 255.255.255.0 eq 7000
access-list dmz_dns permit tcp 192.168.32.0 255.255.255.0 192.168.7.0 255.255.255.0 eq 7001
access-list dmz_dns permit tcp 192.168.32.0 255.255.255.0 192.168.7.0 255.255.255.0 eq 7002
access-list dmz_dns permit tcp 192.168.32.0 255.255.255.0 192.168.7.0 255.255.255.0 eq 7003
access-list dmz_dns permit tcp 192.168.32.0 255.255.255.0 192.168.7.0 255.255.255.0 eq 7004
access-list dmz_dns permit tcp 192.168.32.0 255.255.255.0 192.168.7.0 255.255.255.0 eq 7005
access-list dmz_dns permit tcp 192.168.32.0 255.255.255.0 192.168.7.0 255.255.255.0 eq https
access-list dmz_dns permit udp 192.168.32.0 255.255.255.0 host 192.168.7.1 eq ntp
access-list dmz_dns permit udp 192.168.32.0 255.255.255.0 host 192.168.7.1 eq 2049
access-list dmz_dns permit tcp 192.168.32.0 255.255.255.0 host 192.168.7.1 eq 123
access-list dmz_dns permit tcp 192.168.32.0 255.255.255.0 host 192.168.7.1 eq 2049
access-list dmz_dns deny ip 192.168.32.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list dmz_dns permit ip 192.168.32.0 255.255.255.0 any
access-list client permit ip host x.x.80.173 host x.x.73.80
access-list client permit ip host x.x.80.173 host x.x.73.81
access-list client permit ip host x.x.80.173 host x.x.73.86
access-list client_nat permit ip 192.168.1.0 255.255.255.0 host x.x.73.80
access-list client_nat permit ip 192.168.1.0 255.255.255.0 host x.x.73.81
access-list client_nat permit ip 192.168.1.0 255.255.255.0 host x.x.73.86
pager lines 24
logging monitor debugging
logging buffered debugging
logging trap debugging
logging host inside 192.168.1.50
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside x.x.80.163 255.255.255.224
ip address inside 192.168.1.2 255.255.255.0
ip address DMZ 192.168.32.254 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface DMZ
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn 172.16.99.1-172.16.99.254
ip local pool vpn2 172.17.99.1-172.17.99.254
ip local pool vpn3 172.15.99.1-172.15.99.3
arp timeout 14400
global (outside) 5 10.252.252.25-10.252.252.30
global (outside) 1 interface
global (outside) 2 x.x.80.176
global (outside) 3 x.x.80.175
global (outside) 4 x.x.80.172
global (outside) 6 x.x.80.173
global (DMZ) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 2 access-list client_nat 0 0
nat (inside) 3 access-list client_nat 0 0
nat (inside) 4 access-list client_nat 0 0
nat (inside) 5 access-list client_nat 0 0
nat (inside) 6 access-list client_nat 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ) 0 access-list dmz-no-nat
nat (DMZ) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) x.x.80.189 192.168.1.42 netmask 255.255.255.255 0 0
static (inside,outside) x.x.80.186 192.168.1.38 netmask 255.255.255.255 0 0
static (inside,outside) 172.29.128.20 access-list client_nat 0 0
static (inside,outside) 10.10.90.0 access-list client_nat 0 0
static (DMZ,outside) x.x.41.166 192.168.32.2 netmask 255.255.255.255 0 0
static (inside,outside) 172.29.128.23 access-list client_nat2 0 0
static (inside,outside) 172.29.128.24 access-list client_nat3 0 0
static (inside,outside) 192.168.15.0 access-list client_nat 0 0
static (inside,outside) x.x.80.182 192.168.11.145 netmask 255.255.255.255 0 0
static (inside,outside) x.x.80.170 192.168.1.21 netmask 255.255.255.255 0 0
static (DMZ,outside) x.x.80.168 192.168.32.3 netmask 255.255.255.255 0 0
static (DMZ,outside) x.x.80.169 192.168.32.4 netmask 255.255.255.255 0 0
static (inside,DMZ) 192.168.7.1 192.168.7.1 netmask 255.255.255.255 0 0
static (inside,outside) x.x.80.171 192.168.1.20 netmask 255.255.255.255 0 0
access-group public_out in interface outside
access-group dmz_dns in interface DMZ
route outside 0.0.0.0 0.0.0.0 x.x.80.161 1
route inside 192.168.3.0 255.255.255.0 192.168.1.1 1
route inside 192.168.7.0 255.255.255.0 192.168.1.1 1
route inside 192.168.9.0 255.255.255.0 192.168.1.1 1
route inside 192.168.10.0 255.255.255.0 192.168.1.1 1
route inside 192.168.11.0 255.255.255.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http 67.37.184.233 255.255.255.255 outside
http vpn2 255.255.255.0 inside
http 192.168.1.50 255.255.255.255 inside
snmp-server host inside 192.168.1.74
snmp-server location Transolutions
snmp-server contact James
snmp-server community logging
snmp-server enable traps
tftp-server inside 192.168.1.50 newpixconfig.bin
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec transform-set myset2 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set myset
crypto map mymap 2 ipsec-isakmp
crypto map mymap 2 match address client
crypto map mymap 2 set peer 167.73.110.89
crypto map mymap 2 set transform-set myset
crypto map mymap 3 ipsec-isakmp
crypto map mymap 3 match address client
crypto map mymap 3 set peer x.x.192.10
crypto map mymap 3 set transform-set myset
crypto map mymap 4 ipsec-isakmp
crypto map mymap 4 match address client
crypto map mymap 4 set peer 170.27.201.250
crypto map mymap 4 set transform-set myset2
crypto map mymap 5 ipsec-isakmp
crypto map mymap 5 match address client
crypto map mymap 5 set peer x.x.60.19
crypto map mymap 5 set transform-set myset
crypto map mymap 6 ipsec-isakmp
crypto map mymap 6 match address client
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp key ******** address x.x.110.89 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address x.x.192.10 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address x.x.201.250 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address x.x.30.3 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address x.x.60.19 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address x.x.44.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 3600
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash sha
isakmp policy 2 group 2
isakmp policy 2 lifetime 86400
isakmp policy 3 authentication pre-share
isakmp policy 3 encryption 3des
isakmp policy 3 hash md5
isakmp policy 3 group 2
isakmp policy 3 lifetime 86400
isakmp policy 4 authentication pre-share
isakmp policy 4 encryption aes
isakmp policy 4 hash md5
isakmp policy 4 group 5
isakmp policy 4 lifetime 86400
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash md5
isakmp policy 5 group 1
isakmp policy 5 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
vpngroup vpnsales split-tunnel vpnsales_splitTunnelAcl
vpngroup vpnsales idle-time 2000
vpngroup vpnsales password ********
vpngroup vendor1 address-pool vpn
vpngroup vendor1 idle-time 1800
vpngroup vendor1 password ********
vpngroup 5sight address-pool vpn3
vpngroup 5sight idle-time 1800
vpngroup 5sight password ********
vpngroup IT address-pool vpn2
vpngroup IT split-tunnel IT_splitTunnelAcl
vpngroup IT idle-time 2000
vpngroup IT password ********
vpngroup idle-time idle-time 1800

Question by: wilsj

Accepted Solution by: lrmoore (earned 500 total points)
Good news, bad news, mostly good news.

>1. Do I have to delete the old PDM image from the pix before the upgrade?
No. The upgrade process will reformat the flash anyway. 7.0 uses the newer ASDM to replace the PDM

>2. Will the upgrade affect any of my site to site VPN tunnels?
It should not. The upgrade process will automatically convert your 6.x configuration to the new 7.0 format and carry over all of your original settings. There is also an "undo" function if you have enough flash memory to hold both the old 6.x OS and the new 7.0 OS and both old and new configs. This is all automagic.

>3. Do I have to upgrade to 7.0 before going to the latest release?
You must upgrade to 7.0x before going all the way to 7.21. I've already made the mistake of trying to go all the way and it was not pretty. Bad news is that you can't jump all the way to the latest/greatest.

>4. Do I have to manually change anything before upgrading or after upgrading besides conduit statements?
No. As I stated above, the upgrade process converts everything automagically. I don't see any conduit statements in your config, nor do I see any vpdn group configuration. Neither is supported in 7.0.
Split_tunnel acls should be converted to standard acl vs extended.

>5. Here is my current config.
It will look very different after the conversion. Many things have been replaced with policies, like fixups and VPN groups.

You might want to give this document a read before taking the plunge:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_70/pix_upgd/pixupgrd.htm

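As an added example (not code from the original thread, and not anything Cisco ships), here is a small Python lint that takes a PIX 6.3 config dump and reports the three things lrmoore's answer says to watch for before the upgrade: `conduit` and `vpdn` lines that 7.0 drops, `fixup protocol` lines that 7.0 replaces with inspection policy, and the extended split-tunnel ACLs referenced by `vpngroup ... split-tunnel` that become standard ACLs. The config embedded in it is constructed (a handful of lines in the shape of the posted config, with one conduit and one vpdn line added so the checks have something to flag). The split-tunnel conversion assumes every entry is `permit ip`/`deny ip` and keeps the source side of each entry, since in a 6.x extended split-tunnel ACL the source is the network behind the PIX that the client should tunnel to, which is what the 7.0 standard ACL lists.

```python
"""Pre-upgrade lint for a PIX 6.3 config heading to 7.0.

Added example for this thread; not from the original post or from Cisco.
"""
import re
from collections import OrderedDict

# Constructed sample in the shape of the posted config (a few lines only;
# the conduit and vpdn lines are added so the checks fire).
SAMPLE_CONFIG = """\
PIX Version 6.3(5)
names
name 172.17.99.0 vpn2
fixup protocol ftp 21
no fixup protocol smtp 25
access-list vpnsales_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 172.16.99.0 255.255.255.0
access-list vpnsales_splitTunnelAcl permit ip host 192.168.11.145 172.16.99.0 255.255.255.0
access-list vpnsales_splitTunnelAcl permit ip host 192.168.7.1 172.16.99.0 255.255.255.0
access-list IT_splitTunnelAcl permit ip 192.168.32.0 255.255.255.0 vpn2 255.255.255.0
access-list IT_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 vpn2 255.255.255.0
conduit permit tcp host 192.0.2.10 eq www any
vpdn group pptp accept dialin pptp
vpngroup vpnsales split-tunnel vpnsales_splitTunnelAcl
vpngroup IT address-pool vpn2
vpngroup IT split-tunnel IT_splitTunnelAcl
"""

# Commands the accepted answer says 7.0 does not support.
UNSUPPORTED_IN_7 = ("conduit", "vpdn")


def config_lines(text):
    """Normalise a config dump: drop blank lines and leading whitespace."""
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def parse_names(lines):
    """Map 'name <ip> <alias>' entries so aliases used in ACLs resolve."""
    names = {}
    for ln in lines:
        m = re.match(r"name (\S+) (\S+)$", ln)
        if m:
            names[m.group(2)] = m.group(1)
    return names


def unsupported_lines(lines):
    """Lines whose leading keyword 7.0 drops; these need a hand rewrite."""
    return [ln for ln in lines if ln.split(" ", 1)[0] in UNSUPPORTED_IN_7]


def enabled_fixups(lines):
    """Active fixups ('no fixup ...' excluded); 7.0 moves these to policy."""
    return [ln for ln in lines if ln.startswith("fixup protocol")]


def _standard_source(tokens, names):
    """Source side of an extended '<src> <dst>' body as a standard-ACL term."""
    if tokens[0] == "any":
        return "any"
    if tokens[0] == "host":
        return "host " + names.get(tokens[1], tokens[1])
    return names.get(tokens[0], tokens[0]) + " " + tokens[1]


def split_tunnel_standard_acls(lines):
    """For each ACL named by 'vpngroup <g> split-tunnel <acl>', build the
    equivalent 7.0 standard ACL: one entry per distinct source network.
    Assumption: the 6.x entries are all 'permit ip' / 'deny ip'."""
    names = parse_names(lines)
    acls = OrderedDict()
    for ln in lines:
        m = re.match(r"vpngroup \S+ split-tunnel (\S+)$", ln)
        if m:
            acls.setdefault(m.group(1), [])
    for acl in acls:
        pat = re.compile(r"access-list %s (permit|deny) ip (.+)$" % re.escape(acl))
        for ln in lines:
            m = pat.match(ln)
            if not m:
                continue
            src = _standard_source(m.group(2).split(), names)
            entry = "access-list %s standard %s %s" % (acl, m.group(1), src)
            if entry not in acls[acl]:
                acls[acl].append(entry)
    return acls


def report(text):
    """Everything to look at before typing 'copy tftp', as one dict."""
    lines = config_lines(text)
    return {
        "unsupported": unsupported_lines(lines),
        "fixups": enabled_fixups(lines),
        "split_tunnel": split_tunnel_standard_acls(lines),
    }


if __name__ == "__main__":
    r = report(SAMPLE_CONFIG)
    print("Rewrite by hand before upgrading:")
    for ln in r["unsupported"]:
        print("  " + ln)
    print("Fixups to re-express as 7.0 inspection policy:")
    for ln in r["fixups"]:
        print("  " + ln)
    for acl, entries in r["split_tunnel"].items():
        print("Standard ACL for %s:" % acl)
        for e in entries:
            print("  " + e)
```

Run it against a `show run` capture instead of the embedded sample by replacing `SAMPLE_CONFIG` with the file contents; anything under "Rewrite by hand" is what the automatic conversion will not carry over, and the standard-ACL output is what to compare against the converted config after the reload.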

Author Comment by: wilsj
Ok, it doesn't sound that bad I guess. Couple more questions.

1. On the pix 515 do I have to do the upgrade in monitor mode?
2. After the upgrade to 7.0 can I go directly to 7.21 and are there any major differences from 7.0 to 7.21?

Expert Comment by: lrmoore
1. No. Just use copy tftp commands
  pix#copy tftp://1.2.3.4/pix706.bin flash:
 
2. Yes, there are major differences between 7.0 and 7.21. The ASDM GUI is much better, support for PPTP is back . . .
Check out the release notes for 7.21
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_72/rel_note/pixrn72.htm

Author Comment by: wilsj
Thanks a lot for the info. If I have any issues I will post and hope to hear from you. Thanks again.