Solved

upgrade Cisco PIX to 7.0(8)

Posted on 2008-10-09
Last Modified: 2012-05-05
Hello,

I need to upgrade my PIX 515 from ver 6.3(5) (PDM ver 3.0(4)) to ver 7.0(8). We currently use a hub and spoke configuration. Our branch offices each connect with a PIX 506. We have several users who also use L2TP/PPTP VPN connections from home (Windows XP). Some of our home users are now getting Windows Vista workstations, which do not support the old version of MSCHAP (which is why I am upgrading).
1. I'm hoping the experts can look at the present configuration on my PIX 515 and advise me if the upgrade will be clean with no change in connectivity. I am including my present configuration below.

2. Should I use ASDM ver 5.0.8 or 5.2.4?


Present configuration.

Result of firewall command: "show config"
 
: Saved
: Written by enable_15 at 11:35:19.029 CDT Fri Aug 15 2008
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security10
enable password XXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXX encrypted
hostname XY-XYXYXY-01
domain-name XYXYXY
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 111.111.111.0 WWNet
name 111.111.111.5 WW-FIREWALL
name 222.222.222.0 LTNet
name 333.333.333.0 LSNet
name 444.444.444.0 HVNet
name 555.555.555.0 TANet
name 666.666.666.0 LONet
name 777.777.777.0 HPNet
name 888.888.888.0 Slns
access-list inside_access_in permit ip any any
access-list inside_outbound_nat0_acl permit ip any 192.xxx.yyy.192 255.255.255.224
access-list inside_outbound_nat0_acl permit ip any 192.xxx.xxx.192 255.255.255.224
access-list inside_outbound_nat0_acl permit ip 192.xxx.xxx.0 255.255.255.0 host WW-FIREWALL
access-list 120 permit ip 192.xxx.xxx.0 255.255.255.0 WWNet 255.255.255.0
access-list 100 permit ip 192.xxx.xxx.0 255.255.255.0 WWNet 255.255.255.0
access-list 100 permit ip 192.xxx.xxx.0 255.255.255.0 192.xxx.xxx.208 255.255.255.240
access-list 100 permit ip any 192.xxx.xxx.192 255.255.255.224
access-list 100 permit ip 192.xxx.xxx.0 255.255.255.0 LSNet 255.255.255.0
access-list 100 permit ip 192.xxx.xxx.0 255.255.255.0 LTNet 255.255.255.0
access-list 100 permit ip 192.xxx.xxx.0 255.255.255.0 TANet 255.255.255.0
access-list 100 permit ip 192.xxx.xxx.0 255.255.255.0 LONet 255.255.255.0
access-list 100 permit ip 192.xxx.xxx.0 255.255.255.0 HVNet 255.255.255.0
access-list 100 permit ip 192.xxx.xxx.0 255.255.255.0 HPNet 255.255.255.0
access-list 100 permit ip 192.xxx.xxx.0 255.255.255.0 Slns 255.255.255.0
access-list 150 permit ip 192.xxx.xxx.0 255.255.255.0 LTNet 255.255.255.0
access-list 160 permit ip 192.xxx.xxx.0 255.255.255.0 LSNet 255.255.255.0
access-list 170 permit ip 192.xxx.xxx.0 255.255.255.0 TANet 255.255.255.0
access-list 180 permit ip 192.xxx.xxx.0 255.255.255.0 LONet 255.255.255.0
access-list 190 permit ip 192.xxx.xxx.0 255.255.255.0 HVNet 255.255.255.0
access-list outside_cryptomap_30 permit ip 192.xxx.xxx.0 255.255.255.0 HPNet 255.255.255.0
access-list acl_inbound permit tcp any interface outside eq https
access-list 210 permit ip 192.xxx.xxx.0 255.255.255.0 Slns 255.255.255.0
access-list 130 permit ip 192.xxx.xxx.0 255.255.255.0 HPNet 255.255.255.0
pager lines 24
logging on
no logging message 106015
no logging message 106011
no logging message 305012
no logging message 305011
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 304001
no logging message 302016
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 11.222.33.444 255.255.255.252
ip address inside 192.xxx.xxx.100 255.255.255.0
ip address DMZ 192.xxx.yyy.100 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool SubNetxx 192.xxx.xxx.201-192.xxx.xxx.210
pdm location 192.xxx.xxx.0 255.255.255.0 inside
pdm location 192.xxx.yyy.192 255.255.255.224 outside
pdm location 192.xxx.xxx.102 255.255.255.255 inside
pdm location 192.xxx.xxx.54 255.255.255.255 inside
pdm location 192.xxx.xxx.74 255.255.255.255 inside
pdm location 192.xxx.xxx.49 255.255.255.255 inside
pdm location 192.xxx.xxx.93 255.255.255.255 inside
pdm location 192.xxx.xxx.17 255.255.255.255 inside
pdm location 192.xxx.xxx.181 255.255.255.255 inside
pdm location 192.xxx.xxx.208 255.255.255.240 outside
pdm location 192.xxx.xxx.192 255.255.255.224 outside
pdm location WWNet 255.255.255.0 outside
pdm location LTNet 255.255.255.0 outside
pdm location LSNet 255.255.255.0 outside
pdm location TANet 255.255.255.0 outside
pdm location LONet 255.255.255.0 outside
pdm location HVNet 255.255.255.0 outside
pdm location HPNet 255.255.255.0 outside
pdm location 192.xxx.xxx.241 255.255.255.255 inside
pdm location Slns 255.255.255.0 outside
pdm location 192.xxx.xxx.59 255.255.255.255 inside
pdm logging informational 512
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list 100
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 11.222.33.444 https 192.xxx.xxx.241 https netmask 255.255.255.255 0 0
access-group acl_inbound in interface outside
route outside 0.0.0.0 0.0.0.0 11.222.33.444 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.xxx.xxx.49 255.255.255.255 inside
http 192.xxx.xxx.181 255.255.255.255 inside
http 192.xxx.xxx.59 255.255.255.255 inside
snmp-server host inside 192.xxx.xxx.17
snmp-server host inside 192.xxx.xxx.49
no snmp-server location
no snmp-server contact
snmp-server community zxzxzxzxzxzx
snmp-server enable traps
tftp-server inside 192.xxx.xxx.49 /PIX515
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set TTTTTT esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address 120
crypto map newmap 20 set peer 11.111.11.111
crypto map newmap 20 set transform-set myset
crypto map newmap 30 ipsec-isakmp
crypto map newmap 30 match address outside_cryptomap_30
crypto map newmap 30 set peer 22.222.222.222
crypto map newmap 30 set transform-set myset
crypto map newmap 50 ipsec-isakmp
crypto map newmap 50 match address 150
crypto map newmap 50 set peer 33.333.33.333
crypto map newmap 50 set transform-set myset
crypto map newmap 60 ipsec-isakmp
crypto map newmap 60 match address 160
crypto map newmap 60 set peer 44.444.44.444
crypto map newmap 60 set transform-set myset
crypto map newmap 70 ipsec-isakmp
crypto map newmap 70 match address 170
crypto map newmap 70 set peer 55.555.55.555
crypto map newmap 70 set transform-set myset
crypto map newmap 80 ipsec-isakmp
crypto map newmap 80 match address 180
crypto map newmap 80 set peer 66.666.66.66
crypto map newmap 80 set transform-set myset
crypto map newmap 90 ipsec-isakmp
crypto map newmap 90 match address 190
crypto map newmap 90 set peer 77.777.77.777
crypto map newmap 90 set transform-set myset
crypto map newmap 96 ipsec-isakmp
crypto map newmap 96 match address 210
crypto map newmap 96 set peer 88.888.88.88
crypto map newmap 96 set transform-set myset
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address 11.111.11.111 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 33.333.33.333 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 44.444.44.444 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 55.555.55.555 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 66.666.66.66 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 77.777.77.777 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 22.222.222.222 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 88.888.88.88 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup XXVPNC address-pool SubNet83
vpngroup XXVPNC wins-server xxx.xxx.xxx.1
vpngroup XXVPNC default-domain XXXXXXX
vpngroup XXVPNC idle-time 1800
vpngroup XXVPNC password ********
telnet 192.xxx.xxx.49 255.255.255.255 inside
telnet 192.xxx.xxx.181 255.255.255.255 inside
telnet 192.xxx.xxx.0 255.255.255.0 inside
telnet timeout 60
ssh timeout 5
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe 40
vpdn group PPTP-VPDN-GROUP client configuration address local SubNetxx
vpdn group PPTP-VPDN-GROUP client configuration dns 192.xxx.xxx.1 192.xxx.xxx.4
vpdn group PPTP-VPDN-GROUP client configuration wins 192.xxx.xxx.1
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username qqqqqqq password ********
vpdn username wwwwwww password ********
vpdn username eeeeeee password ********
vpdn username rrrrrrr password ********
vpdn username ttttttt password ********
vpdn username yyyyyyy password ********
vpdn username uuuuuuu password ********
vpdn username iiiiiii password ********
vpdn username ooooooo password ********
vpdn username ppppppp password ********
vpdn username aaaaaaa password ********
vpdn username sssssss password ********
vpdn username ddddddd password ********
vpdn username fffffff password ********
vpdn username ggggggg password ********
vpdn username hhhhhhh password ********
vpdn username jjjjjjj password ********
vpdn username kkkkkkk password ********
vpdn username lllllll password ********
vpdn enable outside
terminal width 80
Cryptochecksum:2768265522a131497d26005dbedbd79e
Question by:rotoboy
9 Comments
 
Accepted Solution

by: urgoll earned 43 total points
ID: 22678640
Hello,
PIX software versions 7.0 and 7.1 do NOT support the use of PPTP. Please refer to the release notes:
http://www.cisco.com/en/US/docs/security/pix/pix70/release/notes/pix708rn.html#wp171380

L2TP was added in 7.2, but there is still no support for PPTP. The recommendation from Cisco is to use IPSec-based VPN instead.

Otherwise, the configuration format for VPN has changed between 6.x and 7.x - things like fixup and isakmp preshared keys have changed syntax or structure, but the upgrade mechanism should translate those for you. But plenty of testing is required and some minor issues are to be expected.

As for the ASDM, you should use the one that corresponds to the version of the PIX image you are using, i.e. 5.0(8) if you are using PIX 7.0(8).

Hope this helps,
Christophe

Assisted Solution

by:ngravatt
ngravatt earned 41 total points
ID: 22680854
Note that the v7 of the PIX code requires a minimum amount of memory that was not required by v6.
"...devices must be upgraded to a total of 64 MB memory"
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps2030/prod_bulletin0900aecd8023c8d4.html

Use the 'show version' command from the CLI to show how much memory your PIX has.

pixfirewall #show version

Cisco PIX Firewall Version 6.2(1)
...
<output deleted for brevity>...
pixfirewall up 22 hours 15 mins
Hardware: PIX-515, 32 MB RAM, CPU Pentium 200 MHz
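A pre-upgrade check that combines the two points made so far (PPTP is dropped in 7.0/7.1, and the 64 MB / 128 MB memory floors for 7.x and 8.0(4)), written as an added example rather than anything from the thread or from Cisco: it parses 'show version' output, including the wrapped "32 MB / RAM" line shown above, and scans a 6.3 config for PPTP-dependent lines. The sample output and config are constructed for a hypothetical device.

```python
import re

# Memory floors (MB) quoted in the thread: 64 MB for PIX 7.x; for 8.0(4) 64 MB with a
# Restricted (R) license and 128 MB for Unrestricted (UR) / Failover (FO) licenses.
MIN_RAM_MB = {"7.x": {"R": 64, "UR": 64, "FO": 64},
              "8.0(4)": {"R": 64, "UR": 128, "FO": 128}}
# Platforms the quoted 8.0(4) release notes drop entirely.
UNSUPPORTED_IN_804 = {"PIX-501", "PIX-506", "PIX-506E", "PIX-520"}
# 6.3 config lines that depend on PPTP, which 7.0/7.1 do not carry forward.
PPTP_PATTERNS = (r"^fixup protocol pptp\b", r"^sysopt connection permit-pptp\b",
                 r"^vpdn group \S+ accept dialin pptp\b")

def parse_show_version(text):
    """Return (platform, ram_mb) from 'show version' output, or None if absent.
    Whitespace before RAM tolerates the line wrap seen in the thread ('32 MB' / ' RAM')."""
    m = re.search(r"Hardware:\s*(PIX-[A-Za-z0-9]+),\s*(\d+)\s*MB\s+RAM", text)
    return (m.group(1), int(m.group(2))) if m else None

def preflight(show_version, config, target, license_type):
    """List reasons an upgrade to `target` would fail or silently lose a feature."""
    findings = []
    hw = parse_show_version(show_version)
    if hw is None:
        findings.append("could not read platform/RAM from 'show version'")
    else:
        platform, ram = hw
        need = MIN_RAM_MB[target][license_type]
        if ram < need:
            findings.append(f"{platform} has {ram} MB RAM; {target} ({license_type}) needs {need} MB")
        if target == "8.0(4)" and platform in UNSUPPORTED_IN_804:
            findings.append(f"{platform} is not supported by {target}")
    if target == "7.x":  # the thread disputes PPTP on 8.0(4), so only flag it for 7.0/7.1
        for line in config.splitlines():
            if any(re.match(p, line) for p in PPTP_PATTERNS):
                findings.append(f"PPTP not available in 7.0/7.1: '{line}'")
    return findings

# Constructed samples modelled on the thread (hypothetical device, not real data).
SHOW_VERSION = """Cisco PIX Firewall Version 6.3(5)
pixfirewall up 22 hours 15 mins
Hardware: PIX-515, 32 MB
 RAM, CPU Pentium 200 MHz
"""
CONFIG = """PIX Version 6.3(5)
fixup protocol pptp 1723
sysopt connection permit-pptp
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn enable outside
"""
```

Run `preflight(SHOW_VERSION, CONFIG, "7.x", "UR")` against your own 'show version' and 'show config' captures; an empty list means neither the memory floor nor the PPTP dependency blocks the upgrade.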

Assisted Solution

by:Pugglewuggle
Pugglewuggle earned 41 total points
ID: 22684166
Exactly - make sure you check for sufficient hardware resources before attempting any sort of upgrade.
Then, if you can upgrade, check out this document - it will guide you in migrating from PIX 6.x to 7.x.
http://www.cisco.com/en/US/docs/security/asa/asa70/pix_upgrade/upgrade/guide/pixupgrd.html
Also, while you're at it, (if your hardware supports it) just upgrade to 8.0.4! It's much better and the ASDM 6.1.3 is so much better than the PDM.
Cheers!

Expert Comment

by:urgoll
ID: 22687399
As stated in the question, his hardware is a PIX 515, which does NOT support 8.0. 8.0 only supports the ASA.

Expert Comment

by:Pugglewuggle
ID: 22692749
Sorry urgoll - you are wrong. The 515 DOES support 8.0 as long as the hardware requirements are there.
Here is a quote from Cisco's PIX 8.0.4 release notes:
"
If you are using a PIX 515/515E running PIX Version 6.2/6.3, you must increase your memory before upgrading to PIX Version 8.0(4). This version requires at least 64 MB of RAM for Restricted (R) licenses and 128 MB of RAM for Unrestricted (UR) and Failover (FO) licenses. Table 1 lists the default value for the memory that ships with each security appliance and flash memory requirements for Version 8.0(4).

The PIX 501, PIX 506/506E, and PIX 520 security appliances are not supported in software Version 8.0(4).
"
It clearly states that the 515 supports 8.0.4 with the required memory.
Cheers!

Expert Comment

by:urgoll
ID: 22693668
I stand corrected. However, the 515 was not supported in 8.0 and 8.0(1), which is the last time I checked the 8.0 release notes.

That said, 8.0 does not support PPTP either, which is a desired feature of the original poster.

Regards,
Christophe

Expert Comment

by:Pugglewuggle
ID: 22695362
It does. :) I'm on 8.0.4 right now and using L2TP/PPTP just fine for cell phone VPN.

Expert Comment

by:Ernie Beek
ID: 36708053
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.