PIX 515 upgrade to 6.3?

dkraut

IS-IT--Management
Feb 5, 2003
75
US
I currently have multiple PIX 515s that I need to upgrade to v6.3 to
allow Microsoft PPTP VPN access from internal PCs to a third-party
external network application. I'm currently running 6.2 and although
I know that PPTP VPN (internal PC to external net) will work, it's not
a clean solution for multiple FWs and users. The single "fixup
protocol pptp 1723" command available in v6.3 looks to be the best route
for my situation. After perusing the Cisco PIX upgrade documents, the
process appears to be fairly straightforward but I'm wondering if
there are any caveats to performing the TFTP of the new bin file from
a remote location? For example, I'm in Atlanta but need to upgrade a
PIX in Chicago. I plan to connect from Atlanta to Chicago via W2K
Terminal Server and then initiate the TFTP of the new BIN to the
Chicago PIX from that W2K terminal server. Since I'm using the VPN
channels created by both the Atlanta and Chicago PIX to connect to the
Chicago network, will this process go smoothly? Also, there are
currently two versions of 6.3 available, 6.3.1 and 6.3.3. No
difference is mentioned and both are ED (Early Deployment) so I was
planning on using 6.3.3. Thoughts, Ideas, Condolences? :)

Best Regards, David@Rocketmail.com
 
Hello dkraut,

I didn't do my upgrade from a remote location and I'm not sure if the PIX would accept a TFTP transfer from an unsecure location (unless you have a site-to-site VPN). I physically shut my PIXes off at the end of the upgrade, but I'm sure there's a reboot command.
Just for the info, this was my procedure:
12-16-2003
01) Upgraded PIX 515E from IOS ver. 6.6.2 to ver. 6.3.3.
02) Downloaded Tftpd32.exe and extracted zip file contents to C:\tftpd32.
03) Downloaded PIX upgrade bin file and saved to C:\tftpd32.
04) Browsed to C:\tftpd32 and executed tftp32.exe.
05) Connected laptop to PIX through Console port on Primary and opened hyperterminal on Com1 at 9600 baud... hit Enter.
06) PIX displayed logon prompt.
07) logged on and moved to config prompt.
08) typed: copy tftp flash
09) asked for tftp server IP, typed 172.16.16.127 in then hit Enter
10) asked for file name, typed pix633.bin then hit Enter
11) PIX copied file and then installed, took less than a minute.
12) Rebooted PIX Primary, waited for lights to come on, 1 minute
12) Moved console cable to Secondary and shut off Secondary
13) Unplugged failover cable from Primary and rebooted Secondary
14) Logged onto Secondary to the config prompt
15) typed: copy tftp flash
16) asked for tftp server IP, typed 172.16.16.127 in then hit Enter
17) asked for file name, typed pix633.bin then hit Enter
18) PIX copied file and then installed, took less than a minute.
19) Shutdown Secondary and then plugged Failover cable back into Primary.
20) Rebooted Secondary.
21) Tested Failover by shutting off Primary.
22) Secondary took over.
23) Rebooted Primary and waited for it to load OS, 1 minute
24) Shutdown secondary to failover to Primary.
25) Rebooted Secondary.
 
looking4info,

Thanks for the detailed reply! Yes, I have a site to site VPN established between the PIX 515's that need to be upgraded and a TFTP server installed at both sites. I wonder if the reboot is necessary to refresh the newly installed bin image? Cisco's upgrade doc makes no mention of a reboot after the TFTP copy?

 
dkraut,

I was on the phone with Cisco tech support and they had me do the reboot. I too have a site-to-site VPN but with a CheckPoint at the other site.
The upgrade of my Primary and Secondary PIX went very smoothly and there were no problems with connecting to the CheckPoint afterward.
Good Luck.
 
Thanks again for the feedback. I just performed (2) PIX 515 upgrades to version 6.3.3 from a remote location using TFTP and they both went perfectly. I added the "fixup protocol pptp 1723" command and tested the Microsoft VPN client and it also now works perfectly. wr mem and outta here for the weekend! :)

Best Regards,

David@Rocketmail.com

 
HI.

> The single "fixup protocol pptp 1723" command available in v6.3 looks to be best route for my situation.
I'm not sure if it supports more than a single PPTP tunnel - try to connect from several internal hosts at the same time to check.
This document does not specify a limit, but I would check this to be sure:

> I wonder if the reboot is necessary to refresh the newly installed bin image?
Yes it is, and I recommend another reload before the upgrade just to verify that the box can reload and establish connections before you make major changes.

I recommend that you also upgrade to the latest PDM.
There are many changes and the new PDM is much better (I think that the old PDM won't support OS 6.3x anyway).
You can even allow HTTPS connection to PIX directly to outside interface from your management site IP address (like with SSH). This can be useful when VPN does not work for some reason.

Bye


Yizhar Hurwitz
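
The remote upgrade sequence discussed in this thread, collected into one PIX 6.x command list as an added example that is not part of any original post. The TFTP server address and image name are the ones quoted above; the management host 192.0.2.10 and the PDM file name are placeholders, and lines starting with ":" are annotations rather than commands to type.

```text
: Privileged mode. Check the running version, then reload once before
: changing anything, to prove the box comes back and the site-to-site
: VPN re-establishes (the pre-upgrade reload suggested in the last reply).
: The remote session rides that VPN, so it drops until the PIX is back.
show version
reload

: Copy the new image from the TFTP server into flash.
copy tftp://172.16.16.127/pix633.bin flash:image

: The new image only runs after a reload.
reload

: Once the tunnel is back, confirm the new version is reported.
show version

: Optional: load the matching PDM image (placeholder file name).
copy tftp://172.16.16.127/<pdm-image>.bin flash:pdm

: Configuration mode. Enable the PPTP fixup and allow HTTPS (PDM) and SSH
: to the outside interface from the single management host only, as a
: fallback path when the VPN is down.
configure terminal
fixup protocol pptp 1723
http server enable
http 192.0.2.10 255.255.255.255 outside
ssh 192.0.2.10 255.255.255.255 outside
exit

: Save the running configuration to flash.
write memory
```

The 255.255.255.255 mask limits outside management access to one source address; a wider mask exposes the PIX management services to every host in that range.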
 