Friday, 19 February 2010

Upgrade your Cisco PIX 525 firewall

Following on from the Cisco Advisory posted here on the 18th Feb, I thought it would be a good time to cover exactly how to go about performing the upgrade. This article relates to upgrading a Cisco PIX 525 firewall, however the process is similar for Cisco ASA devices too.

Install Notes:
  • If you have a pair, one with a 'Failover License' and the other with an unrestricted license (shown in #sh ver), apply the upgrade to the failover node first. If you lose that node you still have your unrestricted node for use. Otherwise, if it goes wrong for whatever reason, your 'Failover License' device will reboot every 24 hours.
  • The article states to connect to the Outside interface. You can in fact connect to any available interface you choose, not just the Outside, if that's easier.
  • If you are conducting a minor release upgrade you can perform the procedure on both firewalls at the same time. TFTP transfer the image file, then reboot the firewalls together. Conduct your post install checks and you should be good to go.
Tools:
  • Cisco DTE adapter
  • Console cable
  • Ethernet cable (crossover ideally)
  • A TFTP server application such as SolarWinds TFTP Server
  • Passwords for your device
  • pix724-30.bin file (or whichever file it is you are upgrading to)
Procedure:
  • Connect the console cable to the Primary F/W via the Cisco DTE adapter
  • Open HyperTerminal - COM1;9600;8;none;1;none
  • Log on to the 1st F/W using your password details
  • Do #sh fail - to check which is the active node
  • Do #sh ver - copy the Serial Number/Running Activation Key to a file and save it for future reference should things go bad
  • Do #sh run and copy your running config into Notepad as a precaution
  • Power down the Secondary node - this is because you can't have a failover pair with differing OS versions when performing an upgrade to a major release, e.g. 6.3 to 7.2.4
  • Next do #sh ip - and check for the 'Outside' IP address
  • Pick a suitable IP from the same scope and apply it to the LAN connection on the laptop - e.g. 203.92.26.1
  • Connect the laptop to the 'Outside' port on the F/W - DON'T forget to reconnect the 'Outside' cable once done!
  • Back to HyperTerminal, do #ping 203.92.26.1 - to check the F/W can communicate with the laptop (if it doesn't, check the ARP table with #sh arp, then #clear arp and try again)
  • Start tftp32 on the laptop
  • Change the 'Current Directory' in the TFTP server, or make a note of the path to the folder with your pix724-30.bin file in it
  • Back to HyperTerminal, do #copy tftp://203.92.26.1/pix724-30.bin flash - this will copy the upgrade OS to flash memory
  • Do #write mem - to commit the changes
  • Once done, do #reload
  • Once back up, log back in and check that it is the active node (#sh fail), check the OS version (#sh ver), check the active connections (#sh conn), and check the VPN settings (#sh crypto - if applicable)
  • Once you are satisfied it's complete, power down the Primary F/W and power up the Secondary F/W
  • Run through the steps again
  • Once complete, power up the Primary F/W and reload the Secondary F/W at the same time
  • Log in to the Primary F/W and do #sh fail - check that it's the active node; if it isn't, restart the Secondary F/W again
  • Log in to the Secondary F/W and check it is the secondary node - you should get a syncing message whilst you log on
  • Finally, go through the checks again and make sure you are happy
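As an added example (not part of the original post), here is a small Python script that takes saved `show version` captures from before and after the reload plus the post-reload `show failover` output, and runs the checks the procedure calls for: the OS version is the one you loaded, the serial number and activation key match what you saved beforehand, and this host is the active node. The sample captures are constructed, and the regexes assume Cisco's `Serial Number:`, `Running Activation Key:` and `This host: ... - Active` line labels.

```python
import re

# Constructed sample captures (not real device output), kept to the lines
# this script actually reads.
SHOW_VER_BEFORE = """\
Cisco PIX Firewall Version 6.3(5)
Hardware:   PIX-525, 256 MB RAM, CPU Pentium III 600 MHz
Serial Number: 123456789 (0x75bcd15)
Running Activation Key: 0x11111111 0x22222222 0x33333333 0x44444444
"""
SHOW_VER_AFTER = """\
Cisco PIX Security Appliance Software Version 7.2(4)
Hardware:   PIX-525, 256 MB RAM, CPU Pentium III 600 MHz
Serial Number: 123456789
Running Activation Key: 0x11111111 0x22222222 0x33333333 0x44444444
"""
SHOW_FAIL_AFTER = """\
Failover On
Cable status: Normal
        This host: Primary - Active
        Other host: Secondary - Standby Ready
"""

def parse_show_version(text):
    """Pull the fields the pre-upgrade notes tell you to save from #sh ver."""
    version = re.search(r"Version (\d+\.\d+\(\d+\))", text)
    serial = re.search(r"^Serial Number:\s*(\S+)", text, re.M)
    key = re.search(r"^Running Activation Key:\s*((?:0x[0-9a-fA-F]+[ \t]*)+)", text, re.M)
    return {
        "version": version.group(1) if version else None,
        "serial": serial.group(1) if serial else None,
        "activation_key": " ".join(key.group(1).split()) if key else None,
    }

def is_active_node(failover_text):
    """True when #sh fail reports this host as the Active unit."""
    return re.search(r"^\s*This host:.*-\s*Active\s*$", failover_text, re.M) is not None

def post_upgrade_check(before_ver, after_ver, after_fail, expected_version):
    """Return a list of problems found; an empty list means all checks passed."""
    before, after = parse_show_version(before_ver), parse_show_version(after_ver)
    problems = []
    if after["version"] != expected_version:
        problems.append(f"version is {after['version']}, expected {expected_version}")
    if after["serial"] != before["serial"]:
        problems.append("serial number differs from the saved one; check you are on the same box")
    if after["activation_key"] != before["activation_key"]:
        problems.append("activation key differs from the saved one; licence may need re-applying")
    if not is_active_node(after_fail):
        problems.append("this host is not the active failover node")
    return problems

if __name__ == "__main__":
    print(post_upgrade_check(SHOW_VER_BEFORE, SHOW_VER_AFTER, SHOW_FAIL_AFTER, "7.2(4)"))
```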
Post Upgrade tasks:
  • If you run any VPNs through the firewall, test these as applicable
  • Advise any other teams/engineers that your upgrade has been successful
  • Enjoy a well earned cup of your favourite brew :o)
