Solved: Upgrading the PIX Firewall

acira · ‎10-18-2004

I currently have two Pix 515 firewalls (v4.4 and v6.2). I want to upgrade the v4.4, but am unable to download the software from Cisco. Every time I try to download using the "download pix software" link, it times out.

I already setup a tftp server and plan on using monitor mode to perform the upgrade. I already did a "write net :" to backup the current configuration. Also, will the original configuration remain intact, or will they be lost after the upgrade.

Thanks in advance.

ddawson · ‎10-18-2004

It sounds like you may have a browser or proxy issue with the download. Try another host and/or browser and see if that works any better.

From PIX software 4.4 and later you can upgrade directly to any newer software version. It should maintain your config, but it's always a good idea to back it up before an upgrade as you've done. The config in the PIX doesn't actually get converted when the PIX reboots with the new software - that happens the first time you do a "write mem" under the new software, so it's important to remember to do that as part of the upgrade process. You can then check the freshly saved config against your backup config for any differences. Also, it's important to check the Release Notes before any upgrade, but if you have a relatively simple PIX config it will probably be fine. One thing you will want to do is migrate away from conduits to access-lists. Cisco has a utility that will convert them for you, and it does a pretty good job as long as your config isn't too complex, so I'd suggest giving it a try and see how it works for you. The downloadable version of that utility should be on the same download page as other PIX software, and versions exist for both Windows and Sun Solaris.

Good luck!

View solution in original post

ddawson · ‎10-18-2004

It sounds like you may have a browser or proxy issue with the download. Try another host and/or browser and see if that works any better.

From PIX software 4.4 and later you can upgrade directly to any newer software version. It should maintain your config, but it's always a good idea to back it up before an upgrade as you've done. The config in the PIX doesn't actually get converted when the PIX reboots with the new software - that happens the first time you do a "write mem" under the new software, so it's important to remember to do that as part of the upgrade process. You can then check the freshly saved config against your backup config for any differences. Also, it's important to check the Release Notes before any upgrade, but if you have a relatively simple PIX config it will probably be fine. One thing you will want to do is migrate away from conduits to access-lists. Cisco has a utility that will convert them for you, and it does a pretty good job as long as your config isn't too complex, so I'd suggest giving it a try and see how it works for you. The downloadable version of that utility should be on the same download page as other PIX software, and versions exist for both Windows and Sun Solaris.

Good luck!