Installing the ASA/PIX Software

The ASA/PIX operating system software comes installed on the security appliances. If you purchased your hardware before 2005, it will not have the version 7 operating system. Version 7 will be shipped on all ASA/PIX Security Appliances larger than a PIX 515E after the first part of 2005. ASDM runs only on ASA/PIX version 7. If you have a version of the PIX operating system prior to 7, you must manually install ASA/PIX version 7 before you can complete the step-by-step instructions outlined in this book.

Manual ASA/PIX Version 7 Installation

You must do seven things before you can upgrade the security appliance, as follows:
Ensure That PIX 6.3(x) Is Installed

It's a simple task to ensure that PIX version 6.3 is running on your ASA/PIX Security Appliance. Connect to the console port and reboot the device; the version numbers display just before the security appliance prompt displays. Alternatively, manually log in to your appliance and enter the show version command in Privileged or Nonprivileged mode. The Security Appliance will display the following output in the first few lines, revealing the current version of the operating system:

    Cisco PIX Firewall Version 6.3(4)
    Cisco PIX Device Manager Version 3.0(2)
    Compiled on Fri 02-Jul-04 00:07 by CiscoSystems
    CiscoPix up 7 days 18 hours

If you are on a version of the PIX operating system lower than 6.3, you must go to the Cisco website and upgrade to 6.3 before proceeding to the following steps. You can find all software versions and instructions on the website download pages.

Obtain a Valid ASA/PIX Version 7 License

Before you can use the full functionality offered in ASA/PIX version 7, you must ensure that you have a valid ASA/PIX version 7 license. You have two options for obtaining a license. One is to call Cisco customer support and ask for the license. They will provide you with step-by-step instructions. If you currently have a SmartNet contract, you should be eligible for a no-cost upgrade to the ASA/PIX version 7 operating system. The second option is to go to Cisco.com and search for the "Licensing and Activation Keys [Cisco PIX Firewall Software]" document. This document describes how you can obtain an ASA/PIX license from Cisco.

Obtain the ASA/PIX Version 7 Operating System and ASDM 5.0 Software

To obtain a version of the ASA/PIX version 7 operating system, you must log on to the Cisco website with a valid username and password. Navigate to Technical Support and then to Downloads. When you are on the download pages, navigate to Cisco Secure Software and then to Cisco Secure PIX Firewall Software.
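The version gate from "Ensure That PIX 6.3(x) Is Installed" can be scripted when several appliances have to be checked. The following is an added example, not code from the book or from Cisco; it assumes the show version output has been captured as text, and the function names and the result labels are hypothetical.

```python
import re

# Constructed sample: the "show version" banner quoted in the text above.
SAMPLE_63 = """Cisco PIX Firewall Version 6.3(4)
Cisco PIX Device Manager Version 3.0(2)
Compiled on Fri 02-Jul-04 00:07 by CiscoSystems
CiscoPix up 7 days 18 hours"""

# Assumption: the operating system line has the form
# "Cisco <product> Version <major>.<minor>(<maintenance>)", and the
# Device Manager line, which has the same shape, must be skipped.
_OS_LINE = re.compile(
    r"^Cisco (?P<product>.+?) Version "
    r"(?P<major>\d+)\.(?P<minor>\d+)\((?P<maint>\d+)\)"
)


def parse_os_version(show_version_output):
    """Return (major, minor, maintenance) of the OS, or None if not found."""
    for line in show_version_output.splitlines():
        match = _OS_LINE.match(line.strip())
        if match and "Device Manager" not in match.group("product"):
            return (
                int(match.group("major")),
                int(match.group("minor")),
                int(match.group("maint")),
            )
    return None


def upgrade_readiness(show_version_output):
    """Classify an appliance against the prerequisites stated in the text."""
    version = parse_os_version(show_version_output)
    if version is None:
        return "unknown"               # banner missing or unparseable
    major, minor, _ = version
    if major >= 7:
        return "already-v7"            # ASDM runs only on version 7
    if (major, minor) >= (6, 3):
        return "ready-for-v7"          # 6.3(x) is the required starting point
    return "upgrade-to-6.3-first"      # lower than 6.3: upgrade to 6.3 first


if __name__ == "__main__":
    print(parse_os_version(SAMPLE_63), upgrade_readiness(SAMPLE_63))
```

An "unknown" result means the captured text should be inspected by hand rather than treated as a pass.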
NOTE Occasionally, Cisco changes the look of its website, so these steps might vary depending on when you download the software.

Proceed to the location marked Download PIX Firewall Software. On this page, you will see the binary image for the ASA/PIX version 7 operating system. Click the image name, and you will be prompted to open or save the image. Click Save and put the image in a safe location on your PC; later, you will transfer the file to the home directory of your TFTP server. If you have a TFTP server on your system already, you can save the file directly into the home directory of the TFTP server. Repeat this procedure for the ASDM 5.0 software.

Preparing Your PC for an ASA/PIX Security Appliance Upgrade

To upgrade your ASA/PIX Security Appliance to version 7, you must have a PC with a TFTP server, and you must configure your network interface card to allow connectivity to the security appliance.

NOTE If you already have a TFTP server on your network, you can skip the section that describes how to configure a PC as a TFTP server.

You can install any number of free TFTP servers from the Internet on your PC. Any implementation of TFTP should work for this download.

NOTE When this text refers to a PC, the reference can apply to either a Windows- or a Linux-based machine. However, the examples in this book use Windows as the primary operating system.

Before you can transfer the software from your PC to the ASA/PIX device, you must establish a network connection between the two. This connection requires configuration on the PC as well as configuration on the security appliance. If you already know how to connect the two machines, use the following steps as a reference only. If you have no experience in doing this, however, you can follow the step-by-step instructions to successfully move the file from the TFTP server to the ASA/PIX Security Appliance:
Your PC should now be prepared to copy the ASA/PIX operating system and ASDM software.

Preparing the ASA/PIX Security Appliance for the Upgrade

You must now put the ASA/PIX Security Appliance in a mode in which you can configure it to use its TFTP download functions:
Upgrading the ASA/PIX Security Appliance to Version 7

The following tasks have been completed:
You are ready to start the download procedure. A word of caution: All steps are critical in this process. If these steps are not followed, you might have to restart the download process from the beginning. Enter the following commands on your security appliance:
Congratulations. At this point, you should have a fully functioning ASA/PIX version 7 image loaded and running on your security appliance.

Upgrading the ASA/PIX Security Appliance to ASDM 5.0

After installing the ASA/PIX version 7 operating system, you need to complete the following steps from Configuration mode (enter the two commands enable and then conf t to get into this mode) to install ASDM 5.0:
ASA/PIX Licenses

Before you can use the full functionality of your ASA/PIX Security Appliance, you must ensure that you have a valid license key. ASA/PIX licenses come in the following basic flavors:
Restricted License

The licensing structure on the ASA/PIX Security Appliance is such that you get different functionality with different types of licenses. If you purchase a restricted license, you are limited as to the number of users who can use the security appliance at any one time. When a user goes outbound through the appliance, a table is built called an xlate. The licenses use the number of xlates to enforce the number of users allowed on the PIX. A limited license does not include support for failover. (See Table 3-1 in the next section.)

Unrestricted License

An unrestricted license allows you to pass as many users as you want to the Internet; it also allows failover connectivity to an ASA/PIX Security Appliance with a failover license. This license also allows you to use the maximum number of interfaces and memory available in the security appliance. With more memory, you can support more VPN users.

3G Mobile Wireless Security Services

The 3G Mobile Wireless security services license is a license for security services covering 3G Mobile Wireless deployments that use the General Packet Radio Service (GPRS) Tunneling Protocol standard (GTP). This license also includes advanced GTP inspection services that provide mobile wireless users secure interaction with roaming partners. Refer to the ASA/PIX Security Appliance 7 software description at Cisco.com for more information.

Active/Active Failover

The active/active failover license supports bidirectional state sharing between active/active failover pair members for network environments with asymmetric routing topologies, allowing flows to enter through one Cisco ASA/PIX Security Appliance and exit through the other.

Specialized ASA Licensing

This is a class of licenses to be used specifically for ASA Security Appliance hardware. Refer to the ASA/PIX Security Appliance 7 software description at Cisco.com for more information.

Installing the PIX License Key

Installing an ASA/PIX license key is straightforward.
To upgrade a license on PIX 6.3 and above, just follow these steps: