4-2. Managing the Flash File System Every Cisco firewall has a Flash (nonvolatile) memory file system. Files such as the firewall operating system image, a firewall management application image, and the firewall configuration can be stored for use. This section discusses the various types of files and how to navigate and use the Flash file system. The Flash file system can be characterized by the following features: The operating system for Cisco firewalls is stored in Flash memory in a compressed format. In PIX 6.x, only one image can be stored in Flash at any time. FWSM allows one image to be stored in each of two Flash memory partitions, although only one image can be run at any time. PIX 7.x loosens this restriction, allowing multiple images; however, only one of those images can run actively at any time. In PIX 7.x and FWSM multiple-context modes, only the system execution space can directly access and manage the Flash file system. All other contexts have no knowledge of a Flash file system and no means to manage one. When a firewall boots, it uncompresses and copies an executable image from Flash to RAM. The image is actually run from RAM. While an image is being run, a different image can be copied or written into Flash memory. In fact, the running image can be safely overwritten in Flash, because it is run from RAM. The new image is not run until the next time the firewall reloads. The various Cisco firewall platforms have different Flash memory organization and storage capabilities. Generally, Flash memory is divided into partitions, each having its own restrictions on the types of files that can be stored there. Table 4-6 summarizes the Flash memory differences: Table 4-6. Flash Memory Organization/Storage by Platform | PIX 6.x | PIX 7.x | FWSM 2.x |
---|
Flash partitions | 1 | 2 | 6 | File types allowed on partitions | One OS image One PDM image One crash dump | Open partition flash:/ OS images, ASDM images, configuration files, logging files, arbitrary files Hidden partition System startup configuration file, crash dump file
| Maintenance image Network configuration for maintenance image Crash dump flash:/images (OS, PDM, system startup configuration) Alternative images disk:/Security context configurations, RSA keys, arbitrary files
|
The operating system and PDM or ASDM images must be compatible before PDM/ASDM can be used. A PDM/ASDM image can be loaded into Flash at any time without requiring a firewall reload. An image (operating system or PDM/ASDM) can be transferred into a firewall by any of the following methods: - TFTP at the monitor prompt - TFTP from an administrative session (firewall console, Telnet, or SSH) - HTTP or HTTPS from a web server - The firewall polls an Auto Update Server (AUS) device periodically to see if a new image is available for it. If so, the image is downloaded using HTTPS (TCP port 443).
TIP After a PDM or ASDM image is downloaded into the firewall Flash memory, it can be used immediately. After an operating system image is downloaded, however, the firewall must be rebooted to run the new image. You have to manually force a reboot by using the reload EXEC command. Obviously, you can download a new OS image at any timeeven while the firewall is in production. To run the new image, firewall service has to be interrupted during downtime or a maintenance window. Using the PIX 6.x Flash File System In PIX 6.x, the Flash memory is organized as a "closed," flat file system. Only six different files can be stored in Flash. These files aren't directly accessible or readable, and there is no hierarchical structure (folders or directories) to navigate. In fact, the files do not even have filenames. Instead, the firewall displays only the file index numbers it assigns automatically: 0 The operating system binary image 1 The startup configuration commands; these are copied into the running configuration (RAM) and are executed when the firewall boots 2 VPN and other keys and certificates 3 The PDM image (if present) 4 A memory image saved after a firewall crash (if enabled) 5 The file size of the compressed operating system image (file 0) In PIX 6.x, you can display the Flash files with the show flashfs command, as in the following example: Firewall# show flashfs flash file system: version:3 magic:0x12345679 file 0: origin: 0 length:1949752 file 1: origin: 2097152 length:6080 file 2: origin: 2228224 length:1504 file 3: origin: 2359296 length:3126944 file 4: origin: 0 length:0 file 5: origin: 8257536 length:308 Firewall# Navigating a PIX 7.x or FWSM Flash File System PIX 7.x and FWSM 2.x platforms take a very different approach to the Flash file system, much like Cisco IOS software. Flash memory is organized like a traditional file system, which must be formatted, and it can contain a tree of directories, each containing arbitrary files. You can navigate the Flash file system and manage any of its contents, as described in the following sections. TIP In PIX 7.x, you can use flash:/ to reference the entire Flash file system. FWSM, however, uses flash:/ to reference the Flash partition that contains operating system and PDM images. You can use disk:/ to reference the Flash partition that contains configuration files and other arbitrary files. Each administrative session maintains a current placeholder or current directory where the user is positioned within the firewall file system. This is very similar to navigating a file system from within a shell on a Windows or UNIX machine. In an administrative session, you can take the following actions: List the files stored in a directory: FWSM 2.x | Firewall# dir [/all] [/recursive] [disk:[path]] | PIX 7.x | Firewall# dir [/all] [/recursive] [flash:[path]] |
By default, an administrative session begins in the flash:/ or disk:/ root directory, for PIX 7.0 or FWSM, respectively. You can specify the flash: or disk: keyword and a path to view the contents of a different directory. The path also can contain regular expressions to match specific patterns within filenames. For example, you can use the following command to see a list of all configuration files (having a .cfg suffix) in Flash: Firewall# dir flash:*.cfg Directory of flash:/*.cfg 10 -rw- 1575 23:05:09 Sep 30 2004 old_running.cfg 12 -rw- 3134 23:30:24 Nov 08 2004 admin.cfg 13 -rw- 1401 14:12:31 Oct 20 2004 CustomerA.cfg 14 -rw- 2515 23:29:28 Nov 08 2004 border.cfg 17 -rw- 1961 13:52:22 Oct 25 2004 datacenter.cfg
You can use the /all keyword to list all the files in the directory and the /recursive keyword to recursively look in all nested directories and list the files found. Display the current directory name: FWSM 2.x | Firewall# pwd | PIX 7.x | Firewall# pwd |
Because you can "move around" within the Flash file system hierarchy, it's easy to forget where the current directory is pointed. In the following example, the user has moved into the Syslog directory in Flash: Firewall# pwd flash:/syslog/
Change to a different directory: FWSM 2.x | Firewall# cd [disk:][path] | PIX 7.x | Firewall# cd [flash:][path] |
You can specify a directory name as path relative to the file system's root. The keyword flash: or disk: is optional but is the default. If the cd command is used alone, the pointer is changed to the root directory in Flash. For example, the following commands move the user into the Syslog directory in Flash: Firewall# cd Firewall# cd syslog
or Firewall# cd flash:/syslog
Display a file's contents: FWSM 2.x | Firewall# more [/ascii] || [/binary] [disk:]path | PIX 7.x | Firewall# more [/ascii] || [/binary] [flash:]path |
The file found at filesystem:path is displayed, one page at a time, in the current administrative session. By default, the flash: or disk: file system is assumed, and the file contents are shown as plain text. For example, the following command displays the flash:/mytest text file: Firewall# more mytest hello this is a test the end Firewall#
You can also display a file to see both the hex and ASCII representations of its contents. The file can contain either ASCII text or binary data. You can use either the /binary or /ascii keyword, because they produce identical results. The following example shows the same small text file in the dual format: Firewall# more /ascii mytest 00000000: 68656c6c 6f207468 69732069 73206120 hell o th is i s a 00000010: 74657374 0d0a0d0a 74686520 656e64XX test .... the endX Firewall#
TIP Be careful when you use the more command. If you attempt to view the contents of a large binary file, such as by using more image.bin to view the PIX image file, you could be stuck waiting a very long time while every byte is shown as a literal (and often cryptic) character to your terminal session. If you want to look at the contents of a binary file, always use the more /binary or more /ascii forms of the command. Administering a PIX 7.x or FWSM Flash File System A firewall running PIX 7.x offers two file systemsa Flash file system that is accessible to administrative users, and a hidden file system that contains system-related resources that are inaccessible. On a firewall running FWSM 2.x, both file systems are accessible. The Flash file system can contain files and directories, each under user control. In a PIX 7.x administrative session, you can take the following management actions on the Flash file system and its contents: Copy a file to or from Flash. You can copy files according to the basic syntax copy from to, as in the following commands: FWSM 2.x | Firewall# copy disk:path/filename url | PIX 7.x | Firewall# copy flash:path/filename url |
or FWSM 2.x | Firewall# copy url disk:path/filename | PIX 7.x | Firewall# copy url flash:path/filename |
In the Flash file system, files are identified by their path, relative to the Flash root directory, and their filename. You can use regular expressions in the filename to select specific files if needed. Files can be copied to or from a URL, which can be an FTP server, a TFTP server, or another location in Flash. The respective URL formats are as follows: ftp://[user[:password]@]server[:port]/[path/]filename[;type=xy] tftp://[user[:password]@]server[:port]/[path/]filename flash:path/filename
If a server requires user authentication, you can specify the user ID and password in the user:password@ format. Delete a file from Flash: FWSM 2.x | Firewall# delete [/noconfirm] [/recursive] [disk:][/path]filename | PIX 7.x | Firewall# delete [/noconfirm] [/recursive] [flash:][/path]filename |
The file named filename is deleted from Flash. You can specify the flash: or disk: keyword, as well as a path, if needed. If those are omitted, the Flash file system is assumed, and the path is assumed to be the current working directory (as shown by the pwd command). You can use the /noconfirm keyword to delete the file without being asked to confirm the action. Without this keyword, you must press the Enter key each time the firewall prompts you for confirmation. You can delete an entire directory and its contents recursively by using the /recursive keyword. For example, suppose an old configuration file oldconfig.cfg exists in Flash. First, a directory is shown to find the correct filename, and then the file is deleted using the following commands: Firewall# dir flash: Directory of flash:/ 6 -rw- 4902912 17:11:35 Nov 22 2004 image.bin 10 -rw- 1575 23:05:09 Sep 30 2004 oldconfig.cfg 23 -rw- 8596996 10:12:38 Nov 12 2004 asdm.bin Firewall# delete flash:oldconfig.cfg Delete filename [oldconfig.cfg] Delete flash:/oldconfig.cfg? [confirm] Firewall#
Rename a file: FWSM 2.x | Firewall# rename [/noconfirm] [disk:] [source-path] [disk:] [destination-path] | PIX 7.x | Firewall# rename [/noconfirm] [flash:] [source-path] [flash:] [destination-path] |
You can rename an existing file named source-path (a filename with an optional path) to destination-path. You can add the flash: or disk: file system keyword, but the Flash memory is used by default. If you provide no other path information, the path is assumed to be the current working directory (as seen with the pwd command). By default, the firewall prompts you for each argument as a confirmation. You can use the /noconfirm keyword to skip all the confirmation steps. For example, the file flash:/capture1 is renamed flash:/capture2 using the following commands: Firewall# rename flash:/capture1 flash:/capture2 Source filename [capture1]? Destination filename [capture2]? Firewall#
Make a new directory: FWSM 2.x | Firewall# mkdir [/noconfirm] [disk:]path | PIX 7.x | Firewall# mkdir [/noconfirm] [flash:]path |
A new empty directory is created at path, which can contain a path and filename. You can add the flash: or disk: keyword, but it is assumed by default. The firewall prompts you for confirmation before creating the directory. You can use the /noconfirm keyword to skip the confirmation prompts. For example, to create a new directory called MyStuff in the Flash file system, you would use the following command sequence: Firewall# mkdir flash:/MyStuff Create directory filename [MyStuff]? Created dir flash:/MyStuff Firewall# dir flash: Directory of flash:/ [output omitted] 64 drw- 0 16:02:57 Nov 23 2004 MyStuff 16128000 bytes total (2419712 bytes free) Firewall#
Remove a directory: FWSM 2.x | Firewall# rmdir [/noconfirm] [disk:]path | PIX 7.x | Firewall# rmdir [/noconfirm] [flash:]path |
A directory named path is removed or deleted from Flash. The path can contain a directory path and filename if needed. The firewall prompts you for confirmation before removing the directory. You can use the /noconfirm keyword to skip the confirmation prompts. A directory must be empty of files and other directories before it can be removed. Check the Flash file system's integrity If you suspect that the Flash file system might be corrupted, you can use the following command to check it: FWSM 2.x | | PIX 7.x | Firewall# fsck flash: |
For example, the Flash file system has been checked in the following example. The output shows the number of orphaned files and directories that are found. These files and directories have been created but can no longer be reached in the file system because the mechanism to index or point to them is corrupt. Firewall# fsck flash: Fsck operation may take a while. Continue? [confirm] flashfs[7]: 32 files, 6 directories flashfs[7]: 0 orphaned files, 0 orphaned directories flashfs[7]: Total bytes: 16128000 flashfs[7]: Bytes used: 13607936 flashfs[7]: Bytes available: 2520064 flashfs[7]: flashfs fsck took 23 seconds. Fsck of flash:: complete Firewall#
Destroy the entire Flash file system: FWSM 2.x | Firewall# format disk: | PIX 7.x | Firewall# format flash: |
or FWSM 2.x | | PIX 7.x | Firewall# erase flash: |
CAUTION You should use the format and erase commands only in special cases, where the entire contents of Flash memory (both accessible and hidden Flash file systems) need to be erased. This might be desirable if a firewall is to be turned over or transferred to a different owner and the Flash contents need to remain confidential. Every file, including image files, configuration files, and licensing files, is overwritten with a 0xFF data pattern so that it is completely removed. A generic Flash file system is then rebuilt. Identifying the Operating System Image In PIX 6.x and FWSM 2.x, only one operating system image file can be stored in Flash at any time. The firewall automatically allocates storage for the image and handles its creation. In PIX 6.x, the image file is always indexed as file number 0 in the Flash file system, as displayed by the show flashfs command. Therefore, when the firewall boots up, that image is always loaded into RAM and executed. In FWSM 2.x, you can see a list of files in the image or application partition with the dir flash:/ command. PIX 7.x relaxes this restriction, allowing one or more operating system images to be stored in Flash, as long as there is sufficient space to store them. Naturally, only one of the image files can run on the firewall at any time, so you must select one file for use. Use the following command to select the bootable image: Firewall(config)# boot system flash:filename Naturally, this command is stored in the running configuration after it is entered. It should also be written into the startup configuration so that the image can be identified during the next reload or bootup. The firewall searches for the specified file as soon as the command is entered. If the file can't be found in Flash, the command is accepted but a warning message is displayed. You can also enter this command more than once to configure a list of image files that can be executed. The list of filenames is tried in sequence so that if one file is not found in Flash, the next file is tried, and so on. The firewall also maintains this value as an environment variable BOOT while it is running. If multiple boot system commands have been configured, the BOOT variable contains the entire sequence of values. You can display the current boot image setting with the following command: Firewall# show bootvar For example, two image files are stored in Flash: flash:/image.bin and flash:/image-beta.bin. You can run either image on the firewall. For normal production use, image.bin is used, whereas image-beta.bin is occasionally run to test new firewall features. The following commands show the available images and then specify image.bin and image-beta.bin as the bootable image sequence: Firewall# dir flash: Directory of flash:/ 4 -rw- 4976640 10:23:28 Nov 12 2004 image.bin 9 -rw- 5261204 4:10:17 Dec 30 2004 image-beta.bin [output omitted] Firewall# configure terminal Firewall(config)# boot system flash:/image.bin Firewall(config)# boot system flash:/image-beta.bin Firewall(config)# exit Firewall# copy running-config startup-config Firewall# Firewall# show bootvar BOOT variable = flash:/image.bin Current BOOT variable = flash:/image.bin;flash:/image-beta.bin CONFIG_FILE variable = Current CONFIG_FILE variable = Firewall# Notice that the BOOT variable has two different lines of output. The first, BOOT variable, shows the value obtained from the boot system commands at bootup time. The Current BOOT variable line shows the current value obtained by any additional boot system commands entered since bootup. Upgrading an Image from the Monitor Prompt If the firewall has no operating system image, you can still download one via TFTP from the monitor prompt. At this point, the firewall is not inspecting any traffic and has no running configuration. (Before PIX OS release 5.2, the only methods available to download a new image were TFTP and copying the image to a floppy disk.) Follow these steps to download a firewall operating system image via TFTP: 1. | Make sure a TFTP server is available.
The TFTP server should have the firewall image available for downloading.
TIP You can obtain TFTP server software from a variety of sources: Solarwinds.net TFTP server (http://www.solarwinds.net; free) Kiwi CatTools 2.x, Kiwi Enterprises (http://www.kiwisyslog.com; commercial package) Tftpd32 (http://tftpd32.jounin.net; free) tftpd, standard on UNIX systems (free) At one time, Cisco offered a free TFTP server on Cisco.com. However, this was limited to Windows 95 installations, so it has since been dropped from support. | 2. | Boot the firewall to the monitor prompt.
Just after booting the firewall, you can press the Esc or Break key to break the normal bootup sequence. Be sure to do this when the following output and prompt are displayed:
Cisco Secure PIX Firewall BIOS (4.0) #39: Tue Nov 28 18:44:51 PST 2000 Platform PIX-525 System Flash=E28F128J3 @ 0xfff00000 Use BREAK or ESC to interrupt flash boot. Use SPACE to begin flash boot immediately. Flash boot in 8 seconds. [ESC key pressed here] Flash boot interrupted. 0: i8255X @ PCI(bus:0 dev:14 irq:10) 1: i8255X @ PCI(bus:0 dev:13 irq:11) Ethernet auto negotiation timed out. Ethernet port 1 could not be initialized. Use ? for help. monitor>
| 3. | Identify the TFTP server.
NOTE The parameters you assign here are used only temporarily until the firewall can download and run the new image. None of these commands is stored in a configuration; as soon as the firewall boots, they are lost. Identify the firewall interface where the TFTP server is located: monitor> interface number
TFTP uses the interface with index number (0 to n 1, where n is the number of interfaces installed). During the bootup sequence, the firewall lists the physical interfaces that are installed. Some models also list their MAC addresses but do not number the interfaces. Therefore, it might not be clear how they correspond to the actual connections on the firewall. In any case, the first interface shown is always index 0. NOTE When the installed interfaces are listed, only the interfaces that are not Gigabit Ethernet are shown. This is because you cannot use a Gigabit Ethernet interface to download a software image from the monitor prompt. Assign an IP address to that interface: monitor> address ip-address
Here, the firewall needs just enough information to be able to contact the TFTP server. Only one physical interface can be used, so this IP address is applied to it. Because a subnet mask can't be given, the firewall assumes a regular classful network mask (172.17.69.41 yields a Class B mask of 255.255.0.0, for example). If your TFTP server is located on a different classful subnet, you can also specify a gateway address that can route between the firewall and the server. Use the following monitor command: monitor> gateway ip-address
Make sure that the firewall can reach the TFTP server. The firewall must be able to reach the server with a minimal amount of routing. You can use the following monitor command to test reachability: monitor> ping ip-address
Define the TFTP server's IP address: monitor> server ip-address
Define the image filename to fetch: monitor> file filename
The image file named filename is located in the TFTP server's root directory. This is often called the /tftpboot directory, but it depends on how your TFTP server is configured.
| 4. | Copy the image from the TFTP server:
monitor> tftp As the TFTP download is progressing, you should see periods or dots added to the output. After the download completes, the firewall needs confirmation before it actually writes the new image into its Flash memory. You can also enter a new license activation key at the end of this process, if needed.
A successful TFTP download looks something like this:
Cisco Secure PIX Firewall BIOS (4.0) #39: Tue Nov 28 18:44:51 PST 2000 Platform PIX-525 System Flash=E28F128J3 @ 0xfff00000 Use BREAK or ESC to interrupt flash boot. Use SPACE to begin flash boot immediately. Flash boot in 8 seconds. [ESC key pressed here] Flash boot interrupted. 0: i8255X @ PCI(bus:0 dev:14 irq:10) 1: i8255X @ PCI(bus:0 dev:13 irq:11) Use ? for help. monitor> monitor> interface 0 Using 0: i8255X @ PCI(bus:0 dev:14 irq:10), MAC: 0090.2744.5e66 monitor> address 172.17.69.1 monitor> ping 172.17.69.49 Sending 5, 100-byte 0x5b8d ICMP Echoes to 172.17.69.49, timeout is 4 seconds: !!!!! Success rate is 100 percent (5/5) monitor> server 172.17.69.41 monitor> file image.bin monitor> tftp tftp image.bin@172.17.69.41............................................... .......................................................................... [output omitted] ............................................... Received 2064384 bytes. Flash version 6.3(4), Install version 6.3(4) Do you wish to copy the install image into flash? [n] y Installing to flash Serial Number: 807443449 (0x30209bf9) Activation Key: c422440f 2eb1445a 46fb4413 74a344ee Do you want to enter a new activation key? [n] Writing 1941560 bytes image into flash...
| 5. | Reload the firewall to run the new image:
monitor> reload The firewall performs a reload immediately. You should see the usual bootup output on the console, followed by information about the new running image.
| Upgrading an Image from an Administrative Session 1. | Make sure an image server is available.
The server should have the firewall image available for downloading, either by TFTP, FTP, HTTP, or HTTPS.
| 2. | Make sure there is sufficient space on the Flash file system.
In PIX 6.x, only one operating system image and one PDM image can be stored in the Flash file system at any time. If a new image is downloaded, it automatically overwrites an existing image in Flash.
PIX 7.x allows one or more image files as well as other files to be stored in Flash, as long as there is sufficient space to contain them all. When a new image or file is downloaded, it is stored in Flash with a specific filename. A file is overwritten only if an existing file in Flash has an identical filename.
You can use the following command to check the available (free) space in the Flash memory:
Firewall# dir flash:/ For example, suppose a new firewall image is available on a server. The image file size is 4,995,512 bytes. First, the amount of free Flash memory is checked, giving the following output:
Firewall# dir flash:/ Directory of flash:/ 6 -rw- 4976640 10:04:50 Nov 12 2004 image.bin 10 -rw- 1575 23:05:09 Sep 30 2004 old_running.cfg 12 -rw- 3134 23:30:24 Nov 08 2004 admin.cfg 13 -rw- 1401 14:12:31 Oct 20 2004 CustomerA.cfg 14 -rw- 2515 23:29:28 Nov 08 2004 border.cfg 17 -rw- 1961 13:52:22 Oct 25 2004 datacenter.cfg 23 -rw- 8596996 10:12:38 Nov 12 2004 asdm.bin 21 drw- 704 15:06:09 Nov 22 2004 syslog 32 -rw- 205 15:06:08 Nov 22 2004 stuff 16128000 bytes total (2466816 bytes free) Firewall# Clearly, 2,466,816 bytes free is insufficient to store the new image unless the existing image (image.bin) is overwritten.
| 3. | Make sure the firewall can reach the server:
Firewall# ping [interface] ip-address The server has IP address ip-address. The firewall should already have the necessary routing information to reach the server. You can specify the firewall interface where the server is located ("outside," for example) if the firewall can't determine that directly. For example, this firewall can reach the server at 192.168.254.2:
Firewall# ping 192.168.254.2 192.168.254.2 response received -- 0ms 192.168.254.2 response received -- 0ms 192.168.254.2 response received -- 0ms Firewall#
| 4. | (TFTP only) Identify a possible TFTP server:
Firewall(config)# tftp-server [interface] ip-address path The TFTP server can be found at ip-address. By default, the inside interface is assumed unless one is specified as interface ("outside," for example). The image files are stored in the path directory on the TFTP server. This path is relative only to the TFTP process itself. For example, if the image files are stored in the topmost TFTP directory (/tftpboot within the server's file system, for instance), the path would be /, or the root of the TFTP directory tree.
TIP The tftp-server command is optional because most of the TFTP parameters can be given with the copy EXEC command when the image is downloaded. However, the firewall always assumes the inside interface will be used for TFTP. The only way to override this assumption is by specifying a firewall interface in the tftp-server command. This interface is always used whenever files are copied to and from a TFTP server, even if the server address is different from the one configured with this command. | 5. | Copy the image file from the server.
With any download method, the basic command syntax is
Firewall# copy source flash:[image | pdm | filename] The image is downloaded and copied into Flash memory as either an operating system image or a pdm image. Only one of either image type can be stored in the firewall Flash, and their locations are automatically determined. In fact, PIX 6.x restricts the image transfer to these two file types.
PIX 7.x, however, uses a more flexible Flash file system. From the system execution space, you can copy one or more image files into Flash and then specify which image the firewall should use. You can give the destination filename as an arbitrary filename. You also can use the image or asdm keywords for backward compatibility. In that case, the firewall uses the image filename configured with the boot system or asdm image commands, respectively.
Use a TFTP server: Firewall# copy tftp:[:[[//location][/pathname]] flash:[image | pdm | filename]
The image file is located on the TFTP server at location, which can be either a host name (already defined with a name command) or an IP address. The image file is referenced by pathname, which can include any directory structure needed within TFTP, along with the filename. (If the actual path name of the TFTP directory contains spaces, you should first define the whole path name using the tftp-server command. Spaces are not allowed in the pathname here.) If the location or pathname parameters are left out of this command, the firewall prompts you for those values. If you add a colon after the tftp keyword, the firewall picks up the remaining parameters configured with the tftp-server command. For example, suppose a new operating system image named newpiximage.bin is located on TFTP server 192.168.254.2. Recall that the firewall assumes that the TFTP server is located on the inside interface by default. In this case, it's located on the outside interface. You can download the new firewall image into Flash memory using the following commands: Firewall# configure terminal Firewall(config)# tftp-server outside 192.168.254.2 / Firewall(config)# exit Firewall# copy tftp://192.168.254.2/newpiximage.bin flash:image Address or name of remote host [192.168.254.2]? Source filename [newpiximage.bin]? Destination filename [image.bin]? %Warning:There is a file already existing with this name Do you want to over write? [confirm] Accessing tftp://192.168.254.2/newpiximage.bin...!!!!!!!!!!!!! [output omitted] Writing file flash:/image.bin... !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!1 4976640 bytes copied in 143.380 secs (34801 bytes/sec) Firewall#
Use an FTP server: Firewall# copy ftp://[user[:password]@]server[:port]/[path/]filename [;type=xy] flash:[image | pdm | filename]
The FTP server is known as server by either an IP address or a host name (the host name must be preconfigured with the name configuration command). If the server requires user authentication, the username and password are given as user:password@. By default, TCP port 21 is used; you can override this by specifying port. The image file is found on the server with path name path (relative to the user's home directory) and filename filename. By default, the firewall uses an FTP session in binary passive mode. You can use a different FTP mode by appending the ;type=xy keyword, where x is a single letter a (ASCII) or i (image or binary) and y is a single letter p (passive) or n (normal). For example, ;type=ip is the default binary passive mode. As an example, suppose an image named newpiximage.bin is located on an FTP server at 192.168.254.2. The server requires authentication using username myuserid and password mypassword, and the image is stored in the PixImages directory. You can download the new firewall image into Flash memory using the following command: Firewall# copy ftp://myuserid:mypassword@192.168.254.2/PixImages/ newpiximage.bin flash:image Address or name of remote host [192.168.254.2]? Source filename [newpiximage.bin]? Destination filename [image.bin]? %Warning:There is a file already existing with this name Do you want to over write? [confirm] Accessing ftp://myuserid:mypassword@192.168.254.2/PixImages/ newpiximage.bin... !!!!!!!!!!!!! [output omitted] Writing file flash:/image.bin... !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!1 4976640 bytes copied in 149.110 secs (33375 bytes/sec) Firewall#
Use an HTTP or HTTPS server: Firewall# copy http[s]://[user:password@]location[:port ]/ http_pathname flash[:[image | pdm | filename]
You can use either http (HTTP, port 80) or https (HTTPS or SSL, port 443), depending on how the web server is configured. If user authentication is required, it can be given as user:password@. The web server has a name or IP address given by location. (If a host name is used, it must also be defined in the firewall with the name command.) By default, the port number is either TCP 80 or TCP 443, according to the http or https keyword. You can override the TCP port number by giving it as port. The image file can be found on the server at the path http_pathname. The directory hierarchy is relative to the web server's file structure. For example, a PIX operating system image named newpiximage.bin is stored on the web server at http://192.168.254.2 in the default directory. The server requires authentication using username myuserid and password mypassword. You can download the new firewall image into Flash memory using the following command: Firewall# copy http://myuserid:mypassword@192.168.254.2/ newpiximage.bin flash:image.bin Address or name of remote host [192.168.254.2]? Source filename [newpiximage.bin]? Destination filename [image.bin]? %Warning:There is a file already existing with this name Do you want to over write? [confirm] Accessing http://192.168.254.2/newpiximage.bin...!!!!!!!!!!!!!!!!! [output omitted] Writing file flash:/image.bin... !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! [output omitted] 4902912 bytes copied in 137.730 secs (35787 bytes/sec) Firewall#
| |