In order to have a flexible product, the PIX uses software licensing to enable or disable features within the PIX OS. Although the hardware is common to all platforms (except that certain licenses can ship with additional memory or hardware accelerators) and the software is common, features differ depending on the activation key.
The activation key allows you to upgrade features without acquiring new software, although the process is similar. The activation key is computed by Cisco depending on what you have ordered and your serial number, so it's different for each piece of PIX hardware you own. The serial number is based on the flash, so if you replace the flash, you have to replace the activation key.
The activation key enables feature-specific information such as interfaces, high availability, and type of encryption. More specific information is found in the section "PIX Licensing and Upgrades."
To get information about the activation key, use the show version command. It reports the code version, the hardware, and the activation key information. Alternatively, the command show activation-key produces output like this:
```
Serial Number: 480090153 (0x1c9d9829)
Running Activation Key: 0x75fe7c49 0xc08b4082 0x08979930 0xe4b4c4b0
Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES: Disabled
Maximum Interfaces: 6
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited
The flash activation key is the same as the running key.
```
This machine is a PIX 515 and has an unrestricted license, with the maximum number of interfaces permitted, including failover.
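Because the activation key decides which security features (failover, 3DES) are actually in force, it is worth parsing show activation-key output rather than eyeballing it, for example as part of an inventory check across several PIX units. The following is an added example, not code from the book or from Cisco: it parses the output shown above, cross-checks the decimal and hexadecimal serial numbers, renders the key in the form the activation-key command accepts, and compares the licensed features against a baseline. The baseline dictionary and the finding format are my own assumptions.

```python
"""Parse PIX `show activation-key` output and compare it with a licensing baseline."""
import re

# Sample input: the show activation-key output reproduced from the text above.
SAMPLE_OUTPUT = """\
Serial Number: 480090153 (0x1c9d9829)
Running Activation Key: 0x75fe7c49 0xc08b4082 0x08979930 0xe4b4c4b0
Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES: Disabled
Maximum Interfaces: 6
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited
The flash activation key is the same as the running key.
"""


def parse_activation_key(text):
    """Return serial, key tuple, feature map and whether flash and running keys agree."""
    info = {"features": {}, "flash_matches_running": None}
    in_features = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"Serial Number:\s*(\d+)\s*\((0x[0-9a-fA-F]+)\)", line)
        if m:
            info["serial"] = int(m.group(1))
            # The hex form in parentheses must be the same number; a mismatch
            # means the captured output was mangled (for example by a bad paste).
            if int(m.group(2), 16) != info["serial"]:
                raise ValueError("serial number and its hex form disagree")
            continue
        m = re.match(r"Running Activation Key:\s*(.+)", line)
        if m:
            info["running_key"] = tuple(int(word, 16) for word in m.group(1).split())
            continue
        if line.lower().startswith("licensed features"):
            in_features = True
            continue
        if line.lower().startswith("the flash activation key"):
            in_features = False
            info["flash_matches_running"] = "same as the running key" in line.lower()
            continue
        if in_features and ":" in line:
            name, value = line.split(":", 1)
            info["features"][name.strip()] = value.strip()
    return info


def activation_key_command(key):
    """Render the key as the `activation-key` command wants it: hexadecimal,
    no 0x prefix, each word zero-padded to eight digits."""
    return "activation-key " + " ".join(f"{word:08x}" for word in key)


def license_findings(info, baseline):
    """Compare licensed features with a baseline (assumed shape: feature name ->
    expected value string) and return human-readable mismatches."""
    findings = []
    for feature, expected in baseline.items():
        actual = info["features"].get(feature, "<missing>")
        if actual != expected:
            findings.append(f"{feature}: {actual} (expected {expected})")
    if info["flash_matches_running"] is False:
        findings.append("flash activation key differs from running key")
    return findings


if __name__ == "__main__":
    parsed = parse_activation_key(SAMPLE_OUTPUT)
    print(activation_key_command(parsed["running_key"]))
    for finding in license_findings(parsed, {"Failover": "Enabled", "VPN-3DES": "Enabled"}):
        print("finding:", finding)
```

Run against the sample, the baseline that expects 3DES reports one finding, VPN-3DES: Disabled, which is exactly the kind of gap (a VPN peer configured for 3DES on a DES-only license) that is easier to catch in a script than on a console.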
Updating the activation key in version 6.2 of the PIX OS couldn't be simpler. The command activation-key <activation-key-four-tuple> sets the key to the new value. Note that activation four-tuples are in hexadecimal, are case insensitive, and don't require you to start the numbers with 0x. Thus the previously mentioned machine could be set with:
```
PIX1(config)# activation-key 75fe7c49 c08b4082 08979930 e4b4c4b0
```
Updating the activation keys in prior versions is not much more complicated. Power-cycle the PIX, and send an Esc or Break to enter monitor mode. This will present you with a prompt:
```
monitor>
```
Type a ? to see the options. Sample output is listed here:
```
Use ? for help.
monitor> ?
?                  this help message
address [addr]     set IP address
file [name]        set boot file name
gateway [addr]     set IP gateway
help               this help message
interface [num]    select TFTP interface
ping <addr>        send ICMP echo
reload             halt and reload system
server [addr]      set server IP address
tftp               TFTP download
timeout            TFTP timeout
trace              toggle packet tracing
```
It would be a good idea to upgrade your software at this time, but in any event, the PIX will ask you if you want to update your activation key at the end of the TFTP process.
Generally, the licensing falls into one of three types, plus an additional factor for crypto constraints. The three main categories are unrestricted, restricted, and failover. If you have a single PIX, you'll want unrestricted or restricted licensing, depending on the number of interfaces you want to support. If you have two PIX appliances and want high availability, you'll want one machine with an unrestricted license and another machine with a failover license.
The traditional way of managing images is via TFTP. This is a UDP-based transport protocol—fast and efficient. Unfortunately, it is not authenticated and carries no integrity protection of its own, so you have to be a bit careful to ensure that your data actually gets saved when you write to a TFTP server and that the data you download is not corrupted.
By tradition, UNIX hosts have TFTP software preinstalled. If you do have a UNIX laptop, try man tftpd to see how to turn it on. If you have a Windows laptop, the server is not installed (although a client might well be—it's standard on most NT and Win2K environments).
Luckily, a TFTP server for a Windows environment is easy to acquire and install. Perhaps one of the best is the Solar Winds server, part of the Solar Winds suite. The full tool set is an invaluable aid to security professionals, and some pieces of it, like the TFTP server, are free. Installation is via the WISE installation wizard.
Another excellent TFTP server is the one Cisco provides. It is available at www.cisco.com/cgi-bin/tablebuild.pl/tftp and is also free. Simply provide your Cisco user ID when you download, and launch the installer executable.
Running the Cisco TFTP server is straightforward. The server, by default, is not running. (This mode is recommended, since there is no authentication; you don't want anyone uploading or downloading files without your knowledge.) The first time you run it, you will want to press O for Options (under the View menu) to set the log file, if desired, and set the TFTP root directory. This is where you want to store the images. If you are going to be upgrading the PIX software, FTP the binary image down from the Web into that directory, and you are ready for the transfer.
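Since TFTP will happily serve whatever is in its root directory and the PIX erases its current image before writing the new one, the time to catch a wrong or corrupted file is before the transfer, and the byte count the PIX reports is the only confirmation you get afterwards. The following is an added example, not code from the book or from Cisco: it checks a staged image against an expected size and checksum, then parses a copy tftp flash transcript (the one shown later in this section) to confirm the received and written byte counts and the "Image installed." line. The published size and checksum are assumed to come from the vendor download page; the demo stands in a placeholder file for a real image.

```python
"""Check a staged PIX image before a TFTP upgrade and the PIX transcript after it."""
import hashlib
import os
import re
import tempfile

# Sample input: the copy tftp flash session reproduced from this section.
COPY_TRANSCRIPT = """\
pixfirewall# copy tftp flash
Address or name of remote host [127.0.0.1]? 10.1.1.1
Source file name [cdisk]? pix621.bin
copying tftp://10.1.1.1/pix621.bin to flash
[yes|no|again]? yes
!!!!!!!!!!!!!!!!
Received 1640448 bytes.
Erasing current image.
Writing 1640448 bytes of image.
!!!!!!!!!!!!!!!!
Image installed.
"""


def file_digests(path):
    """Size plus MD5 and SHA-256 of a file, read in chunks."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha.update(chunk)
    return {"size": os.path.getsize(path), "md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def check_staged_image(path, expected_size, expected_md5=None, expected_sha256=None):
    """Problems with the file in the TFTP root; an empty list means it is safe to serve.
    TFTP itself cannot tell the PIX whether this is the file you meant, so this
    is the only check that happens before the flash is erased."""
    digest = file_digests(path)
    problems = []
    if digest["size"] != expected_size:
        problems.append(f"size {digest['size']} != expected {expected_size}")
    if expected_md5 and digest["md5"] != expected_md5.lower():
        problems.append("MD5 does not match the published checksum")
    if expected_sha256 and digest["sha256"] != expected_sha256.lower():
        problems.append("SHA-256 does not match the published checksum")
    return problems


def check_copy_transcript(transcript, expected_size):
    """Problems with the PIX's copy tftp flash output; an empty list means the
    bytes received and written match the staged file and installation was confirmed."""
    problems = []
    for label, pattern in (("Received", r"Received (\d+) bytes"),
                           ("Writing", r"Writing (\d+) bytes of image")):
        m = re.search(pattern, transcript)
        if not m:
            problems.append(f"no '{label} N bytes' line: transfer did not complete")
        elif int(m.group(1)) != expected_size:
            problems.append(f"{label} {m.group(1)} bytes, expected {expected_size}")
    if "Image installed." not in transcript:
        problems.append("no 'Image installed.' confirmation; do not reload")
    return problems


def demo():
    """Stage a constructed placeholder file (not a real PIX image) of the size
    shown in the transcript, check it, then check a truncated copy of it."""
    with tempfile.TemporaryDirectory() as root:
        good = os.path.join(root, "pix621.bin")
        with open(good, "wb") as fh:
            fh.write(bytes(range(256)) * (1640448 // 256))
        published = file_digests(good)  # stands in for the vendor-published values
        clean = check_staged_image(good, 1640448, expected_md5=published["md5"])
        truncated = os.path.join(root, "pix621-truncated.bin")
        with open(good, "rb") as src, open(truncated, "wb") as dst:
            dst.write(src.read()[:-1])  # simulate a transfer that lost the last byte
        broken = check_staged_image(truncated, 1640448, expected_md5=published["md5"])
    return {"clean": clean, "truncated": broken}


if __name__ == "__main__":
    print(demo())
    print(check_copy_transcript(COPY_TRANSCRIPT, 1640448))
```

The truncated copy fails on both size and MD5, while the intact one passes; the same size is then fed to check_copy_transcript so that a short "Received" count on the PIX side is caught before anyone types reload.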
If you have a very old version of the software (pre-5.1(x)), you must upgrade using monitor mode. You can follow the preceding notes or the following step-by-step procedure:
1. Enter monitor mode. Remember, this requires that you get a console session running, power-cycle the box, and press Escape within 10 seconds of the boot.
2. The PIX is currently unconfigured. Set up your download interface by doing the following:
   - Use interface <number> to set the TFTP interface. The default is 1, so you don't have to set it if the TFTP server is on the inside.
   - Use address <IP address> to set the IP address of the PIX.
   - Hopefully, your server is on the same network as the TFTP interface. If not, you can set a default gateway with gateway <IP address>.
3. Next, prepare the transfer information:
   - Use server <IP address> to set the IP address of your TFTP server.
   - Use file <filename> to set the name of the image to upload.
4. Finally, execute the transfer. Use tftp to start the download.
This process loads the new image in place of the old one, and when you reboot, you will come up under the new image.
Luckily, this process should not apply—unless you accidentally upload the wrong file or your TFTP transfer fails. Monitor mode is primarily used in the event of disaster.
The process of updating your software on a reasonably new version of code is straightforward. You can avoid monitor mode and do everything from the PIX enable command line. Log in to the PIX and get into enable mode. It is a good idea to ping your TFTP server to verify connectivity—for example:
```
PIX1# ping inside 10.1.1.1
```
Get the version of the software onto your TFTP server, and copy the file to flash:
```
pixfirewall# copy tftp flash
Address or name of remote host [127.0.0.1]? 10.1.1.1
Source file name [cdisk]? pix621.bin
copying tftp://10.1.1.1/pix621.bin to flash
[yes|no|again]? yes
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Received 1640448 bytes.
Erasing current image.
Writing 1640448 bytes of image.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Image installed.
```
On the next reload, the new image is available.
Passwords are stored on the PIX as an MD5 hash. This is good: you are probably aware that Cisco type 7 passwords can be instantly decoded, even on a simple personal digital assistant (PDA). An MD5 hash is harder, since an attacker essentially has to try candidate passwords one by one. Unfortunately, the MD5 hash used on the PIX is significantly weaker than the Cisco type 5 hash used on Cisco routers. Programs such as Cain & Abel (www.oxid.it) can, with time, discover a password. This weakness has been assigned CVE vulnerability CAN-2002-0954. So, if all you have is a printout of the configuration, you can recover your password, which can be helpful for machines in production environments. (The caveat is that others can do the same. Be careful about leaving configuration files on TFTP servers, or printouts, where others can get to them.)
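The practical defence against the caveat above is to make sure no saved configuration is sitting in the TFTP root, since any host that can reach UDP port 69 can read it without authenticating. The following is an added example, not code from the book or from Cisco: it walks a TFTP root directory and reports every line that carries a PIX credential. The keyword list (enable password, passwd, isakmp key, snmp-server community) reflects the PIX 6.x configuration syntax as I know it and is an assumption about what a leaked file would contain; the sample files, including the placeholder hashes, are constructed.

```python
"""Find PIX configuration files with credentials left in a TFTP root directory."""
import os
import re
import tempfile

# Configuration lines that carry secrets (assumed keyword list for PIX 6.x).
SECRET_LINE_PATTERNS = (
    (re.compile(r"^\s*enable password\s+\S+", re.I), "enable password hash"),
    (re.compile(r"^\s*passwd\s+\S+", re.I), "login password hash"),
    (re.compile(r"^\s*isakmp key\s+\S+", re.I), "IKE pre-shared key"),
    (re.compile(r"^\s*snmp-server community\s+\S+", re.I), "SNMP community string"),
)


def scan_file(path):
    """Return (line number, description) for every secret-bearing line in one file.
    Binary images are read with replacement decoding and simply match nothing."""
    findings = []
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                for pattern, what in SECRET_LINE_PATTERNS:
                    if pattern.match(line):
                        findings.append((lineno, what))
                        break
    except OSError:
        pass  # unreadable file: nothing to report from it
    return findings


def scan_tftp_root(root):
    """Walk the TFTP root and return (relative path, line number, description)."""
    report = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            for lineno, what in scan_file(full):
                report.append((os.path.relpath(full, root), lineno, what))
    return report


def demo():
    """Build a constructed TFTP root with one image and one saved config, then scan it."""
    with tempfile.TemporaryDirectory() as root:
        # A binary image: contains no configuration lines and must not be flagged.
        with open(os.path.join(root, "pix621.bin"), "wb") as fh:
            fh.write(bytes(range(256)) * 16)
        # A constructed saved configuration; the hashes and keys are placeholders.
        with open(os.path.join(root, "pix1-config.txt"), "w", encoding="utf-8") as fh:
            fh.write("PIX Version 6.2(1)\n"
                     "hostname PIX1\n"
                     "enable password PLACEHOLDERHASH encrypted\n"
                     "passwd PLACEHOLDERHASH encrypted\n"
                     "isakmp key PLACEHOLDERPSK address 10.1.1.2 netmask 255.255.255.255\n"
                     "snmp-server community PLACEHOLDERCOMMUNITY\n")
        return scan_tftp_root(root)


if __name__ == "__main__":
    for path, lineno, what in demo():
        print(f"{path}:{lineno}: {what}")
```

Running the scan from cron on the TFTP host, or by hand before you leave the server running after an upgrade, turns the "be careful" advice into a check that actually fires.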
If your environment can tolerate a little downtime, you can reset your PIX password. You download a program, depending on your OS version, that will execute on the PIX and reset the password to the default, cisco. You can then get in and use enable mode to set the password to a known value.
Earlier you saw that monitor mode was used for emergencies. Forgetting the password is a pretty good emergency. Here is what you do:
1. Pick the correct version of the software from Table 8.2.
Version | Filename | URL |
---|---|---|
4.3 and earlier releases | nppix.bin | www.cisco.com/warp/public/110/nppix.bin |
4.4 release | np44.bin | www.cisco.com/warp/public/110/np44.bin |
5.0 release | np50.bin | www.cisco.com/warp/public/110/np50.bin |
5.1 release | np51.bin | www.cisco.com/warp/public/110/np51.bin |
5.2 release | np52.bin | www.cisco.com/warp/public/110/np52.bin |
5.3 release | np53.bin | www.cisco.com/warp/public/110/np53.bin |
6.0 release | np60.bin | www.cisco.com/warp/public/110/np60.bin |
6.1 release | np61.bin | www.cisco.com/warp/public/110/np61.bin |
6.2 release | np62.bin | www.cisco.com/warp/public/110/np62.bin |
2. Place this software on a TFTP server accessible to the PIX.
3. Connect to the PIX on the console port. Verify connectivity. (You should get a password prompt, which you can't answer.)
4. Reboot the PIX.
5. Within 10 seconds of the reboot, press Esc to enter monitor mode.
6. Use the interface command to set the interface to that of the TFTP server.
7. Use the address command to specify the IP address of that interface.
8. Use the server command to specify the IP address of the TFTP server.
9. Use the gateway command to specify the default route to the TFTP server, if needed. (This is not recommended; if at all possible, try to have the TFTP server on the same network as the PIX interface to minimize the likelihood of file corruption.)
10. Use the file command to specify the filename of the recovery file you chose in Step 1.
11. Use the ping command to verify that you can connect to the TFTP server.
12. Use the tftp command to start the download.
At this point, you should be prompted to erase the passwords, and you will be in. The default password has now been set to cisco, with no enable password.