Security : Cisco PIX 500 Series Security Appliances

PIX 500 Security Appliance 6.x to 7.x Software Upgrade Procedure

August 28, 2015 (machine translation)
Other versions: PDF | English (September 15, 2014)


Note: This document describes how to upgrade the software on PIX 500 series security appliances. To download PIX software, visit the Software Center (registered customers only). You must be logged in and have a valid service contract in order to access PIX software.




Introduction

This document describes how to upgrade a PIX appliance from version 6.2 or 6.3 to version 7.x. It also covers the installation of Adaptive Security Device Manager (ASDM) version 5.0.

Prerequisites

Requirements

Before you begin this upgrade process, complete these tasks.

  • Save your current PIX configuration to a text file or to a TFTP server with the show running-config or write net command.

  • Display the serial number and activation key with the show version command, and save this output to a text file. If you ever need to revert to an older version of code, you might need the original activation key. Refer to the PIX Firewall FAQ for more information on activation keys.

  • Make sure there are no conduit or outbound commands in your current configuration. These commands are no longer supported in version 7.x, and the upgrade process removes them. Use the Output Interpreter tool (registered customers only) to convert these commands to access lists before you attempt the upgrade.

  • Make sure the PIX does not terminate Point-to-Point Tunneling Protocol (PPTP) connections. PIX 7.1 and later currently does not support PPTP termination.

  • If you use failover, make sure the LAN or stateful failover interface is not shared with any interface that passes data. For example, if you use the inside interface to pass data traffic and also use it as the stateful failover interface (inside failover link), you must move the stateful failover interface to another interface before the upgrade. Otherwise, all configuration tied to the inside interface is removed, and data traffic does not pass through that interface after the upgrade.

  • Make sure the PIX runs version 6.2 or 6.3 before you continue.

  • Read the release notes for the version you plan to upgrade to, so that you are aware of all new, changed, and deprecated commands.

  • Refer to the Upgrade Guide for any other command changes between versions 6.x and 7.x.
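Several of the prerequisites above can be checked mechanically against the configuration file saved in the first step. The following Python script is an added example and is not part of this Cisco document: it reads a saved 6.x configuration, confirms that the PIX Version line reports 6.2 or 6.3, and flags conduit and outbound lines (which the 7.x upgrade drops) as well as PPTP termination. The vpdn group ... accept dialin pptp syntax it looks for, and the sample configuration it runs against, are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Versions the upgrade procedure requires as a starting point.
SUPPORTED_SOURCE_VERSIONS = ("6.2", "6.3")

# Commands that version 7.x no longer supports; the upgrade silently
# drops them, so they must be converted to access lists beforehand.
REMOVED_COMMANDS = ("conduit", "outbound")

# 6.x PPTP termination is configured with a "vpdn group ... accept dialin pptp"
# line (syntax assumed for this example); 7.x does not terminate PPTP.
PPTP_MARKER = "accept dialin pptp"


@dataclass
class AuditResult:
    version: Optional[str]
    version_ok: bool
    findings: List[Tuple[int, str]] = field(default_factory=list)

    @property
    def ready(self) -> bool:
        """True when the config is on 6.2/6.3 and nothing blocks the upgrade."""
        return self.version_ok and not self.findings


def audit_config(config_text: str) -> AuditResult:
    """Scan a saved 6.x configuration for conditions that block a 7.x upgrade."""
    version = None
    findings: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        m = re.match(r"PIX Version (\d+\.\d+)", line)
        if m:
            version = m.group(1)
            continue
        keyword = line.split(" ", 1)[0]
        if keyword in REMOVED_COMMANDS:
            findings.append((lineno, f"'{keyword}' is removed by the 7.x upgrade; "
                                     f"convert it to an access-list: {line}"))
        elif keyword == "vpdn" and PPTP_MARKER in line:
            findings.append((lineno, f"PPTP termination is not supported in 7.x: {line}"))
    version_ok = version in SUPPORTED_SOURCE_VERSIONS
    return AuditResult(version, version_ok, findings)


# Constructed sample configuration (not taken from the document) that fails the audit.
SAMPLE_CONFIG = """\
: Saved
PIX Version 6.3(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list inbound permit tcp any host 192.0.2.10 eq www
conduit permit tcp host 192.0.2.10 eq smtp any
outbound 1 deny 10.1.1.0 255.255.255.0 0 tcp
vpdn group 1 accept dialin pptp
"""

if __name__ == "__main__":
    result = audit_config(SAMPLE_CONFIG)
    print(f"PIX version {result.version}, ready for 7.x upgrade: {result.ready}")
    for lineno, message in result.findings:
        print(f"  line {lineno}: {message}")
```

Run it against the file produced by show running-config; any finding must be resolved (for example with the Output Interpreter conversion the prerequisite mentions) before the maintenance window, because the upgrade itself only reports the removed commands after the configuration has already been converted.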

Components Used

The information in this document is based on these software and hardware versions:

  • PIX Security Appliance 515, 515E, 525, and 535

  • PIX software versions 6.3(4) and 7.0(1)

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Minimum System Requirements

Before you begin the upgrade to version 7.x, Cisco recommends that the PIX run version 6.2 or later. This ensures that the current configuration converts properly. In addition, these hardware requirements must be met for minimum RAM and Flash:

PIX Model    RAM requirement                                        Flash requirement
             Restricted (R)   Unrestricted (UR)/Failover Only (FO)
PIX-515      64 MB*           128 MB*                               16 MB
PIX-515E     64 MB*           128 MB*                               16 MB
PIX-525      128 MB           256 MB                                16 MB
PIX-535      512 MB           1 GB                                  16 MB

* All PIX-515 and PIX-515E appliances require a memory upgrade.

Issue the show version command to determine the amount of RAM and Flash currently installed on the PIX. A Flash upgrade is not required, because all PIX appliances in this table ship with 16 MB of Flash by default.

Note: Only the PIX security appliances in this table are supported in version 7.x. Older PIX security appliances, such as the PIX-520, 510, 10000, and Classic, are end-of-life and do not run 7.0 or later. If you have one of these appliances and want to run 7.x or later, contact your local Cisco account team or reseller to purchase a newer security appliance. In addition, PIX Firewalls with less than 64 MB of RAM (PIX-501, PIX-506, and PIX-506E) cannot run the initial 7.0 release.

Memory Upgrade Information for PIX 515/515E Appliances

Only the PIX-515 and PIX-515E appliances require a memory upgrade. Refer to this table for the part numbers needed to upgrade memory on these appliances.

Note: The part number depends on the license installed on the PIX.

Current appliance configuration                      Upgrade solution
Platform license     Total memory (before upgrade)   Part number         Total memory (after upgrade)
Restricted (R)       32 MB                           PIX-515-MEM-32=     64 MB
Unrestricted (UR)    32 MB                           PIX-515-MEM-128=    128 MB
Failover Only (FO)   64 MB                           PIX-515-MEM-128=    128 MB

Refer to the Cisco PIX 515/515E Security Appliance Memory Upgrade for PIX Software v7.0 product bulletin for more information.
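The two tables above can be applied automatically to the output of show version that the requirements section asks you to save. The following Python is an added example and not part of this document: it extracts platform, installed RAM, Flash size and license type from 6.x show version output, checks them against the minimum RAM and Flash table, and for a PIX-515/515E that falls short names the memory kit from the second table. The Hardware:, Flash ... @ ..., 16MB and This PIX has an ... license line formats are assumptions this example makes about 6.x output, and the sample output is constructed.

```python
import re
from typing import Dict, List

# Minimum RAM in MB for 7.x from the requirements table, as
# (Restricted, Unrestricted or Failover Only) pairs.
MIN_RAM_MB = {
    "PIX-515": (64, 128),
    "PIX-515E": (64, 128),
    "PIX-525": (128, 256),
    "PIX-535": (512, 1024),
}
MIN_FLASH_MB = 16

# PIX-515/515E memory upgrade kits from the part-number table,
# keyed by (license code, RAM currently installed in MB).
MEMORY_UPGRADE = {
    ("R", 32): ("PIX-515-MEM-32=", 64),
    ("UR", 32): ("PIX-515-MEM-128=", 128),
    ("FO", 64): ("PIX-515-MEM-128=", 128),
}


def parse_show_version(text: str) -> Dict[str, object]:
    """Pull platform, RAM, Flash and license code out of 6.x 'show version' output.

    The line formats matched here are assumptions made by this example:
    'Hardware:   PIX-515E, 32 MB RAM, ...', 'Flash E28F128J3 @ 0x300, 16MB'
    and 'This PIX has an Unrestricted (UR) license.'
    """
    info: Dict[str, object] = {}
    m = re.search(r"Hardware:\s+(PIX-\w+),\s+(\d+)\s*MB RAM", text)
    if m:
        info["platform"] = m.group(1)
        info["ram_mb"] = int(m.group(2))
    m = re.search(r"^Flash \S+ @ 0x[0-9A-Fa-f]+,\s*(\d+)\s*MB", text, re.MULTILINE)
    if m:
        info["flash_mb"] = int(m.group(1))
    m = re.search(r"has an? (?:Restricted|Unrestricted|Failover Only) \((R|UR|FO)\) license", text)
    if m:
        info["license"] = m.group(1)
    return info


def check_requirements(info: Dict[str, object]) -> List[str]:
    """Return the 7.x requirement violations; an empty list means the appliance qualifies."""
    missing = [k for k in ("platform", "ram_mb", "flash_mb", "license") if k not in info]
    if missing:
        return [f"could not parse {', '.join(missing)} from show version output"]
    platform, ram, flash, lic = info["platform"], info["ram_mb"], info["flash_mb"], info["license"]
    if platform not in MIN_RAM_MB:
        return [f"{platform} is not supported by version 7.x"]
    need = MIN_RAM_MB[platform][0 if lic == "R" else 1]
    findings: List[str] = []
    if ram < need:
        msg = f"{platform}: {ram} MB RAM installed, {need} MB required for a {lic} license"
        kit = MEMORY_UPGRADE.get((lic, ram))
        if platform in ("PIX-515", "PIX-515E") and kit:
            msg += f"; install {kit[0]} to reach {kit[1]} MB"
        findings.append(msg)
    if flash < MIN_FLASH_MB:
        findings.append(f"{platform}: {flash} MB Flash installed, {MIN_FLASH_MB} MB required")
    return findings


# Constructed 6.x 'show version' excerpt (not from the document): a 515E with
# an Unrestricted license and only 32 MB of RAM.
SAMPLE_SHOW_VERSION = """\
Cisco PIX Firewall Version 6.3(4)

pixfirewall up 3 days 2 hours

Hardware:   PIX-515E, 32 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

This PIX has an Unrestricted (UR) license.
"""

if __name__ == "__main__":
    for finding in check_requirements(parse_show_version(SAMPLE_SHOW_VERSION)) or ["requirements met"]:
        print(finding)
```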

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Upgrade the PIX Security Appliance

Download Software

To download PIX 7.x software, visit the Cisco Software Center (registered customers only). TFTP server software is no longer available from Cisco.com. However, you can find many TFTP servers if you search for "tftp server" on your preferred Internet search engine. Cisco does not specifically recommend any particular TFTP implementation. Refer to the TFTP Server page (registered customers only) for more information.

Upgrade Procedure

Note that the upgrade of the PIX security appliance to version 7.x is a major change. Much of the CLI has been modified, so your configuration looks very different after the upgrade. Perform the upgrade only during a maintenance window, because the upgrade process requires some downtime. If you need to revert to a 6.x image, you must follow the downgrade procedure; otherwise the PIX enters a continuous reboot loop. To continue the upgrade, find your PIX appliance model in this table and follow the link to the instructions on how to upgrade.

PIX Model                          Upgrade method
PIX-515                            Monitor mode
PIX-515E                           copy tftp flash
PIX-525                            copy tftp flash
PIX-535 (without PDM installed)    copy tftp flash
PIX-535 (with PDM installed)       Monitor mode

Upgrade the PIX Security Appliance from Monitor Mode

Enter Monitor Mode

Complete these steps to enter Monitor mode on the PIX.

  1. Connect a console cable to the console port on the PIX with these communication settings:

    • 9600 bps

    • 8 data bits

    • No parity

    • 1 stop bit

    • No flow control

  2. Power cycle or reload the PIX. During bootup, you are prompted to use BREAK or ESC to interrupt the Flash boot. You have ten seconds to interrupt the normal boot process.

  3. Press the ESC key or send a BREAK character in order to enter Monitor mode.

    • If you use Windows HyperTerminal, you can press the ESC key or press Ctrl+Break to send a BREAK character.

    • If you Telnet through a terminal server to access the console port of the PIX, you need to press Ctrl+] (Control + right bracket) to get to the Telnet command prompt. Then enter the send break command.

  4. The monitor> prompt appears.

  5. Proceed to the Upgrade the PIX from Monitor Mode section.

Upgrade the PIX from Monitor Mode

Complete these steps to upgrade your PIX from Monitor mode.

Note: In Monitor mode, the Fast Ethernet cards in the 64-bit slots are not visible. This means the TFTP server cannot reside on one of those interfaces. The user must use the copy tftp flash command to transfer the PIX Firewall image file via TFTP.

  1. Copy the PIX appliance binary image (for example, pix701.bin) to the root directory of the TFTP server.

  2. Enter Monitor mode on the PIX. If you are unsure how to do this, refer to the instructions on how to enter Monitor mode in this document.

    Note: Once in Monitor mode, you can use the ? key to view a list of the available options.

  3. Enter the number of the interface to which the TFTP server is connected, or the interface closest to the TFTP server. The default is interface 1 (inside).

    monitor>interface <num>
    

    Note: In Monitor mode, the interface always auto-negotiates speed and duplex. The interface settings cannot be hard-coded. Therefore, if the PIX interface is plugged into a switch that is hard-coded for speed/duplex, reconfigure the switch port to auto-negotiate while you are in Monitor mode. Also note that the PIX appliance cannot initialize a Gigabit Ethernet interface from Monitor mode; a Fast Ethernet interface must be used instead.

  4. Enter the IP address of the interface defined in step 3.

    monitor>address <PIX_ip_address>
    
  5. Enter the IP address of the TFTP server.

    monitor>server <tftp_server_ip_address>
    
  6. (Optional) Enter the IP address of your gateway. A gateway address is required if the interface of the PIX is not on the same network as the TFTP server.

    monitor>gateway <gateway_ip_address>
    
  7. Enter the name of the file on the TFTP server that you want to load. This is the PIX binary image file name.

    monitor>file <filename>
    
  8. Ping the TFTP server from the PIX to verify IP connectivity.

    If the ping fails, double-check the cables, the IP address of the PIX interface and of the TFTP server, and the IP address of the gateway (if needed). The ping must succeed before you continue.

    monitor>ping <tftp_server_ip_address>
    
  9. Type tftp to start the TFTP download.

    monitor>tftp
    
  10. The PIX downloads the image into RAM and boots it automatically.

    During the boot process, the file system is converted along with your current configuration. However, you are not done yet. Note this warning message after boot and continue to step 11:

    ************************************************************************
    **                                                                    **
    **   *** WARNING *** WARNING *** WARNING *** WARNING *** WARNING ***  **
    **                                                                    **
    **          ----> Current image running from RAM only! <----          **
    **                                                                    **
    **  When the PIX was upgraded in Monitor mode the boot image was not  **
    **  written to Flash.  Please issue "copy tftp: flash:" to load and   **
    **  save a bootable image to Flash.  Failure to do so will result in  **
    **  a boot loop the next time the PIX is reloaded.                    **
    **                                                                    **
    ************************************************************************
  11. After boot, enter enable mode and copy the same image to the PIX again, this time with the copy tftp flash command.

    This saves the image to the Flash file system. Failure to complete this step results in a boot loop the next time the PIX is reloaded.

    pixfirewall>enable
    pixfirewall#copy tftp flash
    

    Note: Refer to the Upgrade the PIX Security Appliance with the copy tftp flash Command section for detailed instructions on how to copy the image with the copy tftp flash command.

  12. Once the image is copied with the copy tftp flash command, the upgrade process is complete.

Sample Configuration - Upgrade the PIX Security Appliance from Monitor Mode

monitor>interface 1 
0: i8255X @ PCI(bus:0 dev:13 irq:10)
1: i8255X @ PCI(bus:0 dev:14 irq:7 )
2: i8255X @ PCI(bus:1 dev:0  irq:11)
3: i8255X @ PCI(bus:1 dev:1  irq:11)
4: i8255X @ PCI(bus:1 dev:2  irq:11)
5: i8255X @ PCI(bus:1 dev:3  irq:11)

Using 1: i82559 @ PCI(bus:0 dev:14 irq:7 ), MAC: 0050.54ff.4d81
monitor>address 10.1.1.2 
address 10.1.1.2 
monitor>server 172.18.173.123 
server 172.18.173.123 
monitor>gateway 10.1.1.1
gateway 10.1.1.1
monitor>file pix701.bin 
file pix701.bin 
monitor>ping 172.18.173.123 
Sending 5, 100-byte 0xa014 ICMP Echoes to 172.18.173.123, timeout is 4 seconds: 
!!!!! 
Success rate is 100 percent (5/5) 
monitor>tftp 
tftp pix701.bin@172.18.173.123.......................................... 
Received 5124096 bytes 

Cisco PIX Security Appliance admin loader (3.0) #0: Mon Mar  7 17:39:03 PST 2005
#######################################################################
128MB RAM

Total NICs found: 6
mcwa i82559 Ethernet at irq 10  MAC: 0050.54ff.4d80
mcwa i82559 Ethernet at irq  7  MAC: 0050.54ff.4d81
mcwa i82558 Ethernet at irq 11  MAC: 00e0.b600.2014
mcwa i82558 Ethernet at irq 11  MAC: 00e0.b600.2015
mcwa i82558 Ethernet at irq 11  MAC: 00e0.b600.2016
mcwa i82558 Ethernet at irq 11  MAC: 00e0.b600.2017
BIOS Flash=AT29C257 @ 0xfffd8000
Old file system detected. Attempting to save data in flash
 

!--- This output indicates that the Flash file
!--- system is formatted. The messages are normal.

Initializing flashfs...
flashfs[7]: Checking block 0...block number was (-10627)
flashfs[7]: erasing block 0...done.
flashfs[7]: Checking block 1...block number was (-14252)
flashfs[7]: erasing block 1...done.
flashfs[7]: Checking block 2...block number was (-15586)
flashfs[7]: erasing block 2...done.
flashfs[7]: Checking block 3...block number was (5589)
flashfs[7]: erasing block 3...done.
flashfs[7]: Checking block 4...block number was (4680)
flashfs[7]: erasing block 4...done.
flashfs[7]: Checking block 5...block number was (-21657)
flashfs[7]: erasing block 5...done.
flashfs[7]: Checking block 6...block number was (-28397)
flashfs[7]: erasing block 6...done.
flashfs[7]: Checking block 7...block number was (2198)
flashfs[7]: erasing block 7...done.
flashfs[7]: Checking block 8...block number was (-26577)
flashfs[7]: erasing block 8...done.
flashfs[7]: Checking block 9...block number was (30139)
flashfs[7]: erasing block 9...done.
flashfs[7]: Checking block 10...block number was (-17027)
flashfs[7]: erasing block 10...done.
flashfs[7]: Checking block 11...block number was (-2608)
flashfs[7]: erasing block 11...done.
flashfs[7]: Checking block 12...block number was (18180)
flashfs[7]: erasing block 12...done.
flashfs[7]: Checking block 13...block number was (0)
flashfs[7]: erasing block 13...done.
flashfs[7]: Checking block 14...block number was (29271)
flashfs[7]: erasing block 14...done.
flashfs[7]: Checking block 15...block number was (0)
flashfs[7]: erasing block 15...done.
flashfs[7]: Checking block 61...block number was (0)
flashfs[7]: erasing block 61...done.
flashfs[7]: inconsistent sector list, fileid 9, parent_fileid 0
flashfs[7]: inconsistent sector list, fileid 10, parent_fileid 0
flashfs[7]: 9 files, 3 directories
flashfs[7]: 0 orphaned files, 0 orphaned directories
flashfs[7]: Total bytes: 15998976
flashfs[7]: Bytes used: 10240
flashfs[7]: Bytes available: 15988736
flashfs[7]: flashfs fsck took 58 seconds.
flashfs[7]: Initialization complete.

Saving the datafile
!
Saving a copy of old datafile for downgrade
!
Saving the configuration
!
Saving a copy of old configuration as downgrade.cfg
!
Saved the activation key from the flash image
Saved the default firewall mode (single) to flash
The version of image file in flash is not bootable in the current version of
software.
Use the downgrade command first to boot older version of software.
The file is being saved as image_old.bin anyway.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Upgrade process complete
Need to burn loader....
Erasing sector 0...[OK]
Burning sector 0...[OK]
Erasing sector 64...[OK]
Burning sector 64...[OK]

Licensed features for this platform:
Maximum Physical Interfaces : 6         
Maximum VLANs               : 25        
Inside Hosts                : Unlimited 
Failover                    : Active/Active
VPN-DES                     : Enabled   
VPN-3DES-AES                : Enabled   
Cut-through Proxy           : Enabled   
Guards                      : Enabled   
URL Filtering               : Enabled   
Security Contexts           : 2         
GTP/GPRS                    : Disabled  
VPN Peers                   : Unlimited 

This platform has an Unrestricted (UR) license.

Encryption hardware device : VAC+ (Crypto5823 revision 0x1)
  --------------------------------------------------------------------------
                                 .            .                             
                                 |            |                             
                                |||          |||                            
                              .|| ||.      .|| ||.                          
                           .:||| | |||:..:||| | |||:.                       
                            C i s c o  S y s t e m s                        
  --------------------------------------------------------------------------

Cisco PIX Security Appliance Software Version 7.0(1) 

  ****************************** Warning *******************************
  This product contains cryptographic features and is
  subject to United States and local country laws
  governing, import, export, transfer, and use.
  Delivery of Cisco cryptographic products does not
  imply third-party authority to import, export,
  distribute, or use encryption. Importers, exporters,
  distributors and users are responsible for compliance
  with U.S. and local country laws. By using this
  product you agree to comply with applicable laws and
  regulations. If you are unable to comply with U.S.
  and local laws, return the enclosed items immediately.

  A summary of U.S. laws governing Cisco cryptographic
  products may be found at:
  http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

  If you require further assistance please contact us by
  sending email to export@cisco.com.
  ******************************* Warning *******************************

Copyright (c) 1996-2005 by Cisco Systems, Inc.

                Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

                Cisco Systems, Inc.
                170 West Tasman Drive
                San Jose, California 95134-1706


!--- These messages are printed for any deprecated commands.

ERROR: This command is no longer needed. The LOCAL user database is always enabled.
 *** Output from config line 71, "aaa-server LOCAL protoco..."
ERROR: This command is no longer needed. The 'floodguard' feature is always enabled.
 *** Output from config line 76, "floodguard enable"

Cryptochecksum(unchanged): 8c224e32 c17352ad 6f2586c4 6ed92303 

!--- All current fixups are converted to the 
!--- new Modular Policy Framework.

INFO: converting 'fixup protocol dns maximum-length 512' to MPF commands
INFO: converting 'fixup protocol ftp 21' to MPF commands
INFO: converting 'fixup protocol h323_h225 1720' to MPF commands
INFO: converting 'fixup protocol h323_ras 1718-1719' to MPF commands
INFO: converting 'fixup protocol http 80' to MPF commands
INFO: converting 'fixup protocol ils 389' to MPF commands
INFO: converting 'fixup protocol netbios 137-138' to MPF commands
INFO: converting 'fixup protocol rsh 514' to MPF commands
INFO: converting 'fixup protocol rtsp 554' to MPF commands
INFO: converting 'fixup protocol sip 5060' to MPF commands
INFO: converting 'fixup protocol skinny 2000' to MPF commands
INFO: converting 'fixup protocol smtp 25' to MPF commands
INFO: converting 'fixup protocol sqlnet 1521' to MPF commands
INFO: converting 'fixup protocol sunrpc_udp 111' to MPF commands
INFO: converting 'fixup protocol tftp 69' to MPF commands
INFO: converting 'fixup protocol sip udp 5060' to MPF commands
INFO: converting 'fixup protocol xdmcp 177' to MPF commands
  ************************************************************************
  **                                                                    **
  **   *** WARNING *** WARNING *** WARNING *** WARNING *** WARNING ***  **
  **                                                                    **
  **          ----> Current image running from RAM only! <----          **
  **                                                                    **
  **  When the PIX was upgraded in Monitor mode the boot image was not  **
  **  written to Flash.  Please issue "copy tftp: flash:" to load and   **
  **  save a bootable image to Flash.  Failure to do so will result in  **
  **  a boot loop the next time the PIX is reloaded.                    **
  **                                                                    **
  ************************************************************************
Type help or '?' for a list of available commands.
pixfirewall>
pixfirewall>enable
Password:
<password>

pixfirewall# 
pixfirewall#copy tftp flash

Address or name of remote host []? 172.18.173.123

Source filename []? pix701.bin

Destination filename [pix701.bin]? 
<enter>


Accessing tftp://172.18.173.123/pix701.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file flash:/pix701.bin...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
5124096 bytes copied in 139.790 secs (36864 bytes/sec)
pixfirewall# 
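The console output of the first 7.x boot carries everything the procedure asks you to check: whether the upgrade completed, whether the image runs from RAM only (so copy tftp flash is still required before any reload), which 6.x commands the new parser rejected, and which fixup commands were rewritten into the Modular Policy Framework. The following Python is an added example and not part of this Cisco document: it reviews a captured console log and states the next required action. The sample log is a constructed excerpt modelled on the output above.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Marker line from the warning box that Monitor-mode upgrades print.
RAM_ONLY_MARKER = "Current image running from RAM only!"
VERSION_RE = re.compile(r"Security Appliance Software Version (\S+)")
# Deprecated-command errors reference the line of the 6.x configuration.
DEPRECATED_RE = re.compile(r'\*\*\* Output from config line (\d+), "([^"]*)"')
MPF_RE = re.compile(r"INFO: converting '([^']+)' to MPF commands")


class BootReview(NamedTuple):
    version: Optional[str]
    upgrade_complete: bool              # "Upgrade process complete" was printed
    running_from_ram_only: bool         # the Monitor-mode warning box was printed
    deprecated: List[Tuple[int, str]]   # (6.x config line, command) pairs rejected by 7.x
    converted_fixups: List[str]         # fixup commands rewritten into MPF


def review_boot_log(log: str) -> BootReview:
    """Summarise the first 7.x console boot after an upgrade."""
    version = None
    deprecated: List[Tuple[int, str]] = []
    fixups: List[str] = []
    for line in log.splitlines():
        m = VERSION_RE.search(line)
        if m:
            version = m.group(1)
        m = DEPRECATED_RE.search(line)
        if m:
            deprecated.append((int(m.group(1)), m.group(2)))
        m = MPF_RE.search(line)
        if m:
            fixups.append(m.group(1))
    return BootReview(
        version=version,
        upgrade_complete="Upgrade process complete" in log,
        running_from_ram_only=RAM_ONLY_MARKER in log,
        deprecated=deprecated,
        converted_fixups=fixups,
    )


def next_action(review: BootReview) -> str:
    """Tell the operator what the upgrade procedure requires next."""
    if not review.upgrade_complete:
        return "upgrade did not report completion; do not reload, review the console output"
    if review.running_from_ram_only:
        return "image is in RAM only; issue 'copy tftp flash' before any reload"
    return "image is in Flash; review the deprecated commands, then proceed"


# Constructed excerpt of a first 7.0(1) boot, modelled on the sample output above.
SAMPLE_BOOT_LOG = """\
Upgrade process complete
Need to burn loader....
Cisco PIX Security Appliance Software Version 7.0(1)
ERROR: This command is no longer needed. The LOCAL user database is always enabled.
 *** Output from config line 71, "aaa-server LOCAL protoco..."
ERROR: This command is no longer needed. The 'floodguard' feature is always enabled.
 *** Output from config line 76, "floodguard enable"
Cryptochecksum(unchanged): 8c224e32 c17352ad 6f2586c4 6ed92303
INFO: converting 'fixup protocol ftp 21' to MPF commands
INFO: converting 'fixup protocol http 80' to MPF commands
  **          ----> Current image running from RAM only! <----          **
pixfirewall>
"""

if __name__ == "__main__":
    review = review_boot_log(SAMPLE_BOOT_LOG)
    print(f"version {review.version}; {len(review.deprecated)} deprecated commands; "
          f"{len(review.converted_fixups)} fixups converted")
    print(next_action(review))
```

Capture the console session in your terminal emulator during the upgrade and feed the saved file to review_boot_log; the deprecated list is the set of 6.x configuration lines you need to reconcile by hand, and next_action refuses to declare the upgrade finished while the RAM-only warning is present.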

Upgrade the PIX Security Appliance with the copy tftp flash Command

Complete these steps to upgrade the PIX with the copy tftp flash command.

  1. Copy the PIX appliance binary image (for example, pix701.bin) to the root directory of the TFTP server.

  2. At the enable prompt, issue the copy tftp flash command.

    pixfirewall>enable
    Password:
    <password>
    
    pixfirewall#copy tftp flash
    
  3. Enter the IP address of the TFTP server.

    Address or name of remote host [0.0.0.0]? <tftp_server_ip_address>
    
  4. Enter the name of the file on the TFTP server that you want to load. This is the PIX binary image file name.

    Source file name [cdisk]?
    <filename>
    
    
  5. When prompted to start the TFTP copy, type yes.

    copying tftp://172.18.173.123/pix701.bin to flash:image
    [yes|no|again]?yes
    
  6. The image is now copied from the TFTP server to Flash.

    These messages appear and indicate that the transfer succeeded, the old binary image in Flash was erased, and the new image was written and installed.

    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    Received 5124096 bytes
    Erasing current image
    Writing 5066808 bytes of image
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    Image installed
    pixfirewall#
  7. Reload the PIX appliance to boot the new image.

    pixfirewall#reload
    Proceed with reload? [confirm] 
    <enter>
    
    
    
    Rebooting....
  8. The PIX now boots the 7.0 image, which completes the upgrade process.

Sample Configuration - Upgrade the PIX Appliance with the copy tftp flash Command

pixfirewall#copy tftp flash
Address or name of remote host [0.0.0.0]? 172.18.173.123
Source file name [cdisk]? pix701.bin
copying tftp://172.18.173.123/pix701.bin to flash:image
[yes|no|again]? yes
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Received 5124096 bytes
Erasing current image
Writing 5066808 bytes of image
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Image installed
pixfirewall# 
pixfirewall#reload
Proceed with reload? [confirm] 
<enter>




Rebooting....

CISCO SYSTEMS PIX FIREWALL
Embedded BIOS Version 4.3.207 01/02/02 16:12:22.73
Compiled by morlee
128 MB RAM

PCI Device Table.
Bus Dev Func VendID DevID Class          Irq
00  00  00   8086   7192  Host Bridge
00  07  00   8086   7110  ISA Bridge
00  07  01   8086   7111  IDE Controller
00  07  02   8086   7112  Serial Bus     9
00  07  03   8086   7113  PCI Bridge
00  0D  00   8086   1209  Ethernet       11
00  0E  00   8086   1209  Ethernet       10
00  13  00   11D4   2F44  Unknown Device 5

Cisco Secure PIX Firewall BIOS (4.2) #0: Mon Dec 31 08:34:35 PST 2001
Platform PIX-515E
System Flash=E28F128J3 @ 0xfff00000

Use BREAK or ESC to interrupt flash boot.
Use SPACE to begin flash boot immediately.
Reading 5063168 bytes of image from flash.
######################################################################
######################################################################
128MB RAM

Total NICs found: 2
mcwa i82559 Ethernet at irq 11  MAC: 0009.4360.ed44
mcwa i82559 Ethernet at irq 10  MAC: 0009.4360.ed43
BIOS Flash=am29f400b @ 0xd8000
Old file system detected. Attempting to save data in flash


!--- This output indicates that the Flash file
!--- system is formatted. The messages are normal.

Initializing flashfs...
flashfs[7]: Checking block 0...block number was (-27642)
flashfs[7]: erasing block 0...done.
flashfs[7]: Checking block 1...block number was (-30053)
flashfs[7]: erasing block 1...done.
flashfs[7]: Checking block 2...block number was (-1220)
flashfs[7]: erasing block 2...done.
flashfs[7]: Checking block 3...block number was (-22934)
flashfs[7]: erasing block 3...done.
flashfs[7]: Checking block 4...block number was (2502)
flashfs[7]: erasing block 4...done.
flashfs[7]: Checking block 5...block number was (29877)
flashfs[7]: erasing block 5...done.
flashfs[7]: Checking block 6...block number was (-13768)
flashfs[7]: erasing block 6...done.
flashfs[7]: Checking block 7...block number was (9350)
flashfs[7]: erasing block 7...done.
flashfs[7]: Checking block 8...block number was (-18268)
flashfs[7]: erasing block 8...done.
flashfs[7]: Checking block 9...block number was (7921)
flashfs[7]: erasing block 9...done.
flashfs[7]: Checking block 10...block number was (22821)
flashfs[7]: erasing block 10...done.
flashfs[7]: Checking block 11...block number was (7787)
flashfs[7]: erasing block 11...done.
flashfs[7]: Checking block 12...block number was (15515)
flashfs[7]: erasing block 12...done.
flashfs[7]: Checking block 13...block number was (20019)
flashfs[7]: erasing block 13...done.
flashfs[7]: Checking block 14...block number was (-25094)
flashfs[7]: erasing block 14...done.
flashfs[7]: Checking block 15...block number was (-7515)
flashfs[7]: erasing block 15...done.
flashfs[7]: Checking block 16...block number was (-10699)
flashfs[7]: erasing block 16...done.
flashfs[7]: Checking block 17...block number was (6652)
flashfs[7]: erasing block 17...done.
flashfs[7]: Checking block 18...block number was (-23640)
flashfs[7]: erasing block 18...done.
flashfs[7]: Checking block 19...block number was (23698)
flashfs[7]: erasing block 19...done.
flashfs[7]: Checking block 20...block number was (-28882)
flashfs[7]: erasing block 20...done.
flashfs[7]: Checking block 21...block number was (2533)
flashfs[7]: erasing block 21...done.
flashfs[7]: Checking block 22...block number was (-966)
flashfs[7]: erasing block 22...done.
flashfs[7]: Checking block 23...block number was (-22888)
flashfs[7]: erasing block 23...done.
flashfs[7]: Checking block 24...block number was (-9762)
flashfs[7]: erasing block 24...done.
flashfs[7]: Checking block 25...block number was (9747)
flashfs[7]: erasing block 25...done.
flashfs[7]: Checking block 26...block number was (-22855)
flashfs[7]: erasing block 26...done.
flashfs[7]: Checking block 27...block number was (-32551)
flashfs[7]: erasing block 27...done.
flashfs[7]: Checking block 28...block number was (-13355)
flashfs[7]: erasing block 28...done.
flashfs[7]: Checking block 29...block number was (-29894)
flashfs[7]: erasing block 29...done.
flashfs[7]: Checking block 30...block number was (-18595)
flashfs[7]: erasing block 30...done.
flashfs[7]: Checking block 31...block number was (22095)
flashfs[7]: erasing block 31...done.
flashfs[7]: Checking block 32...block number was (1486)
flashfs[7]: erasing block 32...done.
flashfs[7]: Checking block 33...block number was (13559)
flashfs[7]: erasing block 33...done.
flashfs[7]: Checking block 34...block number was (24215)
flashfs[7]: erasing block 34...done.
flashfs[7]: Checking block 35...block number was (21670)
flashfs[7]: erasing block 35...done.
flashfs[7]: Checking block 36...block number was (-24316)
flashfs[7]: erasing block 36...done.
flashfs[7]: Checking block 37...block number was (29271)
flashfs[7]: erasing block 37...done.
flashfs[7]: Checking block 125...block number was (0)
flashfs[7]: erasing block 125...done.
flashfs[7]: inconsistent sector list, fileid 7, parent_fileid 0
flashfs[7]: inconsistent sector list, fileid 12, parent_fileid 0
flashfs[7]: 5 files, 3 directories
flashfs[7]: 0 orphaned files, 0 orphaned directories
flashfs[7]: Total bytes: 16128000
flashfs[7]: Bytes used: 5128192
flashfs[7]: Bytes available: 10999808
flashfs[7]: flashfs fsck took 59 seconds.
flashfs[7]: Initialization complete.

Saving the configuration
!
Saving a copy of old configuration as downgrade.cfg
!
Saved the activation key from the flash image
Saved the default firewall mode (single) to flash
Saving image file as image.bin
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Upgrade process complete
Need to burn loader....
Erasing sector 0...[OK]
Burning sector 0...[OK]

Licensed features for this platform:
Maximum Physical Interfaces : 6
Maximum VLANs               : 25
Inside Hosts                : Unlimited
Failover                    : Active/Active
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
Cut-through Proxy           : Enabled
Guards                      : Enabled
URL Filtering               : Enabled
Security Contexts           : 2
GTP/GPRS                    : Disabled
VPN Peers                   : Unlimited

This platform has an Unrestricted (UR) license.

Encryption hardware device : VAC (IRE2141 with 2048KB, HW:1.0, CGXROM:1.9, FW:6.5)
--------------------------------------------------------------------------
                               .            .
                               |            |
                              |||          |||
                            .|| ||.      .|| ||.
                         .:||| | |||:..:||| | |||:.
                          C i s c o  S y s t e m s
--------------------------------------------------------------------------

Cisco PIX Security Appliance Software Version 7.0(1) 

****************************** Warning *******************************
This product contains cryptographic features and is
subject to United States and local country laws
governing, import, export, transfer, and use.
Delivery of Cisco cryptographic products does not
imply third-party authority to import, export,
distribute, or use encryption. Importers, exporters,
distributors and users are responsible for compliance
with U.S. and local country laws. By using this
product you agree to comply with applicable laws and
regulations. If you are unable to comply with U.S.
and local laws, return the enclosed items immediately.

A summary of U.S. laws governing Cisco cryptographic
products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by
sending email to export@cisco.com.
******************************* Warning *******************************

Copyright (c) 1996-2005 by Cisco Systems, Inc.

Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706

!--- These messages are printed for any deprecated commands.

ERROR: This command is no longer needed. The LOCAL user database is always enabled.
*** Output from config line 50, "aaa-server LOCAL protoco..."
ERROR: This command is no longer needed. The 'floodguard' feature is always enabled.
*** Output from config line 55, "floodguard enable"

Cryptochecksum(unchanged): 9fa48219 950977b6 dbf6bea9 4dc97255 

!--- All current fixups are converted to the new Modular Policy Framework.

INFO: converting 'fixup protocol dns maximum-length 512' to MPF commands
INFO: converting 'fixup protocol ftp 21' to MPF commands
INFO: converting 'fixup protocol h323_h225 1720' to MPF commands
INFO: converting 'fixup protocol h323_ras 1718-1719' to MPF commands
INFO: converting 'fixup protocol http 80' to MPF commands
INFO: converting 'fixup protocol netbios 137-138' to MPF commands
INFO: converting 'fixup protocol rsh 514' to MPF commands
INFO: converting 'fixup protocol rtsp 554' to MPF commands
INFO: converting 'fixup protocol sip 5060' to MPF commands
INFO: converting 'fixup protocol skinny 2000' to MPF commands
INFO: converting 'fixup protocol smtp 25' to MPF commands
INFO: converting 'fixup protocol sqlnet 1521' to MPF commands
INFO: converting 'fixup protocol sunrpc_udp 111' to MPF commands
INFO: converting 'fixup protocol tftp 69' to MPF commands
INFO: converting 'fixup protocol sip udp 5060' to MPF commands
INFO: converting 'fixup protocol xdmcp 177' to MPF commands
Type help or '?' for a list of available commands.
pixfirewall>

Note: With an Unrestricted license, the PIX 515E can have a maximum of eight VLANs, and the PIX 535 a maximum of twenty-five VLANs.

Downgrade from PIX 7.x to 6.x

PIX Security Appliance version 7.0 and later uses a different Flash file format than earlier PIX versions. Therefore, you cannot downgrade from a 7.0 image to a 6.x image with the copy tftp flash command; you must use the downgrade command instead. Failure to do so causes the PIX to become stuck in a boot loop.

When the PIX was originally upgraded, the 6.x startup configuration was saved in Flash as downgrade.cfg. When you perform this downgrade procedure, that configuration is restored to the downgraded appliance. You can view it before you downgrade with the more flash:downgrade.cfg command from the enable prompt in 7.0. In addition, if the PIX was upgraded through Monitor mode, the previous 6.x binary image is still saved in Flash as image_old.bin. You can verify that this image exists with the show flash: command. If it is present in Flash, you can use it in step 1 of this procedure instead of loading an image from a TFTP server.

Complete these steps to downgrade your PIX security appliance.

  1. Enter the downgrade command and specify the location of the image you want to downgrade to.

    pixfirewall#downgrade tftp://<tftp_server_ip_address>/<filename>
    

    Note: If the PIX was upgraded from Monitor mode, the old binary image is still saved in Flash. Issue this command to downgrade back to that image:

    pixfirewall#downgrade flash:/image_old.bin
    
  2. A warning message appears and reminds you that Flash is about to be formatted. Press enter to continue.

    This command will reformat the flash and automatically reboot the system.
    Do you wish to continue? [confirm]  
    <enter>
    
    
  3. The image is now copied into RAM, and the startup configuration is also copied into RAM.

    Buffering image
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    
    Buffering startup config
    
    All items have been buffered successfully
  4. A second warning message appears and indicates that Flash now begins to format. Do not interrupt this process, or Flash can become corrupted. Press enter to continue the format.

    If the flash reformat is interrupted or fails, 
    data in flash will be lost
    and the system might drop to monitor mode.
    Do you wish to continue? [confirm] 
    <enter>
    
    
  5. Flash is now formatted, the old image is installed, and the PIX reboots.

    Acquiring exclusive access to flash
    Installing the correct file system for the image and 
    saving the buffered data
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    Flash downgrade succeeded
    
    
    Rebooting....
  6. The PIX now boots to a normal prompt. This completes the downgrade process.

Sample Configuration - Downgrade from PIX 7.x to 6.x

pixfirewall#downgrade tftp://172.18.108.26/pix634.bin
This command will reformat the flash and automatically reboot the system.
Do you wish to continue? [confirm] 
<enter>

Buffering image
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Buffering startup config

All items have been buffered successfully.
If the flash reformat is interrupted or fails, data in flash will be lost
and the system might drop to monitor mode.
Do you wish to continue? [confirm] 
Acquiring exclusive access to flash
Installing the correct file system for the image and saving the buffered data
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Flash downgrade succeeded



Rebooting....


CISCO SYSTEMS PIX FIREWALL
Embedded BIOS Version 4.3.207 01/02/02 16:12:22.73
Compiled by morlee
128 MB RAM

PCI Device Table.
Bus Dev Func VendID DevID Class          Irq
00  00  00   8086   7192  Host Bridge
00  07  00   8086   7110  ISA Bridge
00  07  01   8086   7111  IDE Controller
00  07  02   8086   7112  Serial Bus     9
00  07  03   8086   7113  PCI Bridge
00  0D  00   8086   1209  Ethernet       11
00  0E  00   8086   1209  Ethernet       10
00  13  00   11D4   2F44  Unknown Device 5

Cisco Secure PIX Firewall BIOS (4.2) #0: Mon Dec 31 08:34:35 PST 2001
Platform PIX-515E
System Flash=E28F128J3 @ 0xfff00000

Use BREAK or ESC to interrupt flash boot.
Use SPACE to begin flash boot immediately.
Reading 1962496 bytes of image from flash.
#################################################################################
##############################
128MB RAM
mcwa i82559 Ethernet at irq 11  MAC: 0009.4360.ed44
mcwa i82559 Ethernet at irq 10  MAC: 0009.4360.ed43
System Flash=E28F128J3 @ 0xfff00000
BIOS Flash=am29f400b @ 0xd8000
IRE2141 with 2048KB

-----------------------------------------------------------------------
                     ||        ||
                     ||        ||
                    ||||      ||||
                ..:||||||:..:||||||:..
                 c i s c o  S y s t e m s
Private Internet eXchange
-----------------------------------------------------------------------
Cisco PIX Firewall

Cisco PIX Firewall Version 6.3(4)
Licensed Features:
Failover:                    Enabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Enabled
Maximum Physical Interfaces: 6
Maximum Interfaces:          10
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                Unlimited
Throughput:                  Unlimited
IKE peers:                   Unlimited

This PIX has an Unrestricted (UR) license.


****************************** Warning *******************************
Compliance with U.S. Export Laws and Regulations - Encryption.

This product performs encryption and is regulated for export
by the U.S. Government.

This product is not authorized for use by persons located
outside the United States and Canada that do not have prior
approval from Cisco Systems, Inc. or the U.S. Government.

This product may not be exported outside the U.S. and Canada
either by physical or electronic means without PRIOR approval
of Cisco Systems, Inc. or the U.S. Government.

Persons outside the U.S. and Canada may not re-export, resell
or transfer this product by either physical or electronic means
without prior approval of Cisco Systems, Inc. or the U.S.
Government.
******************************* Warning *******************************

Copyright (c) 1996-2003 by Cisco Systems, Inc.

Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706


Cryptochecksum(unchanged): 9fa48219 950977b6 dbf6bea9 4dc97255 
Type help or '?' for a list of available commands.
pixfirewall>

Upgrade PIX Appliances in a Failover Set

Upgrading a PIX appliance from 6.x to 7.x is a major upgrade. It cannot be done without downtime, even for PIX appliances in a failover set, because many failover commands change with the upgrade. The recommended upgrade path is:

  1. Power off one of the PIX appliances in the failover set.

  2. Follow the instructions in this document to upgrade the PIX that is still powered on.

  3. After the upgrade completes, verify that traffic passes, and reboot the PIX once to verify that it boots without any problems.

  4. If everything looks good, power off the newly upgraded PIX and power on the other PIX.

  5. Follow the instructions in this document to upgrade that PIX.

  6. After the upgrade completes, verify that traffic passes, and reboot that PIX once as well to verify that it boots without any problems.

  7. If everything looks good, power on the other PIX. Both PIX appliances are now upgraded to 7.x and powered on.

  8. Use the show failover command to verify that they establish failover communication normally.

Note: The PIX now enforces this restriction: an interface that passes traffic cannot also be used as the LAN failover interface or the stateful failover interface. If your current PIX configuration has a shared interface that carries both normal traffic and LAN failover or stateful failover information, and you upgrade, traffic no longer passes through that interface. All commands associated with that interface also fail.

Install the Adaptive Security Device Manager (ASDM)

Before you install ASDM, Cisco recommends that you read the release notes for the version you plan to install. The release notes include the minimum supported browser and Java versions, as well as a list of the new features supported and the open caveats.

The procedure to install ASDM in version 7.0 is slightly different from the past. In addition, once the ASDM image has been copied to flash, it must be specified in the configuration so that the PIX knows to use it. Complete these steps to install the ASDM image into flash.

  1. Download the ASDM image from Cisco.com (registered customers only) and place it in the root directory of your TFTP server.

  2. Verify that your PIX has IP connectivity to the TFTP server. To do this, ping the TFTP server from the PIX.

  3. At the enable prompt, issue the copy tftp flash command.

    pixfirewall>enable
    Password: 
    <password>
    
    pixfirewall#copy tftp flash
    
  4. Enter the IP address of the TFTP server.

    Address or name of remote host [0.0.0.0]? <tftp_server_ip_address>
    
  5. Enter the name of the ASDM file on the TFTP server that you want to load.

    Source file name [cdisk]? <filename>
    
  6. Enter the name under which you plan to save the ASDM file in flash. Press enter to keep the same file name.

    Destination filename [asdm-501.bin]? <enter>
    
  7. The image is now copied from the TFTP server to flash. This message appears and indicates that the transfer succeeded.

    Accessing tftp://172.18.173.123/asdm-501.bin...
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    !!!!!!!!!!!!!!!!
    Writing file flash:/asdm-501.bin...
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    !!!!!!!!!!!!!!!!!!!!
    5880016 bytes copied in 140.710 secs (42000 bytes/sec)
  8. After the ASDM image is copied, enter configuration mode and issue the asdm image flash: command to specify the ASDM image to use.

    pixfirewall#configure terminal
    pixfirewall(config)#asdm image flash:asdm-501.bin
    
  9. Save the configuration to flash with the write memory command.

    pixfirewall(config)#write memory
    
  10. This completes the ASDM installation procedure.

Troubleshooting

Symptom: After you upgrade the PIX with the copy tftp flash method and reboot it, it is stuck in this reboot loop:

    Cisco Secure PIX Firewall BIOS (4.0) #0: Thu Mar  2 22:59:20 PST 2000
    Platform PIX-515
    Flash=i28F640J5 @ 0x300

    Use BREAK or ESC to interrupt flash boot.
    Use SPACE to begin flash boot immediately.
    Reading 5063168 bytes of image from flash.

Solution: PIX appliances with a BIOS version earlier than 4.2 cannot be upgraded with the copy tftp flash command. They must be upgraded with the monitor mode method.

Symptom: After the PIX runs version 7.0 and is rebooted, it is stuck in this reboot loop:

    Rebooting....

    Cisco Secure PIX Firewall BIOS (4.0) #0: Thu Mar  2 22:59:20 PST 2000
    Platform PIX-515
    Flash=i28F640J5 @ 0x300

    Use BREAK or ESC to interrupt flash boot.
    Use SPACE to begin flash boot immediately.
    Reading 115200 bytes of image from flash.

    PIX Flash Load Helper

    Initializing flashfs...
    flashfs[0]: 10 files, 4 directories
    flashfs[0]: 0 orphaned files, 0 orphaned directories
    flashfs[0]: Total bytes: 15998976
    flashfs[0]: Bytes used: 1975808
    flashfs[0]: Bytes available: 14023168
    flashfs[0]: Initialization complete.

    Unable to locate boot image configuration

    Booting first image in flash

    No bootable image in flash. Please download
    an image from a network server in the monitor mode

    Failed to find an image to boot

Solution: If the PIX was upgraded to version 7.0 from monitor mode, but the 7.0 image was not copied into flash again after 7.0 booted for the first time, the PIX is stuck in a reboot loop when it is reloaded. The output shows why: the boot loader finds only the Flash Load Helper in flash, and the helper then finds no bootable system image. The solution is to load the image from monitor mode again. After it boots, copy the image once more with the copy tftp flash method.

Symptom: When you upgrade with the copy tftp flash method, you see this error message:

    pixfirewall#copy tftp flash
    Address or name of remote host [0.0.0.0]? 172.18.173.123
    Source file name [cdisk]? pix701.bin
    copying tftp://172.18.173.123/pix701.bin to flash:image
    [yes|no|again]? y
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    Received 5124096 bytes
    Erasing current image
    Insufficient flash space available for this request:
    Size info: request:5066808 current:1966136 delta:3100672 free:2752512
    Image not installed
    pixfirewall#

Solution: This message is typically seen when you upgrade a PIX-535 or a PIX-515 (non-E) with the copy tftp flash method and PDM is also loaded in flash on that PIX. The Size info line shows the problem: the new image needs delta = request - current bytes beyond the space the erased current image frees, and free is smaller than delta. The solution is to upgrade with the monitor mode method.

Symptom: After the PIX is upgraded from version 6.x to version 7.0, some of the configuration is not migrated correctly.

Solution: The output of the show startup-config errors command shows all errors that occurred during configuration migration. The errors appear in this output after the PIX boots for the first time. Review these errors and attempt to resolve them.

Symptom: The PIX runs version 7.x and a newer version has been installed, but when the PIX reboots, the old version continues to load.

Solution: In PIX version 7.x, multiple images can be stored in flash. The PIX first looks in the configuration for boot system flash: commands, which specify the image the PIX needs to boot. If no boot system flash: command is found, the PIX boots the first bootable image in flash. To boot a different version, specify the file with the boot system flash://<filename> command.

Symptom: The ASDM image is loaded in flash, but users cannot load ASDM in their browser.

Solution: First, make sure the ASDM file loaded in flash is specified with the asdm image flash://<asdm_file> command. Second, verify that the http server enable command is present in the configuration. Finally, verify that the host that tries to load ASDM has been permitted with the http <address> <mask> <interface> command. Only hosts matched by an http line can reach ASDM, so keep those lines limited to your management hosts.

Symptom: FTP does not work after the upgrade.

Solution: FTP inspection is not enabled after the upgrade. Enable FTP inspection with one of the two methods shown in the Enable FTP Inspection section.
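Two of the copy tftp flash failures above can be recognized from text the PIX prints before you touch the box again. The following is an added example, not code from Cisco or from this document: it parses a BIOS banner like the one in the first symptom to decide whether copy tftp flash is usable at all (BIOS 4.2 or later) or whether monitor mode is required, and it parses the Size info line of the insufficient-flash error to compute how many bytes short the flash is once the current image has been erased. The sample banner and error text are constructed from the excerpts on this page; the function names and the COPY_TFTP_MIN_BIOS constant are this example's own.

```python
import re

# Sample inputs constructed from the troubleshooting excerpts above.
OLD_BIOS_BANNER = """\
Cisco Secure PIX Firewall BIOS (4.0) #0: Thu Mar  2 22:59:20 PST 2000
Platform PIX-515
Flash=i28F640J5 @ 0x300
"""

INSUFFICIENT_FLASH = """\
Received 5124096 bytes
Erasing current image
Insufficient flash space available for this request:
Size info: request:5066808 current:1966136 delta:3100672 free:2752512
Image not installed
"""

BIOS_RE = re.compile(r"Cisco Secure PIX Firewall BIOS \((\d+)\.(\d+)\)")
SIZE_RE = re.compile(r"request:(\d+)\s+current:(\d+)\s+delta:(\d+)\s+free:(\d+)")
COPY_TFTP_MIN_BIOS = (4, 2)   # copy tftp flash works only from this BIOS on (assumed name)


def bios_version(boot_text):
    """Return the BIOS version as (major, minor) from a boot banner, or None."""
    m = BIOS_RE.search(boot_text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def upgrade_method(boot_text):
    """Pick the upgrade method the BIOS allows: copy tftp flash or monitor mode."""
    ver = bios_version(boot_text)
    if ver is None:
        raise ValueError("no PIX BIOS banner found in input")
    return "copy tftp flash" if ver >= COPY_TFTP_MIN_BIOS else "monitor mode"


def flash_shortfall(error_text):
    """Bytes still missing after the current image is erased (0 if the image fits).

    The PIX erases the current image before it writes the new one, so only
    delta = request - current bytes have to come out of free space.
    """
    m = SIZE_RE.search(error_text)
    if m is None:
        raise ValueError("no 'Size info' line found in input")
    request, current, delta, free = (int(x) for x in m.groups())
    if delta != request - current:
        raise ValueError("delta does not equal request - current; unexpected format")
    return max(0, delta - free)


if __name__ == "__main__":
    print("upgrade method:", upgrade_method(OLD_BIOS_BANNER))   # monitor mode
    print("bytes short:", flash_shortfall(INSUFFICIENT_FLASH))  # 348160
```

Paste the text of show version or of the failed copy into these functions before you schedule the window; a non-zero shortfall or a pre-4.2 BIOS means the monitor mode method, not another copy tftp flash attempt.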

Enable FTP Inspection

FTP inspection can be enabled with either of these two methods:

  • Add FTP to the default/global inspection policy.

    1. If it does not already exist, create the inspection_default class map.

      PIX1#configure terminal
      PIX1(config)#class-map inspection_default
      PIX1(config-cmap)#match default-inspection-traffic
      PIX1(config-cmap)#exit
      
    2. Create or edit the global_policy policy map and enable FTP inspection for the inspection_default class.

      PIX1(config)#policy-map global_policy
      PIX1(config-pmap)#class inspection_default
      PIX1(config-pmap-c)#inspect dns preset_dns_map 
      PIX1(config-pmap-c)#inspect ftp 
      PIX1(config-pmap-c)#inspect h323 h225 
      PIX1(config-pmap-c)#inspect h323 ras 
      PIX1(config-pmap-c)#inspect rsh 
      PIX1(config-pmap-c)#inspect rtsp 
      PIX1(config-pmap-c)#inspect esmtp 
      PIX1(config-pmap-c)#inspect sqlnet 
      PIX1(config-pmap-c)#inspect skinny 
      PIX1(config-pmap-c)#inspect sunrpc 
      PIX1(config-pmap-c)#inspect xdmcp 
      PIX1(config-pmap-c)#inspect sip 
      PIX1(config-pmap-c)#inspect netbios 
      PIX1(config-pmap-c)#inspect tftp
      PIX1(config-pmap-c)#exit
      PIX1(config-pmap)#exit

    3. Apply global_policy globally with a service-policy command.

      PIX1(config)#service-policy global_policy global
      
  • Enable FTP by creating a separate inspection policy.

    PIX1#configure terminal
    PIX1(config)#class-map ftp-traffic
    
    !--- Matches FTP control traffic (TCP port 21). The FTP inspection engine
    !--- then tracks the data connections that the control channel negotiates.

    PIX1(config-cmap)#match port tcp eq ftp
    PIX1(config-cmap)#exit

    PIX1(config)#policy-map ftp-policy
    PIX1(config-pmap)#class ftp-traffic

    !--- Inspection for the FTP traffic is enabled.

    PIX1(config-pmap-c)#inspect ftp
    PIX1(config-pmap-c)#exit
    PIX1(config-pmap)#exit

    !--- Applies the FTP inspection globally.

    PIX1(config)#service-policy ftp-policy global
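Once the upgrade, the ASDM installation and one of the two FTP inspection methods above are done, the items the troubleshooting section lists can all be checked from a saved copy of the running-config. The following is an added example, not code from Cisco or from this document: it reads a 7.x configuration as text and checks for a boot system line, an asdm image line, http server enable, an http line that admits a given management host, and inspect ftp inside a policy map that a global service-policy applies. SAMPLE_CONFIG and FIXED_CONFIG are constructed for this example and the function names are this example's own; the parsing relies on the convention that submode commands in a PIX configuration are indented under their parent command.

```python
import ipaddress

# Constructed sample 7.x running-config (not from the page). The boot, asdm
# and http lines are in place but, as after a real upgrade, inspect ftp is not.
SAMPLE_CONFIG = """\
hostname pixfirewall
boot system flash:/pix701.bin
asdm image flash:/asdm-501.bin
http server enable
http 192.168.1.0 255.255.255.0 inside
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect h323 h225
service-policy global_policy global
"""

# The same config after the first FTP inspection method above is applied.
FIXED_CONFIG = SAMPLE_CONFIG.replace("  inspect h323 h225\n",
                                     "  inspect h323 h225\n  inspect ftp\n")


def policy_map_inspections(lines):
    """Map policy-map name -> set of inspect engines configured under it.

    Top-level (unindented) lines start a new mode; indented lines belong to
    the most recent top-level command, which is how the PIX prints submodes.
    """
    maps, current = {}, None
    for raw in lines:
        if not raw.strip():
            continue
        words = raw.split()
        if not raw.startswith(" "):
            current = words[1] if words[0] == "policy-map" else None
            if current is not None:
                maps.setdefault(current, set())
        elif current is not None and words[0] == "inspect":
            maps[current].add(words[1])
    return maps


def audit(config_text, mgmt_host):
    """Return a list of findings for the checks above; empty means all passed."""
    lines = config_text.splitlines()
    top = [l.strip() for l in lines if l.strip() and not l.startswith(" ")]
    findings = []

    if not any(l.startswith("boot system ") for l in top):
        findings.append("no boot system line: the first bootable image in flash loads")
    if not any(l.startswith("asdm image ") for l in top):
        findings.append("no asdm image line: ASDM cannot be served")
    if "http server enable" not in top:
        findings.append("http server enable is missing")

    # http <address> <mask> <interface> lines decide who may reach ASDM.
    host = ipaddress.ip_address(mgmt_host)
    admitted = False
    for l in top:
        w = l.split()
        if len(w) == 4 and w[0] == "http":
            if host in ipaddress.ip_network(f"{w[1]}/{w[2]}", strict=False):
                admitted = True
    if not admitted:
        findings.append(f"no http line admits management host {mgmt_host}")

    # FTP only works if inspect ftp sits in a policy map applied globally.
    global_maps = {l.split()[1] for l in top
                   if l.startswith("service-policy ") and l.endswith(" global")}
    inspections = policy_map_inspections(lines)
    if not any("ftp" in inspections.get(name, set()) for name in global_maps):
        findings.append("inspect ftp is not in any globally applied policy map")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, "192.168.1.10"):
        print("FINDING:", finding)
```

The audit is read-only and runs on the text saved with show running-config, so it can be repeated on both members of a failover set before the second one is powered on. The http check is deliberately strict: a management host that is not covered by an http line gets a finding, while a line that covers far more than the management hosts is something to tighten by hand.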
    

Obtain a Valid Service Contract

You must have a valid service contract in order to download PIX software. To obtain a service contract, take one of these steps:

  • If you have a direct purchase agreement, contact your Cisco account team.

  • Contact a Cisco partner or reseller to purchase a service agreement.

  • Use the Profile Manager to update your Cisco.com profile and request association with a service agreement.

Document ID: 63879