Switching de LAN : Dispositivos de seguridad Cisco PIX de la serie 500

Actualización PIX 6.3 a un nuevo ejemplo de la configuración del aparato PIX 7.0

17 Octubre 2016 - Traducción Automática
Otras Versiones: PDFpdf | Traducción Manual (15 Abril 2008) | Inglés (22 Agosto 2015) | Comentarios


Contenido


Introducción

Este documento explica cómo actualizar o mover una configuración desde un dispositivo de seguridad PIX que funcione con la versión de software 6.3 a un nuevo dispositivo de seguridad PIX que funcione con la versión de software 7.0.

Nota: Administradores que Actualizar software la versión 6.2 o 6.3 a la versión 7.0 en el mismo dispositivo PIX debe referir a la guía para los usuarios del Cisco PIX 6.2 y 6.3 que actualizan a la versión de software 7.0 del Cisco PIX.

prerrequisitos

Requisitos

Este documento se diseña para ayudar a los administradores con la migración de una configuración PIX a un nuevo dispositivo. Este documento no debe ser un reemplazo para los documentos enumerados aquí. Se recomienda fuertemente que usted lee y entiende estos dos documentos antes de que usted actualice y utilice la versión de software PIX 7.x.

Nota: Salve y copie sus configuraciones a un archivo de texto o a un servidor TFTP antes de cualquier intento de actualización. Para descargar la versión de software libre del servidor TFTP, Cisco recomienda que usted utiliza el TFTPD32leavingcisco.com .

Componentes Utilizados

La información que contiene este documento se basa en las siguientes versiones de software y hardware.

  • Dispositivo de seguridad PIX 515E con la versión de software 6.3.5

  • Dispositivo de seguridad PIX 515E con la versión de software 7.0.6

La información que contiene este documento se creó a partir de los dispositivos en un ambiente de laboratorio específico. Todos los dispositivos que se utilizan en este documento se pusieron en funcionamiento con una configuración verificada (predeterminada). Si la red está funcionando, asegúrese de haber comprendido el impacto que puede tener cualquier comando.

Convenciones

Consulte Convenciones de Consejos TécnicosCisco para obtener más información sobre las convenciones del documento.

Configurar

En esta sección encontrará la información para configurar las funciones descritas en este documento.

Nota: Utilice la herramienta Command Lookup Tool (clientes registrados solamente) para obtener más información sobre los comandos utilizados en esta sección.

En este documento, se utilizan estas configuraciones:

Configuración de la versión de software PIX 6.3.5

El documento comienza con un PIX 515E y versión de software 6.3.5. La configuración incluye varias opciones encontradas típicamente en los entornos de producción.

pix515e#show version

Cisco PIX Firewall Version 6.3(5)

Compiled on Thu 04-Aug-05 21:40 by morlee

pix515e up 39 secs

Hardware:   PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

0: ethernet0: address is 0012.4364.ea30, irq 10
1: ethernet1: address is 0012.4364.ea31, irq 11
2: ethernet2: address is 00e0.b602.fe67, irq 11
3: ethernet3: address is 00e0.b602.fe66, irq 10
4: ethernet4: address is 00e0.b602.fe65, irq 9
5: ethernet5: address is 00e0.b602.fe64, irq 5
Licensed Features:
Failover:                    Enabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Enabled
Maximum Physical Interfaces: 6
Maximum Interfaces:          10
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                Unlimited
Throughput:                  Unlimited
IKE peers:                   Unlimited

This PIX has an Unrestricted (UR) license.

Serial Number: 
Running Activation Key: 0x8e62bc4d 0x20ffa2ba 0x52ea1945 0x9bb024fb 
Configuration has not been modified since last system restart.
Configuración PIX 6.3.5
pix515e#show running-config
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
interface ethernet3 vlan30 physical
interface ethernet3 vlan40 logical
interface ethernet3 vlan50 logical
interface ethernet4 auto shutdown
interface ethernet5 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 vlan30 security85
nameif ethernet4 intf4 security8
nameif ethernet5 failover security99
nameif vlan40 vlan40 security90
nameif vlan50 vlan50 security90
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix515e
domain-name companyx.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
no fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network inside_networks 
  network-object 172.22.1.0 255.255.255.0 
  network-object 172.31.0.0 255.255.0.0 
  network-object 172.16.0.0 255.255.0.0 
access-list inside permit ip object-group inside_networks any 
access-list outside permit tcp any host 10.0.0.100 eq www 
access-list outside permit tcp any host 10.0.0.100 eq https 
access-list outside permit tcp any host 10.0.0.150 eq smtp 
access-list dmz permit tcp host 192.168.0.150 host 172.22.1.200 eq telnet 
access-list dmz deny ip any object-group inside_networks 
access-list dmz permit ip 192.168.0.0 255.255.255.0 any 
access-list vpn permit ip 172.22.1.0 255.255.255.0 10.255.1.0 255.255.255.0 
access-list vpn permit ip 10.255.1.0 255.255.255.0 172.22.1.0 255.255.255.0 
access-list inside_nonat permit ip any 3.3.3.0 255.255.255.0 
access-list inside_nonat permit ip 172.22.1.0 255.255.255.0 10.255.1.0 255.255.255.0 
pager lines 24
logging on
logging buffered debugging
logging trap informational
logging host dmz 192.168.0.2
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu vlan30 1500
mtu intf4 1500
mtu failover 1500
ip address outside 10.0.0.1 255.255.255.0
ip address inside 172.22.1.159 255.255.255.0
ip address dmz 192.168.0.1 255.255.255.0
ip address vlan30 172.22.30.1 255.255.255.0
no ip address intf4
ip address failover 1.1.1.1 255.255.255.252
ip address vlan40 172.22.40.1 255.255.255.0
ip address vlan50 172.22.50.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool migratepool 3.3.3.1-3.3.3.254
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 10.0.0.2
failover ip address inside 172.22.1.251
failover ip address dmz 192.168.0.2
failover ip address vlan30 172.22.30.2
no failover ip address intf4
failover ip address failover 1.1.1.2
failover ip address vlan40 172.22.40.2
failover ip address vlan50 172.22.50.2
failover link failover
pdm history enable
arp timeout 14400
global (outside) 1 10.0.0.50
global (dmz) 1 192.168.0.10
nat (inside) 0 access-list inside_nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (vlan30) 1 0.0.0.0 0.0.0.0 0 0
nat (vlan40) 1 0.0.0.0 0.0.0.0 0 0
nat (vlan50) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) 10.0.0.100 192.168.0.100 netmask 255.255.255.255 0 0 
static (dmz,outside) 10.0.0.150 192.168.0.150 netmask 255.255.255.255 0 0 
static (inside,dmz) 172.22.1.200 172.22.1.200 netmask 255.255.255.255 0 0 
access-group outside in interface outside
access-group inside in interface inside
access-group dmz in interface dmz
router ospf 100
  network 172.22.1.0 255.255.255.0 area 0 
  log-adj-changes
  redistribute connected
  redistribute static
route outside 0.0.0.0 0.0.0.0 10.0.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server TACACS+ max-failed-attempts 3 
aaa-server TACACS+ deadtime 10 
aaa-server RADIUS protocol radius 
aaa-server RADIUS max-failed-attempts 3 
aaa-server RADIUS deadtime 10 
aaa-server LOCAL protocol local 
aaa-server acs protocol tacacs+ 
aaa-server acs max-failed-attempts 3 
aaa-server acs deadtime 10 
aaa-server acs (inside) host 172.22.1.254 test timeout 10
aaa authentication ssh console acs
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
crypto ipsec transform-set sha3des esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match address vpn
crypto map vpn 10 set peer 10.255.255.1
crypto map vpn 10 set transform-set sha3des
crypto map vpn 20 ipsec-isakmp dynamic outside_dyn_map
crypto map vpn interface outside
isakmp enable outside
isakmp key ******** address 10.255.255.1 netmask 255.255.255.255 
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
vpngroup migration address-pool migratepool
vpngroup migration idle-time 1800
vpngroup migration password ********
telnet 172.22.1.0 255.255.255.0 inside
telnet timeout 5
ssh 172.22.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
terminal width 80
: end

Aplique una configuración de la versión de software PIX 6.3.5 a la versión de software PIX 7.0

Esta sección describe cómo mover la configuración de la versión de software PIX 6.3.5 a un nuevo PIX con la versión de software 7.0.

De PIX 6.3.5, transferencia la configuración a un servidor TFTP.

pix515e#write net 172.22.1.235:pix515e635 
Building configuration...
TFTP write 'pix515e635' at 172.22.1.235 on interface 1
[OK]
pix515e# 

Ahora que la configuración se ha guardado a un servidor TFTP, el nuevo PIX con la versión de software 7.0 puede extraer la configuración.

pixfirewall#configure terminal
pixfirewall(config)#interface e1
pixfirewall(config-if)#no shut
pixfirewall(config-if)#nameif inside
INFO: Security level for "inside" set to 100 by default.
pixfirewall(config-if)#ip address 172.22.1.159 255.255.255.0
pixfirewall(config-if)#exit

!--- The new appliance needs a temporary configuration 
!--- to allow the 6.3.5 configuration
!--- to be transfered (TFTP) to the new appliance. The new PIX can be assigned any
!--- available IP address.

pixfirewall(config)# 
pixfirewall(config)#exit
pixfirewall#copy tftp startup-config

Address or name of remote host []? 172.22.1.235

Source filename []? pix515e635

Accessing tftp://172.22.1.235/pix515e635...!!
Writing system file...
!!
5867 bytes copied in 0.180 secs
pixfirewall(config)#reload

!--- Disconnect the new appliance from the network. After the device reloads,
!--- the device has the IP address of the production PIX 6.3.5.  
!--- Disconnecting the new device prevents duplicate 
!--- IP addresses on the network.

Proceed with reload? [confirm] 
pixfirewall(config)# 


***
*** --- START GRACEFUL SHUTDOWN ---
Shutting down isakmp
Shutting down File system



***
*** --- SHUTDOWN NOW ---



Rebooting....


CISCO SYSTEMS PIX FIREWALL
Embedded BIOS Version 4.3.207 01/02/02 16:12:22.73
Compiled by morlee
128 MB RAM

PCI Device Table.
Bus Dev Func VendID DevID Class              Irq
 00  00  00   8086   7192  Host Bridge        
 00  07  00   8086   7110  ISA Bridge         
 00  07  01   8086   7111  IDE Controller     
 00  07  02   8086   7112  Serial Bus         9
 00  07  03   8086   7113  PCI Bridge         
 00  0D  00   8086   1209  Ethernet           11
 00  0E  00   8086   1209  Ethernet           10
 00  13  00   1011   0026  PCI-to-PCI Bridge  
 01  00  00   8086   1229  Ethernet           11
 01  01  00   8086   1229  Ethernet           10
 01  02  00   8086   1229  Ethernet           9
 01  03  00   8086   1229  Ethernet           5

Cisco Secure PIX Firewall BIOS (4.2) #0: Mon Dec 31 08:34:35 PST 2001
Platform PIX-515E
System Flash=E28F128J3 @ 0xfff00000

Use BREAK or ESC to interrupt flash boot.
Use SPACE to begin flash boot immediately.
Reading 123392 bytes of image from flash.       

PIX Flash Load Helper

Initializing flashfs...
flashfs[0]: 5 files, 2 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 16128000
flashfs[0]: Bytes used: 5483008
flashfs[0]: Bytes available: 10644992
flashfs[0]: Initialization complete.

Unable to locate boot image configuration

Booting first image in flash

Launching image flash:/pix706.bin
######################################################################
128MB RAM

Total NICs found: 6
mcwa i82559 Ethernet at irq 11  MAC: 0012.4364.ea31
mcwa i82559 Ethernet at irq 10  MAC: 0012.4364.ea30
mcwa i82558 Ethernet at irq 11  MAC: 00e0.b602.fe67
mcwa i82558 Ethernet at irq 10  MAC: 00e0.b602.fe66
mcwa i82558 Ethernet at irq  9  MAC: 00e0.b602.fe65
mcwa i82558 Ethernet at irq  5  MAC: 00e0.b602.fe64
BIOS Flash=am29f400b @ 0xd8000

Initializing flashfs...
flashfs[7]: 5 files, 2 directories
flashfs[7]: 0 orphaned files, 0 orphaned directories
flashfs[7]: Total bytes: 16128000
flashfs[7]: Bytes used: 5483008
flashfs[7]: Bytes available: 10644992
flashfs[7]: flashfs fsck took 16 seconds.
flashfs[7]: Initialization complete.


Licensed features for this platform:
Maximum Physical Interfaces : 6         
Maximum VLANs               : 25        
Inside Hosts                : Unlimited 
Failover                    : Active/Active
VPN-DES                     : Enabled   
VPN-3DES-AES                : Enabled   
Cut-through Proxy           : Enabled   
Guards                      : Enabled   
URL Filtering               : Enabled   
Security Contexts           : 2         
GTP/GPRS                    : Disabled  
VPN Peers                   : Unlimited 

This platform has an Unrestricted (UR) license.

  --------------------------------------------------------------------------
                                 .            .                             
                                 |            |                             
                                |||          |||                            
                              .|| ||.      .|| ||.                          
                           .:||| | |||:..:||| | |||:.                       
                            C i s c o  S y s t e m s                        
  --------------------------------------------------------------------------

Cisco PIX Security Appliance Software Version 7.0(6) 

  ****************************** Warning *******************************
  This product contains cryptographic features and is
  subject to United States and local country laws
  governing, import, export, transfer, and use.
  Delivery of Cisco cryptographic products does not
  imply third-party authority to import, export,
  distribute, or use encryption. Importers, exporters,
  distributors and users are responsible for compliance
  with U.S. and local country laws. By using this
  product you agree to comply with applicable laws and
  regulations. If you are unable to comply with U.S.
  and local laws, return the enclosed items immediately.

  A summary of U.S. laws governing Cisco cryptographic
  products may be found at:
  http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

  If you require further assistance please contact us by
  sending email to export@cisco.com.
  ******************************* Warning *******************************

Copyright (c) 1996-2006 by Cisco Systems, Inc.

                Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

                Cisco Systems, Inc.
                170 West Tasman Drive
                San Jose, California 95134-1706

!--- PIX version 7.x reports its progress in 
!--- converting the 6.x configuration that it encounters.

.WARNING: interface dmz security level is 50.
*** Output from config line 115, "logging host dmz 192.168..."
INFO: Only classful networks will be redistributed 
*** Output from config line 215, "  redistribute connected"
INFO: Only classful networks will be redistributed 
*** Output from config line 217, "  redistribute static"
.
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
           ^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 229, "timeout sip-disconnect 0..."
ERROR: This command is no longer needed. The LOCAL user database is always enabled.
 *** Output from config line 245, "aaa-server LOCAL protoco..."
ERROR: This command is no longer needed. The 'floodguard' feature is always enabled.
 *** Output from config line 265, "floodguard enable"
WARNING: the 'vpngroup' command has been deprecated, 
and will be converted to the corresponding tunnel-group and group-policy syntax
*** Output from config line 313, "vpngroup migration addre..."
WARNING: the 'vpngroup' command has been deprecated, 
and will be converted to the corresponding tunnel-group and group-policy syntax
*** Output from config line 315, "vpngroup migration idle-..."
WARNING: the 'vpngroup' command has been deprecated, 
and will be converted to the corresponding tunnel-group and group-policy syntax
*** Output from config line 317, "vpngroup migration passw..."

Cryptochecksum (changed): 183101e6 b5760521 21f9fe61 bc9d29ed 
INFO: converting 'fixup protocol dns maximum-length 512' to MPF commands
INFO: converting 'fixup protocol ftp 21' to MPF commands
INFO: converting 'fixup protocol h323_h225 1720' to MPF commands
INFO: converting 'fixup protocol h323_ras 1718-1719' to MPF commands
INFO: converting 'fixup protocol http 80' to MPF commands
INFO: converting 'fixup protocol netbios 137-138' to MPF commands
INFO: converting 'fixup protocol rtsp 554' to MPF commands
INFO: converting 'fixup protocol sip 5060' to MPF commands
INFO: converting 'fixup protocol skinny 2000' to MPF commands
INFO: converting 'fixup protocol sqlnet 1521' to MPF commands
INFO: converting 'fixup protocol sunrpc_udp 111' to MPF commands
INFO: converting 'fixup protocol tftp 69' to MPF commands
INFO: converting 'fixup protocol sip udp 5060' to MPF commands
INFO: converting 'fixup protocol xdmcp 177' to MPF commands
Type help or '?' for a list of available commands.
pix515e> en
Password: 
pix515e#

Aplique una configuración de la versión de software PIX 6.3.5 a la versión de software 7.0 ASA

La conversión de un PIX 6.2 o la configuración 6.3 a un nuevo dispositivo de seguridad ASA es un Proceso manual. ASA/PIX requieren al administrador convertir el sintaxis PIX 6.x para hacer juego el sintaxis ASA y para teclear los comandos en la configuración ASA. Puede cortar y pegar algunos comandos, como access-list. Esté seguro de comparar de cerca el PIX 6.2 o la configuración 6.3 a la nueva configuración ASA para asegurarse que no se ha incurrido en ningunas equivocaciones en la conversión.

Nota: El proceso para actualizar a un nuevo dispositivo ASA es diferente de una actualización a un nuevo Dispositivo de PIX. Una tentativa de actualizar a un ASA con el proceso PIX genera varios Errores de configuración en el ASA.

Verificación

Verifique la configuración nuevamente actualizada al PIX 6.2 o la configuración 6.3 guardada antes de la actualización. Compare cada línea previamente de la configuración guardada con la nueva configuración. Aunque el sintaxis ha cambiado, las directivas del dispositivo (Seguridad, encaminamiento, interfaz, y así sucesivamente) deben ser lo mismo.

Troubleshooting

Actualmente, no hay información específica de troubleshooting disponible para esta configuración.


Información Relacionada


Document ID: 71928