
Upgrading the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module from Release 2.x to Release 3.1

Table Of Contents

Upgrading the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module from Release 2.x to Release 3.1

New Features

Upgrading the FWSM from Release 2.x to 3.1

Upgrade Requirements

Backing up the Configuration

Backing up the Single Mode Configuration or Multiple Mode System Configuration

Backing Up a Context Configuration in Flash Memory

Backing Up a Context Configuration within a Context

Copying the Configuration from the Terminal Display

Upgrading Maintenance Software to Release 2.1(2)

Checking the Maintenance Software Release

Upgrading the Maintenance Software

Upgrading the Application Software

Upgrading Application Software from the FWSM CLI

Upgrading Application Software Using the Maintenance Partition

Removing Unused Commands from the System Configuration

Upgrading from PDM to ASDM

Upgrade Examples

Single Mode Sample Configurations

Multiple Mode Sample Configurations

Restoring the FWSM to Release 2.x

Downloading Release 2.x to the Current Application Partition

Booting Release 2.x from the Backup Application Partition

Installing Release 2.x and Booting in to the Backup Application Partition

Changed and Deprecated Commands

Command Overview

Summary of Changes

CLI Processor

Show, Clear, and No Commands

Context-Sensitive Help Changes

Command Syntax Checking

Mode Navigation Changes

Documentation Terminology Changes

Application Inspection (fixup Command)

Mixed Routed and Transparent Firewall Mode

Transparent Mode Bridge Groups

Interfaces

AAA

MGCP

NAT

Miscellaneous Commands

Failover

Logging Commands

Device Management Commands

VPN Commands

Group Management

Remote Peers

Xauth

Public Key Infrastructure (PKI) Commands

Summary of Changes in the VPN Commands

Obtaining More Information

Obtaining Documentation

Cisco.com

Documentation DVD

Ordering Documentation

Documentation Feedback

Cisco Product Security Overview

Reporting Security Problems in Cisco Products

Obtaining Technical Assistance

Cisco Technical Support Website

Submitting a Service Request

Definitions of Service Request Severity

Obtaining Additional Publications and Information


Upgrading the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module from Release 2.x to Release 3.1


This guide describes how to upgrade from FWSM Release 2.2 or 2.3 to FWSM Release 3.1, and lists the features and commands that have changed or been deprecated in FWSM Release 3.1.

This guide is written for FWSM administrators with an understanding of FWSM CLI commands and features and with experience configuring the FWSM. This document includes the following sections:

New Features

Upgrading the FWSM from Release 2.x to 3.1

Restoring the FWSM to Release 2.x

Changed and Deprecated Commands

Obtaining More Information

New Features

This section includes a brief summary of new features in Release 3.1. For more information on these features and the accompanying CLI commands, see the following documents:

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide

Online Help for ASDM (previously known as PDM for FWSM)

FWSM Release 3.1 introduces the following new functionality and features:

AAA

Support for simultaneous RADIUS accounting servers

Accounting for management traffic

Configuring an FTP authentication challenge

MAC address-based AAA exemption

Cut-through proxy authentication using the local database

Access Lists

Time-based ACEs

Modular Policy Framework

Access list editing with line numbers

Using the interface keyword as an address in access lists

NAT

Configurable NAT control

Overlapping static NAT configuration

Inspection Engines (Fixups)

TCP stream assembly for application inspection

Persistent TCP connections and TCP pools for URL filtering

Configurable application inspection engines

ESMTP application inspection

FTP command filtering

ActiveX and Java filtering

Enhanced PPTP PAT and application inspection

VoIP Inspection Engines (Fixups)

Enhanced H.323 application inspection (for T.38 and GKRCS)

MGCP NAT

GTP application inspection

SIP instant messaging application inspection

TAPI/CTIQBE application inspection

Skinny video support

Application Firewall

Enhanced HTTP application inspection

Detecting and blocking applications and attacks tunneled over HTTP

RFC compliance checking

HTTP command filtering

MIME type filtering

Checking for minimum and maximum size of the HTTP message, header length and URI

Content validation

HTTP message filtering based on keywords

High Availability

Active/Active failover

Preempt option for Active/Active failover

Scalability

Support for 250 security contexts

Save all context configurations from the system execution space

Increasing the number of global statements to 4 K

Enhanced access list memory

Sessions for non-TCP/UDP packets

Support up to ten DHCP relay statements

Support for 80 HTTPS sessions to ASDM

Network Integration

Mixed routed and transparent mode support for contexts

Multiple pairs of interfaces in transparent mode

Private VLAN support

Enabling DHCP relay on specific interfaces

Core IP Enhancements

IPv6

Asymmetric routing support

Multicast support in single mode

OSPF neighbor support

Monitoring and Management

SSHv2

Ping, logging, and memory management enhancements

Syslog server failure policy for TCP transport

4K certificate support

SNMPv2c

Additional MIBs

Enhanced parser and CLI

Extra information in the command prompt

Debug message timestamp

System execution space logging to external syslog server using the admin context

ACE information as part of message 106023

Upgrading the FWSM from Release 2.x to 3.1

This section describes how to upgrade the FWSM to 3.1, and includes the following topics:

Upgrade Requirements

Backing up the Configuration

Upgrading Maintenance Software to Release 2.1(2)

Upgrading the Application Software

Removing Unused Commands from the System Configuration

Upgrading from PDM to ASDM

Upgrade Examples

Upgrade Requirements

You must install maintenance software Release 2.1(2) before you upgrade to FWSM Release 3.1. See the "Upgrading Maintenance Software to Release 2.1(2)" section for more information.

Client PC operating system and browser requirements for ASDM Version 5.0F are listed in Table 1.

Table 1 Operating System and Browser Requirements for ASDM Version 5.0F

Windows (1)
  Operating system:   Windows 2000 (Service Pack 4) or Windows XP
  Browser:            Internet Explorer 6.0 with Java Plug-in 1.4.2 or 1.5.0, or
                      Netscape 7.1/7.2 with Java Plug-in 1.4.2 or 1.5.0
  Other requirements: HTTP 1.1: under Internet Options > Advanced, use HTTP 1.1 for
                      both proxy and non-proxy connections.
                      SSL encryption settings: enable all available SSL encryption
                      options in the browser preferences.

Sun Solaris
  Operating system:   Sun Solaris 8 or 9 running the CDE window manager
  Browser:            Mozilla 1.7.3 with Java Plug-in 1.4.2 or 1.5.0

Linux
  Operating system:   Red Hat Linux 9.0 or Red Hat Linux WS, Version 3, running GNOME or KDE
  Browser:            Mozilla 1.7.3 with Java Plug-in 1.4.2 or 1.5.0

(1) ASDM is not supported on Windows 3.1, 95, 98, ME, or Windows NT4.


Backing up the Configuration

This section describes how to back up your configuration before beginning the upgrade procedure. You might need the original configuration if you have to restore Release 2.x. See the "Restoring the FWSM to Release 2.x" section.


Note If you are running failover, be sure to back up the configuration from both units; be sure to save the synchronized configuration on the secondary unit (use the write memory command) so that it can run independently with a full configuration.


To back up your configuration, use the following methods:

Backing up the Single Mode Configuration or Multiple Mode System Configuration

Backing Up a Context Configuration in Flash Memory

Backing Up a Context Configuration within a Context

Copying the Configuration from the Terminal Display


Note If you have contexts on an external server, make copies of the contexts on the server.


Backing up the Single Mode Configuration or Multiple Mode System Configuration

In single context mode or from the system configuration in multiple mode, you can copy the startup configuration or running configuration to an external server or to the local Flash memory:

To copy to a TFTP server, enter the following command:

hostname# copy {startup-config | running-config} tftp://server[/path]/filename

To copy to a FTP server, enter the following command:

hostname# copy {startup-config | running-config} 
ftp://[user[:password]@]server[/path]/filename

To copy to local Flash memory, enter the following command:

hostname# copy {startup-config | running-config} disk:[path/]filename

Be sure the destination directory exists. If it does not exist, first create the directory using the mkdir command.

Backing Up a Context Configuration in Flash Memory

In multiple context mode, copy context configurations that are on the local Flash memory by entering one of the following commands in the system execution space:

To copy to a TFTP server, enter the following command:

hostname# copy disk:[path/]filename tftp://server[/path]/filename

To copy to a FTP server, enter the following command:

hostname# copy disk:[path/]filename ftp://[user[:password]@]server[/path]/filename

To copy to local Flash memory, enter the following command:

hostname# copy disk:[path/]filename disk:[path/]newfilename

Be sure the destination directory exists. If it does not exist, first create the directory using the mkdir command.

For example, copy the admin.cfg file to a 2_3 subdirectory:

hostname# mkdir 2_3
Create directory filename [2_3]?

Created dir disk:/2_3
hostname# copy disk:admin.cfg disk:2_3/admin.cfg

Backing Up a Context Configuration within a Context

In multiple context mode, from within a context, you can perform the following backups:

To copy the running configuration to the startup configuration server (connected to the admin context), enter the following command:

hostname/contexta# copy running-config startup-config

To copy the running configuration to a TFTP server connected to the context network, enter the following command:

hostname/contexta# copy running-config tftp://server[/path]/filename

Copying the Configuration from the Terminal Display

To print the configuration to the terminal, enter the following command:

hostname# show running-config

Copy the output from this command, then paste the configuration in to a text file.
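Before the upgrade it is worth checking, off-box, that every context named in the multiple-mode system configuration actually has a usable backup copy, and recording a hash of each copy so it can be verified again before a rollback to 2.x. The following script is an added example, not part of this guide or of the FWSM software: it parses the context and config-url stanzas of a system configuration (the stanza layout and the sample configuration are assumptions; check them against your own system configuration), looks for the matching file in a backup directory, and reports which contexts still lack a non-empty backup. Contexts whose config-url points at an external server are exactly the ones you must copy on that server by hand, as the Note above says.

```python
import hashlib
import os
import re
import tempfile
from typing import Dict, List

# Constructed multiple-mode system configuration (assumption: the
# "context NAME" / "config-url URL" stanza layout shown here).
SAMPLE_SYSTEM_CONFIG = """\
hostname fwsm
admin-context admin
context admin
  allocate-interface vlan100
  config-url disk:/admin.cfg
context contexta
  allocate-interface vlan200
  config-url tftp://10.1.1.5/contexts/contexta.cfg
context contextb
  allocate-interface vlan300
  config-url disk:2_3/contextb.cfg
"""

_CONTEXT_RE = re.compile(r"^context\s+(\S+)$")
_URL_RE = re.compile(r"^config-url\s+(\S+)$")


def context_config_urls(system_config: str) -> Dict[str, str]:
    """Map each context name to its config-url in a system configuration."""
    urls: Dict[str, str] = {}
    current = None
    for raw in system_config.splitlines():
        line = raw.strip()
        m = _CONTEXT_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = _URL_RE.match(line)
        if m and current:
            urls[current] = m.group(1)
    return urls


def backup_filename(config_url: str) -> str:
    """Basename of a config-url: disk:/admin.cfg -> admin.cfg,
    disk:2_3/contextb.cfg -> contextb.cfg, tftp://h/p/x.cfg -> x.cfg."""
    return config_url.rsplit("/", 1)[-1].split(":", 1)[-1]


def verify_backups(system_config: str, backup_dir: str) -> Dict[str, dict]:
    """For every context, check that a non-empty backup copy exists in
    backup_dir and record its SHA-256 so the file can be re-verified
    before a rollback to 2.x."""
    report: Dict[str, dict] = {}
    for name, url in context_config_urls(system_config).items():
        path = os.path.join(backup_dir, backup_filename(url))
        present = os.path.isfile(path) and os.path.getsize(path) > 0
        digest = None
        if present:
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
        report[name] = {"url": url, "path": path, "present": present, "sha256": digest}
    return report


def missing_backups(report: Dict[str, dict]) -> List[str]:
    """Names of contexts whose backup is absent or empty."""
    return sorted(name for name, entry in report.items() if not entry["present"])


def demo() -> List[str]:
    """Write two of the three context backups into a scratch directory, leave
    an empty file for the third, and report which context is still missing."""
    with tempfile.TemporaryDirectory() as tmp:
        for fname in ("admin.cfg", "contextb.cfg"):
            with open(os.path.join(tmp, fname), "w") as fh:
                fh.write("hostname %s\n" % fname[:-4])
        # An empty file is not a valid backup and must be reported.
        open(os.path.join(tmp, "contexta.cfg"), "w").close()
        return missing_backups(verify_backups(SAMPLE_SYSTEM_CONFIG, tmp))


if __name__ == "__main__":
    print("contexts without a usable backup:", demo())
```

Run it against the system configuration you saved with copy running-config and the directory that holds the per-context copies; anything it lists has to be backed up (or re-copied from the external server) before you continue.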

Upgrading Maintenance Software to Release 2.1(2)

You must install maintenance software Release 2.1(2) or later before you upgrade to FWSM Release 3.1. The latest maintenance release also works with FWSM Release 2.x, so if you later have to restore the FWSM to Release 2.x, this procedure will not prevent it.


Note If you are running failover, be sure to upgrade the maintenance software on both units.


This section includes the following topics:

Checking the Maintenance Software Release

Upgrading the Maintenance Software

Checking the Maintenance Software Release

To determine the maintenance software release, boot in to the maintenance partition and view the release by performing the following steps:


Step 1 If necessary, end the FWSM session by entering the following command:

hostname# exit

Logoff

[Connection to 127.0.0.31 closed by foreign host]
Router#

You might need to enter the exit command multiple times if you are in a configuration mode.

Step 2 To boot the FWSM into the maintenance partition, enter the command for your operating system at the switch prompt:

For Cisco IOS, enter the following command:

Router# hw-module module mod_num reset cf:1

For Catalyst operating system software, enter the following command:

Console> (enable) reset mod_num cf:1

Step 3 To session in to the FWSM, enter the command for your operating system:

Cisco IOS software

Router# session slot mod_num processor 1

Catalyst operating system software

Console> (enable) session module_number

Step 4 To log in to the FWSM maintenance partition as root, enter the following command:

Login: root

Step 5 Enter the password at the prompt:

Password:

By default, the password is cisco.

The FWSM shows the version when you first log in, as in the following example:

Maintenance image version: 2.1(2)

Step 6 To view the maintenance version after you log in, enter the following command:

root@localhost# show version

Maintenance image version: 2.1(2)
mp.2-1-2.bin : Thu Nov 18 11:41:36 PST 2004 : integ@kplus-build-lx.cisco.com

Line Card Number :WS-SVC-FWM-1
Number of Pentium-class Processors :       2
BIOS Vendor: Phoenix Technologies Ltd.
BIOS Version: 4.0-Rel 6.0.9
Total available memory: 1004 MB
Size of compact flash: 123 MB
Daughter Card Info: Number of DC Processors: 3
Size of DC Processor Memory (per proc): 32 MB


Upgrading the Maintenance Software

To upgrade the maintenance software, perform the following steps. If you have a failover pair, upgrade the standby unit first, and then the active unit. The standby unit will become active while the formerly active unit is upgrading.


Step 1 Download the maintenance software from Cisco.com at the following URL:

http://www.cisco.com/pcgi-bin/tablebuild.pl/cat6000-serv-maint

Put the software on a TFTP, HTTP, or HTTPS server that is accessible from the FWSM admin context (if you are using multiple context mode).

Step 2 If required, log out of the maintenance partition and reload the application partition by performing the following steps:

a. Log out of the maintenance partition by entering the following command:

root@localhost# logout

b. If required, reboot the module into the application partition by entering the command for your operating system:

For Cisco IOS, enter the following command:

Router# hw-module module mod_num reset

For Catalyst operating system software, enter the following command:

Console> (enable) reset mod_num

c. To session in to the FWSM, enter the command for your operating system:

Cisco IOS software

Router# session slot mod_num processor 1

Catalyst operating system software

Console> (enable) session module_number

The default password is cisco (see the password command). In single mode, you can configure Telnet authentication, so the username and password depend on your configuration.

Step 3 To upgrade the maintenance partition software, enter one of the following commands, directed to the appropriate download server. For multiple context mode, you must be in the system execution space.

To download the maintenance software from a TFTP server, enter the following command:

hostname# upgrade-mp tftp[://server[:port][/path]/filename]

You are prompted to confirm the server information. If you do not supply it in the command, you can enter it in response to the prompt.

To download the maintenance software from an HTTP or HTTPS server, enter the following command:

hostname# upgrade-mp http[s]://[user[:password]@]server[:port][/path]/filename

Passwords for the root and guest accounts of the maintenance partition are retained after the upgrade.

The following example shows the prompts for the TFTP server information:

hostname# upgrade-mp tftp
Address or name of remote host [127.0.0.1]? 10.1.1.5 
Source file name [cdisk]? mp.2-1-0-3.bin.gz
copying tftp://10.1.1.5/mp.2-1-0-3.bin.gz to flash
[yes|no|again]? yes
!!!!!!!!!!!!!!!!!!!!!!!
Received 1695744 bytes.
Maintenance partition upgraded.

Step 4 Reload the FWSM to load the new maintenance software by entering the following command:

hostname# reload

Alternatively, you can log out of the FWSM in preparation for booting in to the maintenance partition; from the maintenance partition, you can install application software to both application partitions. To end the FWSM session, enter the following command:

hostname# exit

Logoff

[Connection to 127.0.0.31 closed by foreign host]
Router#

You might need to enter the exit command multiple times if you are in a configuration mode.

See the "Upgrading Application Software Using the Maintenance Partition" section to reload the FWSM into the maintenance partition.


Upgrading the Application Software

To upgrade the FWSM application software, use one of the following methods:

Upgrading Application Software from the FWSM CLI

The benefit of this method is you do not have to boot in to the maintenance partition; instead you log in as usual and copy the new software.

This method supports downloading from a TFTP, FTP, HTTP, or HTTPS server.

This method cannot copy software to the other application partition; the new image overwrites the image in the current partition. If you want to keep the old version of software in the other partition as a backup, use the maintenance partition method instead.

You must have an operational configuration with network access. For multiple context mode, you need to have network connectivity through the admin context.

Upgrading Application Software Using the Maintenance Partition

The benefit of this method is you can copy software to both application partitions, and you do not have to have an operational network on the application configuration. You just need to configure some routing parameters in the maintenance partition so you can reach the server on VLAN 1. For example, you can leave Release 2.x on one partition and install 3.1 on the other partition, in case you need to restore the FWSM to 2.x.

The disadvantage is that you need to boot in to the maintenance partition, which might not be convenient if you have active connections.

This method supports downloading from an FTP server only.


Note If you do not have an activation key entered (0x000) before upgrading, then when you enter the show version command after upgrading, you see the following message:

The running activation key is not valid

This cosmetic issue can be ignored; the FWSM is not affected.


Upgrading Application Software from the FWSM CLI

When you log in to the FWSM during normal operation, you can copy the application software to the current application partition from a TFTP, FTP, HTTP, or HTTPS server.


Note If you are running failover, be sure to upgrade the application software on both units.


To upgrade software to the current application partition from an FTP, TFTP, or HTTP(S) server, perform the following steps:


Step 1 Enter the following command to confirm access to the selected FTP, TFTP, or HTTP(S) server:

hostname# ping ip_address

Step 2 To copy the application software, enter one of the following commands, directed to the appropriate download server.

To copy from a TFTP server, enter the following command:

hostname# copy tftp://server[/path]/filename flash:

The flash keyword refers to the application partition on the FWSM. You can only copy an image and ASDM software to the flash partition. Configuration files are copied to the disk partition.

To copy from an FTP server, enter the following command:

hostname# copy ftp://[user[:password]@]server[/path]/filename flash:

To copy from an HTTP or HTTPS server, enter the following command:

hostname# copy http[s]://[user[:password]@]server[:port][/path]/filename flash:

For example, to copy the application software from an FTP server, enter the following command:

hostname# copy ftp://10.94.146.80/tftpboot/bnair/cdisk flash:

copying ftp://10.94.146.80/tftpboot/bnair/cdisk to flash:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!
Received 6128128 bytes.
Erasing current image.This may take some time..
Writing 6127616 bytes of image.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!
Image installed.

Step 3 To run the new software, you need to reload the system.

If you do not have a failover pair, enter the following command:

hostname# reload
Proceed with reload? [confirm] 

At the `Proceed with reload?' prompt, press Enter to confirm the command.

Rebooting...

If you have a failover pair, perform the following steps:

a. Ensure that the secondary unit has a configuration saved to memory by entering the following command:

secondary(config)# write memory

The saved configuration will load when you restart the secondary unit. This step is useful if the primary unit fails to start up correctly.

For multiple context mode, if the primary unit has context configurations in Flash memory, be sure to enter the write memory command in each primary unit context; the context will automatically be copied to the secondary unit Flash memory.

b. To load the new software, reload the primary unit and then reload the secondary unit before the primary unit comes online. Enter the following command separately on each unit:

primary(config)# reload
Proceed with reload? [confirm] 

At the `Proceed with reload?' prompt, press Enter to confirm the command.

Rebooting...

secondary(config)# reload
Proceed with reload? [confirm] 

While the units reload, all active connections are terminated. We recommend reloading both units at the same time because if both units are running, and the major version number does not match (2.x vs. 3.1), then both units become active. Two active units can cause networking problems.

After the upgrade to FWSM Release 3.1 is completed, the startup configuration will still be a Release 2.x configuration, but the running configuration will be the newly migrated 3.1 configuration. Once the FWSM is running the 3.1 image, you can no longer enter the Release 2.x commands.

Until you save the new configuration to Flash memory, the software will convert the old startup configuration automatically every time the FWSM reboots.

Step 4 To save the converted Release 3.1 configuration to Flash memory, enter the following command:

hostname# write memory

In multiple context mode, enter the new write memory all command from the system execution space. This command saves all context configurations to which the FWSM has write access.

If the context configurations are on an HTTP/HTTPS server, or you otherwise do not have write access, use the show running-config command for each context and copy the new configuration so you can later update the context configuration on the server.


Upgrading Application Software Using the Maintenance Partition

You must install maintenance software Release 2.1(2) before you upgrade to FWSM Release 3.1.

If you log in to the maintenance partition, you can install application software to either application partition (cf:4 or cf:5).


Note The FWSM maintenance partition can only use VLAN 1 on the switch. The FWSM does not support 802.1Q tagging on VLAN 1.


To install application software from an FTP server while logged in to the maintenance partition, perform the following steps.


Note If you have a failover pair, upgrade the primary unit first, but then be sure to start the upgrade on the secondary unit before the primary unit comes online with the new version. If both units are running, and the major version number does not match (2.x vs. 3.1), then both units become active. Two active units can cause networking problems.



Step 1 Each application partition has its own startup configuration, so you need to make the 2.x configuration available to copy to the 3.1 application partition. You can either copy it to an available TFTP, FTP, or HTTP(S) server, or you can enter the show running-config command and cut and paste the configuration from the terminal. See the "Backing up the Single Mode Configuration or Multiple Mode System Configuration" section.

Step 2 If necessary, end the FWSM session by entering the following command:

hostname# exit

Logoff

[Connection to 127.0.0.31 closed by foreign host]
Router#

You might need to enter the exit command multiple times if you are in a configuration mode.

Step 3 To view the current (2.x) boot partition, enter the command for your operating system. Note the current boot partition so you can set a new default boot partition.

Cisco IOS software

Router# show boot device [mod_num]

For example:

Router# show boot device
[mod:1 ]:
[mod:2 ]:
[mod:3 ]:
[mod:4 ]: cf:4
[mod:5 ]: cf:4
[mod:6 ]:
[mod:7 ]: cf:4
[mod:8 ]:
[mod:9 ]:

Catalyst operating system software

Console> (enable) show boot device mod_num

For example:

Console> (enable) show boot device 4
Device BOOT variable = cf:4

Step 4 To change the default boot partition to the backup, enter the command for your operating system:

Cisco IOS software

Router(config)# boot device module mod_num cf:{4 | 5}

Catalyst operating system software

Console> (enable) set boot device cf:{4 | 5} mod_num

Step 5 To boot the FWSM into the maintenance partition, enter the command for your operating system at the switch prompt:

For Cisco IOS, enter the following command:

Router# hw-module module mod_num reset cf:1

For Catalyst operating system software, enter the following command:

Console> (enable) reset mod_num cf:1

Step 6 To session in to the FWSM, enter the command for your operating system:

Cisco IOS software

Router# session slot mod_num processor 1

Catalyst operating system software

Console> (enable) session module_number

Step 7 To log in to the FWSM maintenance partition as root, enter the following command:

Login: root
Password:

By default, the password is cisco.

Step 8 To set network parameters, perform the following steps:

a. To assign an IP address to the maintenance partition, enter the following command:

root@localhost# ip address ip_address netmask

This address is the address for VLAN 1, which is the only VLAN used by the maintenance partition.

b. To assign a default gateway to the maintenance partition, enter the following command:

root@localhost# ip gateway ip_address

c. (Optional) To ping the FTP server to verify connectivity, enter the following command:

root@localhost# ping ftp_address

Step 9 To download the application software from the FTP server, enter the following command:

root@localhost# upgrade ftp://[user[:password]@]server[/path]/filename cf:{4 | 5}

cf:4 and cf:5 are the application partitions on the FWSM. Install the new software to the backup partition.

Follow the screen prompts during the upgrade.

Step 10 To log out of the maintenance partition, enter the following command:

root@localhost# logout

Step 11 To reboot the FWSM into the 3.1 application partition (that you set as the default in Step 4), enter the command for your operating system:

For Cisco IOS, enter the following command:

Router# hw-module module mod_num reset

For Catalyst operating system software, enter the following command:

Console> (enable) reset mod_num

Step 12 To session in to the FWSM, enter the command for your operating system:

Cisco IOS software

Router# session slot mod_num processor 1

Catalyst operating system software

Console> (enable) session module_number

By default, the password to log in to the FWSM is cisco (set by the password command). If this partition does not have a startup configuration, the default password is used.

Step 13 Enter privileged EXEC mode using the following command:

hostname> enable

The default password is blank (set by the enable password command). If this partition does not have a startup configuration, the default password is used.

Step 14 Each application partition has its own startup configuration, so you need to copy the current 2.x configuration to the 3.1 application partition using one of the following methods:

If you paste the 2.x configuration at the command line, enter the following command to save it:

hostname# write memory

To copy from a TFTP server, enter the following command:

hostname# copy tftp://server[/path]/filename startup-config

To copy from an FTP server, enter the following command:

hostname# copy ftp://[user[:password]@]server[/path]/filename startup-config

To copy from an HTTP or HTTPS server, enter the following command:

hostname# copy http[s]://[user[:password]@]server[:port][/path]/filename 
startup-config

Step 15 The default context mode is single mode, so if you are running in multiple context mode, set the mode to multiple in the 3.1 application partition using the following command:

hostname# configuration terminal
hostname(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]

Confirm to reload the FWSM.


Note Be sure to back up your configurations because the switch to multiple mode can overwrite the default configurations.


Step 16 If you did not change the mode and reload in Step 15, then reload the FWSM using the following command:

hostname# reload

After you reload, the startup configuration will still be a Release 2.x configuration, but the running configuration will be the newly migrated 3.1 configuration. Once the FWSM is running the 3.1 image, you can no longer enter the Release 2.x commands.

Until you save the new configuration to Flash memory, the software will convert the old startup configuration automatically every time the FWSM reboots.

Step 17 To save the converted Release 3.1 configuration to Flash memory, enter the following command:

hostname# write memory

In multiple context mode, enter the write memory all command from the system execution space. This command saves all context configurations to which the FWSM has write access.

If the context configurations are on an HTTP/HTTPS server, or you otherwise do not have write access, use the show running-config command for each context and copy the new configuration so you can later update the context configuration on the server.


Removing Unused Commands from the System Configuration

Most commands are converted automatically when you load Release 3.1. Some deprecated commands are left in your configuration so you can decide how to manage the changes. For example, you can no longer configure any logging commands in the system execution space. Instead, system messages (including failover messages) are output to the admin context. However, logging commands are not automatically removed from the system configuration.

When the FWSM loads deprecated commands, you see error messages; however, they do not affect the running of your configuration. To clean up your configuration, perform the following steps:


Step 1 To view deprecated commands, enter the following command:

hostname# show startup-config errors

Step 2 To remove the commands, enter the no form of the command.


Upgrading from PDM to ASDM

To upgrade from PDM 4.x to ASDM 5.0F, which runs with application software Release 3.1, see the Cisco ASDM Release Notes.

Upgrade Examples

This section includes sample Release 2.3 configurations and converted Release 3.1 configurations. This section contains the following topics:

Single Mode Sample Configurations

Multiple Mode Sample Configurations

Single Mode Sample Configurations

The following is sample output from the show version command for a system running FWSM Release 2.3 before upgrading to FWSM Release 3.1:

hostname(config)# show version

FWSM Firewall Version 2.3(2)9

Compiled on Thu 14-Jul-05 01:30 by dalecki

FWSM up 28 mins 48 secs

Hardware:   WS-SVC-FWM-1, 1024 MB RAM, CPU Pentium III 1000 MHz
Flash  V1.01   SMART ATA FLASH DISK @ 0xc321, 20MB

0: gb-ethernet0: irq 5
1: gb-ethernet1: irq 7
2: ethernet0: irq 11

Licensed Features:
Failover:           Enabled
VPN-DES:            Enabled
VPN-3DES:           Enabled
Maximum Interfaces: 256
Cut-through Proxy:  Enabled
Guards:             Enabled
URL-filtering:      Enabled
Throughput:         Unlimited
ISAKMP peers:       Unlimited
Security Contexts:  2

This machine has an Unrestricted (UR) license.

Serial Number: SAD062302U5
Running Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000
Configuration last modified by enable_15 at 06:36:55 Aug 24 2005

Table 2 shows the unmodified startup configuration and the converted running configuration after upgrading to Release 3.1.

Table 2 2.3 Startup Configuration and 3.1 Running Configuration

2.3 Startup Configuration

FWSM(config)# show startup-config
: Saved
: Written by enable_15 at 06:37:02 Aug 24 2005

FWSM Version 2.3(2)9
nameif Vlan10 outside security100
nameif Vlan30 inside security0
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname FWSM
ftp mode passive
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 H225 1720
fixup protocol h323 ras 1718-1719
fixup protocol rsh 514
fixup protocol sip 5060
no fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list deny-flow-max 4096
access-list alert-interval 300
pager lines 24
logging buffer-size 4096
mtu outside 1500
mtu inside 1500
ip address outside 10.6.8.20 255.0.0.0
ip address inside 11.1.1.1 255.0.0.0
no failover
failover lan unit secondary
failover polltime unit 1 holdtime 15
failover polltime interface 15
failover interface-policy 50%
icmp permit any outside
no pdm history enable
arp timeout 14400
!
interface outside
!
interface inside
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 rpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp
floodguard enable
fragment size 200 outside
fragment chain 24 outside
fragment size 200 inside
fragment chain 24 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:c0c7b48ccf97530e2c57a90aeb5f9621

3.1 Running Configuration

FWSM(config)# show running-config
: Saved
:
FWSM Version 3.1(0)78
!
hostname FWSM
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan10
 nameif outside
 security-level 100
 ip address 10.6.8.20 255.0.0.0
!
interface Vlan30
 nameif inside
 security-level 0
 ip address 11.1.1.1 255.0.0.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
failover lan unit secondary
icmp permit any outside
no asdm history enable
arp timeout 14400
nat-control
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00 non_TCP_UDP 0:10:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map class_sip_tcp
 match port tcp eq sip
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect skinny
  inspect smtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
 class class_sip_tcp
  inspect sip
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:c0c7b48ccf97530e2c57a90aeb5f9621
: end
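The following Python script is an added example, not Cisco code or FWSM output. It supports both the "Removing Unused Commands from the System Configuration" procedure and the review of Table 2: given the plain text of a saved 2.x show startup-config and the converted 3.1 show running-config, it lists the top-level 2.x commands that appear nowhere in the 3.1 configuration (so you can check each against show startup-config errors before entering write memory), attaches a hint for the rewrites that are visible in Table 2 (fixup to inspect under a policy-map, nameif and ip address moved under interface, pdm renamed to asdm), and separately lists logging commands, which in multiple context mode are left in the system configuration and must be removed with their no form. The embedded configurations are abbreviated excerpts of Table 2 and the hint table is an assumption that covers only those rewrites.

```python
# Added example (not Cisco's code or output): compare a saved FWSM 2.x
# startup configuration with the converted 3.1 running configuration.
# Input is the plain text of "show startup-config" / "show running-config";
# the excerpts below are abbreviated from Table 2 on this page.
from typing import List

OLD_23 = """\
: Saved
: Written by enable_15 at 06:37:02 Aug 24 2005

FWSM Version 2.3(2)9
nameif Vlan10 outside security100
nameif Vlan30 inside security0
hostname FWSM
fixup protocol ftp 21
fixup protocol sip 5060
no fixup protocol sip udp 5060
logging buffer-size 4096
failover polltime unit 1 holdtime 15
no pdm history enable
floodguard enable
Cryptochecksum:c0c7b48ccf97530e2c57a90aeb5f9621
"""

NEW_31 = """\
: Saved
:
FWSM Version 3.1(0)78
!
hostname FWSM
!
interface Vlan10
 nameif outside
 security-level 100
!
no asdm history enable
!
policy-map global_policy
 class inspection_default
  inspect ftp
!
service-policy global_policy global
Cryptochecksum:c0c7b48ccf97530e2c57a90aeb5f9621
: end
"""

# Assumed hint table: only the rewrites that are visible in Table 2.
REPLACEMENT_HINTS = {
    "fixup protocol": "now an 'inspect' sub-command of policy-map global_policy",
    "no fixup protocol": "protocol no longer inspected; check the policy-map",
    "nameif": "now 'nameif' and 'security-level' under 'interface VlanN'",
    "ip address": "now 'ip address' under 'interface VlanN'",
    "pdm": "renamed to 'asdm'",
    "no pdm": "renamed to 'no asdm'",
}


def _is_noise(line: str) -> bool:
    """Banner, checksum, separator and blank lines carry no command."""
    s = line.strip()
    return (not s or s.startswith(":") or s.startswith("!")
            or s.startswith("FWSM Version") or s.startswith("Cryptochecksum:"))


def commands(text: str, top_level_only: bool) -> List[str]:
    """Command lines in order, stripped; nested lines are dropped when
    top_level_only is set, otherwise included at every depth."""
    out = []
    for line in text.splitlines():
        if _is_noise(line) or (top_level_only and line[:1].isspace()):
            continue
        out.append(line.strip())
    return out


def missing_after_upgrade(old_text: str, new_text: str) -> List[str]:
    """Top-level 2.x commands that appear nowhere (at any depth) in 3.1."""
    new_lines = set(commands(new_text, top_level_only=False))
    return [c for c in commands(old_text, top_level_only=True) if c not in new_lines]


def hint_for(command: str) -> str:
    """Longest matching hint from REPLACEMENT_HINTS, or a generic note."""
    best = ""
    for prefix in REPLACEMENT_HINTS:
        if command.startswith(prefix + " ") and len(prefix) > len(best):
            best = prefix
    return REPLACEMENT_HINTS[best] if best else "verify with 'show startup-config errors'"


def logging_commands(text: str) -> List[str]:
    """Top-level logging commands; in multiple mode these are not valid in the
    system configuration and are not removed by the conversion."""
    return [c for c in commands(text, top_level_only=True)
            if c.startswith("logging ") or c.startswith("no logging ")]


def no_form(command: str) -> str:
    """The command that removes 'command' from the configuration."""
    return command[3:] if command.startswith("no ") else "no " + command


if __name__ == "__main__":
    for cmd in missing_after_upgrade(OLD_23, NEW_31):
        print(f"{cmd:45} -> {hint_for(cmd)}")
    for cmd in logging_commands(OLD_23):
        print(f"system config: remove with '{no_form(cmd)}'")
```

Run it against the full captures rather than the excerpts: the missing list is deliberately literal (a command is reported unless the identical text survives somewhere in 3.1), so a rewritten command such as nameif shows up with its hint, while a command the conversion silently dropped shows up with the generic note and deserves a look in show startup-config errors.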

The following is sample output from the show version command for a system after upgrading to FWSM Release 3.1:

hostname(config)# show version

FWSM Firewall Version 3.1(0)78

Compiled on Tue 23-Aug-05 23:54 by bnair

FWSM up 20 mins 17 secs

Hardware:   WS-SVC-FWM-1, 1024 MB RAM, CPU Pentium III 1000 MHz
Flash SMART ATA FLASH DISK @ 0xc321, 20MB
Disk Partition: ATA Compact Flash, 57MB

 0: Int: Not licensed        : irq 5
 1: Int: Not licensed