 Feedback
|
Table Of Contents
Upgrading the FWSM from Release 2.x to 3.1
Backing up the Single Mode Configuration or Multiple Mode System Configuration
Backing Up a Context Configuration in Flash Memory
Backing Up a Context Configuration within a Context
Copying the Configuration from the Terminal Display
Upgrading Maintenance Software to Release 2.1(2)
Checking the Maintenance Software Release
Upgrading the Maintenance Software
Upgrading the Application Software
Upgrading Application Software from the FWSM CLI
Upgrading Application Software Using the Maintenance Partition
Removing Unused Commands from the System Configuration
Single Mode Sample Configurations
Multiple Mode Sample Configurations
Restoring the FWSM to Release 2.x
Downloading Release 2.x to the Current Application Partition
Booting Release 2.x from the Backup Application Partition
Installing Release 2.x and Booting in to the Backup Application Partition
Changed and Deprecated Commands
Context-Sensitive Help Changes
Documentation Terminology Changes
Application Inspection (fixup Command)
Mixed Routed and Transparent Firewall Mode
Transparent Mode Bridge Groups
Public Key Infrastructure (PKI) Commands
Summary of Changes in the VPN Commands
Obtaining Documentation and Submitting a Service Request
Upgrading the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module from Release 2.x to Release 3.1
This guide describes how to upgrade from FWSM Release 2.2 or 2.3 to FWSM Release 3.1. This guide describes the features and commands that have changed or been deprecated in FWSM Release 3.1.
This guide is written for FWSM administrators with an understanding of FWSM CLI commands and features and with experience configuring the FWSM. This document includes the following sections:
•
Upgrading the FWSM from Release 2.x to 3.1
•
•
•
New Features
This section includes a brief summary of new features in Release 3.1. For more information on these features and the accompanying CLI commands, see the following documents:
•
•
•
FWSM Release 3.1 introduces the following new functionality and features:
•
–
–
–
–
–
•
–
–
–
–
•
–
–
•
–
–
–
–
–
–
–
•
–
–
–
–
–
–
•
–
–
–
–
–
–
–
–
•
–
–
•
–
–
–
–
–
–
–
•
–
–
–
–
•
–
–
–
–
•
–
–
–
–
–
–
–
–
–
–
–
Upgrading the FWSM from Release 2.x to 3.1
This section describes how to upgrade the FWSM to 3.1, and includes the following topics:
•
•
•
Upgrade Requirements
•
•
Table 1 Operating System and Browser Requirements for ASDM Version 5.0
Windows1
Windows 2000 (Service Pack 4) or Windows XP operating systems
Internet Explorer 6.0 with Java Plug-in 1.4.2 or 1.5.0
Note
Netscape 7.1/7.2 with Java Plug-in 1.4.2 or 1.5.0
SSL Encryption Settings—All available encryption options are enabled for SSL in the browser preferences.
Sun Solaris
Sun Solaris 8 or 9 running CDE window manager
Mozilla 1.7.3 with Java Plug-in 1.4.2 or 1.5.0
Linux
Red Hat Linux 9.0 or Red Hat Linux WS, Version 3 running GNOME or KDE
Mozilla 1.7.3 with Java Plug-in 1.4.2 or 1.5.0
1 ASDM is not supported on Windows 3.1, 95, 98, ME or Windows NT4.
Backing up the Configuration
This section describes how to back up your configuration before beginning the upgrade procedure. You might need the original configuration if you have to restore Release 2.x. See the "Restoring the FWSM to Release 2.x" section.
Note
To back up your configuration, use the following methods:
•
•
•
•
Note
Backing up the Single Mode Configuration or Multiple Mode System Configuration
In single context mode or from the system configuration in multiple mode, you can copy the startup configuration or running configuration to an external server or to the local Flash memory:
•
hostname# copy {startup-config | running-config} tftp://server[/path]/filename•
hostname# copy {startup-config | running-config} ftp://[user[:password]@]server[/path]/filename•
hostname# copy {startup-config | running-config} disk:[path/]filenameBe sure the destination directory exists. If it does not exist, first create the directory using the mkdir command.
Backing Up a Context Configuration in Flash Memory
In multiple context mode, copy context configurations that are on the local Flash memory by entering one of the following commands in the system execution space:
•
hostname# copy disk:[path/]filename tftp://server[/path]/filename•
hostname# copy disk:[path/]filename ftp://[user[:password]@]server[/path]/filename•
hostname# copy disk:[path/]filename disk:[path/]newfilenameBe sure the destination directory exists. If it does not exist, first create the directory using the mkdir command.
For example, copy the admin.cfg file to a 2_3 subdirectory:
hostname# mkdir 2_3Create directory filename [2_3]?Created dir disk:/2_3hostname# copy disk:admin.cfg disk:2_3/admin.cfgBacking Up a Context Configuration within a Context
In multiple context mode, from within a context, you can perform the following backups:
•
hostname/contexta# copy running-config startup-config•
hostname/contexta# copy running-config tftp:/server[/path]/filenameCopying the Configuration from the Terminal Display
To print the configuration to the terminal, enter the following command:
hostname# show running-configCopy the output from this command, then paste the configuration in to a text file.
Upgrading Maintenance Software to Release 2.1(2)
You must install maintenance software Release 2.1(2) or later before you upgrade to FWSM Release 3.1. The latest maintenance release also works with FWSM Release 2.x, so if you later have to restore the FWSM to Release 2.x, this procedure will not prevent it.
Note
This section includes the following topics:
•
•
Checking the Maintenance Software Release
To determine the maintenance software release, boot in to the maintenance partition and view the release by performing the following steps:
Step 1
hostname# exitLogoff[Connection to 127.0.0.31 closed by foreign host]Router#You might need to enter the exit command multiple times if you are in a configuration mode.
Step 2
•
Router# hw-module module mod_num reset cf:1•
Console> (enable) reset mod_num cf:1Step 3
•
Router# session slot number processor 1•
Console> (enable) session module_numberStep 4
Login: rootStep 5
Password:By default, the password is cisco.
The FWSM shows the version when you first log in, as in the following example:
Maintenance image version: 2.1(2)Step 6
root@localhost# show versionMaintenance image version: 2.1(2)mp.2-1-2.bin : Thu Nov 18 11:41:36 PST 2004 : integ@kplus-build-lx.cisco.comLine Card Number :WS-SVC-FWM-1Number of Pentium-class Processors : 2BIOS Vendor: Phoenix Technologies Ltd.BIOS Version: 4.0-Rel 6.0.9Total available memory: 1004 MBSize of compact flash: 123 MBDaughter Card Info: Number of DC Processors: 3Size of DC Processor Memory (per proc): 32 MB
Upgrading the Maintenance Software
To upgrade the maintenance software, perform the following steps. If you have a failover pair, upgrade the standby unit first, and then the active unit. The standby unit will become active while the formerly active unit is upgrading.
Step 1
Put the software on a TFTP, HTTP, or HTTPS server that is accessible from the FWSM admin context (if you are using multiple context mode).
Step 2
a.
root@localhost# logoutb.
–
Router# hw-module module mod_num reset–
Console> (enable) reset mod_numc.
–
Router# session slot number processor 1–
Console> (enable) session module_numberThe default password is cisco (see the password command). In single mode, you can configure Telnet authentication, so the username and password depends on your configuration.
Step 3
•
hostname# upgrade-mp tftp[://server[:port][/path]/filename]You are prompted to confirm the server information. If you do not supply it in the command, you can enter it in response to the prompt.
•
hostname# upgrade-mp http[s]://[user[:password]@]server[:port][/path]/filenamePasswords for the root and guest accounts of the maintenance partition are retained after the upgrade.
The following example shows the prompts for the TFTP server information:
hostname# upgrade-mp tftpAddress or name of remote host [127.0.0.1]? 10.1.1.5Source file name [cdisk]? mp.2-1-0-3.bin.gzcopying tftp://10.1.1.5/mp.2-1-0-3.bin.gz to flash[yes|no|again]? yes!!!!!!!!!!!!!!!!!!!!!!!Received 1695744 bytes.Maintenance partition upgraded.Step 4
hostname# reloadAlternatively, you can log out of the FWSM in preparation for booting in to the maintenance partition; from the maintenance partition, you can install application software to both application partitions. To end the FWSM session, enter the following command:
hostname# exitLogoff[Connection to 127.0.0.31 closed by foreign host]Router#You might need to enter the exit command multiple times if you are in a configuration mode.
Upgrading the Application Software
To upgrade the FWSM application software, use one of the following methods:
•
The benefit of this method is you do not have to boot in to the maintenance partition; instead you log in as usual and copy the new software.
This method supports downloading from a TFTP, FTP, HTTP, or HTTPS server.
You cannot copy software to the other application partition. You might want to copy to the other partition if you want to keep the old version of software as a backup in the current partition.
You must have an operational configuration with network access. For multiple context mode, you need to have network connectivity through the admin context.
•
The benefit of this method is you can copy software to both application partitions, and you do not have to have an operational network on the application configuration. You just need to configure some routing parameters in the maintenance partition so you can reach the server on VLAN 1. For example, you can leave Release 2.x on one partition and install 3.1 on the other partition, in case you need to restore the FWSM to 2.x.
The disadvantage is that you need to boot in to the maintenance partition, which might not be convenient if you have active connections.
This method supports downloading from an FTP server only.
Note
The running activation key is not validThis cosmetic issue can be ignoredl; the FWSM is not affected.
Upgrading Application Software from the FWSM CLI
When you log in to the FWSM during normal operation, you can copy the application software to the current application partition from a TFTP, FTP, HTTP, or HTTPS server.
Note
To upgrade software to the current application partition from an FTP, TFTP, or HTTP(S) server, perform the following steps:
Step 1
hostname# ping ip_addressStep 2
•
hostname# copy tftp://server[/path]/filename flash:The flash keyword refers to the application partition on the FWSM. You can only copy an image and ASDM software to the flash partition. Configuration files are copied to the disk partition.
•
hostname# copy ftp://[user[:password]@]server[/path]/filename flash:•
hostname# copy http[s]://[user[:password]@]server[:port][/path]/filename flash:For example, to copy the application software from an FTP server, enter the following command:
hostname# copy ftp://10.94.146.80/tftpboot/bnair/cdisk flash:copying ftp://10.94.146.80/tftpboot/bnair/cdisk to flash:!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!Received 6128128 bytes.Erasing current image.This may take some time..Writing 6127616 bytes of image.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!Image installed.Step 3
•
hostname# reloadProceed with reload? [confirm]At the `Proceed with reload?' prompt, press Enter to confirm the command.
Rebooting...•
a.
secondary(config)# write memoryThe saved configuration will load when you restart the secondary unit. This step is useful if the primary unit fails to start up correctly.
For multiple context mode, if the primary unit has context configurations in Flash memory, be sure to enter the write memory command in each primary unit context; the context will automiticallly be copied to the secondary unit Flash memory.
b.
primary(config)# reloadProceed with reload? [confirm]At the `Proceed with reload?' prompt, press Enter to confirm the command.
Rebooting...secondary(config)# reloadProceed with reload? [confirm]While the units reload, all active connections are terminated. We recommend reloading both units at the same time because if both units are running, and the major version number does not match (2.x vs. 3.1), then both units become active. Two active units can cause networking problems.
After the upgrade to FWSM Release 3.1 is completed, the startup configuration will still be a Release 2.x configuration, but the running configuration will be the newly migrated 3.1 configuration. Once the FWSM is running the 3.1 image, you can no longer enter the Release 2.x commands.
Until you save the new configuration to Flash memory, the software will convert the old startup configuration automatically every time the FWSM reboots.
Step 4
hostname# write memoryIn multiple context mode, enter the new write memory all command from the system execution space. This command saves all context configurations to which the FWSM has write access.
If the context configurations are on an HTTP/HTTPS server, or you otherwise do not have write access, use the show running-config command for each context and copy the new configuration so you can later update the context configuration on the server.
Upgrading Application Software Using the Maintenance Partition
You must install maintenance software Release 2.1(2) before you upgrade to FWSM Release 3.1.
If you log in to the maintenance partition, you can install application software to either application partition (cf:4 or cf:5).
Note
To install application software from an FTP server while logged in to the maintenance partition, perform the following steps.
Note
Step 1
Step 2
hostname# exitLogoff[Connection to 127.0.0.31 closed by foreign host]Router#You might need to enter the exit command multiple times if you are in a configuration mode.
Step 3
•
Router# show boot device [mod_num]For example:
Router# show boot device[mod:1 ]:[mod:2 ]:[mod:3 ]:[mod:4 ]: cf:4[mod:5 ]: cf:4[mod:6 ]:[mod:7 ]: cf:4[mod:8 ]:[mod:9 ]:•
Console> (enable) show boot device mod_numFor example:
Console> (enable) show boot device 4Device BOOT variable = cf:4Step 4
•
Router(config)# boot device module mod_num cf:{4 | 5}•
Console> (enable) set boot device cf:{4 | 5} mod_numStep 5
•
Router# hw-module module mod_num reset cf:1•
Console> (enable) reset mod_num cf:1Step 6
•
Router# session slot number processor 1•
Console> (enable) session module_numberStep 7
Login: rootPassword:By default, the password is cisco.
Step 8
a.
root@localhost# ip address ip _address netmaskThis address is the address for VLAN 1, which is the only VLAN used by the maintenance partition.
b.
root@localhost# ip gateway ip_addressc.
root@localhost# ping ftp_addressStep 9
root@localhost# upgrade ftp://[user[:password]@]server[/path]/filename cf:{4 | 5}cf:4 and cf:5 are the application partitions on the FWSM. Install the new software to the backup partition.
Follow the screen prompts during the upgrade.
Step 10
root@localhost# logoutStep 11
•
Router# hw-module module mod_num reset•
Console> (enable) reset mod_numStep 12
•
Router# session slot number processor 1•
Console> (enable) session module_numberBy default, the password to log in to the FWSM is cisco (set by the password command). If this partition does not have a startup configuration, the default password is used.
Step 13
hostname> enableThe default password is blank (set by the enable password command). If this partition does not have a startup configuration, the default password is used.
Step 14
•
hostname# write memory•
hostname# copy tftp://server[/path]/filename startup-config•
hostname# copy ftp://[user[:password]@]server[/path]/filename startup-config•
hostname# copy http[s]://[user[:password]@]server[:port][/path]/filename startup-configStep 15
hostname# configuration terminalhostname(config)# mode multipleWARNING: This command will change the behavior of the deviceWARNING: This command will initiate a RebootProceed with change mode? [confirm]Confirm to reload the FWSM.
Note
Step 16
hostname# reloadAfter you reload, the startup configuration will still be a Release 2.x configuration, but the running configuration will be the newly migrated 3.1 configuration. Once the FWSM is running the 3.1 image, you can no longer enter the Release 2.x commands.
Until you save the new configuration to Flash memory, the software will convert the old startup configuration automatically every time the FWSM reboots.
Step 17
hostname# write memoryIn multiple context mode, enter the write memory all command from the system execution space. This command saves all context configurations to which the FWSM has write access.
If the context configurations are on an HTTP/HTTPS server, or you otherwise do not have write access, use the show running-config command for each context and copy the new configuration so you can later update the context configuration on the server.
Removing Unused Commands from the System Configuration
Most commands are converted automatically when you load Release 3.1. Some deprecated commands are left in your configuration so you can decide how to manage the changes. For example, you can no longer configure any logging commands in the system execution space. Instead, system messages (including failover messages) are output to the admin context. However, logging commands are not automatically removed from the system configuration.
When the FWSM loads deprecated commands, you see error messages; however, they do not affect the running of your configuration. To clean up your configuration, perform the following steps:
Step 1
hostname# show startup-config errorsStep 2
Upgrading from PDM to ASDM
To upgrade from PDM 4.x to ASDM 5.0F, which runs with application software Release 3.1, see the Cisco ASDM Release Notes.
Upgrade Examples
This section includes sample Release 2.3 configurations and converted Release 3.1 configurations. This section contains the following topics:
•
•
Single Mode Sample Configurations
The following is sample output from the show version command for a system running FWSM Release 2.3 before upgrading to FWSM Release 3.1:
hostname(config)# show versionFWSM Firewall Version 2.3(2)9Compiled on Thu 14-Jul-05 01:30 by daleckiFWSM up 28 mins 48 secsHardware: WS-SVC-FWM-1, 1024 MB RAM, CPU Pentium III 1000 MHzFlash V1.01 SMART ATA FLASH DISK @ 0xc321, 20MB0: gb-ethernet0: irq 51: gb-ethernet1: irq 72: ethernet0: irq 11Licensed Features:Failover: EnabledVPN-DES: EnabledVPN-3DES: EnabledMaximum Interfaces: 256Cut-through Proxy: EnabledGuards: EnabledURL-filtering: EnabledThroughput: UnlimitedISAKMP peers: UnlimitedSecurity Contexts: 2This machine has an Unrestricted (UR) license.Serial Number: SAD062302U5Running Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000Configuration last modified by enable_15 at 06:36:55 Aug 24 2005Table 2 shows the unmodified startup configuration and the converted running configuration after upgrading to Release 3.1.
The following is sample output from the show version command for a system after upgrading to FWSM Release 3.1:
hostname(config)# show versionFWSM Firewall Version 3.1(0)78Compiled on Tue 23-Aug-05 23:54 by bnairFWSM up 20 mins 17 secsHardware: WS-SVC-FWM-1, 1024 MB RAM, CPU Pentium III 1000 MHzFlash SMART ATA FLASH DISK @ 0xc321, 20MBDisk Partition: ATA Compact Flash, 57MB0: Int: Not licensed : irq 51: Int: Not licensed : irq 72: Int: Not licensed : irq 11The Running Activation Key is not valid, using default settings:Licensed features for this platform:Maximum Interfaces : 256Inside Hosts : UnlimitedFailover : Active/ActiveVPN-DES : EnabledVPN-3DES-AES : EnabledCut-through Proxy : EnabledGuards : EnabledURL Filtering : EnabledSecurity Contexts : 2GTP/GPRS : DisabledVPN Peers : UnlimitedSerial Number: SAD062302U5Running Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000Configuration has not been modified since last system restart.Multiple Mode Sample Configurations
The following is sample output from the show version command for a system running FWSM Release 2.3 before upgrading to FWSM Release 3.1:
hostname/admin(config)# show versionFWSM Firewall Version 2.3(2)20 <context>Compiled on Tue 20-Sep-05 02:29 by bnairFWSM up 4 mins 4 secsHardware: WS-SVC-FWM-1, 1024 MB RAM, CPU Pentium III 1000 MHzFlash V1.01 SMART ATA FLASH DISK @ 0xc321, 20MB0: gb-ethernet0: irq 51: gb-ethernet1: irq 72: ethernet0: irq 11Licensed Features:Failover: EnabledVPN-DES: EnabledVPN-3DES: EnabledMaximum Interfaces: 256 (per security context)Cut-through Proxy: EnabledGuards: EnabledURL-filtering: EnabledThroughput: UnlimitedISAKMP peers: UnlimitedSecurity Contexts: 2This machine has an Unrestricted (UR) license.Serial Number: SAD062302U5Running Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000Configuration last modified by enable_15 at 04:46:56 Sep 20 2005Table 3 shows the unmodified system startup configuration and the converted system running configuration after upgrading to Release 3.1.
Table 4 shows the unmodified context startup configuration and the converted context running configuration after upgrading to Release 3.1.
Restoring the FWSM to Release 2.x
You can restore the FWSM to the 2.x release using the following methods:
•
•
•
Downloading Release 2.x to the Current Application Partition
If you want to replace Release 3.1 with Release 2.x, you can download the 2.x software over the 3.1 software in the current application partition. To restore 2.x, perform the following steps:
Step 1
•
hostname# write memory•
hostname# copy tftp://server[/path]/filename startup-config•
hostname# copy ftp://[user[:password]@]server[/path]/filename startup-config•
hostname# copy http[s]://[user[:password]@]server[:port][/path]/filename startup-config•
hostname# copy disk:[path/]filename startup-configStep 2
•
hostname# copy tftp://server[/path]/filename disk:[path/]filename•
hostname# copy ftp://[user[:password]@]server[/path]/filename disk:[path/]filename•
hostname# copy http[s]://[user[:password]@]server[:port][/path]/filename disk:[path/]filenameStep 3
•
hostname# copy tftp://server[/path]/filename flash:•
hostname# copy ftp://[user[:password]@]server[/path]/filename flash:•
hostname# copy http[s]://[user[:password]@]server[:port][/path]/filename flash:Step 4
•
hostname# reloadProceed with reload? [confirm]At the `Proceed with reload?' prompt, press Enter to confirm the command.
Rebooting...•
a.
standby(config)# reloadAfter the standby unit restarts, the version mismatch causes failover to be disabled; because the standby unit sensed the version mismatch with an active unit, it continues to be in a standby state.
b.
active(config)# reloadCurrent connections to the active unit will be disconnected. New connections will be handled by the standby unit after you reenable failover.
c.
standby(config)# failoverThe standby unit senses that the failover link is down, and becomes active.
d.
formeractive(config)# failover activeBefore performing this step, ensure that the configuration and stateful connections are synchronized between the two units to minimize traffic loss.
Booting Release 2.x from the Backup Application Partition
If you already have Release 2.x and a current 2.x startup configuration on the backup application partition, perform the following steps.
Note
Step 1
•
hostname# copy tftp://server[/path]/filename disk:[path/]filename•
hostname# copy ftp://[user[:password]@]server[/path]/filename disk:[path/]filename•
hostname# copy http[s]://[user[:password]@]server[:port][/path]/filename disk:[path/]filename•
hostname# copy disk:[path/]filename disk:[path/]newfilenameStep 2
hostname# exitLogoff[Connection to 127.0.0.31 closed by foreign host]Router#You might need to enter the exit command multiple times if you are in a configuration mode.
Step 3
•
Router# show boot device [mod_num]For example:
Router# show boot device[mod:1 ]:[mod:2 ]:[mod:3 ]:[mod:4 ]: cf:4[mod:5 ]: cf:4[mod:6 ]:[mod:7 ]: cf:4[mod:8 ]:[mod:9 ]:•
Console> (enable) show boot device mod_numFor example:
Console> (enable) show boot device 4Device BOOT variable = cf:4Step 4
•
Router(config)# boot device module mod_num cf:{4 | 5}•
Console> (enable) set boot device cf:{4 | 5} mod_numStep 5
•
Router# hw-module module mod_num reset•
Console> (enable) reset mod_numStep 6
•
Router# session slot number processor 1•
Console> (enable) session module_numberBy default, the password to log in to the FWSM is cisco (set by the password command).
Installing Release 2.x and Booting in to the Backup Application Partition
To preserve the 3.1 software image in the current application partition, you can install Release 2.x in the backup partition and then boot into the backup partition. To install software in the non-current application partition, you must boot in to the maintenance partition, where you can download software to either partition from an FTP server only.
The FWSM maintenance partition can only use VLAN 1 on the switch. The FWSM does not support 802.1Q tagging on VLAN 1.
To install 2.x software from an FTP server while logged into the maintenance partition then boot in to the backup partition, perform the following steps.
Note
Step 1
hostname# exitLogoff[Connection to 127.0.0.31 closed by foreign host]Router#You might need to enter the exit command multiple times if you are in a configuration mode.
Step 2
•
Router# show boot device [mod_num]For example:
Router# show boot device[mod:1 ]:[mod:2 ]:[mod:3 ]:[mod:4 ]: cf:4[mod:5 ]: cf:4[mod:6 ]:[mod:7 ]: cf:4[mod:8 ]:[mod:9 ]:•
Console> (enable) show boot device mod_numFor example:
Console> (enable) show boot device 4Device BOOT variable = cf:4Step 3
•
Router(config)# boot device module mod_num cf:{4 | 5}•
Console> (enable) set boot device cf:{4 | 5} mod_numStep 4
•
Router# hw-module module mod_num reset cf:1•
Console> (enable) reset mod_num cf:1Step 5
•
Router# session slot number processor 1•
Console> (enable) session module_numberStep 6
Login: rootPassword:By default, the password is cisco.
Step 7
a.
root@localhost# ip address ip _address netmaskThis address is the address for VLAN 1, which is the only VLAN used by the maintenance partition.
b.
root@localhost# ip gateway ip_addressc.
root@localhost# ping ftp_addressStep 8
root@localhost# upgrade ftp://[user[:password]@]server[/path]/filename cf:{4 | 5}Install the new software to the backup partition.
Follow the screen prompts during the upgrade.
Step 9
root@localhost# logoutStep 10
•
Router# hw-module module mod_num reset•
Console> (enable) reset mod_numStep 11
•
Router# session slot number processor 1•
Console> (enable) session module_numberBy default, the password to log in to the FWSM is cisco (set by the password command). If this partition does not have a startup configuration, the default password is used.
Step 12
hostname> enableThe default password is blank (set by the enable password command). If this partition does not have a startup configuration, the default password is used.
Step 13
•
hostname# copy tftp://server[/path]/filename disk:[path/]filename•
hostname# copy ftp://[user[:password]@]server[/path]/filename disk:[path/]filename•
hostname# copy http[s]://[user[:password]@]server[:port][/path]/filename disk:[path/]filename•
hostname# copy disk:[path/]filename disk:[path/]newfilenameStep 14
•
•
hostname# copy tftp://server[/path]/filename running-config•
hostname# copy ftp://[user[:password]@]server[/path]/filename running-config•
hostname# copy http[s]://[user[:password]@]server[:port][/path]/filename running-config•
hostname# copy disk:[path/]filename running-configStep 15
hostname# write memoryStep 16
hostname# configuration terminalhostname(config)# mode multipleWARNING: This command will change the behavior of the deviceWARNING: This command will initiate a RebootProceed with change mode? [confirm]Confirm to reload the FWSM.
Changed and Deprecated Commands
This section describes the changed and deprecated commands in FWSM Release 3.1 and includes the following topics:
•
•
•
•
•
•
Command Overview
Many existing FWSM commands have been extended with new keywords and other command-line options, as a result of the functionality introduced in FWSM Release 3.1 (see Table 5). FWSM Release 3.1 includes over 50 new features, listed in the "New Features" section and described in greater detail in the FWSM Release 3.1 documentation.
When you upgrade to FWSM 3.1, deprecated commands are automatically converted to the new syntax. After conversion, FWSM Release 3.1 accepts only the new commands. If you enter the old commands, a syntax error is displayed.
The automatic conversion of commands results in a change in your configuration. You should review the configuration changes after booting to verify that the automatic changes made by the software are acceptable. You should then save the configuration to Flash memory. Saving the new configuration to Flash memory prevents the system from converting your configuration again the next time FWSM Release 3.1 is booted.
Summary of Changes
Highlights of the changes in FWSM Release 3.1 include the following:
•
Modular Policy Framework is supported with the following features:
–
–
Configuring Modular Policy Framework consists of three tasks:
a.
b.
c.
By default, the 3.1 configuration includes a policy that matches all default application inspection traffic and applies inspection to the traffic on all interfaces (a global policy). You can only apply one global policy, so if you want to alter the global policy, you need to either edit the default policy or disable it and apply a new one.
•
•
•
•
•
•
•
•
Most changed and deprecated features and commands will be converted automatically when FWSM Release 3.1 boots on your system.
Table 5 lists the commands that were changed or deprecated.
CLI Processor
The CLI parser capabilities have been enhanced in FWSM Release 3.1 to include Cisco IOS software-like parser services, such as context-sensitive Help and command completion, resulting in some minor behavior changes compared to FWSM Release 2.x. FWSM Release 3.1 also introduces minor changes in mode navigation and terminology so that it is closer to the Cisco IOS software CLI.
This section describes the impact that the changes will have on the CLI commands in FWSM Release 3.1. It includes the following topics:
•
•
Show, Clear, and No Commands
The show and clear commands in FWSM Release 2.x were applied inconsistently. In some cases, these commands were used to show and clear configuration objects. In other cases they were used to show and clear operational data or statistics. To make the behavior consistent and distinguish between operations on configuration versus statistics, the show and clear commands have been modified to require additional keywords to show or clear configurations.
The no variant no longer removes multiple lines of configuration simultaneously. In FWSM Release 3.1, the no variant removes a single configuration line only. For clearing a configuration, FWSM Release 3.1 supports only the use of the clear configure cmd command in configuration mode.
For example, in FWSM Release 2.x, a single no access-list access-list name command removes the following commands:
access-list myaccesslist extended permit tcp host 10.175.28.97 host 10.180.210.209 eq 37000access-list myaccesslist extended permit tcp host 10.175.28.97 host 10.180.210.68 eq 37000access-list myaccesslist extended permit tcp host 10.175.28.98 host 10.180.210.68 eq 37000But in FWSM Release 3.1, the preceding commands are removed by using either the clear configure access-list access-list name command or by entering a no command for each line:
no access-list myaccesslist extended permit tcp host 10.175.28.97 host 10.180.210.209 eq 37000no access-list myaccesslist extended permit tcp host 10.175.28.97 host 10.180.210.68 eq 37000no access-list myaccesslist extended permit tcp host 10.175.28.98 host 10.180.210.68 eq 37000The following examples illustrate the use of the clear configure command:
FWSM Release 2.x syntax:
clear access-list nameclear sshFWSM Release 3.1 syntax:
clear configure access-list nameclear configure sshIn this example, if you use the no access-list name command, you will receive an error message.
The show cmd command shows statistics, buffer, counters, and others. The show running-config cmd command shows the configuration.
For example, in FWSM Release 2.x, the show snmp-server command displayed the running configuration. In FWSM Release 3.1, the show running-config snmp-server command displays the running configuration and the show snmp-server statistics command displays run-time information about SNMP.
Context-Sensitive Help Changes
Table 6 lists the context-sensitive Help changes in FWSM Release 3.1:
Command Syntax Checking
Table 7 lists changes that occur as a result of the upgrade to FWSM Release 3.1:
Mode Navigation Changes
FWSM Release 3.1 introduces minor changes in mode navigation so that its behavior is more similar to Cisco IOS software CLI.
In Release 2.x, Ctrl+Z logs you out from the console. However, in Release 3.1, Ctrl+Z is not supported as an exit method. However, you can still use exit, quit, or logout commands as in FWSM Release 2.x. In FWSM Release 3.1, if you enter Ctrl+Z, the following error message is displayed:
ERROR:% Invalid input detected at '^' marker.Documentation Terminology Changes
FWSM Release 3.1 introduces minor changes in documentation terminology so that it is more similar to Cisco IOS documentation.
Table 8 describes the terminology changes between FWSM Release 2.x and FWSM Release 3.1.
Application Inspection (fixup Command)
The FWSM uses stateful application inspection, often called fixups, to ensure secure use of applications and services. In FWSM Release 3.1, the fixup command has been deprecated and replaced by the inspect command in the Modular Policy Framework.
Note
Modular Policy Framework is a CLI framework that lets you define traffic classes and apply feature-specific actions (policies) to them. This improves granularity and flexibility when configuring network policies.
When you upgrade to FWSM Release 3.1, each fixup command is automatically converted to the corresponding inspect command within the Modular Policy Framework. No manual intervention is required. All fixups that were previously non-configurable (such as NetBIOS) are also made configurable and converted to Modular Policy Framework commands.
In FWSM Release 3.1, fixup commands are still accepted at the CLI, but an informational message similar to the following appears:
hostname(config)# fixup protocol http 8080INFO: converting 'fixup protocol http 8080' to MPF commandsThe application inspection engines introduced in FWSM Release 3.1, such as CTIQBE, must be used with the inspect command in Modular Policy Framework.
Table 9 lists the inspect commands corresponding to each fixup command. Note that instead of applying application inspection to all traffic on all interfaces, you now configure a class map to determine the traffic, a policy map to apply the inspections to the traffic, and a service policy to apply the policy to one or more interfaces. In the case of the default policy that follows, the FWSM applies inspections to all traffic on the default port numbers on all interfaces, so that the default functionality is the same as in Release 2.x.
In the FWSM Release 3.1 column of Table 9, note that the inspect commands do not have port numbers, unlike the corresponding fixup commands in FWSM Release 2.x. The port numbers in this example are implicitly included in the default class map. Table 10 lists the default ports for each application inspection engine shown in Table 9.
Table 10 Default Ports for Table 9 Commands
ctiqbe
dns
ftp
gtp
h323 h225
h323 ras
http
icmp
ils
mgcp
netbios
rpc
rsh
rtsp
sip
skinny
smtp
sqlnet
tftp
xdmcp
tcp
udp
tcp
udp
tcp
udp
tcp
icmp
tcp
udp
udp
udp
tcp
tcp
tcp, udp
tcp
tcp
tcp
udp
udp
N/A
53
N/A
2123,3386
N/A
N/A
N/A
N/A
N/A
2427,2727
137-138
111
N/A
N/A
N/A
N/A
N/A
N/A
N/A
177
2748
53
21
2123,3386
1720
1718-1719
80
N/A
389
2427,2727
N/A
111
514
554
5060
2000
25
1521
69
177
Mixed Routed and Transparent Firewall Mode
FWSM Release 3.1 supports mixed firewall modes in different contexts. You can set the firewall mode independently for each context, so some contexts can be in routed mode and others in transparent mode. Therefore, the firewall mode is no longer set in the system configuration (the firewall transparent command) but is instead set in each context. The firewall transparent command (or the no form) is automatically added to each running context configuration.
To view the mode of all the contexts, enter the show firewall command in the system execution space. The following is sample output from the show firewall command.
hostname(config)# show firewallContext Mode-------------------------contexta Transparentcontextb RoutedTransparent Mode Bridge Groups
In FWSM Release 3.1, each pair of interfaces in transparent mode now belongs to a bridge group. You can configure up to eight bridge groups containing two interfaces each. Each bridge group connects to a separate network. Bridge group traffic is isolated from other bridge groups. Traffic is not routed to another bridge group within the FWSM, and traffic must exit the FWSM before it is routed by an external router back to another bridge group in the FWSM.
You might want to use more than one bridge group if you do not want the overhead of security contexts, or if you want to maximize your use of security contexts. Although the bridging functions are separate for each bridge group, many other functions are shared between all bridge groups. For example, all bridge groups share a syslog server or AAA server configuration. For complete security policy separation, use separate security contexts with one bridge group in each context.
The new bridge-group command in interface configuration mode assigns the interface to a bridge group. The new interface bvi command sets the management IP address for the bridge group.
By default, when you upgrade, the interfaces in a transparent firewall are assigned to bridge group 1. The following CLI is added (in multimode, this is added to each transparent context):
interface vlan ybridge-group 1interface vlan zbridge-group 1interface bvi 1ip address n.n.n.n
Note
Interfaces
In FWSM Release 3.1, you use the interface vlan command instead of the interface name command. Also, in FWSM Release 3.1, the nameif, ip address, and security-level commands are now available in the interface configuration mode. The interface configuration mode facilitates other feature enhancements such as support for IPv6. The hierarchical output also improves the readability of a configuration file compared with the flat structure used in FWSM Release 2.x.
After upgrading to FWSM Release 3.1, for every VLAN that is allocated to a context with the allocate-interface command, interface commands are added to the system configuration as well as to each context. In the system configuration, you can shut down or enable an interface for all contexts.
The following example shows the syntax in FWSM Release 2.x and the corresponding configuration in FWSM Release 3.1:
FWSM Release 2.x
nameif vlan10 outside security0nameif vlan15 inside security100ip address outside 10.6.37.124 255.255.255.0ip address inside 192.16.1.1 255.255.255.0interface insideno shutdowninterface outsideshutdownFWSM Release 3.1
interface vlan 10nameif outsidesecurity-level 0ip address 10.6.37.124 255.255.255.0no shutdowninterface vlan 15nameif insidesecurity-level 100ip address 192.16.1.1 255.255.255.0no shutdownIn multiple context mode, the system configuration also includes the following:
interface vlan 10no shutdowninterface vlan 15no shutdownTable 11 summarizes the changes in the interface command syntax.
AAA
In FWSM Release 2.x, server parameters were configured per server group. In FWSM Release 3.1, server parameters can be configured per AAA server with some parameters being configurable only for the entire AAA server group. There is also a change in the way that AAA server groups are mapped to VPN tunnels.
In FWSM Release 3.1, the aaa-server command enables a configuration mode that lets you define the parameters for an AAA server group. To use an AAA server for authentication, authorization, or accounting, you must first create at least one AAA server group and add one or more servers to the group. You identify AAA server groups by name. Each server group is specific to one type of protocol: Kerberos, LDAP, NT, RADIUS, SDI, or TACACS+.
FWSM Release 3.1 allows most AAA server configuration parameters to be configured per server. The aaa-server command now has the following two configuration modes:
•
•
The following is an example:
aaa-server svrgrp1 protocol radiusaaa-server svrgrp1 host 10.10.10.1timeout 30retry 3exitaaa-server svrgrp1 host 10.10.10.2timeout 60retry 3exit
Note
Table 12 lists changes in the aaa-server, auth-prompt, and floodguard commands.
MGCP
With the introduction of Modular Policy Framework, all fixup commands including fixup mgcp have been converted to inspect commands (see the "Application Inspection (fixup Command)" section). Also, the existing Media Gateway Control Protocol (MGCP) commands have been moved under the mgcp-map command to work within the Modular Policy Framework.
The fixup mgcp and mgcp commands have been deprecated, and are replaced with the inspect mgcp and mgcp-map commands, along with commands within the MGCP-map configuration mode. When upgrading to FWSM Release 3.1, MGCP commands are converted automatically and manual intervention is not required. Table 13 summarizes the changes that have occured to the MGCP commands in FWSM Release 3.1.
NAT
In FWSM Release 3.1, a new command, nat-control, has been introduced to maintain FWSM Release 2.x NAT functionality. When you upgrade to FWSM Release 3.1, the new nat-control command is automatically incorporated into the configuration.
In FWSM Release 2.x, whenever hosts on a higher security interface communicate with hosts on a lower security interface, you must configure NAT on the higher security interface. In FWSM Release 3.1, this NAT control can be disabled. You can still configure NAT, but NAT is not required for communication. For example, if you disable NAT control, you do not need to configure a static NAT statement for outside hosts to connect to an inside host. When you upgrade from FWSM Release 2.x to Release 3.1, NAT control is enabled.
To disable NAT control, enter the no nat-control command.
Miscellaneous Commands
Failover
File system commands (rename, mkdir, rmdir, delete, copy running-config startup-config) are replicated to the standby unit in FWSM Release 3.1
When a file system command fails on the standby device, no configuration sync occurs between the active and standby devices because the file system commands are not part of the configuration. When a file system command fails on the standby device, an informational message is displayed, noting that the file system may be out of sync.
Both the write memory and the copy running-config startup-config commands are replicated. The format command is not replicated.
Logging Commands
You can no longer configure any logging commands in the system execution space. Instead, system messages (including failover messages) are output in the admin context. To differentiate system and admin messages, enter the following command in the admin context:
hostname/admin(config)# logging device-id context-name
Note
Device Management Commands
In FWSM Release 3.1, the device manager is called ASDM, and not PDM. All pdm commands are now asdm commands. These commands convert automatically when upgrading to FWSM Release 3.1. Manual intervention is not required.
Table 15 lists changes in these commands.
VPN Commands
This section describes the VPN commands that have changed in FWSM Release 3.1. It includes the following topics:
•
•
Group Management
The vpngroup command has been replaced by the tunnel-group and group-policy commands. Dividing configuration data between the tunnel-group and the group-policy commands is intended to facilitate the sharing of group policies.
The tunnel group is generally tied to a VPN peer or group of peers. The group policy is then applied to either a single tunnel group or to several tunnel groups. An additional benefit is that the group policy can be stored or maintained on an external policy server.
All uses of the vpngroup command are automatically converted to the tunnel-group and group-policy commands. The following is an example of some vpngroup commands converted to the new syntax:
FWSM Release 2.x syntax:
vpngroup group1 address-pool pool1vpngroup group1 password mypasswordFWSM Release 3.1 syntax:
tunnel-group group1 type ipsec-ratunnel-group group1 general-attributesaddress-pool pool1tunnel-group group1 ipsec-attributespre-shared-key mypasswordFWSM Release 2.x syntax:
crypto map map_name client authenticate aaa_server_group_nameFWSM Release 3.1 syntax:
tunnel-group group1 type ipsec-ratunnel-group group1 general-attributesauthentication-server-group myservergroupRemote Peers
After upgrading from FWSM Release 2.x to FWSM Release 3.1, connections fail on an FWSM that terminates the remote connections from Cisco IOS peers when using a dynamic crypto map with certificates. The solution is to change the configuration to force the connecting Cisco IOS peers into the ipsec-l2l group.
The following is sample output from the debug crypto isakmp 50 command, after you perform an upgrade to FWSM Release 3.1:
debug crypto isakmp 50...[IKEv1], IP = x.x.x.x , Connection landed on tunnel_group DefaultRAGroup[IKEv1], Group = DefaultRAGroup, IP = x.x.x.x Xauthrequired but selected Proposal does not support xauth, Checkpriorities of ike xauth proposals in ike proposal list,...Xauth
In FWSM Release 2.x, Xauth was disabled by default for dynamic or remote access (client) tunnels. If you did not use Xauth, there will be no indication of this in your configuration.
When you upgrade to FWSM Release 3.1, the default remote access tunnel group has Xauth enabled by default, and it attempts to authenticate tunnels from the local database.
In FWSM Release 2.x, if you terminate dynamic VPN tunnels without Xauth, you must add the following information to your configuration after upgrading to disable Xauth:
For the default group:
tunnel-group DefaultRAGroup general-attributesauthentication-server-group noneIf any additional tunnel groups were converted, you should add the following command to each tunnel group:
tunnel-group group_name general-attributesauthentication-server-group noneIn FWSM Release 3.1, the ISAKMP default policy is no longer hidden. The ISAKMP default policy is now visible in the running configuration, and you can retain, modify, or remove it.
FWSM Release 2.x syntax:
Default protection suiteencryption algorithm: DES - Data Encryption Standard (56 bit keys).hash algorithm: Secure Hash Standardauthentication method: Rivest-Shamir-Adleman SignatureDiffie-Hellman group: #1 (768 bit)lifetime: 86400 seconds, no volume limitFWSM Release 3.1 syntax:
isakmp policy 65535 authentication rsa-sigisakmp policy 65535 encryption desisakmp policy 65535 hash shaisakmp policy 65535 group 1isakmp policy 65535 lifetime 86400Public Key Infrastructure (PKI) Commands
This section describes the PKI commands that are affected when upgrading to FWSM Release 3.1.
The certification authority (ca) commands were modified to incorporate more PKI features and to make them look more like Cisco IOS software commands.
The concept of a trustpoint is new for FWSM Release 3.1. A trustpoint is the representation of a certification authority (CA) certificate/identity certificate pair and includes the following information:
•
•
•
In FWSM Release 2.x, the functionality of trustpoints was provided through CA identities, configured with the ca identity command.
A trustpoint allows the configuration and use of multiple CA certificates and consequently multiple identity certificates in FWSM Release 3.1. FWSM Release 2.x only supported the configuration and use of a single identity certificate. The following is an example of how the CLI has changed:
FWSM Release 2.x syntax:
ca identity myca 10.10.10.100 10.10.10.110ca configure myca ca 3 3FWSM Release 3.1 syntax:
crypto ca trustpoint mycaenroll url 10.10.10.100enrollment mode caenrollment retry period 3enrollment retry count 3crl requiredcrlldap_defaults 10.10.10.110In FWSM Release 3.1, there are two key changes:
•
•
In FWSM Release 3.1, the clear configure crypto command removes all crypto configurations, including CA configurations.The behavior of any clear config keyword command is to remove all lines from the running configuration that are based on the keyword. To display CA information, enter the show crypto command.
In FWSM Release 2.x, the clear crypto command removed all crypto configurations other than certification authority (CA) configurations, such as trustpoints, certificates, and certificate maps.
The deprecated ca commands are converted automatically when upgrading to FWSM Release 3.1. There are also additional new ca commands. See the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference for more information on the new ca commands.
The ca save all command has been removed and as with Cisco IOS software, keys and certificate data are saved at the same time that the configuration is written to memory.
Summary of Changes in the VPN Commands
Table 16 summarizes the changes that have occurred in the VPN commands between FWSM Release 2.x and FWSM Release 3.1.
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.
