PIX 515 Configuration

The PIX 515 provides a new chassis and a new way of downloading images and upgrading the activation key. Apart from these changes, all other configuration issues are the same between the PIX 515 and all previous PIX Firewall models.

This chapter includes the following sections:

PIX 515 LEDs

Downloading a PIX 515 Image over TFTP

Upgrading the PIX 515 Activation Key

PIX 515 LEDs

The PIX 515 has three LEDs in the front left of the chassis that are labeled as follows:

POWER—On when the unit has power.

ACT—On when the unit is the Active failover unit. If failover is not enabled, this light is on. If failover is present, the light is on when the unit is the Active unit and off when the unit is in Standby mode.

NETWORK—On when at least one network interface is passing traffic.

At the rear of the unit are connectors for the inside and outside Ethernet interfaces, for failover, and for the serial console. LEDs on either side of the Ethernet connectors indicate if 100 Mbps Ethernet is present, whether the link is active, and whether full duplex is present.

Downloading a PIX 515 Image over TFTP

The PIX 515 receives its boot image either from Flash memory or by downloading the image from a TFTP server. (You can use the optional TFTP server that Cisco sells, the TFTP server provided with UNIX, or a TFTP server available for your computer.)

This section describes the monitor command, which you can invoke while the PIX 515 is booting by sending a BREAK character or pressing the Esc key.

This section includes the following topics:

monitor Command

TFTP Download Error Codes

monitor Command

Because the PIX 515 does not have a diskette drive, you need to send a binary image to the PIX 515 using Trivial File Transfer Protocol (TFTP). The PIX 515 has a special mode called monitor mode that lets you retrieve the binary image over the network. When you power on or reboot the PIX 515, it waits 10 seconds, during which you can send a BREAK character or press the Escape key to activate monitor mode.

If you do not want to enter monitor mode, press the space bar to start the normal boot immediately, or wait until the 10 seconds have elapsed and the PIX 515 will boot normally.

While in monitor mode, you can enter commands that let you specify the location of the binary image, download it, and reboot the PIX 515 from the new image. If you do not activate monitor mode, the PIX 515 boots normally from Flash memory.

Monitor mode also lets you ping the TFTP server to see if it is online, and lets you specify the IP address of the nearest router if the TFTP server is not on a subnet shared with a PIX 515 interface.

The monitor feature only works on the PIX 515 and not with earlier models of the PIX Firewall. TFTP does not perform authentication when transferring files, so a username and password on the TFTP server are not required.

If you are using Windows HyperTerminal, you can press the Esc (Escape) key or send a BREAK character by pressing the ctrl and break keys. From a Telnet session to a terminal server that has serial access to the PIX 515, use ctrl ] to get the Telnet command prompt, and then enter the send break command.

The maximum length of a filename is 122 characters.

If the TFTP service stops receiving data requests during a file transfer, it waits four seconds and then closes the connection.

To download an image over TFTP:


Step 1 Immediately after you power on the PIX Firewall and the startup messages appear, send a BREAK character or press the Esc (Escape) key.


Note   If you are using HyperTerminal with Windows 95, you can press the ctrl and break keys simultaneously to activate a BREAK. Depending on which service pack is installed, Windows NT HyperTerminal may not be able to send a BREAK character. Refer to the Windows NT documentation for more information.


The monitor> prompt appears.

Step 2 If desired, enter a question mark (?) to list the available commands.

Step 3 Use the interface command to specify which interface the ping traffic should use. If the PIX 515 has only two interfaces, the monitor command defaults to the inside interface.

Step 4 Use the address command to specify the IP address of the PIX Firewall's interface.

Step 5 Use the server command to specify the IP address of the remote server.

Step 6 Use the file command to specify the filename of the PIX Firewall image.

Step 7 If needed, enter the gateway command to specify the IP address of a router gateway through which the server is accessible.

Step 8 If needed, use the ping command to verify accessibility. If this command fails, fix access to the server before continuing.

Step 9 Use the tftp command to start the download.

An example follows:

Rebooting....
PIX BIOS (4.0) #47: Sat May  8 10:09:47 PDT 1999
Platform PIX-520
Flash=AT29C040A @ 0x300

Use BREAK or ESC to interrupt flash boot.
Use SPACE to begin flash boot immediately.
Flash boot interrupted.
0: i8255X @ PCI(bus:0 dev:13 irq:11)
1: i8255X @ PCI(bus:0 dev:14 irq:10)

Using 1: i82558 @ PCI(bus:0 dev:14 irq:10), MAC: 0090.2722.f0b1
Use ? for help.
monitor> ?
?                 this help message
address   [addr]  set IP address
file      [name]  set boot file name
gateway   [addr]  set IP gateway
help              this help message
interface [num]   select TFTP interface
ping      <addr>  send ICMP echo
reload            halt and reload system
server    [addr]  set server IP address
tftp              TFTP download
timeout           TFTP timeout
trace             toggle packet tracing
monitor> addr 192.168.1.1
address 192.168.1.1
monitor> serv 192.168.1.2
server 192.168.1.2
monitor> file cdisk
file cdisk
monitor> ping 192.168.1.2
Sending 5, 100-byte 0x5b8d ICMP Echoes to 192.168.1.2, timeout is 4 seconds:
!!!!!
Success rate is 100 percent (5/5)
monitor> tftp
tftp cdisk@192.168.1.2................................
Received 626688 bytes

PIX admin loader (3.0) #0: Tue May 11 10:43:02 PDT 1999
Flash=AT29C040A @ 0x300
Flash version 4.9.9.1, Install version 4.4.1

Installing to flash
...

TFTP Download Error Codes

During a TFTP download, if tracing is on, non-fatal errors appear in the midst of the dots that display as the image downloads. The error code appears inside angle brackets.

For example, bad blocks intermixed with good packets appear as follows:

....<11>..<11>.<11>......<11>...

Also, tracing will show "A" and "T" for ARP and timeouts, respectively. Receipt of non-IP packets causes the protocol number to display inside parentheses.

Table 7-1 lists the TFTP error codes.

Table 7-1 Error Code Numeric Values

Error Code   Description
2            The packet length as received from the Ethernet device was not big enough to be a valid TFTP packet.
3            The received packet was not from the server specified in the server command.
4            The IP header length was not big enough to be a valid TFTP packet.
5            The IP protocol type on the received packet was not UDP, which is the underlying protocol used by TFTP.
6            The received IP packet's destination address did not match the address specified by the address command.
7            The UDP ports on either side of the connection did not match the expected values. This means either the local port was not the previously selected port, or the foreign port was not the TFTP port, or both.
8            The UDP checksum calculation on the packet failed.
9            An unexpected TFTP code occurred.
10           A TFTP transfer error occurred.
11           A TFTP packet was received out of sequence.

Note   Error codes 9 and 10 cause the download to stop.
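As an added example (not Cisco's code and not part of this page), the following Python is a simplified model of the packet checks behind Table 7-1: it parses a constructed Ethernet/IPv4/UDP/TFTP frame, returns the table's code for the first check that fails, and renders a series of results the way the trace output shows them. The frame builder, the order of the checks, and the handling of the server's transfer port (passed in explicitly, as a TFTP client learns it from the server's first DATA packet) are assumptions.

```python
import struct

# Codes are from Table 7-1; the checks are an added simplified model, not Cisco's code.
UDP, TFTP_DATA, TFTP_ERROR = 17, 3, 5

def csum(data):  # RFC 1071 ones'-complement checksum; 0 means "verifies"
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def tftp_error_code(frame, my_ip, server_ip, local_port, server_port, block):
    # Returns None for the expected DATA block, else the Table 7-1 code.
    if len(frame) < 14 + 20 + 8 + 4:                  # Ethernet + IP + UDP + TFTP hdr
        return 2
    ip, ihl = frame[14:], (frame[14] & 0x0F) * 4
    if ihl < 20:
        return 4
    if ip[9] != UDP:
        return 5
    if ip[12:16] != server_ip:
        return 3
    if ip[16:20] != my_ip:
        return 6
    udp = ip[ihl:]
    if len(udp) < 12:                                 # IP options ate the room
        return 2
    sport, dport, ulen, ucsum = struct.unpack("!HHHH", udp[:8])
    if dport != local_port or sport != server_port:   # server TID from 1st DATA
        return 7
    pseudo = ip[12:20] + struct.pack("!BBH", 0, UDP, ulen)
    if ucsum and csum(pseudo + udp[:ulen]) != 0:
        return 8
    opcode, blk = struct.unpack("!HH", udp[8:12])
    if opcode != TFTP_DATA:
        return 10 if opcode == TFTP_ERROR else 9
    return 11 if blk != block else None

def build_frame(src, dst, sport, dport, tftp, proto=UDP, corrupt=False):
    # Constructed Ethernet/IPv4/UDP frame around a TFTP payload (test input only).
    ulen = 8 + len(tftp)
    pseudo = src + dst + struct.pack("!BBH", 0, UDP, ulen)
    c = csum(pseudo + struct.pack("!HHHH", sport, dport, ulen, 0) + tftp) or 0xFFFF
    udp = struct.pack("!HHHH", sport, dport, ulen, c ^ corrupt) + tftp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + ulen, 0, 0, 64, proto, 0, src, dst)
    return b"\x00" * 12 + b"\x08\x00" + ip + udp

def trace_line(codes):  # '.' per good block, <code> per error, as the monitor's trace prints
    return "".join("." if c is None else "<%d>" % c for c in codes)
```

The addresses in the test input below mirror the page's example session (PIX 192.168.1.1, server 192.168.1.2); the IP header checksum is not modelled because Table 7-1 does not list it.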


Upgrading the PIX 515 Activation Key


Note   The activation key can only be entered after downloading a new image—not from the command line or without first rebooting.


To upgrade an activation key on the PIX 515:


Step 1 Acquire a PIX 4.4(n) image from Cisco Connection Online (CCO).

Step 2 Set up a TFTP server and transfer the image to the proper directory.

Step 3 Reboot the PIX 515.

Step 4 Press Escape or send the BREAK character to enter the boot ROM monitor.

Step 5 Download a TFTP image as described in the previous section, "Downloading a PIX 515 Image over TFTP."

Step 6 When prompted to "install new image," enter y.

Step 7 When prompted to "enter new key," enter y.

Step 8 Enter the four-part activation key.

If the key is correct, the system will boot and run correctly.