Recover, Upgrade and Reset a Cisco PIX

If you have an old PIX 515 that is locked down and want to bring it back to a clean state running the latest PIX software release (7.x), you are at the right place. You will also need access to cisco.com with a valid Cisco account to proceed.

Prerequisites

  • Install a serial terminal, or a PC with terminal emulation software, on the PIX console port
  • Install a TFTP server on a machine that is reachable from one of the PIX interfaces
  • You will also need to retrieve files from the cisco.com web site using a Cisco login account and drop them into the TFTP server root folder
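
Before an image goes into the TFTP root, check it against the MD5 that cisco.com publishes next to each download, so that a corrupted or tampered file never reaches the flash. The following is an added example and not part of the original page; it assumes a POSIX shell on the TFTP host with md5sum (or openssl) installed, and the path /srv/tftp, the file name and the digest in the usage line are placeholders:

```shell
#!/bin/sh
# Added example (not from the original page): verify a downloaded PIX or ASDM
# image against the MD5 published on cisco.com before staging it for TFTP.
# Assumes md5sum (GNU coreutils) or openssl is installed on the TFTP host.

# verify_image FILE EXPECTED_MD5 -> 0 if the digest matches, 1 on mismatch,
# 2 if the file is missing. The expected digest may be upper or lower case.
verify_image() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    if command -v md5sum >/dev/null 2>&1; then
        actual=$(md5sum "$file" | cut -d' ' -f1)
    else
        actual=$(openssl dgst -md5 "$file" | sed 's/^.*= //')
    fi
    if [ "$actual" = "$expected" ]; then
        echo "OK        $file $actual"
        return 0
    fi
    echo "MISMATCH  $file expected=$expected actual=$actual" >&2
    return 1
}

# stage_image FILE EXPECTED_MD5 [TFTP_ROOT]: copy FILE into the TFTP root only
# after its digest has been verified. TFTP_ROOT defaults to /srv/tftp, a
# placeholder path to adjust to your own server.
stage_image() {
    file=$1
    expected=$2
    tftproot=${3:-/srv/tftp}
    verify_image "$file" "$expected" || return $?
    mkdir -p "$tftproot" || return 3
    cp "$file" "$tftproot/" || return 3
    chmod 0644 "$tftproot/$(basename "$file")"
}

# Usage (placeholder file name and digest; take the real digest from the
# cisco.com download page of the image):
#   stage_image pix707.bin 0123456789abcdef0123456789abcdef /srv/tftp
```

Cisco publishes the MD5 (and, on newer downloads, a SHA-512) beside each image; MD5 is no longer collision resistant, but checking it still catches truncated or corrupted transfers and any file that does not match what Cisco shipped, which is the point here. The copy into the TFTP root only happens when the digest matches, so a bad download cannot be served to the PIX by accident.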

To simplify the explanation, we will make some sample assumptions that you will have to adapt to your own configuration:

  • the TFTP server will be connected to Ethernet1 of your PIX
  • We will use 192.168.1.1 for the PIX Ethernet1 IP.
  • The TFTP server has IP 192.168.1.20
  • Network mask is 255.255.255.0

Note that the console captures reproduced below were taken on a lab setup where the PIX used 172.16.0.99 and the TFTP server 172.16.0.212; substitute the addresses above (or your own) wherever those appear.

Clean up the password

If you already have full access to the PIX, you can skip to the next step to erase and upgrade it.

  1. Connect to the PIX using your terminal and check that characters are flowing between the PIX and the terminal.
  2. Ideally, you should know the current version of your PIX software; if you can still log in, show version will give it to you from the console.
  3. Retrieve the PIX Password Lockout Utility corresponding to your PIX software version from the Cisco website using the following URL: http://www.cisco.com/warp/customer/110/npXX.bin, where XX is the first two digits of your software version without the dot. The utility for version 6.3 is http://www.cisco.com/warp/customer/110/np63.bin, and we will use it later in this tutorial. Put the np63.bin file in the TFTP server root folder. Note that this utility exists for 6.x and earlier releases only; once the PIX runs 7.x, password recovery goes through ROMMON instead, following Cisco's 7.x procedure.
  4. Power cycle your PIX and, during the initial startup just after power on, press the BREAK or ESC key when prompted to enter monitor mode:
Cisco Secure PIX Firewall BIOS (x.x) #0: xxxx
Platform PIX-515E
System Flash=xxxxxxxxx @ 0xfff00000

Use BREAK or ESC to interrupt flash boot.
Use SPACE to begin flash boot immediately.

Flash boot interrupted.
0: i8255X @ PCI(bus:0 dev:14 irq:10)
1: i8255X @ PCI(bus:0 dev:13 irq:11)
2: i8255X @ PCI(bus:0 dev:17 irq:11)

Using 1: i82557 @ PCI(bus:0 dev:13 irq:11), MAC: xxxx.xxxx.xxxx
Use ? for help.
monitor>

  5. The default network interface is Ethernet1 (shown as "Using 1:" above); if you need to use another interface, use the interface command to change it.
  6. To set up the interface, type the following commands at the prompt:

monitor> address 172.16.0.99
address 172.16.0.99
monitor> server 172.16.0.212
server 172.16.0.212
monitor> file np63.bin
file np63.bin

  7. You may also use the {gateway} command if your TFTP server is not on the local subnet.
  8. Check access to the TFTP server with

monitor> ping 172.16.0.212
Sending 5, 100-byte 0x6cb ICMP Echoes to 172.16.0.212, timeout is 4 seconds:
!!!!
Success rate is 80 percent (4/5)

  9. Start the PIX Password Lockout Utility with

monitor> tftp
tftp np63.bin@172.16.0.212......................................................
................................................................................
...............................................
Received 92160 bytes

Cisco Secure PIX Firewall password tool (3.0) #0: Thu Jul 17 08:01:09 PDT 2003
System Flash=E28F128J3 @ 0xfff00000
BIOS Flash=am29f400b @ 0xd8000

Do you wish to erase the passwords? [yn] y

  10. Confirm the proposed deletions (the utility lists the password and aaa lines it is about to remove from the configuration).
  11. After this procedure the telnet password is back to the default "cisco", there is no enable password, and the PIX reloads. Note what this implies: anyone with physical access to the console port and the power switch can take over the firewall this way, so the PIX belongs in a locked rack, and you should set new passwords as soon as the rebuild is finished.

Erase configuration

This procedure depends on your PIX software version.

Prior to version 7.0:

  1. Connect to the PIX through the console and enter enable mode using {enable}. No password is required if you have followed the password recovery procedure.
  2. To clear the configuration, use the {write erase} command, then the {reload} command to reload.
  3. At reload, a setup wizard will help you build a minimal configuration, including the Ethernet1 address.


Version 7.0

In configuration mode you may use the command

pixfirewall(config)# configure factory-default 192.168.1.1 255.255.255.0

which resets the configuration to the factory defaults with the given address and mask on the inside interface. It is used again in the upgrade procedure below.

Upgrade from 6.x to 7.0 software

Most of Cisco's prerequisites do not apply here, since we assume a freshly cleaned PIX as explained above. WARNING! Upgrading a PIX with a working configuration is a very different exercise, and Cisco documents it thoroughly on its site.

  1. Check with {show version} that you have at least 64 MB of RAM and 16 MB of flash. You have to add memory if you do not meet these requirements. Plain 100 MHz SDRAM DIMMs of 64 MB or 128 MB should be compatible.
  2. Download the latest image from the Cisco web site for both the PIX software and the ASDM management interface. You should get two files such as pix707.bin and asdm-507.bin; make them available through your TFTP server.
  3. Upload the new PIX software to your PIX from enable mode:

pixfirewall> enable
pixfirewall# copy tftp flash:image

  4. Enter the IP address of the TFTP server and the image name (pix707.bin), then confirm.
  5. When the upload is complete, exit and reload.
  6. After a long reload, with plenty of warnings about the converted configuration, clean up the configuration again (the new image is stored as image.bin in the 7.0 flash file system):

pixfirewall# configure terminal
pixfirewall(config)# configure factory-default 192.168.1.1 255.255.255.0
pixfirewall(config)# boot system flash:/image.bin

  7. You may also need to disable the DHCP server that the factory-default configuration turns on, to avoid conflicts if you already have a DHCP server on your network (check the running configuration with show running-config to get the exact address range for the second command, it depends on your IP):

pixfirewall(config)# no dhcpd enable inside
pixfirewall(config)# no dhcpd address 172.16.0.xxx-172.16.0.xxx inside

  8. Save the configuration and reload:

pixfirewall(config)# exit
pixfirewall# write memory
Building configuration...
Cryptochecksum: xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx
xxxx bytes copied in 0.310 secs
[OK]
pixfirewall# reload

Install ASDM

This last step is only required if you want to manage the PIX through its HTTPS (ASDM) web interface.

  1. Get back into enable mode. Since you have just upgraded from an old configuration, you have to make room in the flash for this installation.
  2. Check the files in the flash:
pixfirewall# show flash

Directory of flash:/

5      -rw-  0           00:03:00 Jan 01 1993  image_old.bin
7      -rw-  5437440     00:05:51 Jan 01 1993  image
3      drw-  64          16:53:49 Sep 24 2007  lost+found
12     -rw-  1790        16:53:50 Sep 24 2007  downgrade.cfg
14     -rw-  5472312     16:55:02 Sep 24 2007  image.bin

16128000 bytes total (1961984 bytes free)

  3. Be careful to keep the required files. The image.bin file should be our new image if you have followed the tutorial carefully. So here we delete image to make room, and image_old.bin, which is useless.

pixfirewall# del flash:image

Delete filename [image]?

Delete flash:/image? [confirm]

pixfirewall# del flash:image_old.bin

Delete filename [image_old.bin]?

Delete flash:/image_old.bin? [confirm]

  4. Install the ASDM image and configure it:

pixfirewall# copy tftp flash:asdm.bin

Address or name of remote host []? 172.16.0.212

Source filename []? asdm-507.bin

Destination filename [asdm.bin]?

Accessing tftp://172.16.0.212/asdm-507.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

...

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing current ASDM file flash:/asdm.bin
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

...

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
6161700 bytes copied in 127.500 secs (48517 bytes/sec)
pixfirewall# configure terminal
pixfirewall(config)# asdm image flash:asdm.bin
pixfirewall(config)# exit

  5. Save the configuration and reload

pixfirewall# write memory
Building configuration...
Cryptochecksum: xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx

xxxx bytes copied in 0.310 secs
[OK]

  6. All is done; you may now access your PIX from the web interface at https://192.168.1.1. For the sake of security, set new passwords as soon as possible: at this point the login password is still the default "cisco" and there is no enable password.
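
The hardening that the last step calls for, written out as an added example that is not part of the original page. It assumes the 7.0 factory-default configuration built above, a single management host at 192.168.1.20 on the inside interface (an assumption, adjust it), a placeholder domain name, and placeholder secrets in angle brackets that you replace with your own:

```cisco
! Added example, not from the original page: minimal post-rebuild hardening
! for PIX 7.0. Assumes the factory-default config built above, one management
! host at 192.168.1.20 on the inside interface (adjust it), the placeholder
! domain example.net, and placeholder secrets in <angle brackets>.
pixfirewall# configure terminal
! Replace the empty enable password and the default login password "cisco"
pixfirewall(config)# enable password <new-enable-secret>
pixfirewall(config)# passwd <new-login-password>
! A named administrator, so SSH and ASDM logins are tied to a user, not a shared password
pixfirewall(config)# username admin password <new-admin-password> privilege 15
pixfirewall(config)# aaa authentication ssh console LOCAL
pixfirewall(config)# aaa authentication http console LOCAL
pixfirewall(config)# aaa authentication enable console LOCAL
! SSH needs a domain name and an RSA key; allow it from the management host only
pixfirewall(config)# domain-name example.net
pixfirewall(config)# crypto key generate rsa modulus 1024
pixfirewall(config)# ssh 192.168.1.20 255.255.255.255 inside
pixfirewall(config)# ssh version 2
pixfirewall(config)# ssh timeout 10
! Do not add any telnet lines: telnet sends the password in clear text
! Narrow ASDM access to the management host; if show running-config shows an
! http line for the whole 192.168.1.0/24 subnet left by factory-default, remove it
pixfirewall(config)# no http 192.168.1.0 255.255.255.0 inside
pixfirewall(config)# http server enable
pixfirewall(config)# http 192.168.1.20 255.255.255.255 inside
! Keep a local log of what happens on the box
pixfirewall(config)# logging enable
pixfirewall(config)# logging buffered informational
pixfirewall(config)# exit
pixfirewall# write memory
```

Confirm the result with show running-config and show ssh, and keep the console cable connected until an SSH login from 192.168.1.20 has been proven to work: a lockout at this point means going through the monitor-mode recovery again. The aaa authentication lines make SSH, ASDM and enable use the local username rather than the shared passwd and enable password, which is why the named administrator is created first.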