PIX IOS Upgrade and Password Recovery
Part One: IOS Upgrade
During the PIX boot sequence you will see the following prompt:
Use BREAK or ESC to interrupt flash boot.
Use SPACE to begin flash boot immediately.
Reading 102912 bytes of image from flash.
PIX Flash Load Helper
Initializing flashfs...
monitor>
Press BREAK or ESC to enter monitor mode, which is roughly the PIX equivalent of Safe Mode on a PC:
1. List the interfaces available in monitor mode; these are the two FastEthernet ports.
monitor> interface
0: i8255X @ PCI(bus:0 dev:2 irq:255)
1: i8255X @ PCI(bus:0 dev:1 irq:255)
2. Here I select the first port; port 0 is the usual default.
monitor> interface 0
0: i8255X @ PCI(bus:0 dev:2 irq:255)
1: i8255X @ PCI(bus:0 dev:1 irq:255)
Using 0: i82559 @ PCI(bus:0 dev:2 irq:255), MAC: 000c.0f4g.d2h8
3. Configure the interface address, the TFTP server address and so on, then start the TFTP download of the new PIX OS.
monitor> address 10.0.0.9 (assign an IP address to the PIX)
address 10.0.0.9
monitor> server 10.0.0.8 (the TFTP server's address)
server 10.0.0.8
monitor> ping 10.0.0.8 (ping the TFTP server to confirm it is reachable)
Sending 5, 100-byte 0x7970 ICMP Echoes to 10.0.0.8, timeout is 4 seconds: !!!!!
Success rate is 100 percent (5/5)
monitor> file pix634.bin (the PIX IOS file to upgrade to; it must be in the TFTP directory)
file pix634.bin
monitor> tftp
tftp pix634.bin@10.0.0.8............................ ...
Cisco PIX Security Appliance admin loader (3.0) #0: Thu Mar 28 10:13:22 PST 2005
#################################################### ...
1024MB RAM
Cisco PIX Security Appliance Software Version 8.0(4)
****************************** Warning ******************************* This product contains cryptographic features and is subject to United States and local country laws
After step 3 the PIX reboots automatically. You will see that the IOS is now version 8.0(4), but that does not mean the upgrade is finished.
4. Check the version information.
vicwin# sh version (check the PIX version)
Cisco PIX Security Appliance Software Version 8.0(4)
Compiled on Thu 07-Aug-08 19:42 by builders
System image file is "Unknown, monitor mode tftp booted image"
(Note: if yours shows the same, do not save and reboot; continue with the steps below.)
Config file at boot was "
5. Copy the IOS into the PIX flash.
vicwin#
vicwin# copy tftp://192.168.0.10/pix804.bin flash://image (copy the IOS into the PIX flash)
Address or name of remote host [192.168.0.10]?
Source filename [pix804.bin]?
Destination filename [image]?
Because my PIX already has this IOS installed, I will not press Enter here: the PIX 515E flash is only 16 MB and this IOS is already over 7 MB, so please bear with me. There will be a lot of output!
tftp://192.168.0.10/pix804.bin!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!OK (the output looks roughly like the above; once the exclamation marks stop, pix804.bin has been written to your flash)
vicwin# sh flash
Directory of flash:/
4    -rw-  1803     00:01:46 Jan 01 1993  downgrade.cfg
7    -rw-  1978424  00:02:05 Jan 01 1993  image_old.bin
11   -rw-  7538688  00:54:16 Jan 01 1993  image
16128000 bytes total (6602240 bytes free)
vicwin#
vicwin(config)# boot system flash:?
configure mode commands/options:
flash:/downgrade.cfg flash:/image flash:/image_old.bin
vicwin(config)# boot system flash:/i
vicwin(config)# boot system flash:/image (set this image as the boot image)
vicwin# write (save the configuration)
Building configuration...
Cryptochecksum: f2e0a429 d1090a81 33c74342 181b4214
2230 bytes copied in 0.400 secs
[OK]
vicwin#
vicwin# reload
Proceed with reload? [confirm]
vicwin#
***
*** --- START GRACEFUL SHUTDOWN ---
Shutting down isakmp
Shutting down File system
vicwin# sh version (check the version after the reboot)
Cisco PIX Security Appliance Software Version 8.0(4)
Compiled on Thu 07-Aug-08 19:42 by builders
System image file is "flash:/image" (no longer "Unknown")
Config file at boot was "
vicwin up 26 secs
At this point the PIX IOS upgrade is complete; the PIX has been successfully upgraded to the pix804 version!
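As an added example that is not part of the original post, the following Python checker captures the point behind steps 4 and 5: an image TFTP-booted from monitor mode is not persistent until it has been copied to flash and selected with boot system. It parses sample "sh version" and "sh flash" output constructed to mirror the listings above, reports whether the running image would survive a reload, and checks whether an image of a given size fits in flash (assuming, as a labelled assumption, that overwriting a same-named file reclaims its space).

```python
import re
# Constructed sample output, modelled on the "sh version" and "sh flash" listings above.
SH_VERSION_TFTP = '''Cisco PIX Security Appliance Software Version 8.0(4)
System image file is "Unknown, monitor mode tftp booted image"
Config file at boot was "startup-config"'''
SH_VERSION_FLASH = SH_VERSION_TFTP.replace("Unknown, monitor mode tftp booted image", "flash:/image")
SH_FLASH = '''Directory of flash:/
4    -rw-  1803     00:01:46 Jan 01 1993  downgrade.cfg
7    -rw-  1978424  00:02:05 Jan 01 1993  image_old.bin
11   -rw-  7538688  00:54:16 Jan 01 1993  image
16128000 bytes total (6602240 bytes free)'''

# One directory entry: index, permissions, size, timestamp, file name.
FLASH_ENTRY = re.compile(r"^\s*\d+\s+\S+\s+(\d+)\s+\d\d:\d\d:\d\d \w{3} \d\d \d{4}\s+(\S+)\s*$")
FLASH_TOTAL = re.compile(r"(\d+) bytes total \((\d+) bytes free\)")

def parse_show_flash(text):
    """Return ({file name: size in bytes}, total bytes, free bytes) from 'show flash' output."""
    files, total, free = {}, 0, 0
    for line in text.splitlines():
        m = FLASH_ENTRY.match(line)
        if m:
            files[m.group(2)] = int(m.group(1))
        m = FLASH_TOTAL.search(line)
        if m:
            total, free = int(m.group(1)), int(m.group(2))
    return files, total, free

def image_fits(show_flash, dest_name, new_size):
    """Will an image of new_size bytes fit when copied to flash:/dest_name?
    Assumption: overwriting an existing file of the same name reclaims its space."""
    files, _total, free = parse_show_flash(show_flash)
    return free + files.get(dest_name, 0) >= new_size

def running_image(show_version):
    """The value of 'System image file is' from 'show version', or '' if absent."""
    m = re.search(r'System image file is "([^"]*)"', show_version)
    return m.group(1) if m else ""

def check_upgrade(show_version, show_flash, boot_system):
    """Findings that mean the upgrade will NOT survive a reload; an empty list means it is persistent."""
    findings = []
    image = running_image(show_version)
    if not image.startswith("flash:/"):
        findings.append("running image '%s' was TFTP-booted from monitor mode, not from flash" % image)
    files, _, _ = parse_show_flash(show_flash)
    if boot_system.rsplit("/", 1)[-1] not in files:
        findings.append("boot system %s does not exist in flash" % boot_system)
    return findings
```

Run check_upgrade against the real "sh version" and "sh flash" output before typing reload; with the numbers on this page, image_fits shows the 7 MB image only fits in the 6.6 MB of free space because it overwrites the existing "image" file.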
Part Two: Password Recovery
The steps are as follows:
Step 1: Connect the PC to the PIX with a dedicated console (rollover) cable.
Step 2: Connect the console PC's network card to the PIX's Ethernet 0 port with a crossover cable.
Step 3: Open a HyperTerminal session over the rollover cable, power on and check that you can reach the PIX. You can, but without the original password you cannot enter privileged mode.
Step 4: With the console connection working, reboot the PIX; when the boot messages appear, press BREAK or ESC within 9 seconds as the screen prompts to enter monitor mode.
Step 5: At the monitor> prompt, type interface 0 to enter interface mode.
Step 6: add 192.168.1.1 sets the IP address of the PIX port.
Step 7: server 192.168.1.88 sets the IP address of my TFTP server.
Step 8: file np63.bin names the password-recovery file to transfer (if you are unsure of the name, look in the TFTP directory).
Step 9: ping 192.168.1.88 tests layer-3 connectivity to the TFTP server. If it fails, check the connection between the network card and the PIX carefully.
Step 10: Type tftp and press Enter to start the transfer. When it completes you are asked whether to erase the password; enter y to confirm. After the password has been erased the system reboots automatically, and the enable password is now empty.
Step 11: It still prompts for a password; ignore it and press Enter. Done!
Step 12: If you want to change the password, use the relevant commands described above.
Example: Upgrading the PIX Firewall from Boothelper or Monitor Mode
monitor> interface 1
0: i8255X @ PCI(bus:0 dev:14 irq:10)
1: i8255X @ PCI(bus:0 dev:13 irq:11)
Using 1: i82557 @ PCI(bus:0 dev:13 irq:11), MAC: 0002.b945.a23c
monitor> address 172.18.124.154
address 172.18.124.154
monitor> server 172.18.125.3
server 172.18.125.3
monitor> file pix611.bin
file pix611.bin
monitor> ping 172.18.125.3
Sending 5, 100-byte 0xcde2 ICMP Echoes to 172.18.125.3, timeout is 4 seconds: !!!!!
Success rate is 100 percent (5/5)
monitor> tftp
tftp pix611.bin@172.18.125.3......................................................... Received 2562048 bytes
Cisco Secure PIX Firewall admin loader (3.0) #0: Tue Dec 5 17:35:46 PST 2000
System Flash=E28F128J3 @ 0xfff00000
BIOS Flash=am29f400b @ 0xd8000
Flash version 6.1.1, Install version 6.1.1
Do you wish to copy the install image into flash? [n] y
Installing to flash
Serial Number: 480380761 (0x1ca20759)
Activation Key: 760754d0 39f62229 a4a0245f b5b87e80
Do you want to enter a new activation key? [n] n
Writing 2469944 bytes image into flash...