How do I upgrade the IOS on a Cisco Pix firewall from 4.4 to 6.3?

Hi Everyone,

The very first time I saw a Cisco Pix firewall was three days ago when
my boss put one on my desk and asked me to upgrade it to 6.35.

I have managed to deduce that it is currently running version 4.4, I
have configured an interface so that I can connect to tftp server but I
can find no command to upload the new binary file. I would normally
have expected a 'copy' command if this was a router. Can anyone point
me in the right direction please?

Thanks,
Danny...

Re: How do I upgrade the IOS on a Cisco Pix firewall from 4.4 to 6.3?

In article <1157928388.377345.52190@q16g2000cwq.googlegroups.com>,
wrote:

>The very first time I saw a Cisco Pix firewall was three days ago when
>my boss put one on my desk and asked me to upgrade it to 6.35.

>I have managed to deduce that it is currently running version 4.4, I
>have configured an interface so that I can connect to tftp server but I
>can find no command to upload the new binary file. I would normally
>have expected a 'copy' command if this was a router. Can anyone point
>me in the right direction please?

How's your relationship with your boss? Because what you should do
is tell him that the upgrade is more trouble than it is worth (or not
possible at all) See below.


PIX Classic: cannot be done -- does not run PIX 6.x software
PIX 10000: cannot be done -- does not run PIX 6.x software
PIX 510: cannot be done -- does not run PIX 6.x software

PIX 501, 506, 506E, 515E, 525, 535: not possible, as they never
ran 4.4 software.

PIX 520: requires flash memory upgrade to 16 Mb. Then see
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pi x_sw/v_63/config/upgrade.htm#wp1004236
for information on using the floppy drive to start the upgrade process.
- This device will likely require a new license key in order to be
used for 5.1(2) or later. This license key would be free (provided
it was still the same company that previously owned the device.)
- This device is End of Life, and all support contracts on it have
been terminated. It is thus not acceptable to Cisco to upgrade it now
to PIX 6.3 under the terms of any support contract. It is not acceptable
to Cisco to upgrade it to any software version that you "happen to have
lying around". The only acceptable upgrade, as far as I can tell,
would be a one-time purchase of the 6.3 software release; I was recently
informed that the list price for that is $US1000.
- PIX 6.3(5)112 is the last software release that will be supported
on this device (unless there is another 6.3 bug fix release.)


PIX 515:
Start the upgrade from monitor mode; see
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pi x_sw/v_63/config/upgrade.htm#wp1004008
- This device would definitely require a new license key in order to
be used for 5.1(2) or later. This license key would be free
(provided that it was still the same company that previous owned the device.)
- This model is still supportable, but PIX 4.4 was End of Life a long
time ago, so the device must not be under software support at this time.
It is not acceptable to Cisco to upgrade it to any software version that
you "happen to have lying around". You could go the one-time license
purchase route mentioned above. You -might- also be able to get a
support contract on it even now, but cisco would probably require
an "inspection fee" (several hundred dollars) if you tried to put it
under one of the usual support contracts. There is a software support
only contract that isn't particularily well known; the Cisco product
codes for that start with SASU- . I don't know
if Cisco would allow you to go directly to such a contract, or whether
they would insist that you do a one-time upgrade purchase due to your
version being so old. If you can manage to get into a CON- or
SASU- contract without paying an inspection fee or one-time upgrade
fee, then the cost to (legally) use the 6.3(5) software would probably
be noticably lower.
- This device is supported in PIX 7.x provided that it is upgraded
to sufficient RAM.


If the idea is just to give you practice with configuring a PIX,
a PIX 501 or 506E would probably be less trouble and expense -- though
neither will be supported in PIX 7.x. If studying forward for the
Cisco PIX "family" is the idea, then consider a Cisco ASA 5505
or 5510: the ASA software has the same base as PIX 7.x but the ASA
is newer, faster, less expensive, has more facilities...