Upgrading an FWSM card
This article is a short procedure for upgrading an FWSM card, from start to finish.
Since this procedure already "saved my life" a few months ago, I'm sharing it here.
Start by creating a VLAN through which the image will travel between our PC, connected to the Catalyst 6500 chassis, and the FWSM card.
Our PC is connected to port FastEthernet 3/1, in VLAN 100.
Cat6500#conf t
!!! VLAN 1 can not be used for the FWSM !!!
Cat6500(config)#vlan 100
Cat6500(config-vlan)#exit
Cat6500(config)#interface fa 3/1
Cat6500(config-if)#switchport
Cat6500(config-if)#switchport mode access
Cat6500(config-if)#switchport access vlan 100
Cat6500(config-if)#no sh
Cat6500(config-if)#exit
Cat6500(config)#exit
Cat6500#
Cat6500#sh ip int brief
...
FastEthernet3/1 unassigned YES unset up up
...
Cat6500#
Cat6500#sh mod
Mod Ports Card Type Model Serial No.
--- ----- -------------------------------------- ------------------ -----------
3 48 48 port 10/100 mb RJ45 WS-X6348-RJ-45 SAL043310FK
6 2 Supervisor Engine 720 (Active) WS-SUP720-BASE SAD081102FM
9 6 Firewall Module WS-SVC-FWM-1 SAD093906RT
Mod MAC addresses Hw Fw Sw Status
--- ---------------------------------- ------ ------------ ------------ -------
3 0001.9753.8040 to 0001.9753.806f 2.2 5.4(2) 8.3(0.110)TE Ok
6 000d.2910.332c to 000d.2910.332f 3.3 8.4(2) 12.2(17d)SXB Ok
9 0015.62a0.2842 to 0015.62a0.2849 3.0 7.2(1) 3.1(10) Ok
Mod Sub-Module Model Serial Hw Status
--- --------------------------- ------------------ ------------ ------- -------
6 Policy Feature Card 3 WS-F6K-PFC3A SAD083804BE 2.4 Ok
6 MSFC3 Daughterboard WS-SUP720 SAD0838026G 2.5 Ok
Mod Online Diag Status
--- -------------------
3 Pass
6 Pass
9 Pass
Next, assign this VLAN to the FWSM card:
Cat6500#
Cat6500#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Cat6500(config)#firewall module 9 vlan-group 5
Cat6500(config)#firewall vlan-group 5 100
Cat6500(config)#exit
Cat6500#
Checks:
Cat6500#sh firewall vlan-group
Group vlans
----- ------
5 100
Cat6500#sh firewall module 9 state
Firewall module 9:
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: 100
Pruning VLANs Enabled: 2-1001
Vlans allowed on trunk:100
Vlans allowed and active in management domain: 100
Vlans in spanning tree forwarding state and not pruned: 100
Cat6500#
Cat6500#sh firewall module 9 vlan-group
Module Vlan-groups
9 5,
Then connect to the FWSM card. The passwords used here ("cisco" for the session, none for enable) are the defaults and should be changed once the upgrade is done:
Cat6500#session slot 9 processor 1
The default escape character is Ctrl-^, then x.
You can also type 'exit' at the remote prompt to end the session
Trying 127.0.0.91 ... Open
User Access Verification
Password: cisco
Type help or '?' for a list of available commands.
FWSM> enable
Password: <no enable password in the default configuration - press Enter>
FWSM#
FWSM# sh ver
FWSM Firewall Version 3.1(10)
Device Manager Version 5.2(4)F
Compiled on Mon 21-Apr-08 17:43 by fwsmbld
FWSM up 51 mins 19 secs
Hardware: WS-SVC-FWM-1, 1024 MB RAM, CPU Pentium III 1000 MHz
Flash TOSHIBA THNCF128MBA @ 0xc321, 20MB
0: Int: Not licensed : irq 5
1: Int: Not licensed : irq 7
2: Int: Not licensed : irq 11
The Running Activation Key is not set, using default settings:
Licensed features for this platform:
Maximum Interfaces : 256
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : Unlimited
Serial Number: Sxxxxxxxxxx
Running Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000
Configuration last modified by benoit at 09:45:27.645 UTC Fri 02 10 2012
An FWSM card has two modes: a "routed" (L3) mode and a "transparent" (L2) mode.
Routed mode is the default and places the FWSM card as a gateway on a network, whereas transparent mode lets the FWSM card operate without changing the configuration of the existing gateways, which is handy when deploying on an existing network.
Here we leave the card in routed mode and configure an IP address that lets it reach the PC connected earlier (192.168.0.1, which serves the image over anonymous FTP). Anonymous FTP carries the image and the credentials in cleartext with no integrity protection, so VLAN 100 should hold nothing but the PC and the card for the duration of the upgrade.
FWSM#
FWSM# conf t
FWSM(config)# interface vlan 100
FWSM(config-if)# nameif inside
FWSM(config-if)# security-level 100
FWSM(config-if)# ip address 192.168.0.2 255.255.255.0
FWSM(config-if)# no shutdown
FWSM(config-if)# exit
FWSM(config)# icmp permit any inside
FWSM(config)# exit
FWSM# ping 192.168.0.1
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
FWSM#
FWSM# copy ftp://anonymous:anonymous@192.168.0.1/c6svc-fwm-k9.4-0-8.bin;type=ip flash:image
Address or name of remote host [192.168.0.1]?
Source username [anonymous]?
Source filename [c6svc-fwm-k9.4-0-8.bin]?
Destination filename [image]?
Accessing ftp://anonymous:anonymous@192.168.0.1/c6svc-fwm-k9.4-0-8.bin;type=ip...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
...
For various reasons the download stalls at some point and stops responding for a few minutes... which can feel long when you are at a customer's site :) Don't panic, wipe that drop of sweat off your forehead: the download resumes afterwards and you get your familiar prompt back. Just a little patience.
...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
FWSM# wr
Building configuration...
Cryptochecksum: 29d92aac af9eb806 3f2e689a 28377b6e
Buffering file....
Copying file to medium....!
1239 bytes copied in 0.380 secs
[OK]
FWSM#
FWSM# exit
Logoff
[Connection to 127.0.0.91 closed by foreign host]
Cat6500#
Back on the supervisor, shut the module down and then reset it so that it reboots on the new image. While it reboots, sh mod 9 shows status Other and Online Diag Unknown; wait for the %DIAG-SP-6-DIAG_OK and %OIR-SP-6-INSCARD messages before opening a new session.
Cat6500# hw-module module 9 shutdown
Proceed with shutdown of module? [confirm]
% Shutdown request issued for module 9
Cat6500#
02:30:01: SP: The PC in slot 9 is shutting down.
Please wait ...
02:30:01: SP: PC shutdown completed for module 9
Cat6500#
Cat6500#sh mod 9
Mod Ports Card Type Model Serial No.
--- ----- -------------------------------------- ------------------ -----------
9 6 Firewall Module WS-SVC-FWM-1 SAD093906RT
Mod MAC addresses Hw Fw Sw Status
--- ---------------------------------- ------ ------------ ------------ -------
9 0015.62a0.2842 to 0015.62a0.2849 3.0 7.2(1) 3.1(10) ShutDown
Mod Online Diag Status
--- -------------------
9 Pass
Cat6500#
Cat6500#hw-module module 9 reset
Device BOOT variable for reset =
Warning: Device list is not verified.
Proceed with reload of module?[confirm]
% reset issued for module 9
02:31:58: %C6KPWR-SP-4-DISABLED: power to module in slot 9 set off (Reset)
Cat6500#sh mod 9
Mod Ports Card Type Model Serial No.
--- ----- -------------------------------------- ------------------ -----------
9 6 Firewall Module WS-SVC-FWM-1 SAD093906RT
Mod MAC addresses Hw Fw Sw Status
--- ---------------------------------- ------ ------------ ------------ -------
9 0015.62a0.2842 to 0015.62a0.2849 3.0 7.2(1) 8.3(0.110)TE Other
Mod Online Diag Status
--- -------------------
9 Unknown
Cat6500#
02:33:35: %PM_SCP-SP-4-UNK_OPCODE: Received unknown unsolicited message from module 9, opcode 0x330
02:33:41: %PM_SCP-SP-4-UNK_OPCODE: Received unknown unsolicited message from module 9, opcode 0x330
02:33:53: %DIAG-SP-6-RUN_MINIMUM: Module 9: Running Minimum Diagnostics...
02:33:56: %SVCLC-5-FWVTPMODE: VTP mode is set to non-transparent
02:33:55: %DIAG-SP-6-DIAG_OK: Module 9: Passed Online Diagnostics
02:33:56: %OIR-SP-6-INSCARD: Card inserted in slot 9, interfaces are now online
Cat6500#session slot 9 proc 1
The default escape character is Ctrl-^, then x.
You can also type 'exit' at the remote prompt to end the session
Trying 127.0.0.91 ... Open
User Access Verification
Password: cisco
Type help or '?' for a list of available commands.
FWSM> enable
Password:
FWSM#
FWSM# sh ver
FWSM Firewall Version 4.0(8)
Device Manager Version 5.2(4)F
Compiled on Thu 22-Oct-09 15:47 by fwsmbld
FWSM up 3 mins 40 secs
Hardware: WS-SVC-FWM-1, 1024 MB RAM, CPU Pentium III 1000 MHz
Flash TOSHIBA THNCF128MBA @ 0xc321, 20MB
0: Int: GigabitEthernet0 : address is 0014.1c70.ef00, irq 5
1: Int: GigabitEthernet1 : address is 0014.1c70.ef00, irq 7
2: Int: EOBC0 : address is 0000.1900.0000, irq 11
The Running Activation Key is not set, using default settings:
Licensed features for this platform:
Maximum Interfaces : 256
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
BGP Stub : Disabled
Service Acceleration : Disabled
VPN Peers : Unlimited
Serial Number: xxxxxxxxxxx
Running Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000
Configuration has not been modified since last system restart.
FWSM#
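The checks below are an added example in Python, not code from this article or from Cisco. They cover the copy step (deriving the expected version from the image name c6svc-fwm-k9.4-0-8.bin and comparing the file's MD5 with the digest published for the image on Cisco's download page, before the file is offered over FTP) and the post-reload step (reading the sh ver and sh mod output to confirm the module is back to Ok on the new version, rather than still rebooting with status Other). The show outputs embedded in the script are constructed from the transcripts above; the "4.0(8) / Ok" show module row is an assumption of what a finished upgrade looks like, and the image naming convention is an assumption drawn from this one file name.

```python
"""Pre- and post-upgrade checks for an FWSM image upgrade.

Added example, not code from the original article or from Cisco. It derives
the expected version from the image file name, verifies the image's MD5
before the file is served over FTP, and reads 'show version' / 'show module'
output after the reload. Sample outputs are constructed from the article.
"""
import hashlib
import hmac
import re

# Assumption drawn from the article's file name: FWSM images are named
# c6svc-fwm-k9.<major>-<minor>-<maintenance>.bin and the running image reports
# itself as "<major>.<minor>(<maintenance>)", so c6svc-fwm-k9.4-0-8.bin -> 4.0(8).
IMAGE_NAME_RE = re.compile(r"^c6svc-fwm-k9\.(\d+)-(\d+)-(\d+)\.bin$")


def expected_version_from_image(filename):
    m = IMAGE_NAME_RE.match(filename)
    if not m:
        raise ValueError("not an FWSM image name: %r" % filename)
    major, minor, maint = m.groups()
    return "%s.%s(%s)" % (major, minor, maint)


def image_digest_ok(image_bytes, published_md5_hex):
    """Compare the MD5 of the image bytes with the digest published for it.

    Run this before 'copy ftp:// ... flash:image': anonymous FTP on the staging
    VLAN gives the transfer no integrity of its own, so check the file you serve.
    """
    actual = hashlib.md5(image_bytes).hexdigest()
    return hmac.compare_digest(actual, published_md5_hex.lower())


def parse_show_version(text):
    """Return the version string from 'show version' on the FWSM."""
    m = re.search(r"^FWSM Firewall Version (\S+)", text, re.M)
    if not m:
        raise ValueError("no 'FWSM Firewall Version' line found")
    return m.group(1)


def parse_show_module(text, slot):
    """Return (sw_version, status) for one slot from 'show module' output.

    Values come from the second table (MAC addresses / Hw / Fw / Sw / Status).
    """
    row = re.compile(
        r"^\s*%d\s+\S+ to \S+\s+\S+\s+\S+\s+(\S+)\s+(\S+)\s*$" % slot, re.M)
    m = row.search(text)
    if not m:
        raise ValueError("slot %d not found in 'show module' output" % slot)
    return m.group(1), m.group(2)


def upgrade_complete(show_version_text, show_module_text, slot, image_name):
    """True only when the module is 'Ok' and both views agree on the version.

    During the reset the supervisor reports status 'Other' and a Sw value that
    is not the firewall image version (8.3(0.110)TE in the article), so a
    version check from inside the FWSM alone is not enough.
    """
    expected = expected_version_from_image(image_name)
    running = parse_show_version(show_version_text)
    sw, status = parse_show_module(show_module_text, slot)
    return running == expected and status == "Ok" and sw == expected


# Constructed from the article's transcripts.
SHOW_VERSION_AFTER = """\
FWSM Firewall Version 4.0(8)
Device Manager Version 5.2(4)F
Compiled on Thu 22-Oct-09 15:47 by fwsmbld
FWSM up 3 mins 40 secs
"""

SHOW_MODULE_DURING_RESET = """\
Mod MAC addresses                       Hw     Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  9 0015.62a0.2842 to 0015.62a0.2849   3.0    7.2(1)       8.3(0.110)TE Other
"""

# Constructed (assumption): the same table once the new image has booted.
SHOW_MODULE_AFTER = """\
Mod MAC addresses                       Hw     Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  9 0015.62a0.2842 to 0015.62a0.2849   3.0    7.2(1)       4.0(8)       Ok
"""

if __name__ == "__main__":
    image = "c6svc-fwm-k9.4-0-8.bin"
    print("expected version:", expected_version_from_image(image))
    print("during reset:", upgrade_complete(SHOW_VERSION_AFTER, SHOW_MODULE_DURING_RESET, 9, image))
    print("after boot:  ", upgrade_complete(SHOW_VERSION_AFTER, SHOW_MODULE_AFTER, 9, image))
```

Feed image_digest_ok the bytes of the file sitting on the FTP server and the digest from Cisco's download page; feed the two parsers the raw output pasted from the supervisor and FWSM sessions. The function returns False while sh mod 9 still shows Other, which is exactly the window where opening a session is premature.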
Additional links:
http://www.cisco.com/en/US/docs/security/fwsm/fwsm22/configuration/guide/upgrade.html
Password recovery on an FWSM card