packetfu.org

• Home
• Bookshelf
• Images
• About

Remote PIX upgrade over a VPN tunnel

Posted by creining | Filed under Security

I was looking into doing PIX code upgrades over a VPN tunnel and finally came up with the right commands in order to do this. The first problem I encountered in trying to do this was by using the outside public IP to initiate the upgrade (via TFTP) over the tunnel. I had marked the outside IP as ‘interesting’ traffic so traffic initiated on the PIX to the TFTP server would be tunneled over the VPN to the concentrator and on to the server. However, I hadn’t thought out the return traffic from the TFTP server in that it would have a destination IP of this public IP and would go right out our default gateway to the internet. It seemed the easiest way to make this all work would be to force the traffic to come from the inside IP of the PIX, over the tunnel, through the concentrator and to the server. That way the return traffic to that RFC1918 IP of the inside interface of the PIX would be routed back through the concentrator as internal routes point it that way. Here’s what I ended doing:

1) Copy the PIX Firewall binary image (pixnnn.bin) to the /tftpboot directory on the TFTP server.

2) Issue the ‘tftp-server’ command on the PIX:

pixfirewall> enPassword: ************pixfirewall> config tpixfirewall(config)# write mempixfirewall(config)# tftp-server inside [tftp-server IP] [pix hostname]

3) Issue the management-access command:

pixfirewall(config)# management-access inside

4) Copy the existing configuration to the TFTP server:

pixfirewall(config)# write net

5) Retreive the new PIX binary file:

pixfirewall(config)# exitpixfirewall# copy tftp flashAddress or name of remote host [tftp-server IP]?Source file name [cdisk]? pix635.bincopying tftp://[tftp-server IP]/pix635.bin to flash:image[yes|no|again]? yes!!!!!!!!!!!!!!!!!!! [...]Received 2101248 bytesErasing current imageWriting 1978424 bytes of image!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! [...]Image installed

6) Reload:

pixfirewall# write mempixfirewall# reloadProceed with reload? [confirm]

Permalink | February 2nd, 2006

Comments are closed.

Topics

• Financial Independence (4)
• Flying (6)
• Food (18)
• Linux/BSD (27)
• Personal (11)
• Photography (5)
• Security (131)
• Travel (17)
• Uncategorized (33)

Histories Forgotten

• January 2012
• December 2011
• November 2011
• July 2011
• June 2011
• May 2011
• March 2011
• February 2011
• January 2011
• December 2010
• November 2010
• October 2010
• May 2010
• April 2010
• January 2010
• November 2009
• July 2009
• February 2009
• January 2009
• November 2008
• October 2008
• September 2008
• April 2008
• March 2008
• February 2008
• December 2007
• November 2007
• October 2007
• September 2007
• July 2007
• June 2007
• May 2007
• April 2007
• October 2006
• May 2006
• April 2006
• March 2006
• February 2006
• January 2006
• December 2005
• November 2005
• October 2005
• September 2005
• August 2005
• July 2005
• May 2005
• March 2005
• February 2005
• January 2005
• December 2004
• November 2004
• October 2004
• September 2004
• August 2004
• July 2004
• June 2004
• May 2004
• April 2004
• March 2004
• February 2004
• January 2004
• December 2003
• November 2003
• October 2003
• September 2003
• August 2003
• July 2003
• June 2003
• May 2003
• April 2003