Upgrading an FWSM module

This article walks through a short procedure for upgrading an FWSM module from start to finish.
Since this procedure already "saved my life" a few months ago, I am sharing it here.

Start by creating a VLAN through which the image will be transferred between our PC, connected to the Catalyst 6500 chassis, and the FWSM module.

Our PC will be connected to port FastEthernet 3/1, in VLAN 100.

Cat6500#conf t !!! VLAN 1 can not be used for the FWSM !!!
Cat6500(config)#vlan 100
Cat6500(config-vlan)#exit
Cat6500(config)#interface fa 3/1
Cat6500(config-if)#switchport
Cat6500(config-if)#switchport mode access
Cat6500(config-if)#switchport access vlan 100
Cat6500(config-if)#no sh
Cat6500(config-if)#exit
Cat6500(config)#exit
Cat6500#
Cat6500#sh ip int brief
... FastEthernet3/1 unassigned      YES unset  up up ...
Cat6500#
Cat6500#sh mod
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  3   48  48 port 10/100 mb RJ45                 WS-X6348-RJ-45     SAL043310FK
  6    2  Supervisor Engine 720 (Active)         WS-SUP720-BASE     SAD081102FM
  9    6  Firewall Module                        WS-SVC-FWM-1       SAD093906RT

Mod MAC addresses                       Hw    Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  3 0001.9753.8040 to 0001.9753.806f   2.2   5.4(2)       8.3(0.110)TE Ok
  6 000d.2910.332c to 000d.2910.332f   3.3   8.4(2)       12.2(17d)SXB Ok
  9 0015.62a0.2842 to 0015.62a0.2849   3.0   7.2(1)       3.1(10)      Ok

Mod Sub-Module                  Model              Serial        Hw     Status
--- --------------------------- ------------------ ------------ ------- -------
  6 Policy Feature Card 3       WS-F6K-PFC3A       SAD083804BE   2.4    Ok
  6 MSFC3 Daughterboard         WS-SUP720          SAD0838026G   2.5    Ok

Mod Online Diag Status
--- -------------------
  3 Pass
  6 Pass
  9 Pass

Next, assign this VLAN to the FWSM module:

Cat6500#
Cat6500#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Cat6500(config)#firewall module 9 vlan-group 5
Cat6500(config)#firewall vlan-group 5 100
Cat6500(config)#exit
Cat6500#

Verification:

Cat6500#sh firewall vlan-group
Group vlans
-----      ------
5          100
Cat6500#sh firewall module 9 state
Firewall module 9:
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: 100
Pruning VLANs Enabled: 2-1001
Vlans allowed on trunk:100
Vlans allowed and active in management domain: 100
Vlans in spanning tree forwarding state and not pruned: 100
Cat6500#

Cat6500#sh firewall module 9 vlan-group
Module Vlan-groups
9      5,

Then connect to the FWSM module:

Cat6500#session slot 9 processor 1
The default escape character is Ctrl-^, then x.
You can also type 'exit' at the remote prompt to end the session
Trying 127.0.0.91 ...

Open User Access Verification
Password: cisco
Type help or '?' for a list of available commands.
FWSM> enable
Password: <no password in the default configuration - just press Enter>
FWSM#
FWSM# sh ver
FWSM Firewall Version 3.1(10)
Device Manager Version 5.2(4)F
Compiled on Mon 21-Apr-08 17:43 by fwsmbld
FWSM up 51 mins 19 secs
Hardware:   WS-SVC-FWM-1, 1024 MB RAM, CPU Pentium III 1000 MHz
Flash TOSHIBA THNCF128MBA @ 0xc321, 20MB
 0: Int: Not licensed        : irq 5
 1: Int: Not licensed        : irq 7
 2: Int: Not licensed        : irq 11

The Running Activation Key is not set, using default settings:
Licensed features for this platform:
Maximum Interfaces          : 256
Inside Hosts                : Unlimited
Failover                    : Active/Active
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
Cut-through Proxy           : Enabled
Guards                      : Enabled
URL Filtering               : Enabled
Security Contexts           : 2
GTP/GPRS                    : Disabled
VPN Peers                   : Unlimited

Serial Number: Sxxxxxxxxxx
Running Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000
Configuration last modified by benoit at 09:45:27.645 UTC Fri 02 10 2012

An FWSM module can run in two modes: a "routed" mode (L3) and a "transparent" mode (L2).
Routed mode is the default; it places the FWSM as a gateway on a network, whereas transparent mode lets the FWSM operate without any change to the configuration of the existing gateways, which is convenient when deploying on an existing network.

Here we will leave the module in routed mode and configure an IP address that lets it reach the PC connected earlier.

FWSM#
FWSM# conf t
FWSM(config)# interface vlan 100
FWSM(config-if)# nameif inside
FWSM(config-if)# security-level 100
FWSM(config-if)# ip address 192.168.0.2 255.255.255.0
FWSM(config-if)# no shutdown
FWSM(config-if)# exit
FWSM(config)# icmp permit any inside
FWSM(config)# exit

FWSM# ping 192.168.0.1
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

FWSM#
FWSM# copy ftp://anonymous:anonymous@192.168.0.1/c6svc-fwm-k9.4-0-8.bin;type=ip flash:image
Address or name of remote host [192.168.0.1]?
Source username [anonymous]?
Source filename [c6svc-fwm-k9.4-0-8.bin]?
Destination filename [image]?
Accessing ftp://anonymous:anonymous@192.168.0.1/c6svc-fwm-k9.4-0-8.bin;type=ip...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! ...

For various reasons, the download stalls at some point and stops responding for a few minutes... which can feel very long when you are at a customer site :) Don't panic, you can wipe that drop of sweat off your brow: the download resumes afterwards and you get your familiar prompt back. Just a little patience.

... !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
FWSM# wr
Building configuration...
Cryptochecksum: 29d92aac af9eb806 3f2e689a 28377b6e
Buffering file....
Copying file to medium....! 1239 bytes copied in 0.380 secs [OK]
FWSM#
FWSM# exit
Logoff

[Connection to 127.0.0.91 closed by foreign host]

Cat6500#
Cat6500# hw-module module 9 shutdown
Proceed with shutdown of module? [confirm]
% Shutdown request issued for module 9

Cat6500#
02:30:01: SP: The PC in slot 9 is shutting down.
Please wait ...
02:30:01: SP: PC shutdown completed for module 9

Cat6500#
Cat6500#sh mod 9
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
9    6  Firewall Module                        WS-SVC-FWM-1       SAD093906RT

Mod MAC addresses                       Hw    Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
9 0015.62a0.2842 to 0015.62a0.2849   3.0   7.2(1)       3.1(10)      ShutDown

Mod Online Diag Status
--- -------------------
9 Pass

Cat6500#
Cat6500#hw-module module 9 reset
Device BOOT variable for reset = Warning: Device list is not verified.
Proceed with reload of module?[confirm]
% reset issued for module 9

02:31:58: %C6KPWR-SP-4-DISABLED: power to module in slot 9 set off (Reset)

Cat6500#sh mod 9
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
9    6  Firewall Module                        WS-SVC-FWM-1       SAD093906RT

Mod MAC addresses                       Hw    Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
9 0015.62a0.2842 to 0015.62a0.2849   3.0   7.2(1)       8.3(0.110)TE Other

Mod Online Diag Status
---    -------------------
9      Unknown

Cat6500#
02:33:35: %PM_SCP-SP-4-UNK_OPCODE: Received unknown unsolicited message from module 9, opcode 0x330
02:33:41: %PM_SCP-SP-4-UNK_OPCODE: Received unknown unsolicited message from module 9, opcode 0x330
02:33:53: %DIAG-SP-6-RUN_MINIMUM: Module 9: Running Minimum Diagnostics...
02:33:56: %SVCLC-5-FWVTPMODE: VTP mode is set to non-transparent
02:33:55: %DIAG-SP-6-DIAG_OK: Module 9: Passed Online Diagnostics
02:33:56: %OIR-SP-6-INSCARD: Card inserted in slot 9, interfaces are now online

Cat6500#session slot 9 proc 1
The default escape character is Ctrl-^, then x.
You can also type 'exit' at the remote prompt to end the session
Trying 127.0.0.91 ...

Open User Access Verification
Password: cisco
Type help or '?' for a list of available commands.
FWSM> enable
Password:

FWSM#
FWSM# sh ver
FWSM Firewall Version 4.0(8)
Device Manager Version 5.2(4)F
Compiled on Thu 22-Oct-09 15:47 by fwsmbld
FWSM up 3 mins 40 secs
Hardware:   WS-SVC-FWM-1, 1024 MB RAM, CPU Pentium III 1000 MHz
Flash TOSHIBA THNCF128MBA @ 0xc321, 20MB
 0: Int: GigabitEthernet0    : address is 0014.1c70.ef00, irq 5
 1: Int: GigabitEthernet1    : address is 0014.1c70.ef00, irq 7
 2: Int: EOBC0               : address is 0000.1900.0000, irq 11

The Running Activation Key is not set, using default settings:
Licensed features for this platform:
Maximum Interfaces          : 256
Inside Hosts                : Unlimited
Failover                    : Active/Active
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
Cut-through Proxy           : Enabled
Guards                      : Enabled
URL Filtering               : Enabled
Security Contexts           : 2
GTP/GPRS                    : Disabled
BGP Stub                    : Disabled
Service Acceleration        : Disabled
VPN Peers                   : Unlimited
Serial Number: xxxxxxxxxxx
Running Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000
Configuration has not been modified since last system restart.
FWSM#
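As an added example (not part of the original article, and not Cisco tooling), here is a small Python check that parses the FWSM row of the Catalyst's "show module" output and the banner of "show version" run on the module, so the upgrade can be verified from both sides: the sample strings are constructed from the output formats shown above, and the 4.0(8) "Ok" row is what one expects once the module finishes reloading.

```python
import re

# Constructed samples (not captured from the article's chassis): the FWSM row
# of "show module" as the Catalyst 6500 shows it at four moments of the upgrade,
# and the first lines of "show version" run on the module itself afterwards.
SHOW_MOD_BEFORE = "  9 0015.62a0.2842 to 0015.62a0.2849   3.0   7.2(1)       3.1(10)      Ok"
SHOW_MOD_SHUTDOWN = "  9 0015.62a0.2842 to 0015.62a0.2849   3.0   7.2(1)       3.1(10)      ShutDown"
SHOW_MOD_REBOOTING = "  9 0015.62a0.2842 to 0015.62a0.2849   3.0   7.2(1)       8.3(0.110)TE Other"
SHOW_MOD_AFTER = "  9 0015.62a0.2842 to 0015.62a0.2849   3.0   7.2(1)       4.0(8)       Ok"
SHOW_VER_AFTER = "FWSM Firewall Version 4.0(8)\nDevice Manager Version 5.2(4)F\n"

# One row of the "Mod MAC addresses ... Sw Status" table of "show module".
_MOD_ROW = re.compile(
    r"^\s*(?P<mod>\d+)\s+(?P<mac>[0-9a-f.]+ to [0-9a-f.]+)\s+"
    r"(?P<hw>\S+)\s+(?P<fw>\S+)\s+(?P<sw>\S+)\s+(?P<status>\S+)\s*$"
)

def parse_show_module(output):
    """Map slot number -> {hw, fw, sw, status} for every MAC-address row."""
    modules = {}
    for line in output.splitlines():
        m = _MOD_ROW.match(line)
        if m:
            modules[int(m.group("mod"))] = {k: m.group(k) for k in ("hw", "fw", "sw", "status")}
    return modules

def module_state(output, slot, expected_sw):
    """Classify what the supervisor sees for the FWSM slot after the reset."""
    mod = parse_show_module(output).get(slot)
    if mod is None:
        return "missing"
    if mod["status"] == "ShutDown":
        return "shutdown"          # still in the hw-module ... shutdown state
    if mod["status"] != "Ok":
        return "booting"           # e.g. "Other" while the module reloads
    if mod["sw"] != expected_sw:
        return "version-mismatch"  # came back up, but not on the expected image
    return "ok"

def fwsm_reported_version(show_version):
    """Version the module reports itself in 'show version' on the FWSM."""
    m = re.search(r"FWSM Firewall Version (\S+)", show_version)
    return m.group(1) if m else None

def upgrade_verified(show_module, show_version, slot, expected_sw):
    """True only when the chassis and the module agree the new image runs."""
    return (module_state(show_module, slot, expected_sw) == "ok"
            and fwsm_reported_version(show_version) == expected_sw)
```

Feed it the real "show module" and "show version" captures; a "booting" result simply means to wait for the OIR "interfaces are now online" message and check again.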

Additional links:
http://www.cisco.com/en/US/docs/security/fwsm/fwsm22/configuration/guide/upgrade.html
Password recovery on an FWSM module

Benoit

Network engineer at CNS Communications. CCIE #47705, focused on R&S, Data Center, SD-WAN & Automation.
