Thoughts on PIX v7 cont...
RS
Guest





Posted: Fri Dec 09, 2005 5:20 pm    Post subject: Thoughts on PIX v7 cont...

ORIGINAL--
Currently running 6.3(4) on 525 FO configuration.

Tested conversion on 515 with a copy of our live config - noticed a
few commands did not "port" over properly. Not a big problem - but a
problem nonetheless.

Given that, here is my take on how to migrate:
-Since we have a FO config - turn off SECONDARY and upgrade the
PRIMARY.
-Fix any issues, and run the PRIMARY for a few days. (Note: NO config
changes are to be made during that period.)
-If there are problems, turn off the PRIMARY and run the SECONDARY with
the 6.3(4) code on it. Figure out what went wrong - downgrade the
PRIMARY if necessary.
-If all is well, turn off the PRIMARY and upgrade the SECONDARY.

Appreciate any and all feedback.
---
RESPONSE---
We did this upgrade back in August. We're running 7.02. Unfortunately
this account does all their management through the PDM. And this has
resulted in a lot of misconfiguration of the PIX. I can't believe
Cisco still claims they even have a gui. Using the latest and greatest
still feels like a beta product.

The upgrade required a line by line comparison of the NAT, STATIC and
ACLS. A lot of rules were invalidated. Two ACCESS-GROUP commands
detached ACLs. Literally re-entered at least a hundred commands. Our
PIX config is 4800 lines long, so it was only about 2%.

Going into production without doing the compare would have been
disastrous.

DiGiTAL_ViNYL (no email)

----

REPLY-


To DiG ViN-
That is why we are going to upgrade a single PIX in the failover set.
(Leave the "un-upgraded" off) If there are a boat load of problems
like that - we can revert to the 6.3x ver with minimal downtime. Work
on the ver 7 config offline.

I've seen the commands changed a bit. Seems like nothing too major.
Any commands/major changes that I should be aware of tho??

Thanks.
RS
Walter Roberson
Guest





Posted: Fri Dec 09, 2005 5:20 pm    Post subject: Re: Thoughts on PIX v7 cont...

In article <1134145927.063497.165600@g47g2000cwa.googlegroups.com>,
RS <ricosuave.info@gmail.com> wrote:
Quote:
Given that, here is my take on how to migrate:
-Since we have a FO config - turn off SECONDARY and upgrade the
PRIMARY.
-Fix any issues, and run the PRIMARY for a few days. (Note: NO config
changes are to be made during that period.)

Sounds like you must not be running in a "production environment".

A less risky strategy would be to sever the failover link, logically
put the secondary on the lab bench, change its outside IPs to test IPs,
install 7.0, do a careful cross-checking of the resulting configuration,
run the configuration through as many tests as you can think of,
and only -then- consider putting it live.
--
"law -- it's a commodity"
-- Andrew Ryan (The Globe and Mail, 2005/11/26)
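
The line-by-line comparison of NAT, STATIC and ACL lines described in the thread, and the cross-checking suggested in the last reply, can be partly automated. The script below is an added example, not code from any of the posters; the sample configurations are constructed, and ignoring the `extended` keyword in access-list entries is the example's own normalization assumption.

```python
TRACKED = {"access-list", "access-group", "nat", "static", "global"}

def normalize(line):
    """Collapse whitespace; drop 'extended' so equivalent ACEs compare equal."""
    words = line.split()
    if len(words) > 2 and words[0] == "access-list" and words[2] == "extended":
        del words[2]
    return " ".join(words)

def policy_lines(config):
    """Normalized NAT, static, global, ACL and access-group lines as a set."""
    lines = {normalize(raw) for raw in config.splitlines()}
    return {l for l in lines if l.split(" ", 1)[0] in TRACKED}

def acl_names(lines, command):
    """ACL names that appear as the first argument of `command`."""
    return {l.split()[1] for l in lines if l.split()[0] == command and len(l.split()) > 1}

def audit(before, after):
    old, new = policy_lines(before), policy_lines(after)
    bound_before = acl_names(old, "access-group")
    still_bound = acl_names(new, "access-group")
    still_defined = acl_names(new, "access-list")
    return {
        "lost": sorted(old - new),    # policy lines the conversion dropped
        "added": sorted(new - old),   # lines that appeared or were rewritten
        "detached": sorted((bound_before & still_defined) - still_bound),
    }

# Constructed sample configs (documentation addresses), not from the thread.
BEFORE = """\
access-list outside_in permit tcp any host 192.0.2.10 eq www
access-list dmz_in permit ip 10.1.1.0 255.255.255.0 any
access-group outside_in in interface outside
access-group dmz_in in interface dmz
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 192.0.2.10 10.0.0.10 netmask 255.255.255.255
static (inside,outside) 192.0.2.11 10.0.0.11 netmask 255.255.255.255
"""
AFTER = """\
access-list outside_in extended permit tcp any host 192.0.2.10 eq www
access-list dmz_in extended permit ip 10.1.1.0 255.255.255.0 any
access-group outside_in in interface outside
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 192.0.2.10 10.0.0.10 netmask 255.255.255.255
"""
if __name__ == "__main__":
    for kind, items in audit(BEFORE, AFTER).items():
        print(kind, items)
```

An ACL listed under `detached` still exists in the converted configuration but is no longer applied to any interface, which is the access-group failure mentioned in the thread.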
All times are GMT