Guide for Cisco PIX 6.2 and 6.3 Users Upgrading to Cisco PIX Software Version 7.0 - Downgrade Procedure [Cisco ASA 5500-X Series Next-Generation Firewalls]

Table Of Contents

Downgrade Procedure

Guidelines for Downgrading

Downgrade Procedure

Downgrading Examples

Example of a Downgrade Procedure

Example with a Zero Actkey

Example with No Actkey in the Source Image

Example to Abort the Downgrade at the Final Prompt

Example Using an Invalid Actkey

Example Without Specifying an Actkey and No 4-Tuple Actkey Stored in Flash

Example Using a Security Appliance Version 7.0

Example Using an Image with No Verified Actkey

Example Using a Flash 4-Tuple Key without All the Features of the Current 5-Tuple Key

Example Where the Entered Actkey Does Not Have the Features of the Current 5-Tuple Key

Downgrade Procedure

You can downgrade from a PIX Security appliance Version 7.0 image to return to a PIX Version 6.3 image, using the downgrade command. This command changes the Flash layout to a format that the PIX images can understand.

This chapter includes the following topics:

•Guidelines for Downgrading

•Downgrade Procedure

•Downgrading Examples

Guidelines for Downgrading

•A PIX downgrade is not possible from the monitor prompt. The downgrade command must be used from a running PIX Security appliance Version 7.0 image to perform the downgrade.

•A PIX upgrade/downgrade can be done remotely only if there is no interruption to the process. A power failure during the process may result in a corrupt Flash that requires console access to recover. To prevent loss of data, it is recommended that all data be stored externally before starting the process.

•If the PIX had previously been upgraded from a PIX Version 6.3 version, the 4-tuple activation key is stored in Flash and does not need to be reentered. Even if the PIX Security appliance Version 7.0 code license had been subsequently updated using a 5-tuple activation key, the 4-tuple key is still saved.

The downgrade command verifies and uses the 4-tuple key, if it exists. Otherwise, the activation key needs to be input in the CLI for the command to succeed.

•We recommend using the show activation-key command to display the current activation key.

•The downgrade command automatically reloads the PIX after it is complete.

Downgrade Procedure

To perform a downgrade to a PIX Version 6.3 image, use the downgrade command from a running PIX Security appliance Version 7.0 image as follows:
downgrade [/noconfirm] <image_url> [activation-key (flash|file|<4-part-actkey>)] [config
<start_config_url>] 
Note The downgrade command is not available in user context mode.

where:

•<image_url>—A filename in Flash or a network URL (all network URL are supported by the copy command) that points to a PIX image. This must be an image that is before PIX Security appliance Version 7.0 release.

•<start_config_url>—Any URL which could be a network or local Flash that points to a start up configuration file to be used after the reboot. The configuration must be for the version of the image file used in the downgrade.

•activation-key—Specifies the activation key to be used on the downgraded image, using one of the following methods:

–flash—Use the 4-tuple activation key that may have been used in the device. This is the default if the activation-key is not specified in the command line.

–file—Allowed only on a PIX Version 6.3 image that was stored in Flash memory during the upgrade process. Such an image contains the activation key in the image itself and could be used after downgrade as well.

–<4-part-actkey>—The activation key to be written to the image.

Note If the activation-key keyword is present, then you must enter one of the three options: flash, file, or <4-part-actkey>.

•/noconfirm—The presence of this option suppresses the confirmation dialogue.

Note In most cases, you use the downgrade <image_url> command to downgrade, where <image_url> is the TFTP server location of the downgraded image. If the TFTP server is 192.168.1.20 and the filename in the TFTP root directory is pix633.bin, the command would look like the following:

downgrade tftp://192.168.1.20/pix633.bin

If the activation-key keyword is not specified in the command line and there is no default activation key for the image, the command will be rejected. If the activation key is found and could be used with the image, it will be stored in the image for use after the downgrade. If you are using an image file that was saved during the upgrade process (file image_old.bin), you could use the activation-key file option.

The data file containing cryptographic keys used before upgrading to PIX Security appliance Version 7.0 will be restored if the Flash has not been formatted or erased since the upgrade.

The flash option for the activation key is the last 4-tuple activation key used in the system. This key might have been overridden by a 5-tuple key, in which case, a warning with the list of features that might be potentially lost by going back to the 4-tuple key will be generated. If the system Flash has been reformatted or erased for some reason, the last 4-tuple key used will not be available and there will be no default key for the downgrade. The CLI notifies you to enter an activation key in the command line.

If the config keyword is not present, then the default is to use the downgrade.cfg file, if present. Otherwise, the PIX will boot without a configuration file.

If the downloaded image is not a PIX image or is lower than PIX Version 6.2, the command fails and an error message is generated.

If /noconfirm is not present, the CLI prompts for confirmation and reboots the device after the downgrade operation is complete.

To downgrade using the CLI perform the following steps:

Step 1 Download the image from the network to RAM and check for validity. Proceed to Step 2 if the image passes.

Step 2 Get the activation key using the flash, file, or <4-part-actkey> method previously described.

Step 3 Verify the activation key if possible, and write it on the downloaded image.

Step 4 Obtain the startup configuration from the URL or downgrade.cfg file, if any exists.

Step 5 Read the data files from the downgrade.dat file (raw read, no format) and buffer it in RAM.

Step 6 Erase the entire Flash.

Step 7 Write the PIX image in RAM at the beginning of the Flash (sector 0).

Step 8 Write the startup configuration in RAM to the next sector(s) after the image (raw write).

Step 9 Write the data files in RAM to the next sector(s) (raw write).

Step 10 Reboot.

When the PIX image boots up, it checks for the PIX filesystem magic. As the magic is not present, the system rebuilds the filesystem by gleaning the data from Flash. It detects the image, startup configuration file, and data files by the presence of the respective magics. The appropriate filesystem header is created in Flash using the information discovered.

The startup configuration is specified in the CLI in case there is no downgrade.cfg file in the Flash and remote connectivity is desired after the reboot.

The design assumes that the downgrade procedure has been successful only if there are no interruptions to the process, such as no user or power interruptions, and the Flashfs filesystem in Flash is not corrupt. PDM and crash information are not copied over.

Downgrading Examples

This section includes the following configuration examples:

•Example of a Downgrade Procedure

•Example with a Zero Actkey

•Example with No Actkey in the Source Image

•Example to Abort the Downgrade at the Final Prompt

•Example Using an Invalid Actkey

•Example Without Specifying an Actkey and No 4-Tuple Actkey Stored in Flash

•Example Using a Security Appliance Version 7.0

•Example Using an Image with No Verified Actkey

•Example Using a Flash 4-Tuple Key without All the Features of the Current 5-Tuple Key

•Example Where the Entered Actkey Does Not Have the Features of the Current 5-Tuple Key

Example of a Downgrade Procedure

The following example is for a downgrade going from PIX Security appliance Version 7.0 to PIX Version 6.3(4). The PIX Version 6.3 image is coming from a TFTP server.
Conduit# downgrade tftp://192.168.1.100/pix634.bin
 This command will reformat the flash and automatically reboot the system.
 Do you wish to continue? [confirm] 
 Buffering image
 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 Buffering startup config
 All items have been buffered successfully.
 If the flash reformat is interrupted or fails, data in flash will be lost
 and the system might drop to monitor mode.
 Do you wish to continue? [confirm] 
 Acquiring exclusive access to flash
 Installing the correct file system for the image and saving the buffered data
 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 Flash downgrade succeeded
Rebooting....
 CISCO SYSTEMS PIX FIREWALL
 Embedded BIOS Version 4.3.207 01/02/02 16:12:22.73
 Compiled by xxxxxx
 64 MB RAM
 PCI Device Table.
 Bus Dev Func VendID DevID Class              Irq
  00  00  00   8086   7192  Host Bridge        
  00  07  00   8086   7110  ISA Bridge         
  00  07  01   8086   7111  IDE Controller     
  00  07  02   8086   7112  Serial Bus         9
  00  07  03   8086   7113  PCI Bridge         
  00  0D  00   8086   1209  Ethernet           11
  00  0E  00   8086   1209  Ethernet           10
  00  11  00   14E4   5823  Co-Processor       11
  00  13  00   8086   B154  PCI-to-PCI Bridge  
  01  04  00   8086   1229  Ethernet           11
  01  05  00   8086   1229  Ethernet           10
  01  06  00   8086   1229  Ethernet           9
  01  07  00   8086   1229  Ethernet           5
Cisco Secure PIX Firewall BIOS (4.2) #0: Mon Dec 31 08:34:35 PST 2001
Platform PIX-515E
System Flash=E28F128J3 @ 0xfff00000
Use BREAK or ESC to interrupt flash boot.
Use SPACE to begin flash boot immediately.
Flash boot in 10 seconds.           9 seconds.          8 seconds.          7 seconds.          
6 seconds.          5 seconds.          4 seconds.          3 seconds.          2 seconds.          
1 seconds.
 Reading 1962496 bytes of image from flash.
##########################################################################################
#####################
64MB RAM
mcwa i82559 Ethernet at irq 11  MAC: 0011.937e.0650
mcwa i82559 Ethernet at irq 10  MAC: 0011.937e.064f
mcwa i82559 Ethernet at irq 11  MAC: 000d.88ee.dfa0
mcwa i82559 Ethernet at irq 10  MAC: 000d.88ee.dfa1
mcwa i82559 Ethernet at irq  9  MAC: 000d.88ee.dfa2
mcwa i82559 Ethernet at irq  5  MAC: 000d.88ee.dfa3
System Flash=E28F128J3 @ 0xfff00000
BIOS Flash=am29f400b @ 0xd8000
Crypto5823 (revision 0x1)
  -----------------------------------------------------------------------
                               ||        ||
                               ||        ||
                              ||||      ||||
                          ..:||||||:..:||||||:..
                         c i s c o S y s t e m s 
                        Private Internet eXchange
  -----------------------------------------------------------------------
                        Cisco PIX Firewall
Cisco PIX Firewall Version 6.3(4)
Licensed Features:
Failover:                    Enabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Enabled
Maximum Physical Interfaces: 6
Maximum Interfaces:          10
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                Unlimited
Throughput:                  Unlimited
IKE peers:                   Unlimited
This PIX has an Unrestricted (UR) license.
  ****************************** Warning *******************************
  Compliance with U.S. Export Laws and Regulations - Encryption.
  This product performs encryption and is regulated for export
  by the U.S. Government.
  This product is not authorized for use by persons located
  outside the United States and Canada that do not have prior
  approval from Cisco Systems, Inc. or the U.S. Government.
  This product may not be exported outside the U.S. and Canada
  either by physical or electronic means without PRIOR approval
  of Cisco Systems, Inc. or the U.S. Government.
  Persons outside the U.S. and Canada may not re-export, resell
  or transfer this product by either physical or electronic means
  without prior approval of Cisco Systems, Inc. or the U.S.
  Government.
  ******************************* Warning *******************************
Copyright (c) 1996-2003 by Cisco Systems, Inc.
                Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
                Cisco Systems, Inc.
                170 West Tasman Drive
                San Jose, California 95134-1706
.
Cryptochecksum(unchanged): 629e8fc8 b6e63516 1c253178 e5d91814 
Type help or '?' for a list of available commands.
After performing the PIX Security appliance Version 7.0 downgrade, enter the enable command to enter configuration mode, then enter your password, and finally enter the show run command. The output is as follows:
Conduit> enable 
 Password: 
 Conduit# show version
 Cisco PIX Firewall Version 6.3(4)
 Compiled on Fri 02-Jul-04 00:07 by xxxxxx
 Conduit up 23 secs
 Hardware:   PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
 Flash E28F128J3 @ 0x300, 16MB
 BIOS Flash AM29F400B @ 0xfffd8000, 32KB
 Encryption hardware device : VAC+ (Crypto5823 revision 0x1)
 0: ethernet0: address is 0011.937e.064f, irq 10
 1: ethernet1: address is 0011.937e.0650, irq 11
 2: ethernet2: address is 000d.88ee.dfa0, irq 11
 3: ethernet3: address is 000d.88ee.dfa1, irq 10
 4: ethernet4: address is 000d.88ee.dfa2, irq 9
 5: ethernet5: address is 000d.88ee.dfa3, irq 5
 Licensed Features:
 Failover:                    Enabled
 VPN-DES:                     Enabled
 VPN-3DES-AES:                Enabled
 Maximum Physical Interfaces: 6
 Maximum Interfaces:          10
 Cut-through Proxy:           Enabled
 Guards:                      Enabled
 URL-filtering:               Enabled
 Inside Hosts:                Unlimited
 Throughput:                  Unlimited
 IKE peers:                   Unlimited
 This PIX has an Unrestricted (UR) license.
 Serial Number: 808300261 (0x302daee5)
 Running Activation Key: 0x8a9a2457 0xd91de491 0x48534d65 0xa648750a 
 Configuration has not been modified since last system restart.
Enter the show run command to display output from your PIX Version 6.3 configuration. Output from the PIX Version 6.3 configuration follows:
Conduit# show run
 : Saved
 :
 PIX Version 6.3(4)
 interface ethernet0 100full
 interface ethernet1 100full
 interface ethernet2 auto shutdown
 interface ethernet3 auto shutdown
 interface ethernet4 auto shutdown
 interface ethernet5 auto shutdown
 nameif ethernet0 outside security0
 nameif ethernet1 inside security100
 nameif ethernet2 dmz security50
 nameif ethernet3 intf3 security6
 nameif ethernet4 intf4 security8
 nameif ethernet5 intf5 security10
 enable password 8Ry2YjIyt7RRXU24 encrypted
 passwd 2KFQnbNIdI.2KYOU encrypted
 hostname Conduit
 domain-name ciscopix.com
 fixup protocol dns maximum-length 512
 fixup protocol ftp 21
 fixup protocol h323 h225 1720
 fixup protocol h323 ras 1718-1719
 fixup protocol http 80
 fixup protocol rsh 514
 fixup protocol rtsp 554
 fixup protocol sip 5060
 fixup protocol sip udp 5060
 fixup protocol skinny 2000
 fixup protocol smtp 25
 fixup protocol sqlnet 1521
 fixup protocol tftp 69
 names
 name 172.16.1.75 Linux
 no pager
 logging on
 logging trap informational
 logging host inside 192.168.1.99
 icmp permit any outside
 icmp permit any inside
 mtu outside 1500
 mtu inside 1500
 mtu dmz 1500
 mtu intf3 1500
 mtu intf4 1500
 mtu intf5 1500
 ip address outside 172.16.1.161 255.255.255.0
 ip address inside 192.168.1.161 255.255.255.0
 no ip address dmz
 no ip address intf3
 no ip address intf4
 no ip address intf5
 ip audit info action alarm
 ip audit attack action alarm
 no failover
 failover timeout 0:00:00
 failover poll 15
 no failover ip address outside
 no failover ip address inside
 no failover ip address dmz
 no failover ip address intf3
 no failover ip address intf4
 no failover ip address intf5
 pdm location 192.168.1.99 255.255.255.255 inside
 pdm history enable
 arp timeout 14400
 global (outside) 1 172.16.1.210-172.16.1.212
 nat (inside) 1 0.0.0.0 0.0.0.0 0 0
 static (inside,outside) 172.16.1.111 192.168.1.5 netmask 255.255.255.255 0 0 
 conduit permit icmp any any 
 conduit permit tcp host 172.16.1.111 eq www any 
 conduit permit tcp host 172.16.1.49 eq smtp host 209.165.201.2 
 route outside 0.0.0.0 0.0.0.0 172.16.1.1 1
 timeout xlate 3:00:00
 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
 timeout uauth 0:05:00 absolute
 aaa-server TACACS+ protocol tacacs+ 
 aaa-server TACACS+ max-failed-attempts 3 
 aaa-server TACACS+ deadtime 10 
 aaa-server RADIUS protocol radius 
 aaa-server RADIUS max-failed-attempts 3 
 aaa-server RADIUS deadtime 10 
 aaa-server LOCAL protocol local 
 http server enable
 http 0.0.0.0 0.0.0.0 outside
 http 0.0.0.0 0.0.0.0 inside
 no snmp-server location
 no snmp-server contact
 snmp-server community public
 no snmp-server enable traps
 floodguard enable
 telnet 192.168.1.0 255.255.255.0 inside
 telnet timeout 5
 ssh timeout 5
 console timeout 0
 dhcpd address 192.168.1.100-192.168.1.102 inside
 dhcpd lease 3600
 dhcpd ping_timeout 750
 dhcpd enable inside
 terminal width 80
 Cryptochecksum:629e8fc8b6e635161c253178e5d91814
 : end
 Conduit# 
Example with a Zero Actkey

Enter a zero actkey:
PIX# downgrade tftp://17.13.2.25//tftpboot/mananthr/pix704.bin.6.3.3 activation-key 0 0 0 
0 
This command will reformat the flash and automatically reboot the system. 
Do you wish to continue? [confirm] [Press Enter to confirm]
Buffering image 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! 
Error: activation key entered is invalid.
Example with No Actkey in the Source Image

Enter the file option when there is no actkey in the source image, which happens if the source is in TFTP server:
PIX# downgrade tftp://17.13.2.25//tftpboot/mananthr/pix704.bin.6.3.3 activation-key file 
This command will reformat the flash and automatically reboot the system. 
Do you wish to continue? [confirm] 
Buffering image 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!! 
Activation key does not exist in the source image. 
Please use the activation-key option to specify an activation key.
Example to Abort the Downgrade at the Final Prompt

Abort the downgrade at the final prompt:
PIX# downgrade tftp://17.13.2.25//tftpboot/mananthr/pix704.bin.6.3.3 
This command will reformat the flash and automatically reboot the system. 
Do you wish to continue? [confirm] [Press Enter to confirm]
Buffering image 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!
Buffering startup config
All items have been buffered successfully. 
If the flash reformat is interrupted or fails, data in flash will be lost 
and the system might drop to monitor mode. 
Do you wish to continue? [confirm] ===<typed n here> 
Downgrade process terminated.
Example Using an Invalid Actkey

Enter an invalid actkey for the platform:
PIX# downgrade tftp://17.13.2.25//tftpboot/mananthr/pix704.bin.6.3.3 activation-key 
0xaaf93e75 0xc1d21188 c2e18f2 0x162a8a80 
This command will reformat the flash and automatically reboot the system. 
Do you wish to continue? [confirm] [Press Enter to confirm]
Buffering image 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!! 
Warning: activation key entered is invalid 
Do you wish to continue? [confirm] 
Downgrade process terminated.
Example Without Specifying an Actkey and No 4-Tuple Actkey Stored in Flash

Downgrade without specifying an actkey in the command line when there is no 4-tuple actkey stored in Flash:
PIX# downgrade tftp://17.13.2.25//tftpboot/mananthr/pix704.bin.6.3.3 
This command will reformat the flash and automatically reboot the system. 
Do you wish to continue? [confirm] [Press Enter to confirm]
Buffering image 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!! 
Warning: 4 tuple activation key in flash is invalid. 
Do you wish to continue? [confirm] 
Downgrade process terminated. 
Please enter an activation-key in the command line.
Example Using a Security Appliance Version 7.0

Use a PIX Security appliance Version 7.0 image with the downgrade:
PIX# downgrade tftp://17.13.2.25//scratch/views/test/target/f1/pix704.bin 
This command will reformat the flash and automatically reboot the system. 
Do you wish to continue? [confirm] [Press Enter to confirm]
Buffering image 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 
Error: Need to use an image with version less than 7-0-0-0.
Example Using an Image with No Verified Actkey

Use an image for which we do not verify actkey:
PIX# downgrade tftp://17.13.2.25//tftpboot/mananthr/pix704.bin.4.4.1-rel 
This command will reformat the flash and automatically reboot the system. 
Do you wish to continue? [confirm] [Press Enter to confirm]
Buffering image 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 
Image checksum has not been verified 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 
Warning: Activation key not verified. 
Key 32c261f3 633fe24 c94ef2ea e299a3f might be incompatible with the image version 
4-4-1-0. 
Do you wish to continue? [confirm] 
Downgrade process terminated. 
Please enter an activation-key in the command line.
Example Using a Flash 4-Tuple Key without All the Features of the Current 5-Tuple Key

The Flash 4-tuple key does not have all features of the current 5-tuple key:
PIX# downgrade tftp://17.13.2.25//tftpboot/mananthr/pix704.bin.6.3.3 
This command will reformat the flash and automatically reboot the system. 
Do you wish to continue? [confirm] [Press Enter to confirm]
Buffering image 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!! 
The following features available in current activation key in flash 
are NOT available in 4 tuple activation key in flash: 
   VPN-3DES-AES 
   GTP/GPRS 
   5 Security Contexts 
Failover is different: 
   current activation key in flash: UR(estricted) 
   4 tuple activation key in flash: R(estricted) 
Some features might not work in the downgraded image if this key is used. 
Do you wish to continue? [confirm] 
Downgrade process terminated. 
Please enter an activation-key in the command line.
Example Where the Entered Actkey Does Not Have the Features of the Current 5-Tuple Key

The entered actkey does not have all features of the current 5-tuple key:
PIX# downgrade tftp://17.13.2.25//tftpboot/mananthr/pix704.bin.6.3.3 activation-key 
0x32c261f3 0x062afe24 0xc94ef2ea 0x0e299a3f 
This command will reformat the flash and automatically reboot the system. 
Do you wish to continue? [confirm] [Press Enter to confirm]
Buffering image 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!! 
The following features available in current activation key in flash 
are NOT available in activation key entered: 
   VPN-3DES-AES 
   GTP/GPRS 
   5 Security Contexts 
Failover is different: 
   current activation key in flash: UR(estricted) 
   activation key entered: R(estricted) 
Some features might not work in the downgraded image if this key is used. 
Do you wish to continue? [confirm] 
Downgrade process terminated. 
Please enter an activation-key in the command line.

	Guide for Cisco PIX 6.2 and 6.3 Users Upgrading to Cisco PIX Software Version 7.0
	Downgrade Procedure
Guide for Cisco PIX 6.2 and 6.3 Users Upgrading to Cisco PIX Software Version 7.0 About This Guide Before You Begin New Features Changed and Deprecated Features and Commands Upgrade Procedure Downgrade Procedure Syslog Message Changes and Deletions	Download this chapter Downgrade Procedure Download the complete book Guide for Cisco PIX 6.2 and 6.3 Users Upgrading to Cisco Security Appliance Software Version 7.0-Whole Book PDF (PDF - 2 MB) Feedback Table Of Contents Downgrade Procedure Guidelines for Downgrading Downgrade Procedure Downgrading Examples Example of a Downgrade Procedure Example with a Zero Actkey Example with No Actkey in the Source Image Example to Abort the Downgrade at the Final Prompt Example Using an Invalid Actkey Example Without Specifying an Actkey and No 4-Tuple Actkey Stored in Flash Example Using a Security Appliance Version 7.0 Example Using an Image with No Verified Actkey Example Using a Flash 4-Tuple Key without All the Features of the Current 5-Tuple Key Example Where the Entered Actkey Does Not Have the Features of the Current 5-Tuple Key Downgrade Procedure You can downgrade from a PIX Security appliance Version 7.0 image to return to a PIX Version 6.3 image, using the downgrade command. This command changes the Flash layout to a format that the PIX images can understand. This chapter includes the following topics: •Guidelines for Downgrading •Downgrade Procedure •Downgrading Examples Guidelines for Downgrading •A PIX downgrade is not possible from the monitor prompt. The downgrade command must be used from a running PIX Security appliance Version 7.0 image to perform the downgrade. •A PIX upgrade/downgrade can be done remotely only if there is no interruption to the process. A power failure during the process may result in a corrupt Flash that requires console access to recover. To prevent loss of data, it is recommended that all data be stored externally before starting the process. •If the PIX had previously been upgraded from a PIX Version 6.3 version, the 4-tuple activation key is stored in Flash and does not need to be reentered. Even if the PIX Security appliance Version 7.0 code license had been subsequently updated using a 5-tuple activation key, the 4-tuple key is still saved. The downgrade command verifies and uses the 4-tuple key, if it exists. Otherwise, the activation key needs to be input in the CLI for the command to succeed. •We recommend using the show activation-key command to display the current activation key. •The downgrade command automatically reloads the PIX after it is complete. Downgrade Procedure To perform a downgrade to a PIX Version 6.3 image, use the downgrade command from a running PIX Security appliance Version 7.0 image as follows: downgrade [/noconfirm] <image_url> [activation-key (flash\|file\|<4-part-actkey>)] [config <start_config_url>] Note The downgrade command is not available in user context mode. where: •<image_url>—A filename in Flash or a network URL (all network URL are supported by the copy command) that points to a PIX image. This must be an image that is before PIX Security appliance Version 7.0 release. •<start_config_url>—Any URL which could be a network or local Flash that points to a start up configuration file to be used after the reboot. The configuration must be for the version of the image file used in the downgrade. •activation-key—Specifies the activation key to be used on the downgraded image, using one of the following methods: –flash—Use the 4-tuple activation key that may have been used in the device. This is the default if the activation-key is not specified in the command line. –file—Allowed only on a PIX Version 6.3 image that was stored in Flash memory during the upgrade process. Such an image contains the activation key in the image itself and could be used after downgrade as well. –<4-part-actkey>—The activation key to be written to the image. Note If the activation-key keyword is present, then you must enter one of the three options: flash, file, or <4-part-actkey>. •/noconfirm—The presence of this option suppresses the confirmation dialogue. Note In most cases, you use the downgrade <image_url> command to downgrade, where <image_url> is the TFTP server location of the downgraded image. If the TFTP server is 192.168.1.20 and the filename in the TFTP root directory is pix633.bin, the command would look like the following: downgrade tftp://192.168.1.20/pix633.bin If the activation-key keyword is not specified in the command line and there is no default activation key for the image, the command will be rejected. If the activation key is found and could be used with the image, it will be stored in the image for use after the downgrade. If you are using an image file that was saved during the upgrade process (file image_old.bin), you could use the activation-key file option. The data file containing cryptographic keys used before upgrading to PIX Security appliance Version 7.0 will be restored if the Flash has not been formatted or erased since the upgrade. The flash option for the activation key is the last 4-tuple activation key used in the system. This key might have been overridden by a 5-tuple key, in which case, a warning with the list of features that might be potentially lost by going back to the 4-tuple key will be generated. If the system Flash has been reformatted or erased for some reason, the last 4-tuple key used will not be available and there will be no default key for the downgrade. The CLI notifies you to enter an activation key in the command line. If the config keyword is not present, then the default is to use the downgrade.cfg file, if present. Otherwise, the PIX will boot without a configuration file. If the downloaded image is not a PIX image or is lower than PIX Version 6.2, the command fails and an error message is generated. If /noconfirm is not present, the CLI prompts for confirmation and reboots the device after the downgrade operation is complete. To downgrade using the CLI perform the following steps: Step 1 Download the image from the network to RAM and check for validity. Proceed to Step 2 if the image passes. Step 2 Get the activation key using the flash, file, or <4-part-actkey> method previously described. Step 3 Verify the activation key if possible, and write it on the downloaded image. Step 4 Obtain the startup configuration from the URL or downgrade.cfg file, if any exists. Step 5 Read the data files from the downgrade.dat file (raw read, no format) and buffer it in RAM. Step 6 Erase the entire Flash. Step 7 Write the PIX image in RAM at the beginning of the Flash (sector 0). Step 8 Write the startup configuration in RAM to the next sector(s) after the image (raw write). Step 9 Write the data files in RAM to the next sector(s) (raw write). Step 10 Reboot. When the PIX image boots up, it checks for the PIX filesystem magic. As the magic is not present, the system rebuilds the filesystem by gleaning the data from Flash. It detects the image, startup configuration file, and data files by the presence of the respective magics. The appropriate filesystem header is created in Flash using the information discovered. The startup configuration is specified in the CLI in case there is no downgrade.cfg file in the Flash and remote connectivity is desired after the reboot. The design assumes that the downgrade procedure has been successful only if there are no interruptions to the process, such as no user or power interruptions, and the Flashfs filesystem in Flash is not corrupt. PDM and crash information are not copied over. Downgrading Examples This section includes the following configuration examples: •Example of a Downgrade Procedure •Example with a Zero Actkey •Example with No Actkey in the Source Image •Example to Abort the Downgrade at the Final Prompt •Example Using an Invalid Actkey •Example Without Specifying an Actkey and No 4-Tuple Actkey Stored in Flash •Example Using a Security Appliance Version 7.0 •Example Using an Image with No Verified Actkey •Example Using a Flash 4-Tuple Key without All the Features of the Current 5-Tuple Key •Example Where the Entered Actkey Does Not Have the Features of the Current 5-Tuple Key Example of a Downgrade Procedure The following example is for a downgrade going from PIX Security appliance Version 7.0 to PIX Version 6.3(4). The PIX Version 6.3 image is coming from a TFTP server. Conduit# downgrade tftp://192.168.1.100/pix634.bin This command will reformat the flash and automatically reboot the system. Do you wish to continue? [confirm] Buffering image !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Buffering startup config All items have been buffered successfully. If the flash reformat is interrupted or fails, data in flash will be lost and the system might drop to monitor mode. Do you wish to continue? [confirm] Acquiring exclusive access to flash Installing the correct file system for the image and saving the buffered data !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Flash downgrade succeeded Rebooting.... CISCO SYSTEMS PIX FIREWALL Embedded BIOS Version 4.3.207 01/02/02 16:12:22.73 Compiled by xxxxxx 64 MB RAM PCI Device Table. Bus Dev Func VendID DevID Class Irq 00 00 00 8086 7192 Host Bridge 00 07 00 8086 7110 ISA Bridge 00 07 01 8086 7111 IDE Controller 00 07 02 8086 7112 Serial Bus 9 00 07 03 8086 7113 PCI Bridge 00 0D 00 8086 1209 Ethernet 11 00 0E 00 8086 1209 Ethernet 10 00 11 00 14E4 5823 Co-Processor 11 00 13 00 8086 B154 PCI-to-PCI Bridge 01 04 00 8086 1229 Ethernet 11 01 05 00 8086 1229 Ethernet 10 01 06 00 8086 1229 Ethernet 9 01 07 00 8086 1229 Ethernet 5 Cisco Secure PIX Firewall BIOS (4.2) #0: Mon Dec 31 08:34:35 PST 2001 Platform PIX-515E System Flash=E28F128J3 @ 0xfff00000 Use BREAK or ESC to interrupt flash boot. Use SPACE to begin flash boot immediately. Flash boot in 10 seconds. 9 seconds. 8 seconds. 7 seconds. 6 seconds. 5 seconds. 4 seconds. 3 seconds. 2 seconds. 1 seconds. Reading 1962496 bytes of image from flash. ########################################################################################## ##################### 64MB RAM mcwa i82559 Ethernet at irq 11 MAC: 0011.937e.0650 mcwa i82559 Ethernet at irq 10 MAC: 0011.937e.064f mcwa i82559 Ethernet at irq 11 MAC: 000d.88ee.dfa0 mcwa i82559 Ethernet at irq 10 MAC: 000d.88ee.dfa1 mcwa i82559 Ethernet at irq 9 MAC: 000d.88ee.dfa2 mcwa i82559 Ethernet at irq 5 MAC: 000d.88ee.dfa3 System Flash=E28F128J3 @ 0xfff00000 BIOS Flash=am29f400b @ 0xd8000 Crypto5823 (revision 0x1) ----------------------------------------------------------------------- \|\| \|\| \|\| \|\| \|\|\|\| \|\|\|\| ..:\|\|\|\|\|\|:..:\|\|\|\|\|\|:.. c i s c o S y s t e m s Private Internet eXchange ----------------------------------------------------------------------- Cisco PIX Firewall Cisco PIX Firewall Version 6.3(4) Licensed Features: Failover: Enabled VPN-DES: Enabled VPN-3DES-AES: Enabled Maximum Physical Interfaces: 6 Maximum Interfaces: 10 Cut-through Proxy: Enabled Guards: Enabled URL-filtering: Enabled Inside Hosts: Unlimited Throughput: Unlimited IKE peers: Unlimited This PIX has an Unrestricted (UR) license. **************************** Warning *************************** Compliance with U.S. Export Laws and Regulations - Encryption. This product performs encryption and is regulated for export by the U.S. Government. This product is not authorized for use by persons located outside the United States and Canada that do not have prior approval from Cisco Systems, Inc. or the U.S. Government. This product may not be exported outside the U.S. and Canada either by physical or electronic means without PRIOR approval of Cisco Systems, Inc. or the U.S. Government. Persons outside the U.S. and Canada may not re-export, resell or transfer this product by either physical or electronic means without prior approval of Cisco Systems, Inc. or the U.S. Government. *************************** Warning ***************************** Copyright (c) 1996-2003 by Cisco Systems, Inc. Restricted Rights Legend Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c) of the Commercial Computer Software - Restricted Rights clause at FAR sec. 52.227-19 and subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer Software clause at DFARS sec. 252.227-7013. Cisco Systems, Inc. 170 West Tasman Drive San Jose, California 95134-1706 . Cryptochecksum(unchanged): 629e8fc8 b6e63516 1c253178 e5d91814 Type help or '?' for a list of available commands. After performing the PIX Security appliance Version 7.0 downgrade, enter the enable command to enter configuration mode, then enter your password, and finally enter the show run command. The output is as follows: Conduit> enable Password: Conduit# show version Cisco PIX Firewall Version 6.3(4) Compiled on Fri 02-Jul-04 00:07 by xxxxxx Conduit up 23 secs Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz Flash E28F128J3 @ 0x300, 16MB BIOS Flash AM29F400B @ 0xfffd8000, 32KB Encryption hardware device : VAC+ (Crypto5823 revision 0x1) 0: ethernet0: address is 0011.937e.064f, irq 10 1: ethernet1: address is 0011.937e.0650, irq 11 2: ethernet2: address is 000d.88ee.dfa0, irq 11 3: ethernet3: address is 000d.88ee.dfa1, irq 10 4: ethernet4: address is 000d.88ee.dfa2, irq 9 5: ethernet5: address is 000d.88ee.dfa3, irq 5 Licensed Features: Failover: Enabled VPN-DES: Enabled VPN-3DES-AES: Enabled Maximum Physical Interfaces: 6 Maximum Interfaces: 10 Cut-through Proxy: Enabled Guards: Enabled URL-filtering: Enabled Inside Hosts: Unlimited Throughput: Unlimited IKE peers: Unlimited This PIX has an Unrestricted (UR) license. Serial Number: 808300261 (0x302daee5) Running Activation Key: 0x8a9a2457 0xd91de491 0x48534d65 0xa648750a Configuration has not been modified since last system restart. Enter the show run command to display output from your PIX Version 6.3 configuration. Output from the PIX Version 6.3 configuration follows: Conduit# show run : Saved : PIX Version 6.3(4) interface ethernet0 100full interface ethernet1 100full interface ethernet2 auto shutdown interface ethernet3 auto shutdown interface ethernet4 auto shutdown interface ethernet5 auto shutdown nameif ethernet0 outside security0 nameif ethernet1 inside security100 nameif ethernet2 dmz security50 nameif ethernet3 intf3 security6 nameif ethernet4 intf4 security8 nameif ethernet5 intf5 security10 enable password 8Ry2YjIyt7RRXU24 encrypted passwd 2KFQnbNIdI.2KYOU encrypted hostname Conduit domain-name ciscopix.com fixup protocol dns maximum-length 512 fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol tftp 69 names name 172.16.1.75 Linux no pager logging on logging trap informational logging host inside 192.168.1.99 icmp permit any outside icmp permit any inside mtu outside 1500 mtu inside 1500 mtu dmz 1500 mtu intf3 1500 mtu intf4 1500 mtu intf5 1500 ip address outside 172.16.1.161 255.255.255.0 ip address inside 192.168.1.161 255.255.255.0 no ip address dmz no ip address intf3 no ip address intf4 no ip address intf5 ip audit info action alarm ip audit attack action alarm no failover failover timeout 0:00:00 failover poll 15 no failover ip address outside no failover ip address inside no failover ip address dmz no failover ip address intf3 no failover ip address intf4 no failover ip address intf5 pdm location 192.168.1.99 255.255.255.255 inside pdm history enable arp timeout 14400 global (outside) 1 172.16.1.210-172.16.1.212 nat (inside) 1 0.0.0.0 0.0.0.0 0 0 static (inside,outside) 172.16.1.111 192.168.1.5 netmask 255.255.255.255 0 0 conduit permit icmp any any conduit permit tcp host 172.16.1.111 eq www any conduit permit tcp host 172.16.1.49 eq smtp host 209.165.201.2 route outside 0.0.0.0 0.0.0.0 172.16.1.1 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server TACACS+ max-failed-attempts 3 aaa-server TACACS+ deadtime 10 aaa-server RADIUS protocol radius aaa-server RADIUS max-failed-attempts 3 aaa-server RADIUS deadtime 10 aaa-server LOCAL protocol local http server enable http 0.0.0.0 0.0.0.0 outside http 0.0.0.0 0.0.0.0 inside no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable telnet 192.168.1.0 255.255.255.0 inside telnet timeout 5 ssh timeout 5 console timeout 0 dhcpd address 192.168.1.100-192.168.1.102 inside dhcpd lease 3600 dhcpd ping_timeout 750 dhcpd enable inside terminal width 80 Cryptochecksum:629e8fc8b6e635161c253178e5d91814 : end Conduit# Example with a Zero Actkey Enter a zero actkey: PIX# downgrade tftp://17.13.2.25//tftpboot/mananthr/pix704.bin.6.3.3 activation-key 0 0 0 0 This command will reformat the flash and automatically reboot the system. Do you wish to continue? [confirm] [Press Enter to confirm] Buffering image !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Error: activation key entered is invalid. Example with No Actkey in the Source Image Enter the file option when there is no actkey in the source image, which happens if the source is in TFTP server: PIX# downgrade tftp://17.13.2.25//tftpboot/mananthr/pix704.bin.6.3.3 activation-key file This command will reformat the flash and automatically reboot the system. Do you wish to continue? [confirm] Buffering image !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!! Activation key does not exist in the source image. Please use the activation-key option to specify an activation key. Example to Abort the Downgrade at the Final Prompt Abort the downgrade at the final prompt: PIX# downgrade tftp://17.13.2.25//tftpboot/mananthr/pix704.bin.6.3.3 This command will reformat the flash and automatically reboot the system. Do you wish to continue? [confirm] [Press Enter to confirm] Buffering image !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!! Buffering startup config All items have been buffered successfully. If the flash reformat is interrupted or fails, data in flash will be lost and the system might drop to monitor mode. Do you wish to continue? [confirm] ===<typed n here> Downgrade process terminated. Example Using an Invalid Actkey Enter an invalid actkey for the platform: PIX# downgrade tftp://17.13.2.25//tftpboot/mananthr/pix704.bin.6.3.3 activation-key 0xaaf93e75 0xc1d21188 c2e18f2 0x162a8a80 This command will reformat the flash and automatically reboot the system. Do you wish to continue? [confirm] [Press Enter to confirm] Buffering image !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!! Warning: activation key entered is invalid Do you wish to continue? [confirm] Downgrade process terminated. Example Without Specifying an Actkey and No 4-Tuple Actkey Stored in Flash Downgrade without specifying an actkey in the command line when there is no 4-tuple actkey stored in Flash: PIX# downgrade tftp://17.13.2.25//tftpboot/mananthr/pix704.bin.6.3.3 This command will reformat the flash and automatically reboot the system. Do you wish to continue? [confirm] [Press Enter to confirm] Buffering image !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!! Warning: 4 tuple activation key in flash is invalid. Do you wish to continue? [confirm] Downgrade process terminated. Please enter an activation-key in the command line. Example Using a Security Appliance Version 7.0 Use a PIX Security appliance Version 7.0 image with the downgrade: PIX# downgrade tftp://17.13.2.25//scratch/views/test/target/f1/pix704.bin This command will reformat the flash and automatically reboot the system. Do you wish to continue? [confirm] [Press Enter to confirm] Buffering image !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Error: Need to use an image with version less than 7-0-0-0. Example Using an Image with No Verified Actkey Use an image for which we do not verify actkey: PIX# downgrade tftp://17.13.2.25//tftpboot/mananthr/pix704.bin.4.4.1-rel This command will reformat the flash and automatically reboot the system. Do you wish to continue? [confirm] [Press Enter to confirm] Buffering image !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Image checksum has not been verified !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Warning: Activation key not verified. Key 32c261f3 633fe24 c94ef2ea e299a3f might be incompatible with the image version 4-4-1-0. Do you wish to continue? [confirm] Downgrade process terminated. Please enter an activation-key in the command line. Example Using a Flash 4-Tuple Key without All the Features of the Current 5-Tuple Key The Flash 4-tuple key does not have all features of the current 5-tuple key: PIX# downgrade tftp://17.13.2.25//tftpboot/mananthr/pix704.bin.6.3.3 This command will reformat the flash and automatically reboot the system. Do you wish to continue? [confirm] [Press Enter to confirm] Buffering image !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!! The following features available in current activation key in flash are NOT available in 4 tuple activation key in flash: VPN-3DES-AES GTP/GPRS 5 Security Contexts Failover is different: current activation key in flash: UR(estricted) 4 tuple activation key in flash: R(estricted) Some features might not work in the downgraded image if this key is used. Do you wish to continue? [confirm] Downgrade process terminated. Please enter an activation-key in the command line. Example Where the Entered Actkey Does Not Have the Features of the Current 5-Tuple Key The entered actkey does not have all features of the current 5-tuple key: PIX# downgrade tftp://17.13.2.25//tftpboot/mananthr/pix704.bin.6.3.3 activation-key 0x32c261f3 0x062afe24 0xc94ef2ea 0x0e299a3f This command will reformat the flash and automatically reboot the system. Do you wish to continue? [confirm] [Press Enter to confirm] Buffering image !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!! The following features available in current activation key in flash are NOT available in activation key entered: VPN-3DES-AES GTP/GPRS 5 Security Contexts Failover is different: current activation key in flash: UR(estricted) activation key entered: R(estricted) Some features might not work in the downgraded image if this key is used. Do you wish to continue? [confirm] Downgrade process terminated. Please enter an activation-key in the command line.
	Terms & Conditions \| Privacy Statement \| Cookie Policy \| Trademarks