The PIX firewall licensing is unique compared to some of Cisco's other products. PIX licensing usually doesn't require the installation of new software, unlike licensing for Cisco routers. The PIX uses activation keys to enable extra features such as adding more RAM, failover, extra interface cards, and so on. Activation keys are acquired by sending Cisco your serial number and the feature you want enabled (oh, and don't forget the cash, too!). Cisco then sends you a unique activation key computed from both the hardware serial number and the required new feature. Because the activation key is unique to each feature, you must get a new activation key if you replace your flash.
Displaying activation key information is straightforward. By using the show version command, you can display information such as the software version, hardware platform, enabled licensed features, serial number, and running activation key. Listing 3.1 displays the show version command and its output.
Cisco Pix Activation Key
What am I doing wrong? I'm in command mode, I type in activation-key 00000000 00000000 00000000 00000000 (the hex key I was given by licensing). When I hit enter, I get "type help or ? for a list of commands."
Thank you for your reply Rahul. I did that and they sent me the key that was already installed. When I run show activation-key, it shows VPN-3DES-AES Disabled. I emailed Cisco support and they say it is Enabled. I replied showing them that it is disabled and asked how to enable it and was told:
Enter the serial number of the Cisco ASA. You can get this by looking on the chassis, or doing a show version or a show activation-key. The license key will be emailed to you, and then all you have to do is enter it into the ASA with the activation-key command.
CiscoASA# show activation-key
Serial Number: ************
Running Activation Key: 0x7905c844 0x2c16a53f 0xe430dd6c 0xa6e428a8 0x05260b8b

Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 50
Inside Hosts                 : Unlimited
Failover                     : Disabled
VPN-DES                      : Enabled
VPN-3DES-AES                 : Disabled
Security Contexts            : 0
GTP/GPRS                     : Disabled
SSL VPN Peers                : 2
Total VPN Peers              : 250
Shared License               : Disabled
AnyConnect for Mobile        : Disabled
AnyConnect for Linksys phone : Disabled
AnyConnect Essentials        : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions      : 2
Total UC Proxy Sessions      : 2
Botnet Traffic Filter        : Disabled

This platform has a Base license.

The flash activation key is the SAME as the running key.
CiscoASA#
Yizhar Hurwitz

RE: TFTP - Bad Magic Number?
MJNSBF (TechnicalUser) (OP) 20 Nov 02 13:35

Hi Yizhar,
I used the write net command to upload to the tftp server.
Will obtaining another image from my Cisco dealer cost additional money? We just bought this 2 months ago.....

RE: TFTP - Bad Magic Number?
yizhar (MIS) 20 Nov 02 15:47

Hi.
> I used the write net command to upload to the tftp server
This is your problem - you are uploading the configuration file, then trying to use it as the OS image.
Good thing that the pix won't allow you that.
> Will obtaining another image from my Cisco dealer cost additional money?
It should not cost you.
If you currently have pix version 6.2x, then you can upgrade the activation key without the tftp process.
Bye
Yizhar Hurwitz

RE: TFTP - Bad Magic Number?
MJNSBF (TechnicalUser) (OP) 20 Nov 02 16:51

Thanks Yizhar!
Yes, thank goodness pix won't allow!
I have version 6.1....is there a way (command) to upload the OS, or is contacting my dealer a better way to go?
Again, thanks for your help!!!

RE: TFTP - Bad Magic Number?
yizhar (MIS) 20 Nov 02 17:11

Hi.
I don't know of such a command to upload the OS image. If you find one please let us know.
Ask your dealer for the file - it should be quick and easy.
Bye
Yizhar Hurwitz

RE: TFTP - Bad Magic Number?
berford (Vendor) 20 Nov 02 17:25

MJNSBF,
Until you have 6.2 you cannot copy the OS image off the PIX. With v6.2 you can copy the OS image via HTTPS.
I believe the instruction was probably about making a backup copy of your configuration. That makes more sense since you are upgrading the OS image.
Liberty for All,
Brian
Specify a host for firewall console access via Secure Shell (SSH). (Configuration mode.)

[no] ssh disconnect session_id
[no] ssh ip_address [netmask] [interface_name]
[no] ssh timeout mm
show ssh [sessions [ip_address]]
show ssh timeout
clear ssh

Syntax Description

ip_address      IP address of the host or network authorized to initiate an SSH connection to the firewall.
netmask         Network mask for ip_address. If you do not specify a netmask, the default is 255.255.255.255 regardless of the class of ip_address.
interface_name  Firewall interface name on which the host or network initiating the SSH connection resides.
mm              The duration in minutes that a session can be idle before being disconnected. The default duration is 5 minutes. The allowable range is from 1 to 60 minutes.
session_id      SSH session ID number available from the show ssh sessions command.

Usage Guidelines

The ssh ip_address command specifies the host or network authorized to initiate an SSH connection to the firewall. The ssh timeout command allows you to specify the duration in minutes that a session can be idle before being disconnected. The default duration is 5 minutes. Use the show ssh sessions command to list all active SSH sessions on the firewall. The ssh disconnect command allows you to disconnect a specific session you observed from the show ssh sessions command. Use the clear ssh command to remove all ssh command statements from the configuration. Use the no ssh command to remove selected ssh command statements from the configuration.

You must generate an RSA key-pair for the firewall before clients can connect to the firewall console. To use SSH, the firewall must have a DES or 3DES activation key.

To gain access to the firewall console via SSH, at the SSH client, enter the username as pix and enter the Telnet password. You can set the Telnet password with the passwd command; the default Telnet password is cisco. To authenticate using a AAA server instead, configure the aaa authentication ssh console command.

SSH permits up to 100 characters in a username and up to 50 characters in a password. When starting an SSH session, a dot (.) displays on the firewall console before the SSH user authentication prompt appears. The dot appears as follows:

pixfirewall(config)# .
pixfirewall(config)# .

The display of the dot does not affect the functionality of SSH. The dot appears at the console when generating a server key or decrypting a message using private keys during SSH key exchange, before user authentication occurs. These tasks can take up to two minutes or longer. The dot is a progress indicator that verifies that the firewall is busy and has not hung.

show ssh sessions Command

The show ssh sessions command provides the following display:

Session ID  Client IP      Version  Encryption  State  Username
0           172.16.25.15   1.5      3DES        4      -
1           172.16.38.112  1.5      DES         6      pix
2           172.16.25.11   1.5      3DES        4      -

The Session ID is a unique number that identifies an SSH session. The Client IP is the IP address of the system running an SSH client. The Version lists the protocol version number that the SSH client supports. The Encryption column lists the type of encryption the SSH client is using. The State column lists the progress the client is making as it interacts with the firewall. The Username column lists the login username that has been authenticated for the session. The "pix" username appears when non-AAA authentication is used.

The following table lists the SSH states that appear in the State column:

Number  SSH State
CCSP Self-Study: Cisco Secure PIX Firewall Advanced (CSPFA), Second Edition, is part of a recommended learning path from Cisco Systems that can include simulation and hands-on training from authorized Cisco Learning Partners and self-study products from Cisco Press. To find out more about instructor-led training, e-learning, and hands-on instruction offered by authorized Cisco Learning Partners worldwide, please visit www.cisco.com/go/authorizedtraining.