Hey everyone? I'm new to cisco and I have a problem. I am also new to the company and they have an ASA 5505, but the firmware 'has a big.
Introduction
This document describes how to upgrade a software image on the Cisco ASA 5500 Series Adaptive Security Appliances using the Cisco Adaptive Security Device Manager (ASDM).
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on these software and hardware versions:
- Cisco ASA 5500 and ASA5500-X 9.1(2) and later
- Cisco ASDM 7.1 and later
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Related Products
This configuration can also be used with Cisco ASA 5500-X Series Security Appliance Software Version 9.x.
Conventions
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
Download Software
You can download your required release version of ASA Software images and ASDM Software images using these links:
- Cisco ASA Software Release Download (registered customers only)
- Cisco ASDM Software Release Download (registered customers only)
Note: You need to have valid Cisco user credentials in order to download this software from Cisco.com.
Compatibility between ASA and ASDM
Refer to the link below, which is kept up to date with the compatibility and the Cisco-recommended ASDM release for each version of ASA.
ASA Upgrade Path
Refer to the link below, which provides the upgrade path for ASA. Some versions require an interim upgrade before you can upgrade to the latest version.
Upgrade an ASA Software Image using ASDM 7.x
Complete these steps to upgrade a software image on the ASA 5500 using ASDM.
1. If the ASA is in single context mode, select Tools > Upgrade Software from Local Computer... from the Home window of the ASDM.
If the ASA is running in multiple context mode, the Upgrade Software from Local Computer option under Tools is available only from the System context.
2. Select ASA as the image type to upload from the drop-down menu.
3. Click Browse Local Files... or type the path in the Local File Path field to specify the location of the software image on your PC.
4. Click Browse Flash....
5. A Browse Flash Dialog window appears with the file name entered automatically. If the file name does not appear, enter it manually in the File Name field. Click OK when you are done.
6. Once both the local and remote file names are specified, click Upload Image.
7. A Status window appears while ASDM writes the image to Flash. Once completed, an Information window appears that indicates a successful upload and asks whether the image should be set as the boot image. Select Yes.
Click OK in the Information window and then Close in the Upload Image from Local PC window.
8. Choose Tools > System Reload from the Home window to reload the device.
A new window appears that asks you to verify the details of the reload. Select Save the running configuration at the time of reload and then choose a time to reload.
- Now—Reboot the device immediately.
- Delay By—Specify in how many minutes or hours from now to reload the device.
- Schedule at—Specify a time and date to reload the device.
![Asa 5505 Ios Download Asa 5505 Ios Download](https://www.cisco.com/c/dam/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/200142-ASA-9-x-Upgrade-a-Software-Image-using-18.png)
You can also specify whether or not the device should force a reload immediately if a scheduled reload fails. Check On Reload failure, force an immediate reload after and then specify a maximum hold time. This is the amount of time that the security appliance waits to notify other subsystems before a shutdown or reboot. After this time elapses, a quick (forced) shutdown/reboot occurs. Click Schedule Reload.
Once the reload is in progress, a Reload Status window appears that indicates that a reload is being performed. An option to exit ASDM is also provided.
Note: Start ASDM again after the ASA reloads.
Upgrade ASDM Image using ASDM 7.x.
Complete these steps to upgrade a software image on the ASA 5500 using ASDM.
1. Select Tools > Upgrade Software from Local Computer... from the Home window of the ASDM.
2. Select ASDM as the image type to upload from the drop-down menu.
3. Click Browse Local Files... or type the path in the Local File Path field to specify the location of the software image on your PC.
Click Browse Flash....
A Browse Flash Dialog window appears with the file name entered automatically. If the file name does not appear, enter it manually in the File Name field. Click OK when you are done.
4. Click OK once the image is updated with the new image.
5. Select File > Save Running Configuration to Flash from the Home window of the ASDM.
Exit the ASDM and log back in to manage the ASA with the upgraded ASDM image.
Upgrading the ASA and ASDM by downloading image directly from CCO
Complete these steps to upgrade an ASA and ASDM image directly from CCO.
1. Select Tools > Check for ASA/ASDM Updates... from the Home window of the ASDM.
2. When the username and password prompt appears, provide the Cisco.com credentials and click Login.
3. The Cisco.com Upgrade Wizard appears. In the Overview section, click Next.
4. In the Select Software section, check the software which needs to be upgraded. If both ASA and ASDM need to be upgraded, check both options.
5. In the ASA version dropdown, select the version to which the ASA upgrade has to be performed.
6. In the ASDM version dropdown, select the version to which the ASDM upgrade has to be performed. Click Next once the appropriate versions are selected.
7. In the Review Changes section, review the changes and click Next.
8. The installation of the images starts and the overall progress is displayed. Once completed, click Finish.
In the Results section, check the 'Save configuration and reload device now' option. Click Finish.
9. The Reload status screen appears while the device reloads.
10. Click 'Exit ASDM' and log back in once the device comes up after the reload.
Upgrade a Software Image and ASDM Image using CLI
A TFTP server is required to upgrade or downgrade a software image as well as an ASDM image for an ASA. Refer to TFTP Server Selection and Use in order to learn more about TFTP server selection.
The copy tftp flash command enables you to download a software image into the Flash memory of the firewall via TFTP. You can use the copy tftp flash command with any security appliance model. The image you download can then be used upon the next reboot, by changing the boot system variable to point to this image.
This is the output from the copy tftp flash command:
For multiple context mode, perform these steps in the system execution space.
Note: For ASA, keyword disk0 replaces flash in the copy command.
If the command is used without the location or pathname optional parameters, then the location and filename are obtained from the user interactively via a series of questions similar to those presented by Cisco IOS® software. If you only enter a colon, parameters are taken from the tftp-server command settings. If other optional parameters are supplied, then these values are used in place of the corresponding tftp-server command setting. If any of the optional parameters, such as a colon and anything after it are supplied, the command runs without a prompt for user input.
The location is either an IP address or a name that resolves to an IP address via the security appliance naming resolution mechanism, which is currently static mappings via the name and names commands. The security appliance must know how to reach this location via its routing table information. This information is determined by the IP address, the route, or the RIP commands. This depends on your configuration.
The pathname can include any directory names besides the actual last component of the path to the file on the server. The pathname cannot contain spaces. If a directory name has spaces, set the directory in the TFTP server instead of in the copy tftp flash command. If your TFTP server is configured to point to a directory on the system from which you download the image, you only need to use the IP address of the system and the image filename. The TFTP server receives the command and determines the actual file location from its root directory information. The server then downloads the TFTP image to the security appliance.
These commands are needed to upgrade the software image as well as the ASDM image and make it as a boot image at the next reload.
Example:
Note: When you try to upgrade the image on the ASA from an FTP server, you can use the copy ftp flash command. This command allows you to specify parameters, such as remote IP address and source file name. This procedure is similar to TFTP. However, one limitation is that you cannot modify the remote IP/source interface (like you can with TFTP). In TFTP mode, options specified with the tftp-server command can be pulled and executed. But with FTP, there is no such option. The source interface should always be the outside by default, which cannot be modified. That is, the FTP server should be reachable from the outside interface.
Verify
Use this section to confirm that your software upgrade was successful.
The Cisco CLI Analyzer (registered customers only) supports certain show commands. Use the Cisco CLI Analyzer in order to view an analysis of show command output.
After the ASA reloads and you have successfully logged into ASDM again, you can verify the version of the image that runs on the device. See the General tab on the Home window for this information.
These CLI commands are used in order to verify the upgrade:
- Show version—This shows the current image with which the ASA is booted.
- Show bootvar—This shows the priority of the image to be used after reload.
- Show asdm image—This shows the current asdm image used by ASA.
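The three checks above can be automated once the command output has been collected. The sketch below is an added example, not part of the Cisco document: the sample outputs are constructed, their line layout is assumed to match the usual ASA format, and the function names are hypothetical.

```python
import re

# Constructed sample output (not captured from a real device); the line
# layout, including ';' between boot entries, is an assumption of this example.
SHOW_VERSION = '''\
Cisco Adaptive Security Appliance Software Version 9.1(2)
Device Manager Version 7.1(3)

System image file is "disk0:/asa912-k8.bin"
'''
SHOW_BOOTVAR = '''\
BOOT variable = disk0:/asa912-k8.bin
Current BOOT variable = disk0:/asa912-k8.bin;disk0:/asa847-k8.bin
CONFIG_FILE variable =
Current CONFIG_FILE variable =
'''
SHOW_ASDM_IMAGE = "Device Manager image file, disk0:/asdm-713.bin\n"


def _first(pattern, text):
    """Return group 1 of the first match, or None when the line is absent."""
    m = re.search(pattern, text, re.MULTILINE)
    return m.group(1).strip() if m else None


def check_upgrade(version_out, bootvar_out, asdm_out, want_asa, want_asdm):
    """Return a list of problems; an empty list means the upgrade took effect."""
    problems = []
    running_ver = _first(r"^Cisco Adaptive Security Appliance Software Version (\S+)", version_out)
    running_img = _first(r'^System image file is "([^"]+)"', version_out)
    boot_list = _first(r"^Current BOOT variable = (.*)$", bootvar_out) or ""
    asdm_img = _first(r"^Device Manager image file, (\S+)", asdm_out)

    if running_ver != want_asa:
        problems.append(f"running version {running_ver}, expected {want_asa}")
    # The first entry of the boot list is the image tried first on the next reload.
    next_boot = boot_list.split(";")[0].strip() or None
    if next_boot is None:
        problems.append("no boot system entry is configured")
    elif next_boot != running_img:
        problems.append(f"next boot image {next_boot} differs from running {running_img}")
    if asdm_img is None or not asdm_img.endswith(want_asdm):
        problems.append(f"ASDM image {asdm_img}, expected {want_asdm}")
    return problems


if __name__ == "__main__":
    print(check_upgrade(SHOW_VERSION, SHOW_BOOTVAR, SHOW_ASDM_IMAGE,
                        "9.1(2)", "asdm-713.bin") or "upgrade verified")
```

A mismatch between the running image and the first boot entry is the case worth catching: the device is on the new release now but would return to the older image at the next reload.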
Troubleshoot
There is currently no specific troubleshooting information available for this configuration.
Related Information
Last week Cisco released the latest version of the Cisco Adaptive Security Appliance (ASA) 5500 firmware, Version 8.3(1). It has been about 6 months since release 8.2(1) was released and a lot of effort has gone into this latest version. There are several new features and several enhancements with this new version that you are likely to take advantage of. This article covers the new features and enhancements that I think most people will find useful.
Downloading the Image
The new software was made available for downloading on March 8, 2010, and it is just as easy to use as previous versions. The file that you will want to download is asa831-k8.bin if you have an ASA 5505, 5510, 5520, 5540, or 5550. If you have an ASA 5580-20 or ASA 5580-40 then you need a different image file, 'asa831-smp-k8.bin'. Don't forget to download the current Adaptive Security Device Manager (ASDM) version 6.3(1) file 'asdm-631.bin' and place that on the ASA's flash. This version of ASDM will work for ASAs that are running either version 8.0, 8.1, 8.2, or 8.3.
Documentation
Cisco has also put out new documentation for ASA release 8.3. Cisco has a new configuration guide, an ASDM configuration guide, and a new Command Reference guide. Cisco has documentation on migrating and getting started. There is even documentation on managing licenses and open-source licenses. I'm glad to see that management documentation wasn't forgotten. There is a guide for NetFlow collectors and SNMPv3, and even syslog messages.
IPv6 LAN-to-LAN Manually-Configured Tunnels
While many of you may not be migrating to IPv6 right now, you should still be forming your IPv6 transition strategy today. One of those strategies may involve creating a tunnel through your lame IPv4-only service provider to an ISP that has IPv6 capabilities. If you have a router outside your firewall then this is where you would most likely configure this tunnel. However, if you have an environment where your handoff to your current ISP is the outside Ethernet interface on your ASA, now you can configure an IPv6 LAN-to-LAN tunnel.
IPv6-Enabled Stateful Failover
Early adopters of IPv6 on their ASAs have been familiar with this limitation for a while now. In release 8.2(1) and earlier, there were limitations on how you could configure an HA pair of ASA firewalls that had IPv6-addressed interfaces. The new version eliminates these issues and allows interfaces using IPv6 addresses to perform in the stateful active/passive failover.
Smart Call Home
Smart Call Home Version 3.0(1) allows for speedier communication with Cisco TAC and faster MTBF for troubleshooting instances. It allows proactive diagnostics and real-time alerts to be sent to the experts at Cisco TAC for speedy problem resolution. Below are some of the commands you will use to configure this feature.
service call-home
call-home
 contact-email-addr priority 10
 profile TAC-ASA-TEST
  destination address email [email protected] transport-method email
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
When you are done with the configuration you can use the 'show call-home [detail]' command.
Clientless SSL Browser Support
ASA version 8.3(1) provides greater support for new browser versions with clientless SSL VPN. Version 8.3(1) now supports the following browsers and operating system platforms. This is good news for organizations that want to provide SSL VPN services to the broadest range of remote users.
- Win7 32 & 64-bit IE 8.X and Firefox 3.X
- Vista 64-bit IE 7.X & 8.X and Firefox 3.X
- Vista 32-bit SP1/2 IE 6.X, 7.X, 8.X and Firefox 3.X
- Windows XP 64-bit IE 6.X, 7.X, 8.X and Firefox 3.X
- Windows XP 32-bit SP2/3 IE 6.X, 7.X and Firefox 3.X
- Mac OS X 32/64-bit Safari 3.X & 4.X and Firefox 3.X
- Linux with Firefox 3.X
Smart Tunnel Enhancements
Smart Tunnels are SSL-based VPN connections that allow TCP applications to connect through an ASA like a proxy server. They offer better performance than a browser plug-in but still allow for clientless VPN access that doesn't require the user to have administrative rights on their computer. Smart tunnels can be configured using the 'smart-tunnel list', 'smart-tunnel network', and 'smart-tunnel tunnel-policy' commands. However, I feel that it is easier to configure these types of clientless VPN features using ASDM.
NAT Simplification
NAT configuration has been redesigned to allow for simpler configuration and increased flexibility. Gone are the 'nat-control', 'static', 'global', and 'alias' commands. The new syntax uses the 'nat dynamic' and 'nat static' commands. Therefore, there will be some migration of your NAT statements when you migrate to version 8.3.
Botnet Traffic Filter
While not solely an 8.3 version feature, the Botnet Traffic Filter is something worth exploring. Botnet Traffic Filter has been available since ASA version 8.2(1). The Botnet Traffic Filter inspects outbound network traffic for connections to blacklisted sites and for malware connecting to a command-and-control system. It is a subscription-based service that provides an updated dynamic database of malware DNS and IP addresses. You can also adjust the database and add your own IP addresses and ranges to it. User connections to these blacklist addresses are automatically blocked. It is pretty easy to configure and will definitely help your organization observe botnet command and control traffic and identify botnet infected computers within your organization. Just like other features on the ASA, you can configure it with the CLI, but this feature may be easier to get going with the ASDM interface. Cisco has put together a video to help you learn how to configure this feature.
Increased Memory Required
One of the downsides to running 8.3 is that it will require additional memory on ASA models 5505, 5510, 5520 and 5540. The minimum memory on ASA 5505s is 512MB of RAM, while 5510s will need 1GB of RAM and ASA 5520s and 5540s will need 2GB of RAM. Check out the Memory Requirements section of this release guide document.
Conclusion
The new 8.3 release of the ASA firmware provides some useful features that continue to build upon the solid foundation of the ASA. Hopefully you will be able to order your memory upgrades, and then schedule some maintenance to install that memory and get the latest version of firmware and ASDM installed on your ASAs. Be sure to check the release notes before migrating to make sure that this new version won't cause any problems for your systems.
Scott