09-02-2011 02:13 AM - edited 03-11-2019 02:20 PM
Hi Friends,
I have never touched a firewall box before, but I need to upgrade the IOS on 2 ASAs that are running in production. I am upgrading from 8.2(2) to 8.2(5). Just to point out, one of the firewalls has an SSM module with it. The "sh inventory" output is at the end below.
I have downloaded the asa825-k8.bin and asdm-645-106.bin files already on my computer.
Two queries to clear off:
1. Wanted to know if I need to download any more files, like some feature licenses or anything else? I did "dir flash:" to see what contents it had already and this was it:
28 -rwx 16275456 02:18:46 Nov 07 2010 asa821-k8.bin
129 -rwx 11348300 04:34:32 Nov 07 2010 asdm-621.bin
3 drwx 4096 08:03:46 Jan 01 2003 log
10 drwx 4096 08:04:00 Jan 01 2003 crypto_archive
11 drwx 4096 08:04:32 Jan 01 2003 coredumpinfo
131 -rwx 12105313 04:19:40 Nov 07 2010 csd_3.5.841-k9.pkg
132 drwx 4096 04:19:42 Nov 07 2010 sdesktop
133 -rwx 2857568 04:19:44 Nov 07 2010 anyconnect-wince-ARMv4I-
134 -rwx 3203909 04:19:46 Nov 07 2010 anyconnect-win-2.4.1012-
135 -rwx 4832344 04:19:48 Nov 07 2010 anyconnect-macosx-i386-2
136 -rwx 5209423 04:19:50 Nov 07 2010 anyconnect-linux-2.4.101
137 -rwx 16459776 10:52:44 Apr 28 2011 asa822-k8.bin
138 -rwx 14240396 10:53:12 Apr 28 2011 asdm-631.bin
139 -rwx 11862220 11:10:12 Apr 28 2011 asdm-625.bin
143 -rwx 48299 15:03:20 Sep 02 2011 10.80.24.74
2. How do I take a complete backup like it works in ASDM v6.2 "Tools->Backup configurations"? I was reading through the RN for doing that and, from what I could understand, it was talking about some "export" thing, but it did not make much sense to me.
Below are the sh version and sh inventory from both the ASAs. It would be highly appreciated if someone can help me fill in the gaps in my understanding and also so that I can do this job smoothly.
FW01# sh ver
Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)
Compiled on Tue 05-May-09 22:45 by builders
System image file is "disk0:/asa821-k8.bin"
Config file at boot was "startup-config"
RHHQAPFW01 up 102 days 1 hour
Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: GigabitEthernet0/0 : address is c471.fe8a.45f6, irq 9
1: Ext: GigabitEthernet0/1 : address is c471.fe8a.45f7, irq 9
2: Ext: GigabitEthernet0/2 : address is c471.fe8a.45f8, irq 9
3: Ext: GigabitEthernet0/3 : address is c471.fe8a.45f9, irq 9
4: Ext: Management0/0 : address is c471.fe8a.45f5, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
SSL VPN Peers : 2
Total VPN Peers : 750
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has an ASA 5520 VPN Plus license.
Serial Number: JMX1504L1DG
Running Activation Key: <Deleted for security reason>
Configuration register is 0x1
Configuration last modified by admin at 09:19:08.880 WST Fri Sep 2 2011
RHHQAPFW01#
RHHQAPFW01# sh inventory
Name: "Chassis", DESCR: "ASA 5520 Adaptive Security Appliance"
PID: ASA5520 , VID: V06 , SN: JMX1504L1DG
Name: "power supply", DESCR: "ASA/IPS 180W AC Power Supply"
PID: ASA-180W-PWR-AC , VID: V03 , SN: DTN143882JS
Firewall 2:
RHHQAPFW03# sh ver
Cisco Adaptive Security Appliance Software Version 8.2(2)
Device Manager Version 6.2(5)
Compiled on Mon 11-Jan-10 14:19 by builders
System image file is "disk0:/asa822-k8.bin"
Config file at boot was "startup-config"
RHHQAPFW03 up 102 days 1 hour
Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: GigabitEthernet0/0 : address is c84c.75df.5966, irq 9
1: Ext: GigabitEthernet0/1 : address is c84c.75df.5967, irq 9
2: Ext: GigabitEthernet0/2 : address is c84c.75df.5968, irq 9
3: Ext: GigabitEthernet0/3 : address is c84c.75df.5969, irq 9
4: Ext: Management0/0 : address is c84c.75df.5965, irq 11
5: Int: Internal-Data0/0 : address is 0000.0001.0002, irq 11
6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
SSL VPN Peers : 2
Total VPN Peers : 750
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has an ASA 5520 VPN Plus license.
Serial Number: JMX1445L2F1
Running Activation Key: <Deleted for security concern>
Configuration register is 0x1
Configuration last modified by didata at 10:08:08.217 WST Thu Aug 25 2011
RHHQAPFW03# sh inventory
Name: "Chassis", DESCR: "ASA 5520 Adaptive Security Appliance"
PID: ASA5520 , VID: V06 , SN: JMX1445L2F1
Name: "slot 1", DESCR: "ASA 5500 Series Security Services Module-20"
PID: ASA-SSM-20 , VID: V02 , SN: JAF1443CBDA
Name: "power supply", DESCR: "ASA/IPS 180W AC Power Supply"
PID: ASA-180W-PWR-AC , VID: V03 , SN: DTN143384VA
09-02-2011 03:33 AM
Hi Mohit,
1. To upgrade an interim version, you don't need to download any extra files. Just copy the image file to the flash and boot it.
2. To backup your configuration, you copy the running config to a tftp server by using the command "copy run tftp" on the ASA.
Use TFTPd32 as the tftp server. You can download it at:
http://tftpd32.jounin.net/tftpd32_download.html
Let me know if you have more queries.
Regards,
Anu
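As an added illustration (not from Anu's reply or from Cisco's documentation), this is the CLI sequence those two steps expand to on an 8.2 ASA, with the image-hash check and the boot-order fallback a practitioner would want before touching a production box. The TFTP server address and the expected MD5 are placeholders; the image file names and the hostname are the ones from the question.

```text
! --- Step 2 first: back up the running config off-box (TFTP address is a placeholder) ---
RHHQAPFW03# copy running-config tftp://192.0.2.10/RHHQAPFW03-pre-upgrade.cfg

! --- Step 1: stage the new images on flash next to the old ones; delete nothing yet ---
RHHQAPFW03# copy tftp://192.0.2.10/asa825-k8.bin disk0:/asa825-k8.bin
RHHQAPFW03# copy tftp://192.0.2.10/asdm-645-106.bin disk0:/asdm-645-106.bin

! Check the copied image against the MD5 published on the Cisco download page
! (placeholder value below; a mismatch means the transfer was corrupted)
RHHQAPFW03# verify /md5 disk0:/asa825-k8.bin <md5-from-cisco-download-page>

! The ASA tries "boot system" entries in the order they appear and new entries
! are appended, so remove the old entry, add the new image, then re-add the old
! image as a fallback in case the new one fails to boot
RHHQAPFW03# configure terminal
RHHQAPFW03(config)# no boot system disk0:/asa822-k8.bin
RHHQAPFW03(config)# boot system disk0:/asa825-k8.bin
RHHQAPFW03(config)# boot system disk0:/asa822-k8.bin
RHHQAPFW03(config)# asdm image disk0:/asdm-645-106.bin
RHHQAPFW03(config)# write memory
RHHQAPFW03(config)# exit

! Confirm what will boot before taking the outage, then reload
RHHQAPFW03# show bootvar
RHHQAPFW03# reload

! After the box comes back, confirm the version; if anything is missing from the
! config, paste the saved text file back in at the CLI as Anu describes
RHHQAPFW03# show version | include Software Version
```

The old images and ASDM files can be removed from flash once the new version has been running cleanly; leaving them in place during the upgrade is what makes the fallback entry useful.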
09-02-2011 03:45 AM
Hi Anu,
First of all, thanks for the quick reply.
Also wanted to know about the complete backup, as I mentioned in my original query. What would happen if I need to roll back? My plan was to take a complete backup and do a restore in case I need to.
Regards,
Mohit
09-02-2011 04:42 AM
Hi Mohit,
With the upgrade, you will not lose your running config. However, it is always best to have a backup copy of the "sh run" output. If you need to restore your configuration, you need only the "sh run" from the ASA. You can copy paste the configuration from the text file to the CLI.
Hope this helps! Let me know if you have more queries.
Regards,
Anu
P.S. Please mark this question as answered if it has been resolved. Do rate helpful posts.
09-02-2011 04:52 AM
Hi Anu,
Thanks again, but wouldn't I need to worry about the feature license or anything related? And how about the SSM upgrade?
Regards
Mohit Chauhan
09-02-2011 06:07 AM
Mohit,
If you have never done an upgrade before, please try this out in the lab before upgrading the production boxes. It is very simple, yet I suggest trying this out in the lab.
That said, the SSM module upgrade is exclusive of the ASA upgrade. You can leave it alone or choose to upgrade it. I am not sure if this is CSC-SSM or IPS-SSM. The only thing to keep in mind is that when you upgrade the SSM module and reload it, it will trigger a failover if the module in the active unit gets reloaded. You mentioned 2 ASAs, so I am assuming it is a failover pair.
You can follow this link:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/admin_swconfig.html#wp1057338
-KS
09-02-2011 06:20 AM
Hi KS,
Sorry if I had not mentioned that before: they are not a failover pair. Otherwise I would have imagined having an SSM module on both the firewalls.
It's actually an internal firewall (SSM) and an external firewall (without SSM).
I understand it would be good to have lab experience at least once, but that's not possible under the circumstances in place. What would be the worst-case scenario we can imagine here? And what's the best approach to mitigate that risk?
Regards,
Mohit
09-02-2011 07:13 AM
Worst case...unit reloading and going into rommon >
Your ID shows up as Cisco partner, so please open a proactive TAC case so you will have assistance if needed.
Good luck and hope the upgrade goes smoothly.
-KS
09-22-2011 06:29 PM
Sorry for coming back late. The firewall upgrade went all smoothly. There were 2 ASAs and one of them had an SSM module, but it wasn't being used, so I left it aside.
Thanks for your help KS.