After writing about how to upgrade a Cisco ASA license, I received a few messages asking about upgrading the Cisco ASA software.
Fortunately, just like upgrading IOS on a Cisco router, it’s an easy, straightforward process that you can knock out in a few minutes.
In this walkthrough, we’ll be upgrading the ASA software via the command-line interface (CLI). As an added bonus — at no extra charge for lucky Evil Routers readers — we’ll also upgrade ASDM while we’re at it.
Okay, enough bullshit. Let’s get to it!
Download the software
First things first. In order to upgrade the software, you’re going to need to actually acquire the software. As long as you have a valid service contract, you should be able to log in to cisco.com and download it (unless Cisco’s doing something stupid again). If you don’t have the ability to download it from Cisco, well, you’re on your own.
Check for free space
Depending on your ASA hardware version (and what you already have saved in there), the amount of flash memory you have available will vary. Before proceeding, you’ll want to verify that you have enough space available to hold the ASA software (and ASDM, if you’re going to upgrade that too).
ciscoasa# show flash: | include free
127111168 bytes total (93192192 bytes free)
Here, I have a little over 93 MB available which is plenty. If you don’t have enough free space, you’ll need to delete some other crap you’re hoarding there in order to make enough space.
Dump the software on a TFTP server
I’ll be copying the software over from a TFTP server and I’ve already made it available there. If you don’t have a TFTP server available it’s also possible to put it on a web server and use HTTP or HTTPS to transfer it to your ASA.
As last resorts, you can also copy it from a Windows fileshare (using SMB/CIFS) or, $deity forbid, Xmodem.
Do the needful
Alright, now we’re to the good part.
ciscoasa# show version | include image
System image file is "disk0:/asa822-k8.bin"
ciscoasa# show asdm image
Device Manager image file, disk0:/asdm-635.bin
ciscoasa#
As you can see, this ASA is currently running version 8.2(2) along with ASDM version 6.3.5. Because Cisco recommends that you stay within the same major version (unless you need the features introduced in newer major versions), I’m going to upgrade to 8.2(5). We’ll also upgrade ASDM to version 6.4.5.
For example, here’s the information we need to complete the upgrade process:
- TFTP server IP address: 198.18.42.125
- ASA 8.2(5) filename: asa825-k8.bin
- ASDM 6.4.5 filename: asdm-645.bin
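Before starting the copy, both prerequisites from the earlier steps (enough free flash, and the right files staged on the TFTP server) can be checked from the TFTP host. The script below is an added example, not part of the original post: it assumes you recorded the SHA-512 checksum published with each download, and its function names and tiny stand-in files are constructed for illustration. TFTP has no authentication or integrity protection, so the digest comparison is what confirms the staged file is the one you downloaded.

```python
import hashlib
import re
import tempfile
from pathlib import Path

FLASH_RE = re.compile(r"(\d+) bytes total \((\d+) bytes free\)")  # `show flash:` summary line

def free_bytes(show_flash_output):
    m = FLASH_RE.search(show_flash_output)
    if m is None:
        raise ValueError("no 'bytes free' summary line found")
    return int(m.group(2))

def sha512_file(path):
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def preflight(tftp_root, expected, show_flash_output):
    """Return a list of problems; an empty list means the copy can proceed."""
    problems, needed = [], 0
    for name, digest in expected.items():
        path = Path(tftp_root) / name
        if not path.is_file():
            problems.append(f"{name}: not in TFTP root")
            continue
        needed += path.stat().st_size
        if sha512_file(path) != digest.strip().lower():
            problems.append(f"{name}: SHA-512 mismatch")
    free = free_bytes(show_flash_output)
    if needed > free:
        problems.append(f"need {needed} bytes, flash has {free} free")
    return problems

def demo():
    # Constructed stand-ins: tiny files and digests derived from them, not real images.
    with tempfile.TemporaryDirectory() as root:
        images = {"asa825-k8.bin": b"constructed ASA", "asdm-645.bin": b"constructed ASDM"}
        for name, data in images.items():
            Path(root, name).write_bytes(data)
        expected = {n: hashlib.sha512(d).hexdigest() for n, d in images.items()}
        clean = preflight(root, expected, "127111168 bytes total (93192192 bytes free)")
        Path(root, "asdm-645.bin").write_bytes(b"truncated")  # simulate a bad staged file
        bad = preflight(root, expected, "127111168 bytes total (10 bytes free)")
    return clean, bad

if __name__ == "__main__":
    print(demo())
```

This only covers the file as staged on the TFTP server. After the copy, `verify /md5 disk0:/asa825-k8.bin` on the ASA prints the digest of the file as written to flash, which you can compare with the MD5 published for the image.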
Here we go!
ciscoasa# copy tftp flash
Address or name of remote host []? 198.18.42.125
Source filename []? asa825-k8.bin
Destination filename [asa825-k8.bin]?
Accessing tftp://198.18.42.125/asa825-k8.bin...!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/asa825-k8.bin...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
15390720 bytes copied in 42.870 secs (366445 bytes/sec)
ciscoasa#
Perfect. Now, let’s copy over the updated version of ASDM as well.
ciscoasa# copy tftp flash
Address or name of remote host [198.18.42.125]?
Source filename [asa825-k8.bin]? asdm-645.bin
Destination filename [asdm-645.bin]?
Accessing tftp://198.18.42.125/asdm-645.bin...!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/asdm-645.bin...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
16280544 bytes copied in 46.120 secs (353924 bytes/sec)
ciscoasa#
Tell the ASA which software you want to run
If the ASA and ASDM software that you just transferred to your ASA are the only copies in flash then the below steps aren’t completely necessary. Any time you have more than one copy in flash, however, it’s a good idea to explicitly specify which software you want the ASA to actually run.
If you don’t specify, it will use the first version that it finds in flash which may — or may NOT — be the one you want it to.
For good measure, let’s explicitly specify that we want to use the new versions that we just copied onto flash.
ciscoasa# configure terminal
ciscoasa(config)# boot system flash:/asa825-k8.bin
INFO: Converting flash:/asa825-k8.bin to disk0:/asa825-k8.bin
ciscoasa(config)# asdm image flash:/asdm-645.bin
ciscoasa(config)#
Easy enough, right?
Reload
At this point, the only thing that remains to do is to save your changes and reload your ASA so that it will boot into the new version of the software (and make use of the new version of ASDM).
ciscoasa(config)# end
ciscoasa# write memory
Cryptochecksum: aaaa08ce ccde38f2 19c42e08 dea24cbd
2713 bytes copied in 1.450 secs (2713 bytes/sec)
[OK]
ciscoasa# reload
Proceed with reload? [confirm]
Once the ASA comes back up, verify that it did, in fact, boot from the new software.
ciscoasa# show version | include image
System image file is "disk0:/asa825-k8.bin"
ciscoasa# show asdm image
Device Manager image file, disk0:/asdm-645.bin
Success!
That’s all there is to it! Now, you can take these instructions and pass off the mundane task of upgrading ASA software to the intern or junior guy!





2 comments
Don’t forget to check your release notes… Some IOS upgrades involve changes to NAT and other technologies that require extensive prep work before the upgrade process, or you’ll be spending hours upon hours trying to figure out what went wrong (8.2.x to 8.3.2 and up in particular).
I am getting an error when I try to load asdm:
Accessing tftp://10.10.10.2/asdm-645.bin…
WARNING: TFTP download incomplete!
%Error reading tftp://10.10.10.2/asdm-645.bin (Unspecified Error)
Any clue what I can do to solve this? I have turned off the firewall, and I have also tried a different TFTP server.