Cisco ASA IOS Upgrade/Downgrade CLI


Scenario:
Make: Cisco ASA
Model: ASA 5506-X, ASA 5506 W-X, ASA 5508-X
Mode: CLI (Command Line Interface)
Description: This article walks through the step-by-step CLI method for upgrading and/or downgrading the IOS of Cisco ASA firewalls. The IOS can also be upgraded via the GUI; follow the link for the GUI method. Before starting, select the IOS version, download it from the Cisco Software Download Center and save it on the local computer.

ASA Image Upgrade

Step1: Login
Log in to the firewall via the CLI.

Step2: Current Version
To check the current version of the ASA, run the command shown below.

edledge-asa# sh version
Cisco Adaptive Security Appliance Software Version 9.8(2)
Firepower Extensible Operating System Version 2.2(2.52)
Device Manager Version 7.8(2)

Compiled on Sun 27-Aug-17 13:06 PDT by builders
System image file is "disk0:/asa982-lfbff-k8.SPA"
Config file at boot was "startup-config"

edledge-asa up 8 days 18 hours

Hardware: ASA5508, 8192 MB RAM, CPU Atom C2000 series 2000 MHz, 1 CPU (8 cores)
Internal ATA Compact Flash, 8000MB
BIOS Flash M25P64 @ 0xfed01000, 16384KB

Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
Number of accelerators: 1

<.......The full output of the "sh version" command is long, so it has been shortened and only the top few lines are shown.....>

Step3: Check Flash
Check “flash:” to see how much free space is available and which files it already holds, as shown below.

edledge-asa# sh flash:
--#-- --length-- -----date/time------ path
94 108563072 Jan 04 2020 00:03:20 asa982-lfbff-k8.SPA
95 26970456 Jan 04 2020 00:03:40 asdm-782.bin
96 33 Jan 26 2021 11:07:55 .boot_string
11 4096 Jan 04 2020 00:07:00 log
13 625 Jan 25 2021 15:24:46 log/asa-appagent.log
21 4096 Jan 04 2020 00:07:52 crypto_archive
22 4096 Jan 04 2020 00:07:54 coredumpinfo
23 59 Jan 04 2020 00:07:54 coredumpinfo/coredump.cfg

7859437568 bytes total (4393017344 bytes free)

Step4: TFTP Connection
Check that the TFTP server is reachable. In this example the TFTP host IP is 192.168.1.5.

edledge-asa# ping 192.168.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Step5: Transfer IOS File
Since TFTP is accessible, we can transfer the IOS file to the ASA. Follow the commands shown below.

edledge-asa# copy tftp flash:

Address or name of remote host []? 192.168.1.5

Source filename []? asa9-13-1-10-lfbff-k8.SPA

Destination filename [asa9-13-1-10-lfbff-k8.SPA]? [ENTER]

Accessing tftp://192.168.1.5/asa9-13-1-10-lfbff-k8.SPA...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Verifying file disk0:/asa9-13-1-10-lfbff-k8.SPA...

Computed Hash SHA2: 5555f952834545f95222b4545f952cc8

Embedded Hash SHA2: 5555f952834545f95222b4545f952cc8

Digital signature successfully validated

Writing file disk0:/asa9-13-1-10-lfbff-k8.SPA...

107571680 bytes copied in 125.180 secs (860573 bytes/sec)

Step6: Boot System
Check the current boot system

edledge-asa# sh boot

BOOT variable = disk0:/asa982-lfbff-k8.SPA
Current BOOT variable = disk0:/asa982-lfbff-k8.SPA
CONFIG_FILE variable =
Current CONFIG_FILE variable =

Step7: Change Boot System
Change the boot system to the newly uploaded IOS image, as shown below.

edledge-asa(config)# boot system flash:asa9-13-1-10-lfbff-k8.SPA
INFO: Converting flash:asa9-13-1-10-lfbff-k8.SPA to disk0:/asa9-13-1-10-lfbff-k8.SPA
edledge-asa(config)#

Step8: Confirm Boot System
Check and confirm that the boot system is set for the new IOS image.

edledge-asa# sh boot

BOOT variable =
Current BOOT variable = disk0:/asa9-13-1-10-lfbff-k8.SPA
CONFIG_FILE variable =
Current CONFIG_FILE variable =

Step9: Save Change & Reload
Save the configuration so that the new boot setting persists, then reload the ASA to boot with the latest IOS image.

<save the config>

edledge-asa# wr
Building configuration...
Cryptochecksum: 845e144f f45e143e 945e144f 945e144f

3384 bytes copied in 0.170 secs
[OK]

<reload the ASA>

edledge-asa# reload
Proceed with reload? [confirm]

ASDM Image Upgrade

Follow Steps 1 to 4 as described above.

Step10: Load ASDM Image
Load the “ASDM” image as shown below.

edledge-asa# copy tftp flash:

Address or name of remote host []? 192.168.1.5

Source filename []? asdm-openjre-7131-101.bin

Destination filename [asdm-openjre-7131-101.bin]? [ENTER]

Accessing tftp://192.168.1.5/asdm-openjre-7131-101.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Verifying file disk0:/asdm-openjre-7131-101.bin...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/asdm-openjre-7131-101.bin...

INFO: No digital signature found
110660520 bytes copied in 130.940 secs (851234 bytes/sec)

Step11: ASDM Boot System
Change the ASDM boot system to the latest ASDM image.

edledge-asa(config)# asdm image flash:asdm-openjre-7131-101.bin

Step12: Check and Save ASDM Boot File

<check asdm boot image>
edledge-asa# sh asdm image
Device Manager image file, disk0:/asdm-openjre-7131-101.bin


<save running configuration>
edledge-asa# wr
Building configuration...
Cryptochecksum: 845e144f e144f13e e144f44f e144f44f

3384 bytes copied in 0.160 secs
[OK]

Reload the ASA. After reloading, the ASA will run the new ASA and ASDM images.
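The checks in Steps 3 to 8 and Step 10 can be run mechanically over captured session output before each reload. The script below is an added example, not part of the original article or any Cisco tooling: it parses the "sh flash:", "copy tftp flash:" and "sh boot" output formats shown above, and its function names and the expected_size parameter (the image's size on the workstation) are assumptions of this example. TFTP provides no authentication, so the hash and signature lines in the copy transcript are the evidence that the image arrived intact.

```python
import re

# Sample transcripts, taken from the session output shown in this article.
SHOW_FLASH = "7859437568 bytes total (4393017344 bytes free)"
COPY_ASA = """Verifying file disk0:/asa9-13-1-10-lfbff-k8.SPA...
Computed Hash SHA2: 5555f952834545f95222b4545f952cc8
Embedded Hash SHA2: 5555f952834545f95222b4545f952cc8
Digital signature successfully validated
107571680 bytes copied in 125.180 secs (860573 bytes/sec)"""
COPY_ASDM = """Verifying file disk0:/asdm-openjre-7131-101.bin...
INFO: No digital signature found
110660520 bytes copied in 130.940 secs (851234 bytes/sec)"""
SHOW_BOOT = "Current BOOT variable = disk0:/asa9-13-1-10-lfbff-k8.SPA"


def free_bytes(show_flash):
    """Free space reported on the summary line of 'sh flash:'."""
    m = re.search(r"\((\d+) bytes free\)", show_flash)
    return int(m.group(1)) if m else 0


def audit_copy(transcript, expected_size):
    """List findings for one copy transcript; expected_size is the source file size."""
    findings = []
    computed = re.search(r"Computed Hash\s+\S+:\s*([0-9a-fA-F]+)", transcript)
    embedded = re.search(r"Embedded Hash\s+\S+:\s*([0-9a-fA-F]+)", transcript)
    if not (computed and embedded):
        findings.append("no hash lines in transcript")
    elif computed.group(1).lower() != embedded.group(1).lower():
        findings.append("computed hash differs from embedded hash")
    if "Digital signature successfully validated" not in transcript:
        findings.append("digital signature not validated")
    copied = re.search(r"^(\d+) bytes copied", transcript, re.M)
    if not copied or int(copied.group(1)) != expected_size:
        findings.append("byte count does not match source file size")
    return findings


def boot_target(show_boot):
    """Image path the ASA will load on the next reload."""
    m = re.search(r"^Current BOOT variable = (\S+)", show_boot, re.M)
    return m.group(1) if m else None


if __name__ == "__main__":
    print(free_bytes(SHOW_FLASH) > 107571680)   # room for the new image?
    print(audit_copy(COPY_ASA, 107571680))      # signed ASA image
    print(audit_copy(COPY_ASDM, 110660520))     # ASDM image, no signature
    print(boot_target(SHOW_BOOT))               # must name the new image
```

An empty findings list means the transcript shows matching hashes, a validated signature and the full byte count; the ASDM transcript from Step 10 returns two findings because that image carries no signature for the ASA to check.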

Many types of IOS release are available on the Cisco Software Download Center, which can make it confusing to decide which one is best. Refer to Cisco IOS or Firmware Release Types to understand the different types of IOS.

Source: Cisco, Knowledge Base, Internet

EA00042
