Cisco ASA Firewall Firmware Upgrade Process

Before upgrading the ASA, you should perform the following preparation:

  • Check compatibility between different versions of operating systems; for example, make sure that the ASA version is compatible with the ASA Firepower module version.
  • Check the upgrade path for the current version to the target version; ensure you plan for any intermediate versions required for each operating system.
  • Check for guidelines and limitations that affect your intermediate and target versions, or that affect failover and clustering zero downtime upgrading.
  • Download all software packages required from Cisco.com.
  • Back up your configurations, especially if there is a configuration migration.

Step 1: Check the current running version of ASA and ASDM.

Go to the device and type the command “show version”.

It will show the ASA and ASDM versions.

You can also check the available images on the device itself:

“show disk0:”

It will show all available images.

In ASDM, check under Tools > File Management.

Step 2: Check the latest release from Cisco. Always check with Cisco TAC for a stable version.

Note: Always refer to the release notes for known errors and bug fixes.

Follow the ASA upgrade path:

https://www.cisco.com/c/en/us/td/docs/security/asa/upgrade/asa-upgrade/planning.html#id_59039

You need to check the following:

  • Whether any interim version is required to upgrade from the current version to the proposed version, or whether you can go directly to the proposed version.
  • Whether any configuration migration is required.

Note: This is only required if you are going for a major release change, such as 8.x to 9.x.

  • ASDM version compatibility with the proposed version.

Step 3: Once you finalize the target version of ASA and ASDM, download the latest images from the Cisco portal.

https://software.cisco.com/download/home

Select a Product -> enter ASA -> Select Adaptive Security Appliances

Select the product model (I’m using the ASA virtual appliances)

Click on ASA Software to download the latest version of the ASA software image.

Or click on ASA Device Manager to download the ASDM image.

Download the .bin file.

Hover over the file and copy the MD5 checksum for the integrity check in a later step.

Download the ASDM image.

Step 4: Upload the images to the device

Note: Upload the same image to both devices if they are in HA mode.

  1. Using CLI

You can upload images using the CLI. In that case you need a TFTP, FTP or HTTP server to copy the images from.

In privileged EXEC mode, copy the ASA software to flash memory.

copy ftp://[[user[:password]@]server[/path]/asa_image_name diskn:/[path/]asa_image_name

  2. Using ASDM

Tools > File Management > File Transfer > Between Local PC and Flash

To check image integrity, run the command below:

verify /md5 disk0:/image name

Compare the MD5 checksum with the checksum provided by Cisco. If it does not match the Cisco image checksum, the image has been corrupted; remove the file and upload a new image.
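The comparison can be scripted so that both HA units are checked against the checksum copied in Step 3. The following is an added example, not part of the original post; the file name, the digests and the assumed shape of the "verify /md5" result line are constructed and should be checked against your own device output.

```python
import hashlib
import hmac
import re

# Assumed shape of the result line printed by "verify /md5" (check against your device).
RESULT = re.compile(r"verify\s+/md5\s+\(([^)]+)\)\s*=\s*([0-9a-f]{32})", re.IGNORECASE)

def normalize(digest):
    """Strip whitespace and case so a checksum copied from the download page compares cleanly."""
    cleaned = "".join(digest.split()).lower()
    if not re.fullmatch(r"[0-9a-f]{32}", cleaned):
        raise ValueError("not a 32-hex-digit MD5 value: %r" % digest)
    return cleaned

def file_md5(path, chunk_size=1 << 20):
    """MD5 of the downloaded .bin, read in chunks so a large image is not held in memory."""
    md5 = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            md5.update(chunk)
    return md5.hexdigest()

def check_units(published, cli_output_by_unit):
    """Compare the digest each unit reported with the published checksum."""
    expected = normalize(published)
    report = {}
    for unit, text in cli_output_by_unit.items():
        found = RESULT.search(text)
        if found is None:
            report[unit] = "no result"   # verify did not finish or the paste was cut off
        elif hmac.compare_digest(found.group(2).lower(), expected):
            report[unit] = "match"
        else:
            report[unit] = "MISMATCH"    # remove the file and upload the image again
    return report

# Constructed sample data: placeholder file name and made-up digests, not real Cisco values.
PUBLISHED = "5EB63BBB E01EEED0 93CB22BB 8F5ACDC3"
SAMPLE = {
    "primary": "!!!!Done!\nverify /MD5 (disk0:/asa_image_name.bin) = 5eb63bbbe01eeed093cb22bb8f5acdc3",
    "secondary": "!!!!Done!\nverify /MD5 (disk0:/asa_image_name.bin) = 5eb63bbbe01eeed093cb22bb8f5acdc4",
}

if __name__ == "__main__":
    for unit, status in check_units(PUBLISHED, SAMPLE).items():
        print(unit, status)
```

Running file_md5 on the downloaded .bin before uploading catches a damaged download early, so only a known-good file is copied to the firewalls.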

Set the boot image

To check the boot image: “show running-config boot system”

To set the new boot image: “boot system disk0:/image name”

Set the ASDM image if required:

asdm image diskn:/[path/]asdm_image_name

You can only configure one ASDM image to use; in this case, you do not need to first remove the existing configuration.

Example:

ciscoasa(config)# asdm image disk0:/asdm-7141.bin

To apply the new image, reload your firewall. After the reload, you can see that the new image has been successfully installed on this ASA firewall.
