Upgrading an ASA 5520
I have just received a new ASA 5520 and I'm trying to update the ASA s/w to 7.2 and the ASDM to 5.2. I copied the files to flash, but when I run "asdm image flash:/asdm521.bin" I get an error that it is not an image file, and I don't know where to start with the ASA. Any help would be appreciated. I can't find any info in my documentation.
Try this,
To update/install the ASDM, follow this example procedure:
ASA(config)# copy tftp flash
Address or name of remote host [x.x.x.x]?
Source file name [pix704.bin]? asdm-504.bin
Destination file name [asdm-504.bin]?
Accessing tftp://x.x.x.x/asdm-504.bin...!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file flash:/asdm-504.bin...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
5958324 bytes copied in 165.460 seconds (36111 bytes/s)
ASA(config)#
ASA(config)# sh flash
Directory of flash:/
7 -rw- 5437440 21:12:42 Nov 24 2005 pix704.bin
11 -rw- 5919340 20:59:06 Nov 24 2005 asdm-504.bin
13 -rw- 7017 14:00:58 Jul 22 2005 admin.cfg
asdm-504.bin is now copied into flash. We should now set the PIX to use
this image to load ASDM.
ASA(config)# asdm image flash:/asdm-504.bin
The final steps involve saving the running configuration to memory, as we
made changes to the boot files, and reloading the PIX.
ASA(config)# write memory
Building configuration...
Cryptochecksum: d4f498de e877e418 2f9effa7 62ca0d6b
4807 bytes copied in 3.20 seconds (1602 bytes/s)
[OK]
ASA(config)# reload
Once the PIX comes back up, we can check that the upgrade succeeded
using the command 'show version'.
Consult the ASDM upgrade procedure
I hope this helps... all the best... please rate responses if deemed useful...
REDA
Similar Questions
-
Upgrading ASA 5520 from version 8.2 to 9.0
Hello friends,
I am planning to upgrade my ASA 5520 from version 8.2 to 9.0, so I can enjoy the benefits of AnyConnect for mobile devices. I understand that I must pay special attention to:
- NAT rules.
- RAM: 2 GB.
- Add the part numbers required on the new versions for mobile and AnyConnect: L-ASA-AC-E-5520= and ASA-AC-M-5520=.
Am I missing anything else? Flash requirements? Or should I pay attention to some other configurations?
Any comments or documents will be appreciated.
Kind regards!
You can run the latest version of the AnyConnect client, including mobile clients, with these licenses, even on an ASA running the current 8.2 code, 8.2(5) as of now. While it is a bit old and lacks some of the new features, it is a solid and stable version.
That could save you the trouble of migrating your NAT configuration (and other things) and upgrading the memory.
Since the ASA 5500 series (5510, 5520 etc.) is past end of sale, you have a limited future on these platforms. For example, ASA 9.1(x) is the last series of code releases that will be available for them. (The current software on the 5500-X is 9.3(1).)
-
Upgrade of Cisco ASA 5520 from 8.2.5 to 9.1.7
Hello
I have an upgrade tonight for a customer, taking a standalone ASA 5520 from version 8.2.5 to 9.1.7. I have the same upgrade next week for the same client on a failover pair.
I have already done this kind of 8.2.x to 9.1.x upgrade, so I know the entire process: I have to take a first step from 8.2.5 to 8.4.6, then to 9.1.7. In addition, this customer has no NAT statements, so it should normally be an easy process.
But today during my routine preparation for the upgrade (I prefer to double or triple check beforehand) I found this bug:
https://BST.cloudapps.Cisco.com/bugsearch/bug/CSCuh19234;JSESSIONID=0A69...
This bug is fixed in version 8.4.7 and in 8.4.6.99. But the upgrade process does not recommend a jump from 8.2.5 to 8.4.7, and I cannot find the 8.4.6.99 version.
I don't want to have any problems during my upgrade with something I can avoid.
As I said, I have already done this upgrade in the past without any problem and with a more complex configuration.
Does anyone have feedback on this process from the last few months? Should I do an extra step? (8.2.5 to 8.4.5 first, before 8.4.6 or 8.4.7)
Thank you in advance for your answer.
There are a few reported incidents of ASA 5520s running 8.2.5 hitting this defect.
You can go for an extra 8.4.x upgrade step as you mentioned to avoid the defect; we can't say for sure whether you will encounter this situation or not. 8.4.6.99 may be a development image and so be unavailable, unless you want to call TAC and confirm or obtain another image in the 8.4.x train.
Maybe adding another upgrade step can't hurt as much as hitting the bug.
Kind regards
Dinesh Moudgil
PS Please rate helpful messages.
-
Hello
We have an ASA 5520 running version 8.x which currently has 512 MB of DRAM.
I would like to upgrade the memory to 1 GB of DRAM.
Related questions:
1. How many DRAM slots does the 5520 have?
2. I found this part:
http://www.MemoryX.NET/asa5520mem1gb.html
It seems to be good. Is there anywhere I can check to be sure? I have been looking and looking, but I can't find any hard documentation about the DRAM modules I can use for my 5520.
Thanks a million,
Pedro
There should be four.
http://www.Cisco.com/en/us/docs/security/ASA/HW/maintenance/guide/procs.html#wp1076043
The only supported memory upgrade must come from the manufacturer, Cisco: ASA5510-MEM-512=
There is no 'Cisco' part number matching the memoryx one in the Cisco price list. Also, I think it's for the AIP module, not the chassis. I think that the chassis only supports 512 MB chips. The link below is the one you want.
http://www.MemoryX.NET/ASA5520.html
It shows that it has a single bank. I do not have a 5520 in the lab to take a look, but the documentation should be accurate.
-
Upgrading IPS signatures on the ASA-SSM-10 module
I'm having a difficult time upgrading the ASA IPS SSM-10 module. I downloaded IPS-sig-S327-req-E1.pkg to the FTP server on Win XP (my workstation). The following does not work: http://download-sj.cisco.com/cisco/ciscosecure/ips/6.x/sigup/IPS-sig-S327.readme.txt
"error: execUpgradeSoftware: connection failed". Any suggestion would be appreciated.
Also, have you been able to update your signature?
-
Steps to get started planning a DMZ on ASA 5520
Hi all
Can someone direct me to good documentation on planning and creating a DMZ on an ASA 5520? Any advice or suggestions are very welcome.
TIA,
Gary
Hi Gary
Take a look at the following link,
I hope this helps.
Cordially MJ
-
ASA 5520 8.0(4) port-based VPN ACLs not working
Hi all
I have a problem with an ASA (5520, 8.0(4)) failing to work with a port-based ACL for remote clients. I have a simple one-line ACL for split tunnelling; if I allow IP, the tunnel works fine, but if I lock it down to TCP 3389, RDP will not work. I don't see anything in the logs or debug output. I did have a problem with a similar configuration (5510, 8.0(4)) and I'm at a loss to explain it.
Has anyone come across this problem before? I have NAT exemptions etc. and, as I said, the tunnel only works if the ACL permits all IP traffic between client and server.
Thanks in advance
The split-tunnel list can only be IP-based; if you want to restrict which ports are sent via the VPN tunnel for your VPN clients, you need to use VPN filters under the group policy:
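The split between the two ACLs that the answer above describes, as an added configuration sketch (not part of the original thread). The ACL and group-policy names, the 10.10.10.0/24 client pool and the 192.168.1.50 RDP server are constructed for illustration.

```cisco
! Constructed example values: client pool 10.10.10.0/24, RDP server 192.168.1.50.

! Split-tunnel list: decides only WHICH NETWORKS are routed into the tunnel.
! A standard ACL is enough because ports are not evaluated here.
access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0

! VPN filter: decides WHICH FLOWS are allowed once traffic is in the tunnel.
! The remote side (VPN client pool) is always written as the source and the
! protected inside resource as the destination.
access-list RA_FILTER extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.50 eq 3389
! The implicit deny would drop the rest; the explicit line adds logging.
access-list RA_FILTER extended deny ip any any log

group-policy RA_POLICY internal
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 vpn-filter value RA_FILTER
```

Sessions that are already connected keep the filter they received at login, so reconnect the client after changing the filter ACL.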
-
How to add IDS to ASA 5505 and 5520?
Dear All;
We have the following HW configuration for the ASA 5505 and ASA 5520, and we want to add Intrusion Detection System (IDS) functionality to the two ASAs. My question is: what modules are required to support this function, and what is the difference between IPS and IDS; does the same module provide both features?
Part number | Description | QTY
ASA5505-BUN-K9 | ASA 5505 appliance with SW, 10 users, 8 ports, 3DES/AES | 1
CON-SNT-AS5BUNK9 | SMARTNET 8X5XNBD ASA5505-BUN-K9 | 1
SF-ASA5505-8.2-K8 | ASA 5505 Series Software v8.2 | 1
CAB-AC-C5 | Power cord, Type C5, US | 1
ASA5500-BA-K9 | ASA 5500 encryption license (3DES/AES) | 1
ASA5505-PWR-AC | ASA 5505 power adapter | 1
ASA5505-SW-10 | ASA 5505 10-user software license | 1
SSC-BLANK | ASA 5505 SSC blank slot cover | 1
ASA-ANYCONN-CSD-K9 | ASA 5500 AnyConnect Client + Cisco Security Desktop software | 1

Part number | Description | QTY
ASA5520-BUN-K9 | ASA 5520 appliance with SW, HA, 4GE + 1FE, 3DES/AES | 2
CON-SNT-AS2BUNK9 | SMARTNET 8X5XNBD ASA5520 w/300 VPN Prs, 4GE + 1FE, 3DES/AES | 2
ASA5520-VPN-PL | ASA 5520 VPN Plus 750 IPsec User License (7.0 only) | 2
ASA-VPN-CLNT-K9 | Cisco VPN Client software (Windows, Solaris, Linux, Mac) | 2
SF-ASA-8.2-K8 | ASA 5500 Series Software v8.2 | 2
CAB-ACU | Power cord (UK), C13, BS 1363, 2.5 m | 2
ASA-180W-PWR-AC | ASA 180W power supply | 2
ASA5500-BA-K9 | ASA 5500 encryption license (3DES/AES) | 2
ASA-ANYCONN-CSD-K9 | ASA 5500 AnyConnect Client + Cisco Security Desktop software | 2
SSM-BLANK | ASA/IPS SSM slot cover | 2
Thanks in advance.
Rashed Ward.
Okay, I was not quite correct in my first post.
These modules are only available for the corresponding ASA models.
They can all act as IPS (inline mode) or IDS ("promiscuous" mode), depending on how you configure your policies.
When acting as IPS, the ASA redirects all traffic through the module, so all the traffic is inspected and can be dropped inline if a signature is triggered.
When acting as IDS, the ASA sends a copy of the traffic to the module for inspection, but the actual traffic is not affected by the module, as it is not inline in this case.
In addition, these modules can do both in combination. That is, part of the traffic can be inspected "inline", while some other (more sensitive) traffic can be inspected in promiscuous mode.
To understand this better, familiarize yourself with this link:
http://www.Cisco.com/en/us/docs/security/ASA/asa84/configuration/guide/modules_ips.html
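The combination of inline and promiscuous inspection described in the answer above, as an added configuration sketch (not part of the original thread). It assumes an AIP module is installed; the ACL and class names and the 192.168.10.0/24 and 192.168.20.0/24 networks are constructed for illustration.

```cisco
! Constructed example values: two inside networks handled differently.

! Traffic to 192.168.10.0/24 goes THROUGH the module (IPS, can be dropped).
access-list IPS_INLINE extended permit ip any 192.168.10.0 255.255.255.0
! Traffic to 192.168.20.0/24 is only COPIED to the module (IDS, alert only).
access-list IPS_PROMISC extended permit ip any 192.168.20.0 255.255.255.0

class-map IPS_INLINE_CLASS
 match access-list IPS_INLINE
class-map IPS_PROMISC_CLASS
 match access-list IPS_PROMISC

policy-map global_policy
 class IPS_INLINE_CLASS
  ! fail-close: if the module is unavailable, matching traffic is blocked.
  ips inline fail-close
 class IPS_PROMISC_CLASS
  ! fail-open: if the module is unavailable, traffic passes uninspected.
  ips promiscuous fail-open

service-policy global_policy global
```

The fail-open or fail-close keyword is the decision to make per class: it sets whether a module outage costs availability or inspection coverage.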
-
I'm halfway through upgrading from Windows 7 to Windows 8 on my Dell Inspiron 5520 laptop. I am asked to uninstall software for USB 3.0, Dell Stage, Bluetooth, ports etc. from Windows 7, citing compatibility problems. How do I proceed? Will similar software be installed during the process once I have finished installing Windows 8? Because right now my internet connection is through a USB data card. Please advise urgently.
What I suggest you do is download Windows 8 and create a bootable flash drive or DVD so you can do an offline installation. The Windows 8 upgrade wizard downloads first before actually copying the files, though.
You can uninstall the proposed components that affect the download installation files.
See:
then:
-
Upgrading firmware from 7.2 to 8.0(3) on ASA 5505
I'm about to upgrade my ASA from version 7 to version 8. I see a lot of instructions on using TFTP to achieve this. I also see that in the GUI I can upload the image files for version 8. Is there a downside to using the GUI instead of a TFTP server? Everything seems easier through the GUI.
With TFTP, you will be able to see the progress of the file transfer as well as the upgrade; with ASDM, it will not really show you any progress and you just have to wait blindly.
-
Cisco ASA 5520, 8.02, 4GE SSM, IPS?
I have an ASA 5520 with 4GE SSM module.
In ASDM, I see basic IPS signatures... is there any way to upgrade these signatures, add to them, etc.?
Not really, you must purchase the AIP-SSM module for this.
Regards
Farrukh
-
Upgrading a 25-user VPN license to 50 users.
Hello
Currently I have the ASA5500-SSL-25= license installed on my ASA 5520.
I want the same for 50 users now.
Please help me with the part number for a 25 to 50 users upgrade path.
The order code is "L-ASA-SSL-25-50=".
-
Hi all. In our company we have recently upgraded our PIX 515 firewall to an ASA 5520, and we have started to experience a strange thing. On one of the sites we host, I saw a lot of MSS exceeded messages popping up, and I think that they are the source of the problem when people surf the site (surfing mainly works fine, but sometimes people cannot get content etc.).
I found the Cisco solution for this problem using MPF, but one thing confuses me. If I apply an MPF policy allowing exceeded MSS on the external interface of the ASA, does this policy conflict with the global policy that is on the ASA by default, or can they both exist at the same time?
Thanks in advance for any help.
You can have a single policy per interface and another, global, one that by default applies to default-inspection-traffic.
See http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mpc.html for more details.
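An interface policy for exceeded MSS sitting alongside the default global policy, as the answer above describes, in an added configuration sketch (not part of the original thread). The names and the 203.0.113.10 address of the hosted site are constructed; the interface name "outside" is an assumption.

```cisco
! Constructed example values: hosted web site reachable at 203.0.113.10.

! Limit the relaxed TCP check to the one site that shows the problem.
access-list MSS_SERVERS extended permit tcp any host 203.0.113.10 eq www

! TCP map that lets segments larger than the negotiated MSS through.
tcp-map MSS_MAP
 exceed-mss allow

class-map MSS_CLASS
 match access-list MSS_SERVERS

policy-map OUTSIDE_POLICY
 class MSS_CLASS
  set connection advanced-options MSS_MAP

! One policy bound to the interface ...
service-policy OUTSIDE_POLICY interface outside
! ... and the default global policy left in place for inspection.
service-policy global_policy global
```

Scoping the class to the affected server keeps the default MSS enforcement for all other traffic crossing the interface.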
-
Remotely updating software on an active/standby ASA 5520 pair
Hello
We have a pair of 5510s and a pair of 5520s, each in active/standby mode. I would like to upgrade the ASDM and ASA software on these, but can't find any documentation that advises on how this can be done without physical access to the devices. This time I am on site, but we will be deploying these all throughout our network and I would like to be able to perform this type of maintenance without having to travel to each site.
We use CSM and ASDM to manage these most of the time, but are certainly capable of configuration via the CLI.
The issue may be that I lack an understanding of the ASA fundamentals, but I really don't understand how the software can be copied to the individual ASAs of the pair so that they can be reloaded and updated without interruption. My lack of understanding also makes the question difficult to word, so please forgive me for that. With a remote SSH connection to the pair, do I only copy the correct software to the active ASA? Or is there a way to get the software onto each disk individually within the single SSH connection? I'm not sure how to handle the standby ASA in this... If I can get the software to each ASA remotely (copy to different disks? i.e. disk0: and disk1:?), then I will also run into a problem updating the boot statement for each one individually. To solve that I guess I could just remove the old software, but that seems bad practice before confirming the new software is OK.
If there is an easier way to deploy the new code via ASDM or CSM, I am certainly open to that.
Any advice or resources that anyone could offer would be extremely useful and appreciated.
Thank you
Justin
Justin,
This is exactly why. If you are using a version prior to 8.4.1, routing table information is not replicated between the devices.
Information that is not passed to the standby unit when failover is enabled includes:
The HTTP connection table (unless HTTP replication is enabled)
The user authentication (uauth) table
The routing tables
State information for the security service modules
If your default route gateway is learned via EIGRP and you are trying to access from the internet, you won't be able to get to the secondary unit.
As a workaround, add a static default route with a higher metric, so that it appears in the running configuration and is sent to the secondary unit.
Any questions, let me know.
Mike
-
Hello
First I must admit that I am not very well versed in Cisco equipment or in IPsec connections in general, so my apologies if I'm doing something really obviously stupid, but I have checked through all kinds of things that I could find on the internet on configuring IPsec VPNs.
The setup I have is an ASA 5520 (o/s 8.2) firewall which, for now, is connected to a temporary home-broadband-style connection for testing purposes. The Netopia router is configured to allow IPsec passthrough and to forward ports UDP 62515, TCP 10000, UDP 4500 and UDP 500 to the ASA 5520.
I'm trying to connect from a laptop with the Windows firewall disabled and Cisco VPN client version 5.0.02.0090.
I ran several attempts through the IPsec configuration wizard options. Most of the time nothing comes up in the log to show that a connection was attempted, but there is one way I can set up the options that produces the following in the firewall log:
4|Sep 24 2010|13:54:29|713903|Group = VPNtest9, IP = 86.44.x.x, Error: Unable to remove PeerTblEntry
5|Sep 24 2010|13:54:29|713902|Group = VPNtest9, IP = 86.44.x.x, Removing peer from peer table failed, no match!
6|Sep 24 2010|13:54:21|713905|Group = VPNtest9, IP = 86.44.x.x, P1 Retransmit msg dispatched to AM FSM
3|Sep 24 2010|13:54:21|713201|Group = VPNtest9, IP = 86.44.x.x, Duplicate Phase 1 packet detected. Retransmitting last packet.
6|Sep 24 2010|13:54:16|713905|Group = VPNtest9, IP = 86.44.x.x, P1 Retransmit msg dispatched to AM FSM
3|Sep 24 2010|13:54:16|713201|Group = VPNtest9, IP = 86.44.x.x, Duplicate Phase 1 packet detected. Retransmitting last packet.
6|Sep 24 2010|13:54:11|713905|Group = VPNtest9, IP = 86.44.x.x, P1 Retransmit msg dispatched to AM FSM
3|Sep 24 2010|13:54:11|713201|Group = VPNtest9, IP = 86.44.x.x, Duplicate Phase 1 packet detected. Retransmitting last packet.
3|Sep 24 2010|13:54:06|713257|Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
3|Sep 24 2010|13:54:06|713257|Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
3|Sep 24 2010|13:54:06|713257|Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
3|Sep 24 2010|13:54:06|713257|Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
3|Sep 24 2010|13:54:06|713257|Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
3|Sep 24 2010|13:54:06|713257|Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
3|Sep 24 2010|13:54:06|713257|Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
3|Sep 24 2010|13:54:06|713257|Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
3|Sep 24 2010|13:54:06|713257|Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
3|Sep 24 2010|13:54:06|713257|Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
6|Sep 24 2010|13:54:06|302015|86.44.x.x|51905|192.168.0.27|500|Built inbound UDP connection 7487 for Internet:86.44.x.x/51905 (86.44.x.x/51905) to identity:192.168.0.27/500 (192.168.0.27/500)
and this, in the client log:
Cisco Systems VPN Client Version 5.0.02.0090
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 3
24 13:54:08.250 24/09/10 Sev=Info/4 CM/0x63100002
Begin connection process
25 13:54:08.265 24/09/10 Sev=Info/4 CM/0x63100004
Establish secure connection
26 13:54:08.265 24/09/10 Sev=Info/4 CM/0x63100024
Attempt connection with server "213.94.x.x"
27 13:54:08.437 24/09/10 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 213.94.x.x.
28 13:54:08.437 24/09/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 213.94.x.x
29 13:54:08.484 24/09/10 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
30 13:54:08.484 24/09/10 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
31 13:54:13.484 24/09/10 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
32 13:54:13.484 24/09/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 213.94.x.x
33 13:54:18.484 24/09/10 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
34 13:54:18.484 24/09/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 213.94.x.x
35 13:54:23.484 24/09/10 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
36 13:54:23.484 24/09/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 213.94.x.x
37 13:54:28.484 24/09/10 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=36C50ACCE984B0B0 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
38 13:54:28.984 24/09/10 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=36C50ACCE984B0B0 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
39 13:54:28.984 24/09/10 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "213.94.x.x" because of "DEL_REASON_PEER_NOT_RESPONDING"
40 13:54:28.984 24/09/10 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
41 13:54:28.984 24/09/10 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
42 13:54:28.984 24/09/10 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
43 13:54:29.187 24/09/10 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
44 13:54:29.187 24/09/10 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
45 13:54:29.187 24/09/10 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
46 13:54:29.187 24/09/10 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
I have full HTTP connectivity from the internet to a machine inside the ASA 5520, so I think that the static routing and NAT'ing should be OK, but I am happy to provide you with all the details.
Can you see what I'm doing wrong?
Thank you
Sam
Please add the following policy:
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
You can also run debugs on the ASA:
debug cry isa
debug cry ipsec
and collect the debug output after trying to connect.