1. Prerequisite List
a. PC
b. PuTTY Software >>> You can download "PuTTY" from here.
c. Serial to USB Converter
d. Serial Cable
e. ASA 5510 Firewall
f. ASA firmware file
g. 3CDaemon (TFTP Client) >>> You can download "3CDaemon" from here.
(It may be an old software, but it gets the job done. )
h. Ethernet Cable (Cat 5)
* Note, ASA Firmware file can only be downloaded via a portal for CISCO customers or distributors. It is advisable to get a copy from them if you do not have access to these accounts.
2. Upgrade Path
To upgrade this particular CISCO device. (ASA 5510) there is normally an upgrade path to follow in sequence.
The upgrade path would mean that in order to upgrade the CISCO device to the latest possible firmware, it would have to be upgraded sequentially to a firmware not newer than the latest one before being able to upgrade to the latest one.
A simple illustration of this upgrade path would be as such:
Example:
Current Firmware : Version 1
Latest Firmware available : Version 10
Prerequisite Firmware to install before Latest Firmware : Version 5
Version 1 >>>upgrade to>>>> Version 5 >>>>upgrade to>>>>> Version 10
Upgrade Path for the CISCO ASA 5510 Series Firewall, Cisco Systems, Inc. |
Also since we are attempting a TFTP transaction check with the person who has configured the firewall on the port and network address it is currently using. For my case, I will be connecting my PC NIC with the ASA Firewall Management Interface (interface Management 0/0), using a CAT5 Cable.
Once you have access to the device from the console port, you should be able to see the hostname of the device.
Type in this command "Show Version".
Upon typing in the "Show Version "command, be sure to check the Version and RAM capacity of your Firewall Device before proceeding (both items status which are accessible via the "Show Version" command). Certain upgrade's will not be able to be conducted due to RAM limitation of your CISCO Firewall. To check for the RAM requirement before the firmware upgrade, you can refer it here.
Once you have verified the version of the image it is running and the amount of RAM your firewall has, ensure you have the ".bin" firmware files stored in your PC's local storage prior to the upgrade of the Firewall.
3. TFTP Firmware Image to CISCO ASA 5510
To initiate the upgrading process, we will have to set up a TFTP server on our local computer. Followed by transferring the files into the ASA Firewall itself (Usually, the default storage location for the file would be "disk0:/")
Once that is done, we have to configure the boot sequence to boot to the newly transferred firmware.
To do so we will use the "3CDaemon" software.
Upon Successfully Installing the "3CDaemon" software you will be able to see the following files in the installation folder. |
The Interface for the "3CDaemon" TFTP Client Software. |
The Configure TFTP Server Option |
Under the TFTP Configuration tab, click the button that is circled in red to specify the directory for the TFTP upload and download files. |
Before hand, you should create a new file and insert the Files that you want to TFTP to and from the directory. Once that is set, press OK to return to the TFTP start window.
To send files through and forth the TFTP client, you will need to ensure that your Firewall management port belongs with the same network as your PC's NIC.
You must also connect an ethernet cable from the management port of the ASA Firewall to your PC NIC port.
If the ASA Firewall has been pre-configured with IP Address (management port) before hand
To verify this, you would need to access your Firewall using the same method as performed earlier. Followed by inserting this command "Show Interface Management 0/0", or you may type in
"Show Interface xxx", where xxx is the port which was assigned previously by the person who has configured the ASA Firewall.
For this example I am going to assume that I have collected information of the network address that belongs for the port Management 0/0, which is under the network address of 192.168.1.1/24 from the person who has configured the device before this. That means we have to assign our NIC card to be within that network range in order to have a successful TFTP transaction.
If the ASA Firewall is brand new and you want to assign an IP address on the management port
This means that the management port would not have an IP assigned to it, and we have to assign one to it. To assign an IP to the management port (default interface name > management 0/0), first enter enable mode > configuration terminal mode. Once that is done you have to enter the management 0/0 interface. Once you are in the interface, you may then assign the IP address you want for that port. After the assignment is complete insert the "no shutdown" command to turn on the port, as all ports on all CISCO devices are usually switched off by default due to security concerns.
Lets break it down to the exact commands:
"enable"
"configuration terminal"
"interface Management 0/0"
"ip address 192.168.1.1 255.255.255.0"
(you may assign the same IP as mine, but it all depends on how you have planned out on assigning your IP's on your firewall ports)
"no shutdown"
"write memory" or "copy running-config startup-config"
Assigning Static IP to PC NIC Port.
Here are the Instructions on how to assign the network address of your NIC to be from the same network as the Managament 0/0 port of the firewall.
To summaries those steps , you will first need to enter control panel > network and internet > network and sharing center > change adapter settings > right click on Ethernet and enter its properties > (TCP/IPV4) and click on its properties > click on the radio button which says "use the following IP address : " and key in the following values to the provided text boxes.
For this example, I have configured my PC's NIC as:
IP Address: 192.168.2.219
*(Ensure that this static IP address is unassigned, to avoid IP conflict within the same network.)
Subnet Mask: 255.255.255.0
Default Gateway: <Blank>
followed by pressing on the "OK" button.
Note * Once that is done, ensure that your WiFi adapter and PC's local firewall settings are disabled. To avoid any interruptions on the TFTP transfer later on.
Once that is done, ensure that the firmware that will undergo the TFTP transaction is within the TFTP server directory as included earlier in the walkthrough.
Now return to your ASA Firewall console (make sure to connect & login beforehand) and insert this command to initiate the TFTP transaction. For this example I will be copying the firmware
"asa847-k8.bin" file.
"copy tftp://192.168.2.212/asa847-k8.bin disk0:/asa847-k8.bin"
be sure to TFTP all intended upgrade images into disk0:/ before proceeding.
Lets break down what this command comprises of :
"192.168.2.212" is the TFTP server destination, where the file is currently located at.
The first "asa847-k8.bin" from the left, is the file name of the firmware file that is in the TFTP server directory that the user would want to transfer to the ASA Firewall.
"disk0:/" is the local file directory located within the ASA Firewall storage, it is also the default file directory for the ASA Firewall. Normally most of the TFTP transaction would be designated to that directory.
The second "asa847-k8.bin" from the left, is the name of the file that would be saved as into "disk0:/", it is a common practice to rename the file as the same name as it to avoid any confusion or any misleading information in the future.
Upon completion of the TFTP transfer, you can verify it by checking the ASA File directory.
To do so justs enter this command.
"dir"
The above diagram illustrates what the directory of the firewall will look like, all files that has undergone the TFTP transaction should be seen here. If you are not able to find them here, it could mean that the file could have been corrupted, refer back to the Cisco download page to verify the correct file size.
4. Upgrading Firmware on ASA Firewall
Once you have verified that your file is in the directory as listed above. Proceed to configure the boot sequence of the firmware images. The command is as follows:
"boot system disk0:/asa847-k8.bin" > new firmware
"boot system disk0:/asa707-k8.bin" > current firmware
(For each upgrade step , be sure that both of these commands are inserted. Where the top portion represents the upgraded firmware, and where the bottom portion represents the current/old firmware.)
Lets also break down what this command comprises of :
The two lines indicate the boot priority of the 2 image files. Where the top line is the 1st image to boot, whereas the bottom line is the 2nd image to boot (Will only boot if ASA Firewall is not able to boot the first image).
Once that is done, perform a configuration save followed by a reboot to finish off the upgrade process.
Type in the following command to do so:
"write memory" > if this does not work you may also try the "copy running -config startup config"
* this command is to save your configuration so that your firewall will not loose its configuration in the event it power's down.
"reload" > reboots the ASA Firewall
Once the reboot is completed, verify the firmware image/version by typing in the "show version" command.
Repeat step 4 to complete the upgrade of the intended / latest firmware version for the ASA Firewall.
*Note, if the upgrade is successful and you do not encounter any abnormality to the CISCO ASA device, you may repeat the boot sequence command for the current / new Firmware image to complete the upgrade sequence.
You must also connect an ethernet cable from the management port of the ASA Firewall to your PC NIC port.
If the ASA Firewall has been pre-configured with IP Address (management port) before hand
To verify this, you would need to access your Firewall using the same method as performed earlier. Followed by inserting this command "Show Interface Management 0/0", or you may type in
"Show Interface xxx", where xxx is the port which was assigned previously by the person who has configured the ASA Firewall.
For this example I am going to assume that I have collected information of the network address that belongs for the port Management 0/0, which is under the network address of 192.168.1.1/24 from the person who has configured the device before this. That means we have to assign our NIC card to be within that network range in order to have a successful TFTP transaction.
If the ASA Firewall is brand new and you want to assign an IP address on the management port
This means that the management port would not have an IP assigned to it, and we have to assign one to it. To assign an IP to the management port (default interface name > management 0/0), first enter enable mode > configuration terminal mode. Once that is done you have to enter the management 0/0 interface. Once you are in the interface, you may then assign the IP address you want for that port. After the assignment is complete insert the "no shutdown" command to turn on the port, as all ports on all CISCO devices are usually switched off by default due to security concerns.
Lets break it down to the exact commands:
"enable"
"configuration terminal"
"interface Management 0/0"
"ip address 192.168.1.1 255.255.255.0"
(you may assign the same IP as mine, but it all depends on how you have planned out on assigning your IP's on your firewall ports)
"no shutdown"
"write memory" or "copy running-config startup-config"
Assigning Static IP to PC NIC Port.
Here are the Instructions on how to assign the network address of your NIC to be from the same network as the Managament 0/0 port of the firewall.
Accessing the Control Panel from the Start Menu (Windows 8.1) |
Click on the "Network and Internet" Option |
Followed by clicking on the Network and Sharing Center |
Then click on "Change adapter settings" |
Right Click on the Ethernet Section, and click on the Properties Option |
Click for the "Internet Protocol Version 4 (TCP/IPv4)" item and click on its properties. |
Press the radio button for the "Use the following IP address" and assign the IP address accordingly. |
To summaries those steps , you will first need to enter control panel > network and internet > network and sharing center > change adapter settings > right click on Ethernet and enter its properties > (TCP/IPV4) and click on its properties > click on the radio button which says "use the following IP address : " and key in the following values to the provided text boxes.
For this example, I have configured my PC's NIC as:
IP Address: 192.168.2.219
*(Ensure that this static IP address is unassigned, to avoid IP conflict within the same network.)
Subnet Mask: 255.255.255.0
Default Gateway: <Blank>
followed by pressing on the "OK" button.
Note * Once that is done, ensure that your WiFi adapter and PC's local firewall settings are disabled. To avoid any interruptions on the TFTP transfer later on.
When your NIC is configured correctly the Server would be broadcasting by the IP address that we have assigned. |
Close up view of the TFTP Server broadcasting message |
Once that is done, ensure that the firmware that will undergo the TFTP transaction is within the TFTP server directory as included earlier in the walkthrough.
Now return to your ASA Firewall console (make sure to connect & login beforehand) and insert this command to initiate the TFTP transaction. For this example I will be copying the firmware
"asa847-k8.bin" file.
"copy tftp://192.168.2.212/asa847-k8.bin disk0:/asa847-k8.bin"
be sure to TFTP all intended upgrade images into disk0:/ before proceeding.
Lets break down what this command comprises of :
"192.168.2.212" is the TFTP server destination, where the file is currently located at.
The first "asa847-k8.bin" from the left, is the file name of the firmware file that is in the TFTP server directory that the user would want to transfer to the ASA Firewall.
"disk0:/" is the local file directory located within the ASA Firewall storage, it is also the default file directory for the ASA Firewall. Normally most of the TFTP transaction would be designated to that directory.
The second "asa847-k8.bin" from the left, is the name of the file that would be saved as into "disk0:/", it is a common practice to rename the file as the same name as it to avoid any confusion or any misleading information in the future.
Upon completion of the TFTP transfer, you can verify it by checking the ASA File directory.
To do so justs enter this command.
"dir"
The above diagram illustrates what the directory of the firewall will look like, all files that has undergone the TFTP transaction should be seen here. If you are not able to find them here, it could mean that the file could have been corrupted, refer back to the Cisco download page to verify the correct file size.
4. Upgrading Firmware on ASA Firewall
Once you have verified that your file is in the directory as listed above. Proceed to configure the boot sequence of the firmware images. The command is as follows:
"boot system disk0:/asa847-k8.bin" > new firmware
"boot system disk0:/asa707-k8.bin" > current firmware
(For each upgrade step , be sure that both of these commands are inserted. Where the top portion represents the upgraded firmware, and where the bottom portion represents the current/old firmware.)
Lets also break down what this command comprises of :
The two lines indicate the boot priority of the 2 image files. Where the top line is the 1st image to boot, whereas the bottom line is the 2nd image to boot (Will only boot if ASA Firewall is not able to boot the first image).
Once that is done, perform a configuration save followed by a reboot to finish off the upgrade process.
Type in the following command to do so:
"write memory" > if this does not work you may also try the "copy running -config startup config"
* this command is to save your configuration so that your firewall will not loose its configuration in the event it power's down.
"reload" > reboots the ASA Firewall
Once the reboot is completed, verify the firmware image/version by typing in the "show version" command.
Repeat step 4 to complete the upgrade of the intended / latest firmware version for the ASA Firewall.
*Note, if the upgrade is successful and you do not encounter any abnormality to the CISCO ASA device, you may repeat the boot sequence command for the current / new Firmware image to complete the upgrade sequence.
ReplyDeletegood blog.
Cloud Based Firewall
CISCO Firewall