Solved

ASA Remote Install

Posted on 2015-01-16
Last Modified: 2015-01-25
I have an ASA in a remote location that needs upgrading: the IOS and configuration changes.

Is it possible to reset the firewall to factory settings and upon bootup it loads a script to create all the new statements needed?

For example a “config factory-default” and “reload save-config noconfirm”

It then boots up with a preloaded script on the flash or disk, configuring all the interfaces and VLANs and everything else?

Has anyone ever done this?

Thanks
0
Question by:tolinrome
LVL 6

Expert Comment

by:Matt
ID: 40553940
You can always upgrade at a remote location, using TFTP and file transfer over a VPN connection, or HTTP to download the ASA image from a web server.

Then you need to verify this image (verify disk0:/asa....bin) and modify the boot parameters.

First check boot sequence:

sh run | i boot

Be careful, boot sequence entries are added one after another. If you want to boot using the new image, I always remove all "boot system image disk0:/..." entries and then put the first boot entry to point to the new image, and the second boot entry to point to the previous image just in case.

For example, you have in boot sequence these two files:
boot system disk0:/asa825-48-k8.bin
boot system disk0:/asa825-50-k8.bin

Now you want to add asa825-52-k8.bin...and preserve asa825-50-k8.bin as the secondary image if something goes wrong with the first one (for example error on flash card)

First remove the current boot settings:

no boot system disk0:/asa825-48-k8.bin
no boot system disk0:/asa825-50-k8.bin

Then write new boot settings:

boot system disk0:/asa825-52-k8.bin
boot system disk0:/asa825-50-k8.bin

As a precaution I always have two images on ASA. The last actual one and the previous. Be careful before downloading new image - check free space on flash card - remove the oldest image.

Regarding changes in the config file - DO NOT reset it to factory default on remote because you will lose access after reboot. You can save the config (startup-config) to your PC and modify it there, then upload it back again to startup-config. If there is only a small change which does NOT include anything regarding getting the public IP from the ISP provider, you can modify it online.
0
 
LVL 7

Author Comment

by:tolinrome
ID: 40554181
Thanks Matt, these are good points.

The reset to factory default is one of my main procedures though, that's how I wipe it out and put a fresh config on it. The reason for the factory default is that it would be way too tedious and error prone to make all the new changes and remove the old ones (tried it). As you know, I just can't paste a new config on the firewall, since most of it wouldn't even take because it would force me to remove previous config lines first. I need to change ACL and NAT statements and VLAN interfaces and their IP addresses, etc. Doing this manually takes a long time and is error prone.

What if I do the factory reset after I already have the startup config with all the statements I want in it, wouldn't that work?
0
 
LVL 6

Accepted Solution

by:
Matt earned 2000 total points
ID: 40554989
You can do that of course. I always keep a separate copy of ASA config like these:

disk0:/myconfig-yyyy-mm-dd.txt

You can do write erase and then reload with your already prepared startup-config. Just be careful not to do "wr mem" after "write erase". This is the main reason why I also have one copy separate from the Cisco startup-config, and also because you can see PPPoE and VPN preshared key passwords when saving to a custom backup file.

The main point to be very careful about is that the ASA gets its public IP and that you can access the ASA using SSH. If you get these two points working then you can of course do whatever you like on the remote.
0
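
The two conditions named in the accepted solution (the ASA gets its public IP, and SSH stays reachable), together with the primary/fallback boot order from the first expert comment, can be checked against the prepared config file before "write erase" and the reload. This is an added example, not code from the thread; the sample config, the interface name "outside", and the assumption that SSH logins use a local username are constructed for illustration.

```python
import re

# Constructed sample of a prepared ASA startup-config (not from the thread).
SAMPLE_CONFIG = """\
interface Vlan2
 nameif outside
 security-level 0
 ip address pppoe setroute
!
interface Vlan1
 nameif inside
 ip address 192.168.10.1 255.255.255.0
!
boot system disk0:/asa825-52-k8.bin
boot system disk0:/asa825-50-k8.bin
ssh 198.51.100.0 255.255.255.0 outside
aaa authentication ssh console LOCAL
username admin password CONSTRUCTED-HASH encrypted privilege 15
"""

def interfaces(config):
    """Map each nameif to its interface block's 'ip address' arguments."""
    result, name, addr = {}, None, None
    for line in config.splitlines() + ["!"]:
        if not line.startswith(" "):  # top-level line closes the block
            if name:
                result[name] = addr
            name, addr = None, None
        s = line.strip()
        if s.startswith("nameif "):
            name = s.split()[1]
        elif s.startswith("ip address "):
            addr = s[len("ip address "):]
    return result

def preflight(config, wan="outside"):
    """List problems that would cut off remote SSH access after the reload."""
    problems = []
    if not interfaces(config).get(wan):
        problems.append(f"interface '{wan}' has no ip address")
    if not re.search(rf"^ssh \S+ \S+ {re.escape(wan)}\s*$", config, re.M):
        problems.append(f"no 'ssh <net> <mask> {wan}' line")
    if not re.search(r"^aaa authentication ssh console \S+", config, re.M):
        problems.append("no 'aaa authentication ssh console' line")
    if not re.search(r"^username \S+ password ", config, re.M):
        problems.append("no local username")
    if len(re.findall(r"^boot system \S+", config, re.M)) < 2:
        problems.append("fewer than two 'boot system' lines (no fallback image)")
    return problems
```

Calling preflight() on the text of the prepared file returns an empty list when nothing is missing; any returned entry is a reason to fix the file before wiping the remote unit.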
