Solved

ASA Remote Install

Posted on 2015-01-16
Last Modified: 2015-01-25
I have an ASA in a remote location that needs upgrading: the IOS and configuration changes.

Is it possible to reset the firewall to factory settings and upon bootup it loads a script to create all the new statements needed?

For example a “config factory-default” and “reload save-config noconfirm”

It then boots up with a pre loaded script on the flash or disk configuring all the interfaces and vlans and everything else?

Has anyone ever done this?

Thanks
Question by:tolinrome
Expert Comment

by:Matt
ID: 40553940
You can always upgrade at a remote location, using TFTP and file transfer over a VPN connection, or HTTP to download the ASA image from a web server.

Then you need to verify this image (verify disk0:/asa....bin) and modify boot parameters

First check boot sequence:

sh run | i boot

Be careful, boot sequence is added one after another. If you want to boot using new image, I always remove all "boot system image disk0:/..." and then put first boot to point to new image, the second boot to point to the previous image just in case.

For example, you have in boot sequence these two files:
boot system disk0:/asa825-48-k8.bin
boot system disk0:/asa825-50-k8.bin

Now you want to add asa825-52-k8.bin...and preserve asa825-50-k8.bin as the secondary image if something goes wrong with the first one (for example error on flash card)

First remove current boot settings:

no boot system disk0:/asa825-48-k8.bin
no boot system disk0:/asa825-50-k8.bin

Then write new boot settings:

boot system disk0:/asa825-52-k8.bin
boot system disk0:/asa825-50-k8.bin

As a precaution I always have two images on ASA. The last actual one and the previous. Be careful before downloading new image - check free space on flash card - remove the oldest image.

Regarding changes in the config file - DO NOT reset it to factory default on a remote device because you will lose access after reboot. You can save the config (startup-config) to your PC and modify it there, then upload it back again to startup-config. If there is only a small change which does NOT include anything regarding getting a public IP from the ISP provider, you can modify it online.

Author Comment

by:tolinrome
ID: 40554181
Thanks Matt, these are good points.

The reset factory default is one of my main procedures though, that's how I wipe it out and put a fresh config on it. The reason for the factory default is because it would be way too tedious and error prone to make all the new changes and remove the old ones (tried it). As you know, I just can't paste a new config on the firewall since most of it wouldn't even take since it would force me to remove previous config lines first. I need to change ACL and NAT statements and VLAN interfaces and their IP addresses etc, etc. Doing this manually takes a long time and is error prone.

What if before I do the factory reset after I already have the startup config with all the statements I want in it, wouldn't that work?

Accepted Solution

by:
Matt earned 500 total points
ID: 40554989
You can do that of course. I always keep a separate copy of ASA config like these:

disk0:/myconfig-yyyy-mm-dd.txt

You can do write erase and then reload with your already prepared startup-config. Just be careful not to do "wr mem" after "write erase". This is the main reason why I have also one copy separate from CISCO startup-config and also because you can see PPPOE, VPN preshared key passwords when saving to custom backup file.

The main point to be very careful is that ASA gets public IP and that you can access ASA using SSH. If you get these two points to be working then you can of course do whatever you like on remote.
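
A pre-flight check for the prepared startup-config, covering the two points above (public IP and SSH reachability) plus the boot order from the earlier answer. This is an added example, not code from the thread. It assumes the access interface is named `outside` and that masked secrets show up as asterisks; `preflight` is a hypothetical helper name and the sample config is constructed.

```python
import re

def preflight(config_text, ifname="outside", new_image=None):
    """List reasons a prepared ASA config could cut off remote access."""
    problems, blocks, current = [], {}, None
    lines = [l.rstrip() for l in config_text.splitlines()]
    for line in lines:                    # group indented lines per interface
        if line.startswith("interface "):
            current = blocks.setdefault(line, [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None
    iface = next((b for b in blocks.values() if f"nameif {ifname}" in b), None)
    addr = next((l for l in iface or [] if l.startswith("ip address ")), "")
    if iface is None:
        problems.append(f"no interface has nameif {ifname}")
    elif "shutdown" in iface:
        problems.append(f"{ifname} interface is shutdown")
    elif not addr:
        problems.append(f"{ifname} has no ip address")
    # Static addressing needs a default route; pppoe/dhcp need setroute.
    has_route = any(l.startswith(f"route {ifname} 0.0.0.0 0.0.0.0 ") for l in lines)
    dynamic = re.match(r"ip address (pppoe|dhcp)\b", addr)
    if addr and not has_route and not (dynamic and "setroute" in addr):
        problems.append(f"no default route via {ifname}")
    if not any(re.match(rf"ssh \S+ \S+ {re.escape(ifname)}$", l) for l in lines):
        problems.append(f"no ssh permit on {ifname}")
    # Assumption: secrets copied from masked output appear as asterisks.
    for s in (l.strip() for l in lines):
        if re.search(r"(pre-shared-key|password) \*+(\s|$)", s):
            problems.append(f"masked secret: {s}")
    boots = [l.split()[-1] for l in lines if l.startswith("boot system ")]
    if new_image and (len(boots) < 2 or boots[0] != new_image):
        problems.append("boot order is not new image first plus fallback")
    return problems

# Constructed sample config (documentation addresses, not from the thread).
GOOD = """boot system disk0:/asa825-52-k8.bin
boot system disk0:/asa825-50-k8.bin
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.248
route outside 0.0.0.0 0.0.0.0 203.0.113.9 1
ssh 198.51.100.0 255.255.255.0 outside
"""
BAD = GOOD.replace("route outside", "! route outside") + (
    "tunnel-group 192.0.2.1 ipsec-attributes\n pre-shared-key *****\n")
```

An empty list from `preflight(GOOD, new_image="disk0:/asa825-52-k8.bin")` means none of these checks found a lockout risk; `BAD` reports the missing default route and the masked pre-shared key.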