Solved

ASA Remote Install

Posted on 2015-01-16
Last Modified: 2015-01-25
I have an ASA in a remote location that needs upgrading: the IOS and configuration changes.

Is it possible to reset the firewall to factory settings and upon bootup it loads a script to create all the new statements needed?

For example a “config factory-default” and “reload save-config noconfirm”

It then boots up with a preloaded script on the flash or disk configuring all the interfaces and VLANs and everything else?

Has anyone ever done this?

Thanks
Question by:tolinrome

Expert Comment

by:Matt
ID: 40553940
You can always upgrade at a remote location, using TFTP and file transfer over a VPN connection, or HTTP to download the ASA image from a web server.

Then you need to verify this image (verify disk0:/asa....bin) and modify the boot parameters.

First check boot sequence:

sh run | i boot

Be careful, boot sequence entries are added one after another. If you want to boot using a new image, I always remove all "boot system image disk0:/..." entries and then set the first boot entry to point to the new image and the second boot entry to point to the previous image, just in case.

For example, you have in boot sequence these two files:
boot system disk0:/asa825-48-k8.bin
boot system disk0:/asa825-50-k8.bin

Now you want to add asa825-52-k8.bin and preserve asa825-50-k8.bin as the secondary image in case something goes wrong with the first one (for example, an error on the flash card).

First remove the current boot settings:

no boot system disk0:/asa825-48-k8.bin
no boot system disk0:/asa825-50-k8.bin

Then write new boot settings:

boot system disk0:/asa825-52-k8.bin
boot system disk0:/asa825-50-k8.bin

As a precaution I always have two images on the ASA: the current one and the previous one. Be careful before downloading a new image: check free space on the flash card and remove the oldest image.

Regarding changes in the config file: DO NOT reset it to factory default remotely, because you will lose access after reboot. You can save the config (startup-config) to your PC, modify it there, then upload it back to startup-config. If there is only a small change which does NOT include anything regarding getting the public IP from the ISP, you can modify it online.
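
The boot-order change described in this answer, as an added example that is not part of the original post: a Python sketch that reads `sh run | i boot` output and produces the commands that clear the list and put the new image first with a fallback second. It refuses to plan the change if either image is missing from flash, which matters when the oldest image has just been deleted to free space. The function name, the `files_on_flash` parameter and the sample data are assumptions constructed for illustration.

```python
import re

# Matches lines such as "boot system disk0:/asa825-50-k8.bin"
BOOT_RE = re.compile(r"^\s*boot system (\S+)\s*$")

def plan_boot_change(show_boot_output, files_on_flash, new_image, fallback_image):
    """Return the config commands that make new_image boot first and
    fallback_image second, removing every existing boot entry."""
    current = [m.group(1) for line in show_boot_output.splitlines()
               if (m := BOOT_RE.match(line))]
    if new_image == fallback_image:
        raise ValueError("new image and fallback must differ")
    # A boot entry that points at a deleted file leaves no working fallback.
    for image in (new_image, fallback_image):
        if image not in files_on_flash:
            raise ValueError(f"{image} is not on flash")
    # Entries are appended in order, so clear the whole list before rewriting.
    commands = [f"no boot system {image}" for image in current]
    commands += [f"boot system {new_image}", f"boot system {fallback_image}"]
    return commands

# Constructed sample data, using the image names from the answer above.
SAMPLE_BOOT = """boot system disk0:/asa825-48-k8.bin
boot system disk0:/asa825-50-k8.bin
"""
SAMPLE_FLASH = {"disk0:/asa825-50-k8.bin", "disk0:/asa825-52-k8.bin"}

if __name__ == "__main__":
    for cmd in plan_boot_change(SAMPLE_BOOT, SAMPLE_FLASH,
                                "disk0:/asa825-52-k8.bin",
                                "disk0:/asa825-50-k8.bin"):
        print(cmd)
```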

Author Comment

by:tolinrome
ID: 40554181
Thanks Matt, these are good points.

The reset factory default is one of my main procedures though, that's how I wipe it out and put a fresh config on it. The reason for the factory default is because it would be way too tedious and error prone to make all the new changes and remove the old ones (tried it). As you know, I just can't paste a new config on the firewall since most of it wouldn't even take since it would force me to remove previous config lines first. I need to change ACL and NAT statements and VLAN interfaces and their IP addresses etc, etc. Doing this manually takes a long time and is error prone.

What if before I do the factory reset after I already have the startup config with all the statements I want in it, wouldn't that work?

Accepted Solution

by:
Matt earned 500 total points
ID: 40554989
You can do that of course. I always keep a separate copy of the ASA config, like this:

disk0:/myconfig-yyyy-mm-dd.txt

You can do write erase and then reload with your already prepared startup-config. Just be careful not to do "wr mem" after "write erase". This is the main reason why I also keep one copy separate from the Cisco startup-config, and also because you can see PPPoE and VPN preshared key passwords when saving to a custom backup file.

The main point to be very careful about is that the ASA gets a public IP and that you can access the ASA using SSH. If you get these two points working, then you can of course do whatever you like remotely.
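
The two conditions named in this answer can be checked against the prepared config file before the remote reload. The following is an added example, not part of the original post: a Python pre-flight check that reports anything in the file that would cut off remote management. The interface name `outside`, the function name and the sample configs are assumptions constructed for illustration, and only the IPv4 form of the `ssh` line is handled.

```python
import re

def check_remote_access(config_text, outside="outside"):
    """Return a list of problems that would cut off remote management."""
    problems, blocks, current = [], [], None
    # Group each "interface ..." header with the indented lines under it.
    for line in config_text.splitlines():
        if line.startswith("interface "):
            current = [line]
            blocks.append(current)
        elif current is not None and line.startswith(" "):
            current.append(line.strip())
        else:
            current = None
    named = [b for b in blocks if f"nameif {outside}" in b]
    if not named:
        problems.append(f"no interface has 'nameif {outside}'")
    for block in named:
        if "shutdown" in block:
            problems.append(f"{block[0]} is shutdown")
        # "no ip address" does not count; static, dhcp and pppoe forms do.
        if not any(l.startswith("ip address ") for l in block):
            problems.append(f"{block[0]} has no 'ip address' line")
    # SSH must be permitted from some network on the outside interface.
    ssh_re = re.compile(rf"^ssh \S+ \S+ {re.escape(outside)}\s*$", re.M)
    if not ssh_re.search(config_text):
        problems.append(f"no 'ssh <network> <mask> {outside}' line")
    return problems

# Constructed sample configs (documentation address ranges, not real devices).
BAD_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 no ip address
!
ssh 192.168.1.0 255.255.255.0 inside
"""
GOOD_CONFIG = BAD_CONFIG.replace(" no ip address", " ip address pppoe setroute")
GOOD_CONFIG += "ssh 203.0.113.0 255.255.255.0 outside\n"

if __name__ == "__main__":
    print(check_remote_access(BAD_CONFIG))
```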