Solved

ASA Remote Install

Posted on 2015-01-16
Last Modified: 2015-01-25
I have an ASA in a remote location that needs upgrading: the iOS and configuration changes.

Is it possible to reset the firewall to factory settings and upon bootup it loads a script to create all the new statements needed?

For example a “config factory-default” and “reload save-config noconfirm”

It then boots up with a preloaded script on the flash or disk configuring all the interfaces and VLANs and everything else?

Has anyone ever done this?

Thanks
0
Question by:tolinrome
LVL 6

Expert Comment

by:Matt
ID: 40553940
You can always upgrade at a remote location, using TFTP and file transfer over a VPN connection, or HTTP to download the ASA image from a web server.

Then you need to verify this image (verify disk0:/asa....bin) and modify the boot parameters.

First check boot sequence:

sh run | i boot

Be careful, the boot sequence is added one after another. If you want to boot using the new image, I always remove all "boot system image disk0:/..." and then put the first boot to point to the new image, the second boot to point to the previous image just in case.

For example, you have in boot sequence these two files:
boot system disk0:/asa825-48-k8.bin
boot system disk0:/asa825-50-k8.bin

Now you want to add asa825-52-k8.bin...and preserve asa825-50-k8.bin as the secondary image if something goes wrong with the first one (for example error on flash card)

First remove the current boot settings:

no boot system disk0:/asa825-48-k8.bin
no boot system disk0:/asa825-50-k8.bin

Then write new boot settings:

boot system disk0:/asa825-52-k8.bin
boot system disk0:/asa825-50-k8.bin

As a precaution I always have two images on ASA. The last actual one and the previous. Be careful before downloading new image - check free space on flash card - remove the oldest image.

Regarding changes in the config file - DO NOT reset it to factory default on remote because you will lose access after reboot. You can save the config (startup-config) to your PC and modify it there, then upload it back again to startup-config. If there is only a small change which does NOT include anything regarding getting the public IP from the ISP provider, you can modify it online.
0
 
LVL 7

Author Comment

by:tolinrome
ID: 40554181
Thanks Matt, these are good points.

The reset factory default is one of my main procedures though, that's how I wipe it out and put a fresh config on it. The reason for the factory default is because it would be way too tedious and error prone to make all the new changes and remove the old ones (tried it). As you know, I just can't paste a new config on the firewall since most of it wouldn't even take since it would force me to remove previous config lines first. I need to change ACL and NAT statements and VLAN interfaces and their IP addresses etc, etc. Doing this manually takes a long time and is error prone.

What if before I do the factory reset after I already have the startup config with all the statements I want in it, wouldn't that work?
0
 
LVL 6

Accepted Solution

by:
Matt earned 500 total points
ID: 40554989
You can do that of course. I always keep a separate copy of the ASA config like this:

disk0:/myconfig-yyyy-mm-dd.txt

You can do write erase and then reload with your already prepared startup-config. Just be careful not to do "wr mem" after "write erase". This is the main reason why I have also one copy separate from CISCO startup-config and also because you can see PPPOE, VPN preshared key passwords when saving to custom backup file.

The main point to be very careful about is that the ASA gets its public IP and that you can access the ASA using SSH. If you get these two points working then you can of course do whatever you like on remote.
0
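A pre-flight check for the two conditions the accepted answer names (the outside interface gets an IP, and SSH is permitted on it), run against the prepared config file before "write erase" and reload. This is an added example, not part of the original thread. The function names, the `outside` default and the sample configs are assumptions made for illustration, and a clean result does not cover routing, credentials or the ISP side.

```python
import re

def parse_interfaces(config):
    """Map nameif -> {"ip": str or None, "shutdown": bool} from ASA config text."""
    interfaces, cur = {}, None
    for line in config.splitlines():
        words = line.split()
        if line.startswith("interface "):
            cur = {"ip": None, "shutdown": False}
        elif cur is None or not line.startswith(" "):
            cur = None                      # left the interface block
        elif words[:1] == ["nameif"] and len(words) > 1:
            interfaces[words[1]] = cur
        elif words[:2] == ["ip", "address"] and len(words) > 2:
            cur["ip"] = " ".join(words[2:])  # static, dhcp or pppoe
        elif words == ["shutdown"]:
            cur["shutdown"] = True
    return interfaces

def preflight(config, mgmt_if="outside"):
    """Return reasons the ASA would be unreachable after a reload with this config."""
    problems = []
    intf = parse_interfaces(config).get(mgmt_if)
    if intf is None:
        problems.append(f"no interface with nameif {mgmt_if}")
    else:
        if intf["shutdown"]:
            problems.append(f"{mgmt_if} is shutdown")
        if not intf["ip"]:
            problems.append(f"{mgmt_if} has no ip address")
    # "ssh <network> <mask> <nameif>" is the line that permits SSH on that interface.
    if not re.search(rf"^ssh \S+ \S+ {re.escape(mgmt_if)}\s*$", config, re.M):
        problems.append(f"no ssh permit line for {mgmt_if}")
    return problems

# Constructed sample configs (addresses are documentation ranges).
GOOD = """\
interface Vlan2
 nameif outside
 ip address pppoe setroute
!
ssh 198.51.100.0 255.255.255.0 outside
ssh timeout 10
"""
BAD = GOOD.replace(" ip address pppoe setroute", " no ip address\n shutdown") \
          .replace("0 outside", "0 inside")

if __name__ == "__main__":
    print(preflight(GOOD), preflight(BAD))
```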