1. Overview
There could be many reasons to always upgrade Cisco ASA firewall IOS software to the latest version. The most common reasons are first to fix the bug, second to fix security vulnerability, and the last one is for the stability reason. Since the firewall is not clustered, you will experience about five minutes down time during the reboot process of Cisco ASA firewall.
In this instruction, TechSpaceKH will explains you how to upgrade stand alone Cisco ASA firewall IOS software from version 9.8.2 to the latest version 9.9.2.
2. Prerequisites
In this article, it is presumed that:
a. You have already done the security hardening on your Cisco ASA firewall devices so that you can have a secure file copy over the network. please refer to this link. Security Hardening Cisco ASA Firewall
b. You have a direct console access to ASA firewall
c. You have Cisco TAC account with enough privilege to download the software.
d. You already have an SSH server up and running on your network.
3. Network Diagram
To simplify the explanation of the upgrade procedure, we will use the following network diagram for operate this IOS software upgrade. You need to upload Cisco IOS file “asa992-smp-k8.bin” which you have downloaded from with Cisco TAC account to SSH server. In our case, we will upload this file to directory “/home/vannath” on SSH server IP 10.0.0.1 from management workstation.
Then, we need make a secure copy of Cisco IOS file “asa992-smp-k8.bin” from SSH server into Cisco ASA firewall appliance with “scp” command.
4. Upgrade Cisco ASA Firewall
First, we need to copy Cisco IOS file “asa992-smp-k8.bin” from SSH server into Cisco ASA firewall appliance flash drive by using “scp” command as the following. To use “scp” command to copy file on Cisco ASA firewall, please refer to Hardening Cisco ASA Firewall
# copy scp://vannath@10.0.0.1/asa992-smp-k8.bin flash:
After finish copying the IOS software file, we need to verify this file with the following command to make sure that the file is not corrupted.
# verify asa992-smp-k8.bin Verifying file integrity of disk0:/asa992-smp-k8.bin !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Done! Embedded Hash SHA-512: 25f280312421717f0eb924aa92178777e28ed6e68aa72c17dc1b776092268b6bf903cd9d9575d57e41766095258aca1a3751985c450053e39714599a8c9b581c Computed Hash SHA-512: 25f280312421717f0eb924aa92178777e28ed6e68aa72c17dc1b776092268b6bf903cd9d9575d57e41766095258aca1a3751985c450053e39714599a8c9b581c CCO Hash SHA-512: 3908d8744421809bdad41f0cdb4c96db70cdacc0fb135c45a78c3a9f8e97e83a092e34a07369d8018b33533252acf8f4489d1d5ce264a7906c7913101bc17cfe Signature Verified
Next, we need to verify the current boot image by using the following “show” command.
# sh run boot system
Now, let remove any existing boot image configurations so that we can enter the new boot image as our first choice on Cisco ASA firewall appliance.
# no boot system disk0:/asa982-smp-k8.bin
Next, we have to set the new boot image IOS in order. If ASA cannot boot the first image, I will boot the second image consequently.
# boot system flash:/asa992-smp-k8.bin # boot system disk0:/asa982-smp-k8.bin
Finally, we need to save the new settings to the startup configuration and verify that Cisco ASA firewall boot image is set to “asa992-smp-k8.bin” using command “show run boot system” and after that reload the device.
# wr # sh run boot boot system disk0:/asa992-smp-k8.bin boot system disk0:/asa982-smp-k8.bin # reload
After the reload process finish, we need to verify if the Cisco ASA firewall device is upgraded to version 9.9.2 by running the following command.
# sh ver Cisco Adaptive Security Appliance Software Version 9.9(2)
5. Conclusion
Now you should be able to upgrade stand alone Cisco ASA firewall IOS software from version 9.8.2 to the latest version 9.9.2. Hopefully, you can find this document informative. If you have any questions or suggestions you can always leave your comments below. I will try all of my best to review and reply them.
