The Adaptive Security Appliance (ASA) is Cisco's latest and greatest firewall, and it's quickly overtaking the PIX firewall in popularity. When first released, the ASA 5500 series firewalls came with software version 7.0. Subsequent upgrades featured versions 7.1, 7.2, and 8.0.
The Cisco ASA is a good firewall, and I like it much better than the PIX. While I wouldn't call it the best firewall available, Cisco's adding more and more features to it all the time.
But even more important than new ASA features is staying current with the software versions to keep the firewall patched with the latest security fixes. How do you upgrade the software on an ASA? Let's walk through the process.
What does version 8.x have to offer?
According to the release notes for ASA software version 8.x, the upgrade boasts a number of new features.
- EIGRP routing is now available.
- The upgrade adds high-availability functionality.
- There are several SSL VPN enhancements — including a unique onscreen keyboard, which helps prevent keystroke logging.
- SSL VPN support for Windows Vista and Mac OS X clients is now available.
- ASA sports a new AnyConnect VPN client.
- There's built-in local certificate authority.
- There's VPN load balancing between other ASA firewalls.
- The upgrade features additional browser-based SSL VPN features.
- It includes transparent NAT.
Where can I find the upgrade?
To download the ASA software, you must have a valid SMARTnet agreement. Log onto the Cisco Web site; you can find the download here: http://www.cisco.com/cgi-bin/tablebuild.pl/asa
Enter your login information, and click OK. The Web page will list the software downloads. This Web site offers all versions of the ASA software, the Adaptive Security Device Manager (ASDM) GUI for the ASA, and even translators to enable your SSL VPN messages to appear in other languages. For this example, I'm downloading the latest and greatest: Cisco ASA software 8.0.2 ED, as shown in Figure A.
How do I upgrade ASA to the latest version?
Once you've downloaded the necessary software, follow these steps:
1. Back up your current configuration file using TFTP. Alternatively, you can just paste it into Notepad and save it on your hard drive. Just make sure you have a copy somewhere in case something goes wrong.
2. Determine which version of ASA software you have now. Here's an example:
ASA5510# sh ver
Cisco Adaptive Security Appliance Software Version 7.0(6)
Device Manager Version 5.0(6)
Directory of disk0:/
5 -rw- 5474304 00:05:00 Jan 01 2003 asa706-k8.bin
675 -rw- 5823980 16:34:26 Nov 07 2006 asdm506.bin
255426560 bytes total (244064256 bytes free)
3. You can use TFTP to move the image to the ASA. Here's an example:
ASA5510# copy tftp disk0
Address or name of remote host ? 10.253.15.77
Source filename ? asa802-k8.bin
Destination filename [disk0]? disk0:asa802-k8.bin
Accessing tftp://10.253.15.77/asa802-k8.bin...!!!!!! (truncated)
Writing file disk0:/asa802-k8.bin... !!!!! (truncated)
14524416 bytes copied in 118.210 secs (123088 bytes/sec)
3a. Or, all of you GUI lovers out there can use the ASDM GUI to do the transfer, as shown in Figure B.
4. Rename your old version to make sure you boot off the new version. Here's an example:
ASA5510# rename asa706-k8.bin asa706-k8.old
5. You can choose to upgrade your version of ASDM using the same method. Version 8.x of the ASA software can run version 6.x of the ASDM. In fact, if you reboot your ASA without upgrading the ASDM, you may not be able to use ASDM after it reboots. You'll find this out when using the show version command, as shown below:
Cisco Adaptive Security Appliance Software Version 8.0(2)
Detected an old ASDM version.
You will need to upgrade it before using ASDM.
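TFTP, used in step 3, has no authentication or integrity protection, so it is worth checking the image before serving it and confirming the transfer before renaming the old image in step 4. The following is an added example, not part of the original article: it assumes you have a vendor-published SHA-512 checksum for the image, the function names are hypothetical, and the sample image bytes are constructed for the demo.

```python
import hashlib
import hmac
import re

# Constructed sample data: a stand-in image plus CLI output in the format
# shown in steps 2 and 3. The image bytes are invented for this demo.
SAMPLE_IMAGE = b"constructed stand-in for asa802-k8.bin" * 1000
SAMPLE_DIR = "255426560 bytes total (244064256 bytes free)"
SAMPLE_COPY = "%d bytes copied in 118.210 secs (123088 bytes/sec)" % len(SAMPLE_IMAGE)


def image_digest(data, algorithm="sha512"):
    """Hex digest of the image bytes as stored on the TFTP server."""
    return hashlib.new(algorithm, data).hexdigest()


def free_bytes(dir_output):
    """Free space reported at the end of the disk0: listing."""
    m = re.search(r"\((\d+) bytes free\)", dir_output)
    if not m:
        raise ValueError("no free-space line in dir output")
    return int(m.group(1))


def copied_bytes(copy_output):
    """Byte count the ASA reports once the TFTP copy finishes."""
    m = re.search(r"(\d+) bytes copied", copy_output)
    if not m:
        raise ValueError("no 'bytes copied' line in copy output")
    return int(m.group(1))


def check_upgrade(image, published_digest, dir_output, copy_output):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    expected = published_digest.strip().lower()
    if not hmac.compare_digest(image_digest(image), expected):
        problems.append("digest mismatch: do not serve this image")
    if len(image) > free_bytes(dir_output):
        problems.append("image does not fit in free flash")
    if copied_bytes(copy_output) != len(image):
        problems.append("short or padded transfer: re-copy before renaming")
    return problems


if __name__ == "__main__":
    good = image_digest(SAMPLE_IMAGE)  # stands in for the published checksum
    result = check_upgrade(SAMPLE_IMAGE, good, SAMPLE_DIR, SAMPLE_COPY)
    print(result or "all checks passed")
```

A matching byte count only shows that the whole file arrived; it does not prove the bytes on disk0 are the ones you hashed, so keep the renamed old image until the new one has booted cleanly.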
David Davis has worked in the IT industry for 12 years and holds several certifications, including CCIE, MCSE+I, CISSP, CCNA, CCDA, and CCNP. He currently manages a group of systems/network administrators for a privately owned retail company and performs networking/systems consulting on a part-time basis.