
Five steps to upgrading the software on a Cisco ASA 5510


The Adaptive Security Appliance (ASA) is Cisco's latest and greatest firewall, and it's quickly overtaking the PIX firewall in popularity. When first released, the ASA 5500 series firewalls came with software version 7.0. Subsequent upgrades featured versions 7.1, 7.2, and 8.0.

The Cisco ASA is a good firewall, and I like it much better than the PIX. While I wouldn't call it the best firewall available, Cisco's adding more and more features to it all the time.

But even more important than new ASA features is staying current with the software versions to keep the firewall patched with the latest security fixes. How do you upgrade the software on an ASA? Let's walk through the process.

What does version 8.x have to offer?

According to the release notes for ASA software version 8.x, the upgrade boasts a number of new features.

  • EIGRP routing is now available.
  • The upgrade adds high-availability functionality.
  • There are several SSL VPN enhancements -- including a unique onscreen keyboard, which helps prevent keystroke logging.
  • SSL VPN support for Windows Vista and Mac OS X clients is now available.
  • ASA sports a new AnyConnect VPN client.
  • There's a built-in local certificate authority.
  • There's VPN load balancing between other ASA firewalls.
  • The upgrade features additional browser-based SSL VPN features.
  • It includes transparent NAT.

Where can I find the upgrade?

To download the ASA software, you must have a valid SMARTnet agreement. Log on to the Cisco Web site; you can find the download here: http://www.cisco.com/cgi-bin/tablebuild.pl/asa

Enter your login information, and click OK. The Web page will list the software downloads. This Web site offers all versions of the ASA software, the Adaptive Security Device Manager (ASDM) GUI for the ASA, and even translators to enable your SSL VPN messages to appear in other languages.

For this example, I'm downloading the latest and greatest: Cisco ASA software 8.0.2 ED, as shown in Figure A.

Figure A


How do I upgrade ASA to the latest version?

Once you've downloaded the necessary software, follow these steps:

1. Back up your current configuration file using TFTP. Alternatively, you can just paste it into Notepad and save it on your hard drive. Just make sure you have a copy somewhere in case something goes wrong.

2. Determine which version of ASA software you have now. Here's an example:

    ASA5510# sh ver
    Cisco Adaptive Security Appliance Software Version 7.0(6)
    Device Manager Version 5.0(6)

    ASA5510# dir
    Directory of disk0:/
    5 -rw- 5474304 00:05:00 Jan 01 2003 asa706-k8.bin
    675 -rw- 5823980 16:34:26 Nov 07 2006 asdm506.bin
    255426560 bytes total (244064256 bytes free)

    ASA5510#

3. You can use TFTP to move the image to the ASA. Here's an example:

    ASA5510# copy tftp disk0
    Address or name of remote host []? 10.253.15.77
    Source filename []? asa802-k8.bin
    Destination filename [disk0]? disk0:asa802-k8.bin
    Accessing tftp://10.253.15.77/asa802-k8.bin...!!!!!! (truncated)
    Writing file disk0:/asa802-k8.bin... !!!!! (truncated)
    14524416 bytes copied in 118.210 secs (123088 bytes/sec)

3a. Or, all of you GUI lovers out there can use the ASDM GUI to do the transfer, as shown in Figure B.

Figure B


4. Rename your old version to make sure you boot off the new version. Here's an example:

ASA5510# rename asa706-k8.bin asa706-k8.old

5. You can choose to upgrade your version of ASDM using the same method. Version 8.x of the ASA software can run version 6.x of the ASDM. In fact, if you reboot your ASA without upgrading the ASDM, you may not be able to use ASDM after it reboots. You'll find this out when using the show version command, as shown below:

    Cisco Adaptive Security Appliance Software Version 8.0(2)
    Detected an old ASDM version.
    You will need to upgrade it before using ASDM.
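TFTP offers no authentication or integrity protection, so it is worth checking the image on both sides of the transfer in step 3. The Python sketch below is an added example, not part of the original article: it parses the `dir` output from step 2 to confirm the new image fits in flash and does not collide with an existing file, compares the download with a vendor-published checksum, and checks the byte count the ASA reports after the copy. The function names are hypothetical, and the availability of a published checksum is an assumption (the article does not mention one).

```python
import hashlib
import hmac
import re

# `dir` output from step 2 and the copy summary from step 3 of the article.
DIR_OUTPUT = """Directory of disk0:/
5 -rw- 5474304 00:05:00 Jan 01 2003 asa706-k8.bin
675 -rw- 5823980 16:34:26 Nov 07 2006 asdm506.bin
255426560 bytes total (244064256 bytes free)
"""
COPY_OUTPUT = "14524416 bytes copied in 118.210 secs (123088 bytes/sec)"

# index, permissions, size, time, month, day, year, filename
FILE_RE = re.compile(
    r"^\s*\d+\s+[-drwx]+\s+(\d+)\s+\d\d:\d\d:\d\d\s+\w{3}\s+\d{1,2}\s+\d{4}\s+(\S+)$"
)

def parse_dir(text):
    """Return ({filename: size_in_bytes}, free_bytes) from ASA `dir` output."""
    files = {}
    for line in text.splitlines():
        m = FILE_RE.match(line.rstrip())
        if m:
            files[m.group(2)] = int(m.group(1))
    free = re.search(r"\((\d+) bytes free\)", text)
    if free is None:
        raise ValueError("no 'bytes free' summary in dir output")
    return files, int(free.group(1))

def digest_matches(image_bytes, published_hex, algorithm="sha512"):
    """Compare the local image's digest with the vendor-published one."""
    actual = hashlib.new(algorithm, image_bytes).hexdigest()
    return hmac.compare_digest(actual, published_hex.strip().lower())

def preflight(name, size, dir_text):
    """Problems that should stop the copy in step 3; empty list means go."""
    files, free = parse_dir(dir_text)
    problems = []
    if name in files:
        problems.append(f"{name} already on flash ({files[name]} bytes)")
    if size > free:
        problems.append(f"{name} needs {size} bytes, only {free} free")
    return problems

def copy_complete(copy_output, local_size):
    """True only if the ASA reports copying exactly the local file's size."""
    m = re.search(r"(\d+) bytes copied", copy_output)
    return m is not None and int(m.group(1)) == local_size
```

Run `digest_matches` on the downloaded file before placing it on the TFTP server, and `copy_complete` against the transcript afterwards; a short byte count means the image on flash is truncated and should not be booted.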


David Davis has worked in the IT industry for 12 years and holds several certifications, including CCIE, MCSE+I, CISSP, CCNA, CCDA, and CCNP. He currently manages a group of systems/network administrators for a privately owned retail company and performs networking/systems consulting on a part-time basis.


12 comments
gbata

I would like to upgrade my Cisco ASA from 8.0 to 8.3. Will this change affect my last configuration on version 8.0? Thanks for the reply.

rpearson97217

If you upgrade an asa on a live network, will there be downtime?

bozard

Anybody upgraded to 8.2.1 yet? Is it o.k???

Amenawon

I want to upgrade my ASA with the following specs to ASA Version 8.0(2). Device type: 5540, ASA Version: 7.0(7), ASDM Version: 5.0(7). Do I need new licenses after the upgrade?

Amenawon

I want to upgrade my box with the following specs: Device Type: ASA5540, ASA Version: 7.0(7), ASDM Version: 5.0(7). Do I need new licences if I upgrade to ASA Version 8.0(2) and ASDM Version 6.0?

jkerby

If you copy and paste the running config in Step 1, you will lose all passwords since they will be encrypted, showing just ******, which will mean you lose some VPN configs and you may have a difficult time logging in using the old password. When you use TFTP to back up the current config, it will copy the passwords using clear text, which has good as well as bad points.

djdawson

Instead of renaming the old image, it's a better idea to use the "boot system" command in the config to specify the new boot image, just like in IOS routers when you have multiple images in flash. Similarly, there's an "asdm image" command that specifies which ASDM software should be used. Since the ASA boxes come with a lot more flash than the old PIX boxes did, it's now more feasible to keep multiple images in flash, so these two commands are very useful.

career

I upgraded my ASA5505 to 8.2 over the weekend. It's only in a lab setting, but haven't spotted any problems yet. However, I should mention that 8.2 is mostly geared towards new IDS and IPv6 features. I'm not using either.

jdclyde

so that you can download the newer versions from cisco.

jeremy

Yeah - I just found out about that ASDM command yesterday, too. I followed the instructions in this article and upgraded the ASDM to the latest and greatest - and renamed the old ASDM image, but then received an error that it couldn't find the ASDM image. So - be sure to check that config file!

larrymthompson

I have downloaded from Cisco and uploaded from the tftp to flash these asdm-615.bin, asdm-61551.bin, and asdm-61557.bin, and the end result is they are loaded but not valid image files? Help
