New Cisco ASA IOS install – Firewalling (Free Preview)


I recently bought a Cisco ASA 5520 Firewall without a flash drive from eBay. I decided not to go ahead with an original Cisco flash drive and used a third party 512MB compact flash drive to load the IOS. When I powered it on it kept booting over and over again as it could not find a boot image. No surprise right? There was no boot image in the first place.

However, I had the same issue even when I had a boot image on the compact flash drive.

To fix this, here are the steps I followed to load an image onto the third-party compact flash drive so that the ASA would boot properly.

 

Step 1: Enter the ROMMON prompt by pressing the ESC key during boot

Evaluating BIOS Options ...
 Launch BIOS Extension to setup ROMMON
 Cisco Systems ROMMON Version (1.0(11)5) #0: Thu Aug 28 15:23:50 PDT 2008

Platform ASA5520
 Use BREAK or ESC to interrupt boot. 
Use SPACE to begin boot immediately.
Boot interrupted.
Management0/0
Ethernet auto negotiation timed out.
Interface-4 Link Not Established (check cable).

Default Interface number-4 Not Up

Use ? for help.
rommon #0>

Step 2: Erase the contents of the flash drive and set the tftpdnld variables that give the Cisco ASA firewall TCP/IP connectivity to the TFTP server

NOTE: All tftpdnld variable names must be upper case. The values are case sensitive, for example the filename, as shown in the following example:

 

rommon #1> dev
Interface Device Information:
  GigabitEthernet0/0: i82546GB, PCI: bus-3, slot-3, fct-1, rev-3, irq-9
  GigabitEthernet0/1: i82546GB, PCI: bus-3, slot-3, fct-0, rev-3, irq-9
  GigabitEthernet0/2: i82546GB, PCI: bus-3, slot-2, fct-1, rev-3, irq-9
  GigabitEthernet0/3: i82546GB, PCI: bus-3, slot-2, fct-0, rev-3, irq-9
  Management0/0: i82551ER, PCI: bus-4, slot-2, fct-0, rev-16, irq-11

rommon #2> erase disk0:

About to erase the selected device, this will erase
all files including configuration, and images.
Continue with erase? y/n [n]: y

Erasing Disk0:
....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
rommon #3> ADDRESS=192.168.1.60
rommon #4> SERVER=192.168.1.101
rommon #5> IMAGE=asa917-11-k8.bin
rommon #6> PORT=GigabitEthernet0/0
GigabitEthernet0/0
Link is UP
MAC Address: c47d.4f85.0234

Step 3: To validate your settings, enter the set command

rommon #7> set
ROMMON Variable Settings:
  ADDRESS=192.168.1.60
  SERVER=192.168.1.101
  GATEWAY=0.0.0.0
  PORT=GigabitEthernet0/0
  VLAN=untagged
  IMAGE=asa917-11-k8.bin
  CONFIG=
  LINKTIMEOUT=20
  PKTTIMEOUT=4
  RETRY=20
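As an added example (not part of the original lesson), a small Python preflight that parses the ROMMON `set` output shown above and checks the preconditions the NOTE and the ping step depend on: variable names upper case, ADDRESS and SERVER valid IPv4, and, when GATEWAY is 0.0.0.0, SERVER on the same directly connected subnet as ADDRESS. ROMMON prints no mask, so the prefix length is an assumption taken from the 255.255.255.0 configured on gig0/0 in step 6; the function and variable names are mine.

```python
import ipaddress
import re

# ROMMON `set` output copied from the lesson (sample input for the checks below)
SET_OUTPUT = """\
ROMMON Variable Settings:
  ADDRESS=192.168.1.60
  SERVER=192.168.1.101
  GATEWAY=0.0.0.0
  PORT=GigabitEthernet0/0
  VLAN=untagged
  IMAGE=asa917-11-k8.bin
  CONFIG=
  LINKTIMEOUT=20
  PKTTIMEOUT=4
  RETRY=20
"""


def parse_rommon_set(text):
    """Turn the `set` listing into a dict; keys keep the case ROMMON printed."""
    variables = {}
    for line in text.splitlines():
        match = re.match(r"^\s*([A-Za-z_]+)=(.*)$", line)
        if match:
            variables[match.group(1)] = match.group(2).strip()
    return variables


def check_rommon_vars(variables, prefix_len=24):
    """Return a list of problems; an empty list means tftpdnld should be able to reach the server.

    prefix_len is an assumption: ROMMON shows no mask, so the /24 from step 6 is reused.
    """
    problems = []
    for name in variables:
        if name != name.upper():
            problems.append(f"variable {name!r} is not upper case")
    for required in ("ADDRESS", "SERVER", "IMAGE", "PORT"):
        if not variables.get(required):
            problems.append(f"{required} is not set")
    try:
        address = ipaddress.IPv4Address(variables.get("ADDRESS", ""))
        server = ipaddress.IPv4Address(variables.get("SERVER", ""))
    except ipaddress.AddressValueError as exc:
        problems.append(f"bad IPv4 address: {exc}")
        return problems
    gateway = variables.get("GATEWAY", "0.0.0.0")
    if gateway == "0.0.0.0":
        # No default gateway in ROMMON: the TFTP server must be directly connected.
        local_net = ipaddress.IPv4Network(f"{address}/{prefix_len}", strict=False)
        if server not in local_net:
            problems.append(f"SERVER {server} is outside {local_net} and GATEWAY is unset")
    return problems


if __name__ == "__main__":
    found = check_rommon_vars(parse_rommon_set(SET_OUTPUT))
    print(found or "preflight OK")
```

Run it against a pasted `set` listing before typing tftpdnld; the subnet check catches the common case where the server sits behind a router but GATEWAY was left at 0.0.0.0, which otherwise only shows up as the ping in step 4 failing.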

Step 4: Ping the TFTP server by entering ping 192.168.1.101

rommon #8> ping 192.168.1.101
Sending 20, 100-byte ICMP Echoes to 192.168.1.101, timeout is 4 seconds:
?!!!!!!!!!!!!!!!!!!!
Success rate is 95 percent (19/20)

Figure: TFTP server and its directory contents

 

Step 5: Load the software image by entering the tftpdnld command

rommon #9> tftpdnld
ROMMON Variable Settings:
ADDRESS=192.168.1.60
SERVER=192.168.1.101
GATEWAY=0.0.0.0
PORT=GigabitEthernet0/0
VLAN=untagged
IMAGE=asa917-11-k8.bin
CONFIG=
LINKTIMEOUT=20
PKTTIMEOUT=4
RETRY=20

tftp asa917-11-k8.bin@192.168.1.101
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Received 27703296 bytes

Launching TFTP Image...e>

Cisco Security Appliance admin loader (3.0) #0: Fri Sep 16 07:43:52 PDT 2016
Platform ASA5520

Loading...
IO memory blocks requested from bigphys 32bit: 22733
dosfsck 2.11, 12 Mar 2005, FAT32, LFN
open /dev/hda1:No such file or directory
dosfsck(/dev/hda1) returned 1
mount: mounting /dev/hda1 on /mnt/disk0 failed: No such file or directory
mount: mounting /dev/hda1 on /mnt/disk0 failed: No such file or directory
dosfsck 2.11, 12 Mar 2005, FAT32, LFN
Currently, only 1 or 2 FATs are supported, not 0.

dosfsck(/dev/hdb1) returned 1
mount: mounting /dev/hdb1 on /mnt/disk1 failed: Invalid argument
mount: mounting /dev/hdb1 on /mnt/disk1 failed: Invalid argument
Processor memory 1828716544, Reserved memory: 110100480

Total SSMs found: 1
ASA-SSM-40, SN JAF1409ACEC, HW ver 1.0, FW ver 1.0(14)5

Total NICs found: 7
mcwa i82557 Ethernet at irq 11 MAC: c47d.4f85.0238
mcwa i82557 Ethernet at irq 5 MAC: 0000.0001.0001
i82547GI rev00 Gigabit Ethernet @ irq11 dev 1 index 05 MAC: 0000.0001.0002
i82546GB rev03 Gigabit Ethernet @ irq09 dev 2 index 03 MAC: c47d.4f85.0237
i82546GB rev03 Gigabit Ethernet @ irq09 dev 2 index 02 MAC: c47d.4f85.0236
i82546GB rev03 Gigabit Ethernet @ irq09 dev 3 index 01 MAC: c47d.4f85.0235
i82546GB rev03 Gigabit Ethernet @ irq09 dev 3 index 00 MAC: c47d.4f85.0234

INFO: Unable to read firewall mode from flash
Writing default firewall mode (single) to flash

INFO: Unable to read cluster interface-mode from flash
Writing default mode "None" to flash
imb_upgrade_thread: IMB in slot 1 is version 1.8
imb_upgrade_thread: IMB in slot 1 is being upgraded to 1.10
Verify the activation-key, it might take a while...
Failed to retrieve permanent activation key.
Running Permanent Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
Running Timebased Activation Key: 0x152f9a5d 0xa4e41e43 0x35a84e1e 0x4040981b 0x8012ddae
The Running Activation Key is not valid, using default settings:

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 150 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled 26 days
Security Contexts : 12 26 days
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 750 perpetual
Total VPN Peers : 750 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
Cluster : Disabled perpetual

This platform has an ASA 5520 VPN Plus license.

IMBFS: Updating the IMB to v1.10. Please wait...
Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode : CNlite-MC-SSLm-PLUS-2.08
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.09
IMBFS: The IMB software was changed to v1.10.



At this point, if we check the flash contents we can see there is still no image on the flash drive: tftpdnld booted the image from memory and did not write it to flash. So do not reboot, or you will end up back at step 1. What we need to do is copy the boot image to the flash drive.

 

<output omitted>

                Cisco Systems, Inc.
                170 West Tasman Drive
                San Jose, California 95134-1706

Insufficient flash space available for this request:
  Size info: request:32 free:0  delta:32
Could not initialize system files in flash.
config_fetcher: channel open failed
ERROR: MIGRATION - Could not get the startup configuration.

INFO: Power-On Self-Test in process.
...........................................................
INFO: Power-On Self-Test complete.

INFO: MIGRATION - Saving the startup errors to file 'flash:upgrade_startup_errors_200301010017.log'
 Pre-configure Firewall now through interactive prompts [yes]? no

Type help or '?' for a list of available commands.
ciscoasa> 
ciscoasa> en
Password: 
ciscoasa# show flash:
--#--  --length--  -----date/time------  path
 2315  196         Jan 01 2003 00:17:15  upgrade_startup_errors_200301010017.log
 2313  0           Jan 01 2003 00:17:15  coredumpinfo
 2314  59          Jan 01 2003 00:17:15  coredumpinfo/coredump.cfg
 2310  0           Jan 01 2003 00:16:52  crypto_archive
 2294  0           Jan 01 2003 00:16:31  log

0 bytes total (0 bytes free)

Step 6: Configure interface gig0/0 with an IP address and assign it to the inside zone.

 

Our TFTP server is also in the inside zone.

 

ciscoasa# configure terminal
ciscoasa(config)# interface gig0/0
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.

ciscoasa(config-if)# ip address 192.168.1.60 255.255.255.0
ciscoasa(config-if)# no shut
ciscoasa(config-if)# exit
ciscoasa(config)# exit

 

Step 7: Ping the TFTP server by entering ping 192.168.1.101

ciscoasa# ping 192.168.1.101
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.101, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/12/60 ms

 

Step 8: Load the software image by entering the copy tftp flash command

ciscoasa# copy tftp flash
 Address or name of remote host []? 192.168.1.101
 Source filename []? asa917-11-k8.bin
 Destination filename [asa917-11-k8.bin]?
Accessing tftp://192.168.1.101/asa917-11-k8.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 
27703296 bytes copied in 67.380 secs (413482 bytes/sec)


ciscoasa# show flash
--#--  --length--  -----date/time------  path
   10  27703296    Jan 01 2003 00:20:58  asa917-11-k8.bin

255287296 bytes total (227549184 bytes free)
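TFTP carries the image with no integrity protection, so the checks worth doing after the copy are that the file on flash has the length the copy reported and that its digest matches the one Cisco publishes for that image. The following Python is an added example, not part of the lesson: it parses the `show flash` listing above, compares the image length with the 27703296 bytes reported by `copy tftp flash`, and hashes image bytes for comparison with a published digest. The byte strings and the digest used here are constructed stand-ins; the function names are mine.

```python
import hashlib
import hmac
import re

# `show flash` output after the copy, copied from the lesson as sample input
SHOW_FLASH = """\
--#--  --length--  -----date/time------  path
   10  27703296    Jan 01 2003 00:20:58  asa917-11-k8.bin

255287296 bytes total (227549184 bytes free)
"""

# One file entry: index, length, date/time, path (paths may contain '/')
FLASH_LINE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2})\s+(\S+)\s*$"
)
TOTAL_LINE = re.compile(r"^(\d+) bytes total \((\d+) bytes free\)")


def parse_show_flash(text):
    """Return ({path: length_in_bytes}, total_bytes, free_bytes)."""
    files, total, free = {}, None, None
    for line in text.splitlines():
        entry = FLASH_LINE.match(line)
        if entry:
            files[entry.group(4)] = int(entry.group(2))
            continue
        summary = TOTAL_LINE.match(line)
        if summary:
            total, free = int(summary.group(1)), int(summary.group(2))
    return files, total, free


def image_size_matches(text, image, copied_bytes):
    """True when the image is on flash and its length equals what `copy tftp flash` reported."""
    files, _, _ = parse_show_flash(text)
    return files.get(image) == copied_bytes


def sha512_hexdigest(data, chunk_size=1 << 20):
    """Hash image bytes in chunks (the same loop works over a file read in blocks)."""
    digest = hashlib.sha512()
    for offset in range(0, len(data), chunk_size):
        digest.update(data[offset:offset + chunk_size])
    return digest.hexdigest()


def image_digest_matches(data, published_hexdigest):
    """Compare the computed digest with the vendor-published one without short-circuiting."""
    return hmac.compare_digest(sha512_hexdigest(data), published_hexdigest.lower())


if __name__ == "__main__":
    print(image_size_matches(SHOW_FLASH, "asa917-11-k8.bin", 27703296))
    # Constructed stand-in for the image; a real check reads the .bin served over TFTP
    sample_image = b"\x7fASA" * 1024
    print(sha512_hexdigest(sample_image))
```

Hash the image on the TFTP server before serving it and again from the ASA with its `verify` command after the copy; a length match alone does not rule out a corrupted or substituted file.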

 

Now you can safely reload the Cisco ASA 5520 firewall. Before doing so, confirm that the copied image is intact: its length in show flash should equal the byte count the copy reported, and its checksum should match the value Cisco publishes for that image (the ASA's verify command, for example verify /md5 flash:/asa917-11-k8.bin, computes it on the box), since TFTP provides no integrity protection of its own. The same procedure should work on any other Cisco ASA 5500 series firewall.

Lesson tags: ASA, ASA5520, Cisco, Firewall, IOS