Recover the Image on an ASA

Transcript of Recover the Image on an ASA

  • Cisco SMB Support Assistant

    Recover the Image on an ASA 5500 Series Security Appliance

    Introduction

    This document provides instructions to reinstall the software image on your ASA 5500 series Security Appliance. This document applies to both ASA 5510 and ASA 5505 Adaptive Security Appliance devices.

    You need to reinstall the software image in either of these scenarios:

    - You reset the ASA 5500 password with password discovery disabled

    - The ASA software image is damaged or corrupted

    Note: Some command-line output in this document has been truncated for clarity and improved usability.

    Requirements

    To perform the steps described in this document, you need to have this equipment:

    http://www.cisco.com/public/technotes/smbsa/en/us/remote/5500_image_rcvry.html (1 of 12)6/27/2008 12:33:20 PM

    - Physical access to the ASA

    - A Windows PC with terminal-emulation software, such as HyperTerminal

    - A straight-through Ethernet cable. For more information about cables, refer to Cable Descriptions.

    - A console cable or a rolled cable with an adapter. For more information about cables, refer to Cable Descriptions.

    - TFTP Server software. For more information about TFTP software, refer to Set Up a TFTP Server.

    - Approximately one hour of network downtime

    Prepare to Recover the Image

    Follow these steps to prepare your network to recover the image on the ASA 5500 Series Security Appliance:

    Obtain Software

    Before you begin, contact the SMB Technical Assistance Center (SMB TAC) to obtain these images:

    - A Cisco software image for the ASA 5500 Series Security Appliance

    - An image for Adaptive Security Device Manager

    Set Up the TFTP Server

    Follow these steps to set up the TFTP server:

    1. Connect a straight-through Ethernet cable from the PC to Ethernet interface 0/0 of the ASA.

    Note: The picture displays the ASA 5510 model. Other ASA models look different. Always connect the straight-through Ethernet cable from the PC to the first Ethernet interface of the ASA.

    2. Ensure that the ASA software image and the ASDM image are in the TFTP root directory for your TFTP application. For more information about TFTP software, refer to Set Up a TFTP Server.

    3. Change your PC IP address to 192.168.1.2. For more information about how to change your IP address, refer to Configure an IP Address on Your PC.

    4. Leave the TFTP Server software open so that the ASA can download the images from your PC.

    Open a Terminal Connection

    You need console access to your security appliance in order to reset the password. Follow these steps to set up console access to the security appliance:

    1. Connect the RJ-45 connector of the console cable into the console port on the rear panel of the security appliance. Connect the DB-9 connector to the PC serial port. On your PC choose Start > Programs > Accessories > Communications > HyperTerminal to open HyperTerminal. For additional information on how to connect a terminal to the console port, refer to Create a HyperTerminal Connection.

    2. Create a connection with these terminal settings:

       - Bits per second (baud): 9600

       - Data bits: 8

       - Parity: None

       - Stop bits: 1

       - Flow Control: None

    Recover the Image

    Follow these steps to recover the image on the ASA security appliance:

    1. If the ASA is missing its software image, it reboots continuously. If you need to break a continuous reboot cycle, watch the startup messages that the ASA displays during boot. When the ASA displays Use BREAK or ESC to interrupt boot, press Escape.

    Note: If your ASA does not continuously reboot, proceed to the next step.

    Booting system, please wait...

    CISCO SYSTEMS
    Embedded BIOS Version 1.0(10)0 03/25/05 22:42:05.25

    Low Memory: 631 KB
    High Memory: 256 MB
    PCI Device Table.
    Bus Dev Func VendID DevID Class              Irq
     00  00  00   8086   2578  Host Bridge
     00  01  00   8086   2579  PCI-to-PCI Bridge
     00  03  00   8086   257B  PCI-to-PCI Bridge
     00  1C  00   8086   25AE  PCI-to-PCI Bridge
     00  1D  00   8086   25A9  Serial Bus         11
     00  1D  01   8086   25AA  Serial Bus         10
     00  1D  04   8086   25AB  System
     00  1D  05   8086   25AC  IRQ Controller
     00  1D  07   8086   25AD  Serial Bus         9
     00  1E  00   8086   244E  PCI-to-PCI Bridge
     00  1F  00   8086   25A1  ISA Bridge
     00  1F  02   8086   25A3  IDE Controller     11
     00  1F  03   8086   25A4  Serial Bus         5
     00  1F  05   8086   25A6  Audio              5
     02  01  00   8086   1075  Ethernet           11
     03  01  00   177D   0003  Encrypt/Decrypt    9
     03  02  00   8086   1079  Ethernet           9
     03  02  01   8086   1079  Ethernet           9
     03  03  00   8086   1079  Ethernet           9
     03  03  01   8086   1079  Ethernet           9
     04  02  00   8086   1209  Ethernet           11
     04  03  00   8086   1209  Ethernet           5

    Evaluating BIOS Options ...
    Invalid Key: 001B

    Launch BIOS Extension to setup ROMMON

    Cisco Systems ROMMON Version (1.0(10)0) #0: Fri Mar 25 23:02:10 PST 2005

    Platform ASA5510

    Use BREAK or ESC to interrupt boot.
    Use SPACE to begin boot immediately.
    Boot interrupted.

    Use ? for help.
    rommon #0>

    Note: If you are unable to break the boot process and the ASA reboots, repeat this step.

    2. Type ADDRESS=192.168.1.1 and press Enter.

    rommon #0>ADDRESS=192.168.1.1

    3. Type IMAGE=filename.bin and press Enter.

    rommon #1>IMAGE=asa704-k8.bin

    4. Type PORT=Ethernet0/0 and press Enter.

    rommon #2>PORT=Ethernet0/0

    Ethernet0/0
    Link is UP
    MAC Address: 0013.c480.7a1e

    5. Type SERVER=192.168.1.2 and press Enter.

    rommon #3>SERVER=192.168.1.2

    6. Type unset GATEWAY and press Enter.

    rommon #3>unset GATEWAY

    7. Type tftpdnld and press Enter.

    rommon #4>tftpdnld
    ROMMON Variable Settings:
      ADDRESS=192.168.1.1
      SERVER=192.168.1.2
      GATEWAY=0.0.0.0
      PORT=Ethernet0/0
      VLAN=untagged
      IMAGE=asa704-k8.bin
      CONFIG=
      LINKTIMEOUT=20
      PKTTIMEOUT=4
      RETRY=20

    tftp asa704-k8.bin@192.168.1.2 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    Received 5437440 bytes

    Launching TFTP Image...

    8. The ASA boots with the new image file.

    Cisco PIX Security Appliance admin loader (3.0) #0: Thu Oct 13 21:07:02 PDT 2005

    ########################################

    9. After the ASA boots, it displays the command prompt. Type enable and press Enter. Press Enter at the password prompt.

    cisco>enable
    Password:
    cisco#

    Note: If you do not see the prompt after the ASA boots, press Enter to clear the output.

    10. Type format disk0: and press Enter. Press Enter at each of the three confirm messages that appear.

    cisco#format disk0:
    WARNING: Saving activation key file failed. Proceed with operation? [confirm]

    Format operation may take a while. Continue? [confirm]

    Format operation will destroy all data in "disk0:". Continue? [confirm]

    Format: Drive communication & 1st Sector Write OK...

    Format: All system sectors written. OK...

    Format: Total sectors in formatted partition: 123104
    Format Total bytes in formatted partition: 6302948
    Format: Operation completed successfully.

    Format of disk0 complete
    cisco#

    11. Type configure terminal and press Enter.

    cisco#configure terminal
    cisco(config)#

    12. Type interface ethernet0/0 and press Enter.

    cisco(config)#interface ethernet0/0
    cisco(config-if)#

    13. Type ip address 192.168.1.1 255.255.255.0 and press Enter.

    cisco(config-if)# ip address 192.168.1.1 255.255.255.0

    14. Type nameif inside and press Enter.

    cisco(config-if)#nameif inside
    INFO: Security level for "inside" set to 100 by default.

    15. Type no shut and press Enter.

    cisco(config-if)# no shut

    16. Type exit and press Enter.

    cisco(config-if)#exit
    cisco(config)#

    17. Type route inside 0.0.0.0 0.0.0.0 192.168.1.2 and press Enter.

    cisco(config)#route inside 0.0.0.0 0.0.0.0 192.168.1.2

    18. Type end and press Enter.

    cisco(config)#end
    cisco#

    19. Type write memory and press Enter.

    cisco#write memory
    Building configuration...
    Cryptochecksum: 332fb353 d7c0f574 9315ed84 3dc1192e

    1213 bytes copied in 3.540 secs (404 bytes/sec)
    [OK]

    20. Type copy tftp://192.168.1.2/asa704-k8.bin flash: and press Enter.

    cisco#copy tftp://192.168.1.2/asa704-k8.bin flash:
    Address or name of remote host [192.168.1.2]?

    Source filename [asa704-k8.bin]?

    Destination filename [asa704-k8.bin]?

    Accessing tftp://192.168.1.2/asa704-k8.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    Writing file disk0:/asa704-k8.bin...
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    5437440 bytes copied in 251.880 secs (21663 bytes/sec)
    cisco#

    21. Type copy tftp://192.168.1.2/asdm504.bin flash: and press Enter.

    cisco# copy tftp://192.168.1.2/asdm504.bin flash:
    Address or name of remote host [192.168.1.2]?

    Source filename [asdm504.bin]?

    Destination filename [asdm504.bin]?

    Accessing tftp://192.168.1.2/asdm504.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    Writing file disk0:/asdm504.bin...
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    5958324 bytes copied in 336.670 secs (17733 bytes/sec)
    cisco#

    22. Type configure terminal and press Enter.

    cisco#configure terminal
    cisco(config)#

    23. Type no route inside 0.0.0.0 0.0.0.0 192.168.1.2 and press Enter.

    cisco(config)#no route inside 0.0.0.0 0.0.0.0 192.168.1.2

    24. Type end and press Enter.

    cisco(config)#end
    cisco#

    25. Type asdm image flash:asdm504.bin and press Enter.

    cisco(config)#asdm image flash:asdm504.bin

    26. Type http server enable and press Enter.

    cisco(config)#http server enable

    27. Type http 192.168.1.0 255.255.255.0 inside and press Enter.

    cisco(config)#http 192.168.1.0 255.255.255.0 inside

    28. Close your TFTP server software.

    29. Close the terminal connection and disconnect the console cable from the ASA.

    Next Step

    You have completed image recovery for your Cisco ASA 5500 series security appliance. To reconfigure the ASA, proceed to Configure Your ASA 5505 Security Appliance or Configure Your ASA 5510 Security Appliance.

    Troubleshoot the Procedure

    This section provides information about common problems that you may encounter. If this information does not solve your problem, contact the SMB Technical Assistance Center (SMB TAC) for assistance.

    Problem: The ASA boots normally before you interrupt the boot sequence.

    Cause(s) and Suggested Solution(s): Repeat the first step in Recover the Image.

    Problem: You receive an error message Interface link did not come up. Timed out. TFTP: Operation terminated or Timed Out after you perform step 6 of the Recover the Image section.

    Cause(s) and Suggested Solution(s):

    - Ensure that the PC's IP address is configured with 192.168.10.2 with a subnet mask of 255.255.255.0. Refer to Configure an IP Address on Your PC for instructions.

    - Ensure that you use the proper cable. You must use a crossover cable not a straight-through cable to connect your PC to the ASA first Ethernet port. Refer to Cable Descriptions for more information.

    - Ensure that you have launched the TFTP Server program.

    Problem: You receive an error message

    %Error opening tftp://192.168.1.2/asa704-k8.bin (No such device) or

    %Error opening tftp://192.168.1.2/asdm504.bin (No such device) after performing steps 20 and 21 respectively

    Cause(s) and Suggested Solution(s): Ensure that you have specified the correct file path in step 20 and step 21 of the Recover the Image section.

    Problem: You receive an error message

    TFTP error 1 received (File not found).

    TFTP: Operation terminated.

    Cause(s) and Suggested Solution(s): Ensure that the new software image is stored in your TFTP Root directory.

    If you are still unable to complete the procedure successfully, contact the SMB Technical Assistance Center (SMB TAC) for assistance.
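
    An added pre-flight check for the TFTP failures listed above (example code, not part of the Cisco document): it parses a captured ROMMON Variable Settings block, confirms that SERVER is the PC's address and sits in the same /24 as ADDRESS, and that the IMAGE file is present in the TFTP root. TFTP provides no authentication or integrity protection, so the optional expected_sha256 argument compares the file against a digest obtained from the image's supplier; that argument, the function names and the sample block are assumptions made for illustration.

```python
import hashlib
import ipaddress
import re
from pathlib import Path

# Constructed sample: the settings block that tftpdnld prints, one variable per line.
SAMPLE_ROMMON = """\
ROMMON Variable Settings:
  ADDRESS=192.168.1.1
  SERVER=192.168.1.2
  GATEWAY=0.0.0.0
  PORT=Ethernet0/0
  VLAN=untagged
  IMAGE=asa704-k8.bin
"""

def parse_rommon(text):
    """Return the NAME=value pairs found in a captured ROMMON settings block."""
    return dict(re.findall(r"^[ \t]*([A-Z]+)=(\S*)[ \t]*$", text, re.MULTILINE))

def preflight(rommon_text, pc_ip, tftp_root, expected_sha256=None):
    """Return a list of problems; an empty list means the transfer can start."""
    v = parse_rommon(rommon_text)
    problems = [f"{k} is not set" for k in ("ADDRESS", "SERVER", "IMAGE", "PORT")
                if not v.get(k)]
    if problems:
        return problems
    if v["SERVER"] != pc_ip:
        problems.append(f"SERVER={v['SERVER']} but the PC is {pc_ip}")
    # Direct cable with no gateway: both ends must share the 255.255.255.0 subnet.
    net = ipaddress.ip_network(f"{v['ADDRESS']}/255.255.255.0", strict=False)
    if ipaddress.ip_address(pc_ip) not in net:
        problems.append(f"PC {pc_ip} is outside {net}")
    if v.get("GATEWAY", "0.0.0.0") != "0.0.0.0":
        problems.append("GATEWAY is set; the procedure unsets it")
    image = Path(tftp_root) / v["IMAGE"]
    if not image.is_file() or image.stat().st_size == 0:
        problems.append(f"{image.name} missing or empty in TFTP root")
    elif expected_sha256:
        # Hash the file the TFTP server will actually hand to the ASA.
        digest = hashlib.sha256(image.read_bytes()).hexdigest()
        if digest != expected_sha256.lower():
            problems.append(f"{image.name} digest mismatch")
    return problems
```

    Run it on the PC before typing tftpdnld, passing the text copied from the terminal window, the PC's configured address and the TFTP root directory.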

    Related Information

    - Set Up a TFTP Server

    - Configure an IP Address on Your PC

    - Cable Descriptions

    - Create a HyperTerminal Connection

    - Configure Your ASA 5505 Security Appliance

    - Configure Your ASA 5510 Security Appliance

    1992-2006 Cisco Systems, Inc. All rights reserved. Terms and Conditions, Privacy Statement, Cookie Policy and Trademarks of Cisco Systems, Inc.
