Notes for upgrading the IOS version of a Cisco ASA Firewall
Refer to the official Cisco announcement:
A vulnerability in the Internet Key Exchange version 1 (IKEv1) and IKE version 2 (IKEv2) code of Cisco ASA Software may allow an unauthenticated remote attacker to cause a reload of the system or to execute code remotely.
The vulnerability is due to a buffer overflow in the affected code area. An attacker could exploit it by sending crafted UDP packets to the affected system. Successful exploitation could allow the attacker to execute arbitrary code and obtain full control of the system, or cause the system to reload.
Note: Only traffic directed to the affected system can be used to exploit this vulnerability. The vulnerability affects systems configured in firewall mode only, in single or multiple context mode. It can be triggered by IPv4 and IPv6 traffic.
Cisco released software updates to fix this vulnerability.
Cisco ASA Software running on the following products may be affected by this vulnerability:
Cisco ASA 5500 Series Adaptive Security Appliances
Cisco ASA 5500-X Series Next-Generation Firewalls
Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
Cisco ASA 1000V Cloud Firewall
Cisco Adaptive Security Virtual Appliance (ASAv)
Cisco Firepower 9300 ASA Security Module
Cisco ISA 3000 Industrial Security Appliance
Therefore, the internet-facing (egress) firewall of a large enterprise, a Cisco ASA 5520, also needs its IOS upgraded.
Preparations before Upgrade (important, must be executed)
1. Check the current running status of the firewall, including the panel indicators, fans, CPU and memory.
Of course, the panel indicators and fans can only be checked on site.
To view the running status of the firewall CPU and memory, run the following commands:
CiscoASA# show process cpu-usage
CiscoASA# show process memory
2. Be sure to back up the configuration. Use the Log Session (record session) function of SecureCRT to capture the output of show running-config into a log file.
Connect to the firewall with SecureCRT and enter show running-config so that the configuration commands are saved in the local log file. This way you do not have to worry about losing the configuration, because you have a copy of it.
Note: Under normal circumstances, upgrading the Cisco ASA IOS does not cause configuration loss. Even when upgrading from asa847-k8.bin to asa912-k8.bin, it is normal for commands to be automatically converted to the syntax supported by the new version. However, the risk of losing some commands cannot be ruled out.
3. (Very important) Back up the Cisco ASA License.
A lost configuration can usually still be remedied during the upgrade, but a lost License is not easy to recover: you would have to contact Cisco again to retrieve it.
Backing up the Cisco ASA License is very easy, however. You only need to run the show version command.
ciscoasa# show version

*************************************************************************
***  WARNING *** WARNING *** WARNING *** WARNING *** WARNING ***      ***
***         ----> Minimum Memory Requirements NOT Met! <----          ***
***  Installed RAM: 1024 MB                                           ***
***  Required RAM:  2048 MB                                           ***
***  Upgrade part #: ASA5520-MEM-2GB=                                 ***
***  This ASA does not meet the minimum memory requirements needed to ***
***  run this image. Please install additional memory (part number    ***
***  listed above) or downgrade to ASA version 8.2 or earlier.        ***
***  Continuing to run without a memory upgrade is unsupported, and   ***
***  critical system features will not function properly.             ***
*************************************************************************

Cisco Adaptive Security Appliance Software Version 9.1(2)
Device Manager Version 7.5(1)

Compiled on Thu 09-May-13 15:37 by builders
System image file is "disk0:/asa912-k8.bin"
Config file at boot was "startup-config"
<--- More --->
Hardware:   ASA5520, 1024 MB RAM, [CPU description garbled in source], Internal ATA Compact Flash, 256MB
BIOS Flash [part/address garbled in source], 2048KB

Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2_05
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.08
                             Number of accelerators: 1
 0: Ext: GigabitEthernet0/0  : address is c84c.7561.88fe, irq 9
 1: Ext: GigabitEthernet0/1  : address is c84c.7561.88ff, irq 9
 2: Ext: GigabitEthernet0/2  : address is c84c.7561.8900, irq 9
 3: Ext: GigabitEthernet0/3  : address is c84c.7561.8901, irq 9
 4: Ext: Management0/0       : address is c84c.7561.8902, irq 11
 5: Int: Not used            : irq 11
 6: Int: Not used            : irq [garbled in source]

Licensed features for this platform:
Maximum Physical Interfaces       : [garbled in source]   perpetual
Maximum VLANs                     : 150                   perpetual
<--- More --->
Inside Hosts                      : [garbled in source]   perpetual
Failover                          : Active/[garbled]      perpetual
Encryption-DES                    : Enabled               perpetual
Encryption-3DES-AES               : [garbled in source]   perpetual
[remaining licensed-feature rows garbled in source: Security Contexts (2),
 GTP/GPRS, VPN peers (750), Shared License, Botnet Traffic Filter (Disabled), Cluster]

# Here are the firewall serial number and License (I have masked them):
Serial Number: J**********hV
Running Permanent Activation Key: 0x1************** 20x08******* a80x******** 00x4****** 97
Configuration register is 0x1
Configuration has not been modified since last system restart.
4. Only after the backup work is complete are the potential risks covered; then you can prepare the IOS image upgrade.
What you need to prepare is:
FileZilla Server
The firewall IOS image
Note: If the firewall model is a Cisco ASA 55xx-X, the IOS image you use must have "smp" in its name.
The firewall in this upgrade project is a Cisco ASA 5520 whose original IOS version is asa741-k8.bin, so the upgrade must follow the upgrade path provided by Cisco. It is best not to skip steps; otherwise the configuration or the License is easily lost.
So the upgrade path should be 7.0 -> 7.1 -> 7.2 -> 8.2 -> 8.4(6) -> 9.1x
That is, you must first upgrade to 8.2 (asa821-k8.bin), then to 8.4(6) (asa846-k8.bin), then to 9.1(2), before upgrading to 9.1(3) or later.
The upgrade operation itself is relatively simple. Set up an FTP server with FileZilla, with user name test and password haha.
Then copy the IOS image to the flash memory of the ASA:
ciscoasa# copy ftp://test:haha@10.164.12.3/asa847-k8.bin flash:
Address or name of remote host []? 10.164.12.3
Source filename []? asa847-k8.bin
Destination filename [asa847-k8.bin]?
After the copy is complete, you can check the result with show flash:
ciscoasa# show flash:
--#--  --length--  -----date/time------  path
    1           0  Mar 12 2011 18:52:14  crypto_archive
    2     8515584  Jun 18 2010 05:53:48  asa724-k8.bin
    3     4181246  Jun 18 2010 05:55:04  securedesktop-asa-3.2.1.103-k9.pkg
    4      398305  Jun 18 2010 05:55:30  sslclient-win-1.1.0.154.pkg
   15     6514852  Mar 12 2011 03:46:24  asdm-524.bin
   18           0  Feb 10 2014 09:27:06  log
   48        2289  Feb 23 2016 09:42:02  7_2_4_0_startup_cfg.sav
   49           0  Feb 10 2014 09:27:24  coredumpinfo
   50          59  Feb 10 2014 09:27:24  coredumpinfo/coredump.cfg
   51        1138  Jul 04 2014 14:05:58  upgrade_startup_errors_201407041405.log
   52        1138  Feb 23 2016 08:40:18  upgrade_startup_errors_201602230840.log
   53        1138  Feb 23 2016 09:42:04  upgrade_startup_errors_201602230942.log
   54    24809472  Feb 23 2016 11:14:52  asa847-k8.bin

210485248 bytes available (44818432 bytes used)
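As an added example (not from the original post), a small Python pre-flight check that parses show flash: output like the listing above and the memory warning banner from the show version output earlier, and lists anything that should stop the boot system / reload step. The sample outputs are constructed to match the values on this page, and the function names are mine.

```python
import re

# Constructed sample of "show flash:" output, shaped like the post's listing
# (only a few rows reproduced; sizes are the ones the post shows).
SAMPLE_FLASH = """\
--#--  --length--  -----date/time------  path
    2     8515584  Jun 18 2010 05:53:48  asa724-k8.bin
   54    24809472  Feb 23 2016 11:14:52  asa847-k8.bin

210485248 bytes available (44818432 bytes used)
"""
# Constructed sample of the "show version" memory banner the post shows.
SAMPLE_VERSION = """\
----> Minimum Memory Requirements NOT Met! <----
Installed RAM: 1024 MB
Required RAM:  2048 MB
"""

ROW_RE = re.compile(r"^\s*\d+\s+(\d+)\s+\w{3} \d\d \d{4} \d\d:\d\d:\d\d\s+(\S+)$", re.M)
FREE_RE = re.compile(r"(\d+) bytes available")
RAM_RE = re.compile(r"(Installed|Required) RAM:\s*(\d+) MB")

def parse_show_flash(text):
    """Return ({path: size_bytes}, free_bytes) parsed from 'show flash:'."""
    files = {path: int(size) for size, path in ROW_RE.findall(text)}
    return files, int(FREE_RE.search(text).group(1))

def parse_memory(text):
    """Return (installed_mb, required_mb); required is None if no banner."""
    found = {k: int(v) for k, v in RAM_RE.findall(text)}
    return found.get("Installed"), found.get("Required")

def preflight(flash_text, version_text, image, expected_size):
    """List the problems that should stop a 'boot system' + reload:
    image missing or wrong size, not enough free flash to re-copy an
    image if the reload fails, or RAM below what the image requires."""
    files, free = parse_show_flash(flash_text)
    installed, required = parse_memory(version_text)
    problems = []
    if image not in files:
        problems.append(f"{image} not on flash")
    elif files[image] != expected_size:
        problems.append(f"{image} is {files[image]} bytes, expected {expected_size}")
    if free < expected_size:
        problems.append(f"only {free} bytes free, less than one image")
    if required is not None and installed < required:
        problems.append(f"installed RAM {installed} MB < required {required} MB")
    return problems
```

Run against the page's own values it passes the flash checks but flags the 1024 MB vs 2048 MB RAM shortfall that the show version banner above reports for the 9.1 image.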
After the copy is complete, execute the upgrade commands (when reload asks whether to save the modified configuration, answer yes, or run write memory first):
ciscoasa# conf t
ciscoasa(config)# boot system disk0:/asa847-k8.bin
ciscoasa(config)# no boot system disk0:/asa724-k8.bin
ciscoasa(config)# exit
ciscoasa# reload
ASDM can be upgraded at the same time:
ciscoasa(config)# asdm image disk0:/asdm-751.bin
After the upgrade is completed, the following criteria must be met:
1. Firewall configurations and policies are not lost, and firewall route entries are not lost.
Run show vlan to view the VLAN status on the firewall.
Run show route to view the firewall routing table.
Use the ping command to check service connectivity.
2. The IOS software version currently running on the firewall must match the target upgraded version.
Run show version to view the current IOS software version.
ASDM can be used normally.
3. The firewall is running normally, and the CPU and memory usage are not significantly high.
Run show process cpu-usage.
4. The firewall SSM works properly.
Run show module all to view the firewall modules.