Upgrade ASA OS to 9.0.1
no boot system disk0:/asa861-2-smp-k8.bin
no asdm image disk0:/asdm-66114.bin
boot system disk0:/asa901-smp-k8.bin
asdm image disk0:/asdm-702.bin
write mem
reload
ciscoasa# reload
Proceed with reload? [confirm]
ciscoasa#
***
*** --- START GRACEFUL SHUTDOWN ---
Shutting down isakmp
Shutting down webvpn
Shutting down sw-module
Shutting down File system
***
*** --- SHUTDOWN NOW ---
Process shutdown finished
Cisco BIOS Version:9B2C106A
Build Date:11/10/2011 09:59:37
CPU Type: Intel(R) Xeon(R) CPU X3450 @ 2.67GHz, 2660 MHz
Total Memory:12288 MB(DDR3 1333)
System memory:624 KB, Extended Memory:3573 MB
Booting from ROMMON
Cisco Systems ROMMON Version (2.1(9)8) #1: Wed Oct 26 17:14:40 PDT 2011
Platform ASA 5545-X with SW, 8 GE Data, 1 GE Mgmt
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Launching BootLoader...
Boot configuration file contains 1 entry.
Loading disk0:/asa901-smp-k8.bin... Booting...
Platform ASA5545
Loading...
IO memory blocks requested from bigphys 32bit: 81984
dosfsck 2.11, 12 Mar 2005, FAT32, LFN
Starting check/repair pass.
Starting verification pass.
/dev/sda1: 122 files, 33795/1951812 clusters
dosfsck(/dev/sda1) returned 0
Processor memory 5392543744, Reserved memory: 0
Total NICs found: 19
i82574L rev00 Gigabit Ethernet @ irq10 dev 0 index 08 MAC: a493.4caa.eb59
i82574L rev00 Gigabit Ethernet @ irq10 dev 0 index 07 MAC: a493.4caa.eb5d
i82574L rev00 Gigabit Ethernet @ irq05 dev 0 index 06 MAC: a493.4caa.eb58
i82574L rev00 Gigabit Ethernet @ irq05 dev 0 index 05 MAC: a493.4caa.eb5c
i82574L rev00 Gigabit Ethernet @ irq10 dev 0 index 04 MAC: a493.4caa.eb57
i82574L rev00 Gigabit Ethernet @ irq10 dev 0 index 03 MAC: a493.4caa.eb5b
i82574L rev00 Gigabit Ethernet @ irq05 dev 0 index 02 MAC: a493.4caa.eb56
i82574L rev00 Gigabit Ethernet @ irq05 dev 0 index 01 MAC: a493.4caa.eb5a
i82574L rev00 Gigabit Ethernet @ irq11 dev 0 index 00 MAC: a493.4caa.eb55
i82576F rev01 Gigabit Ethernet @ irq05 dev 0 index 14 MAC: 00e0.ed20.c519
i82576F rev01 Gigabit Ethernet @ irq11 dev 0 index 13 MAC: 00e0.ed20.c518
i82576F rev01 Gigabit Ethernet @ irq11 dev 0 index 12 MAC: 00e0.ed20.c517
i82576F rev01 Gigabit Ethernet @ irq05 dev 0 index 11 MAC: 00e0.ed20.c516
i82576F rev01 Gigabit Ethernet @ irq05 dev 0 index 10 MAC: 00e0.ed20.c515
i82576F rev01 Gigabit Ethernet @ irq11 dev 0 index 09 MAC: 00e0.ed20.c514
ivshmem rev03 Backplane Data Interface @ index 15 MAC: 0000.0001.0002
en_vtun rev00 Backplane Control Interface @ index 16 MAC: 0000.0001.0001
en_vtun rev00 Backplane Int-Mgmt Interface @ index 17 MAC: 0000.0001.0003
en_vtun rev00 Backplane Ext-Mgmt Interface @ index 18 MAC: 0000.0000.0000
INFO: Unable to read cluster interface-mode from flash
Writing default mode "None" to flash
Verify the activation-key, it might take a while...
Running Permanent Activation Key: 0xd917f672 0x3309432d 0x9d618294 0xf52cb4d8 0x8759c200
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 300 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 5 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 2500 perpetual
Total VPN Peers : 2500 perpetual
Shared License : Enabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
IPS Module : Disabled perpetual
Cluster : Disabled perpetual
This platform has an ASA5545 VPN Premium license.
Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x1)
Boot microcode : CNPx-MC-BOOT-2.00
SSL/IKE microcode : CNPx-MC-SSL-PLUS-T020
IPSec microcode : CNPx-MC-IPSEC-MAIN-0022
Cisco Adaptive Security Appliance Software Version 9.0(1)
****************************** Warning *******************************
This product contains cryptographic features and is
subject to United States and local country laws
governing, import, export, transfer, and use.
Delivery of Cisco cryptographic products does not
imply third-party authority to import, export,
distribute, or use encryption. Importers, exporters,
distributors and users are responsible for compliance
with U.S. and local country laws. By using this
product you agree to comply with applicable laws and
regulations. If you are unable to comply with U.S.
and local laws, return the enclosed items immediately.
A summary of U.S. laws governing Cisco cryptographic
products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by
sending email to export@cisco.com.
******************************* Warning *******************************
This product includes software developed by the OpenSSL Project
for use in the OpenSSL Toolkit (http://www.openssl.org/)
Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
All rights reserved.
Copyright (c) 1998-2011 The OpenSSL Project.
All rights reserved.
This product includes software developed at the University of
California, Irvine for use in the DAV Explorer project
(http://www.ics.uci.edu/~webdav/)
Copyright (c) 1999-2005 Regents of the University of California.
All rights reserved.
Busybox, version 1.16.1, Copyright (C) 1989, 1991 Free Software Foundation, Inc.
51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
Busybox comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.
DOSFSTOOLS, version 2.11, Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307
675 Mass Ave, Cambridge, MA 02139
DOSFSTOOLS comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.
grub, version 0.94, Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307
grub comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.
libgcc, version 4.3, Copyright (C) 2007 Free Software Foundation, Inc.
libgcc comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.
libstdc++, version 4.3, Copyright (C) 2007 Free Software Foundation, Inc.
libstdc++ comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.
Linux kernel, version 2.6.29.6, Copyright (C) 1989, 1991 Free Software
Foundation, Inc.
51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
Linux kernel comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.
module-init-tools, version 3.10, Copyright (C) 1989, 1991 Free Software
Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
module-init-tools comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.
numactl, version 2.0.3, Copyright (C) 2008 SGI.
Author: Andi Kleen, SUSE Labs
Version 2.0.0 by Cliff Wickman, Chritopher Lameter and Lee Schermerhorn
numactl comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.
pciutils, version 3.1.4, Copyright (C) 1989, 1991 Free Software Foundation, Inc.
51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
pciutils comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.
qemu, version 0.12.5, Copyright (C) 1989, 1991 Free Software Foundation, Inc.
51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
qemu comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.
qemu-KVM Inter-VM Shared Memory Patch, version 1.0,
Copyright (C) 2009 Cam Macdonell
qemu-KVM Inter-VM Shared Memory Patch comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.
readline, version 5.2, Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111 USA
readline comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.
udev, version 146, Copyright (C) 1989, 1991 Free Software Foundation, Inc.
51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
udev comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.
Cisco Adapative Security Appliance Software, version 9.0,
Copyright (c) 1996-2012 by Cisco Systems, Inc.
Certain components of Cisco ASA Software, Version 9.0 are licensed under the GNU
Lesser Public License (LGPL) Version 2.1. The software code licensed under LGPL
Version 2.1 is free software that comes with ABSOLUTELY NO WARRANTY. You can
redistribute and/or modify such LGPL code under the terms of LGPL Version 2.1
(http://www.gnu.org/licenses/lgpl-2.1.html). See User Manual for licensing
details.
Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Reading from flash...
!!.
Cryptochecksum (unchanged): 971cbg0d 0bz158f4 f345u401 356bf234
Type help or '?' for a list of available commands.
ciscoasa>
running-config after the upgrade
ciscoasa# show run
: Saved
:
ASA Version 9.0(1)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/7
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/0
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa901-smp-k8.bin
ftp mode passive
pager lines 24
logging asdm informational
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-702.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.20-192.168.1.254 management
dhcpd enable management
!
!
tls-proxy maximum-session 1000
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption des-sha1
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:971b1d0d0bc158f4f437c401356bf762
: end
difference between the running-configs (< is 9.0(1) after the upgrade, > is 8.6(1)2 before)
< ASA Version 9.0(1)
> ASA Version 8.6(1)2
< xlate per-session deny tcp any4 any4
< xlate per-session deny tcp any4 any6
< xlate per-session deny tcp any6 any4
< xlate per-session deny tcp any6 any6
< xlate per-session deny udp any4 any4 eq domain
< xlate per-session deny udp any4 any6 eq domain
< xlate per-session deny udp any6 any4 eq domain
< xlate per-session deny udp any6 any6 eq domain
< boot system disk0:/asa901-smp-k8.bin
> boot system disk0:/asa861-2-smp-k8.bin
< asdm image disk0:/asdm-702.bin
> asdm image disk0:/asdm-66114.bin
< no arp permit-nonconnected
< timeout pat-xlate 0:00:30
< crypto ipsec security-association pmtu-aging infinite
< crypto ca trustpool policy
> webvpn
< no call-home reporting anonymous
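An added example, not part of the original post: the comparison above reproduced in Python, separating the lines the operator changed on purpose (version, boot image, ASDM image) from the lines the new image added or dropped on its own, which are the ones to review after an upgrade. The two sample configs are constructed from lines shown on this page; the function names, the checksum placeholders and the position of `webvpn` in the old config are assumptions.

```python
import difflib

# Lines the operator changes on purpose in this upgrade (the commands on this page).
INTENDED_PREFIXES = ("ASA Version", "boot system", "asdm image")
# Lines that differ on every save and carry no configuration meaning.
VOLATILE_PREFIXES = ("Cryptochecksum", ": ")
# Constructed samples from lines on this page; checksums are placeholders, "webvpn" position assumed.
BEFORE_SAMPLE = """\
: Saved
ASA Version 8.6(1)2
hostname ciscoasa
boot system disk0:/asa861-2-smp-k8.bin
asdm image disk0:/asdm-66114.bin
arp timeout 14400
webvpn
Cryptochecksum:PLACEHOLDER-OLD
"""
AFTER_SAMPLE = """\
: Saved
ASA Version 9.0(1)
hostname ciscoasa
xlate per-session deny tcp any4 any4
xlate per-session deny udp any4 any4 eq domain
boot system disk0:/asa901-smp-k8.bin
asdm image disk0:/asdm-702.bin
arp timeout 14400
no arp permit-nonconnected
timeout pat-xlate 0:00:30
no call-home reporting anonymous
Cryptochecksum:PLACEHOLDER-NEW
"""

def normalize(config_text):
    """Drop blank, separator and volatile lines; keep order and indentation."""
    kept = []
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line.strip() in ("", "!", ":") or line.startswith(VOLATILE_PREFIXES):
            continue
        kept.append(line)
    return kept

def classify_changes(before_text, after_text):
    """Diff two running-configs and split the changes by who caused them."""
    report = {"intended": [], "implicit_added": [], "implicit_removed": []}
    for entry in difflib.ndiff(normalize(before_text), normalize(after_text)):
        tag, line = entry[:2], entry[2:]
        if tag not in ("- ", "+ "):
            continue  # unchanged lines and ndiff's "? " hint lines
        if line.lstrip().startswith(INTENDED_PREFIXES):
            report["intended"].append(entry)
        elif tag == "+ ":
            report["implicit_added"].append(line)
        else:
            report["implicit_removed"].append(line)
    return report

if __name__ == "__main__":
    print(classify_changes(BEFORE_SAMPLE, AFTER_SAMPLE))
```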
multiple mode
ciscoasa(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]
!
The old running configuration file will be written to flash
Converting the configuration - this may take several minutes for a large configuration
The admin context configuration will be written to flash
The new running configuration file was written to flash
Security context mode: multiple
***
*** --- SHUTDOWN NOW ---
***
*** Message to all terminals:
***
*** change mode
Process shutdown finished
...
!INFO: Admin context is required to get the interfaces
*** Output from config line 41, "arp timeout 14400"
INFO: Admin context is required to get the interfaces
*** Output from config line 42, "no arp permit-nonconnect..."
crypto ipsec security-association pmtu-aging infinite
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 43, "crypto ipsec security-as..."
Creating context 'admin'... Done. (1)
*** Output from config line 48, "admin-context admin"
tls-proxy maximum-session 1000
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 46, context 'admin', "tls-proxy maximum-sessio..."
.
Cryptochecksum (changed): 22abfedb dbc91fe9 75e7049d 0d1a9326
*** Output from config line 51, " config-url flash:/admi..."
Cryptochecksum (changed): 90116fe1 13ab1c37 939ceb67 b6be4fea
Type help or '?' for a list of available commands.