Step by Step guide to upgrade Cisco ASA IOS and ASDM Version

Important: Even though the steps below are common to upgrading any version of the Cisco ASA IOS and ASDM, you need to check cisco.com for the vendor-recommended upgrade path before you start. Below is a step-by-step guide to upgrading the Cisco ASA IOS version from 8.6(1)2 to 9.1(2).

Refer to the Cisco recommended upgrade path for the Cisco ASA IOS version.

(config)# show version
Cisco Adaptive Security Appliance Software Version 8.6(1)2
Device Manager Version 6.6(1)
Compiled on Fri 01-Jun-12 02:16 by builders
System image file is "disk0:/asa861-2-smp-k8.bin"
Config file at boot was "startup-config"

So our upgrade path is as follows:

First upgrade 8.6(1) to 9.0(2) and finally to 9.1(2); at the same time we will upgrade our ASDM version to 7.1(5), which supports IOS version 9.1(2).

Upgrade ASA version from 8.6(1)2 to 9.0(2)

Note: There is no need to upgrade the ASDM version at this stage, as we still have to upgrade to our final version 9.1(2); we will upgrade ASDM at that later stage.

Step 1: Verify that you have enough disk space on the Cisco ASA to hold the new bin file. I have 3.7 GB free, so no worries!
Note: Use Whatsbyte.com for byte conversion.

asa-disk-space

Step 2: Download the following from cisco.com (you need a SmartNet login!)

  • Download 9.0(2) and 9.1(2) version of IOS
  • Download 7.1(5) version of ASDM

Step 3: Download and set up a TFTP server from solarwinds.com

Step 4: Upload the 9.0(2) image to the ASA via the TFTP server
(config)# copy tftp: disk0:
Run the 'show disk0:' command to verify that the bin file has been copied to the ASA.

asa-upgrade-tftp-disk0

Step 5: Set the ASA to boot with the new image 9.0(2) the next time it is rebooted (don't forget to save the configuration!).
(config)# boot system disk0:/asa902-10-smp-k8.bin
(config)# wr mem
(config)# reload

asa-boot-new-bin

Step 6: Once the ASA is back up, run 'show version' and verify that the running IOS version is 9.0(2).

Upgrade ASA version from 9.0(2) to 9.1(2) and ASDM version to 7.1(5)

Note: Nothing new here, except that we are also going to upload the latest ASDM version.

Step 1: Upload the 9.1(2) image to the ASA via the TFTP server

asa-upload-bin-912

Step 2: Upload the ASDM 7.1(5) image to the ASA via the TFTP server

asa-upload-asdm-715

Step 3: Set the ASA to boot with the new image 9.1(2), and ASDM to use 7.1(5), the next time it is rebooted (don't forget to save the configuration!).

(config)# boot system disk0:/asa912-smp-k8.bin

(config)# asdm image disk0:/asdm-715.bin

asa-boot-912

Step 4: Verify that the loaded version is 9.1(2), and we are done!
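Before copying an image over TFTP, a practitioner normally scripts two checks: that the version reported by show version really is at the expected point on the upgrade path, and that the downloaded image matches the checksum Cisco publishes beside the download, so a corrupted or tampered file is never written to disk0:. The Python script below is an added example, not from this post or from Cisco: it parses the show version output quoted above, walks the 9.0(2) then 9.1(2) path, and compares an image's digest against a published hash. The image bytes and hash used in the __main__ block are constructed stand-ins.

```python
import hashlib
import hmac
import re

# "show version" lines as captured on this page (transcribed; quotes straightened).
SHOW_VERSION_SAMPLE = """\
Cisco Adaptive Security Appliance Software Version 8.6(1)2
Device Manager Version 6.6(1)
Compiled on Fri 01-Jun-12 02:16 by builders
System image file is "disk0:/asa861-2-smp-k8.bin"
Config file at boot was "startup-config"
"""

# The upgrade path this page follows, in order.
UPGRADE_PATH = ["9.0(2)", "9.1(2)"]


def parse_show_version(text):
    """Pull the running ASA version, ASDM version and boot image out of 'show version'."""
    asa = re.search(r"Software Version (\S+)", text)
    asdm = re.search(r"Device Manager Version (\S+)", text)
    image = re.search(r'System image file is "([^"]+)"', text)
    return {
        "asa_version": asa.group(1) if asa else None,
        "asdm_version": asdm.group(1) if asdm else None,
        "image": image.group(1) if image else None,
    }


def version_tuple(version):
    """Turn '8.6(1)2' or '9.0(2)' into a 4-int tuple so versions compare numerically."""
    nums = [int(n) for n in re.findall(r"\d+", version)]
    return tuple(nums + [0] * (4 - len(nums)))


def next_hop(current, path=UPGRADE_PATH):
    """Return the next version to load along 'path', or None when the path is complete."""
    cur = version_tuple(current)
    for step in path:
        if version_tuple(step) > cur:
            return step
    return None


def image_matches(image_bytes, published_hex, algo="md5"):
    """Compare the downloaded image's digest with the checksum published next to the download.

    The ASA can recompute the digest of the copied file itself with
    'verify /md5 disk0:/<file>' once the upload has finished.
    """
    digest = hashlib.new(algo, image_bytes).hexdigest()
    return hmac.compare_digest(digest, published_hex.strip().lower())


def preflight(show_version_text, image_bytes, published_hex):
    """Combined check: which version to load next, and whether the image file is intact."""
    info = parse_show_version(show_version_text)
    return {
        "running": info["asa_version"],
        "next": next_hop(info["asa_version"]),
        "image_ok": image_matches(image_bytes, published_hex),
    }


if __name__ == "__main__":
    # Constructed stand-in for a downloaded image and its published hash.
    fake_image = b"constructed image bytes"
    fake_published = hashlib.md5(fake_image).hexdigest()
    print(preflight(SHOW_VERSION_SAMPLE, fake_image, fake_published))
```

Run it against the real show version text and the real published hash before each hop; if image_ok is False, delete the file and download it again rather than copying it to the ASA.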

Config SSH and ASDM in Cisco ASA 5500 series

SSH Configuration Commands

Step 1: Set the domain name (needed for the RSA key pair) and create a username and password

(config)# domain-name hackandsecure.com
(config)# username hns1 password ******* privilege 15

Step 2: Enable SSH from the inside interface
(To restrict access to a single host, use a host mask, e.g. ssh 10.240.102.8 255.255.255.255 inside; a mask of 255.255.255.0 would admit the whole 10.240.102.0/24 subnet.)

(config)# ssh 0.0.0.0 0.0.0.0 inside

The line above accepts SSH from any address on the inside interface; limiting it to the management hosts as shown in parentheses is the safer choice.

Step 3: Allow LOCAL authentication
Note: LOCAL must be typed exactly as shown (upper case)

(config)# aaa authentication ssh console LOCAL

asa-ssl-authentication

Step 4: Create an RSA key pair (the command below is the abbreviated form of crypto key generate rsa general-keys modulus 1024; note that 1024-bit RSA is considered weak today and a 2048-bit modulus is the usual choice)

(config)# crypto key gen rsa gen mod 1024

Step 5: It is always good practice to set a timeout for inactive SSH sessions, say 10 minutes.
(config)# ssh timeout 10

ASDM Configuration Commands

Step 1: Using the 'show version' command, verify that the loaded ASDM image version matches the ASA version.

asa-asdm-version

Step 2: Enable http server

(config)# http server enable
(config)# http 0.0.0.0 0.0.0.0 inside

enable-asdm-http

You can run 'show run http' to verify that the HTTP server is enabled.

Note: WebVPN uses the same port 443 as ASDM, so if both are enabled on the same interface, move the ASDM HTTP server to a different port, e.g. 4443 (ASDM is then reached at https://<asa-address>:4443)

(config)# no http server enable
(config)# http server enable 4443

Step 3: Allow LOCAL authentication
Note: LOCAL must be typed exactly as shown (upper case); in the screenshot you can see that the ASA does not recognise the command when it is typed as locaL.

(config)# aaa authentication http console LOCAL

asa-asdm-authentication

Step 4: Ensure ASA is listening on port 443

asdm-liten-port

Step 5: Set a timeout of 10 minutes for inactive sessions.
(config)# http server time-out 10

Do you still have problems accessing the ASA through SSH or ASDM?

• Add an SSL cipher list to the ASA. Most default browsers and SSH clients would reject the default cipher that is present in the Cisco ASA. (This list governs the HTTPS/ASDM and WebVPN side only; SSH ciphers are configured separately. RC4 is now rejected by current browsers and 3DES is deprecated, so on a recent ASA prefer an AES-only list.)
(config)# ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1

ssl-cipher-asa-standard
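The commands in this section open management access, and the two notes about the source mask and the cipher list are exactly the settings that tend to drift over time. The Python script below is an added example, not from this post or from Cisco: it reads a running-config fragment and flags SSH or HTTP access permitted from any source, access granted to a whole subnet instead of one host, deprecated SSL ciphers, and missing aaa authentication lines. Both config fragments are constructed from the commands on this page; the hardened variant is my own suggested counterpart, not something the post shows.

```python
import ipaddress
import re

# Cipher suites that current browsers reject or that are deprecated outright.
WEAK_SSL_CIPHERS = {"rc4-sha1", "rc4-md5", "des-sha1", "3des-sha1", "null-sha1"}

# Constructed running-config fragment assembled from the commands on this page.
CONFIG_AS_ON_PAGE = """\
domain-name hackandsecure.com
username hns1 password <hash removed> encrypted privilege 15
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 10
aaa authentication ssh console LOCAL
http server enable 4443
http 0.0.0.0 0.0.0.0 inside
aaa authentication http console LOCAL
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
"""

# Constructed hardened variant: one admin host per protocol, AES-only SSL list.
CONFIG_HARDENED = """\
ssh 10.240.102.8 255.255.255.255 inside
ssh timeout 10
aaa authentication ssh console LOCAL
http server enable 4443
http 10.240.102.8 255.255.255.255 inside
aaa authentication http console LOCAL
ssl encryption aes256-sha1 aes128-sha1
"""

ACCESS_RE = re.compile(r"^(ssh|http) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")
AAA_RE = re.compile(r"^aaa authentication (ssh|http) console (\S+)$")


def audit_asa_config(config):
    """Return a list of (severity, message) findings; an empty list means nothing was flagged."""
    findings = []
    aaa_seen = set()
    for raw in config.splitlines():
        line = raw.strip()
        m = ACCESS_RE.match(line)
        if m:
            proto, net, mask, iface = m.groups()
            # ipaddress accepts dotted netmasks, so 0.0.0.0/0.0.0.0 becomes a /0 network.
            network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
            if network.prefixlen == 0:
                findings.append(("high", f"{proto}: management reachable from any source on {iface}"))
            elif network.prefixlen < 32:
                findings.append(("info", f"{proto}: whole {network} reaches management on {iface}; "
                                         "a host mask pins access to one admin host"))
            continue
        m = AAA_RE.match(line)
        if m:
            aaa_seen.add(m.group(1))
            continue
        if line.startswith("ssl encryption "):
            weak = [c for c in line.split()[2:] if c in WEAK_SSL_CIPHERS]
            if weak:
                findings.append(("medium", "ssl: deprecated ciphers offered: " + " ".join(weak)))
    # Without an aaa line the ASA does not tie SSH/ASDM logins to a username.
    for proto in ("ssh", "http"):
        if proto not in aaa_seen:
            findings.append(("high", f"{proto}: no 'aaa authentication {proto} console' line; "
                                     "logins are not tied to a username"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("as on page", CONFIG_AS_ON_PAGE), ("hardened", CONFIG_HARDENED)):
        print(name)
        for severity, message in audit_asa_config(cfg):
            print(f"  [{severity}] {message}")
```

Feed it the output of show running-config (or the relevant lines of it) after each change; the hardened fragment produces no findings, the page's own commands produce two high and one medium.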

Failed to enable Virtual Adapter in Cisco VPN Client in 64bit Windows 8

We have Windows 8 64-bit laptop users who receive this error while trying to use the Cisco VPN client.

Cisco VPN on Windows 8.1 - Reason 442: Failed to enable Virtual Adapter

Fix:

  • Click Start and type regedit in the Search field and hit enter.
  • Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CVirtA
  • Find the String Value called DisplayName
  • Right click and select Modify from the context menu.
  • In Value data, remove @oemX.inf,%CVirtA_Desc%;. The Value data should only contain Cisco Systems VPN Adapter for 64-bit Windows.
  • Click Ok.
  • Close Registry Editor.
  • Retry your Cisco VPN Client connection.

Cisco VPN on Windows 8.1 - Reason 442: Failed to enable Virtual Adapter Registry Before

Cisco VPN on Windows 8.1 - Reason 442: Failed to enable Virtual Adapter Registry After

I noticed that some VPN clients still receive the VPN error even though they have the correct DisplayName value; for those I followed the steps below, and it worked for me!

  1. Open Services by running services.msc from the command prompt
  2. Stop the Cisco Systems, Inc. VPN service
  3. Stop the Internet Connection Sharing (ICS) service
  4. Right-click the ICS service and choose Properties, then change Startup type to Disabled or Manual.
  5. Start the Cisco Systems, Inc. VPN service

Cisco VPN fails to enable virtual adapter in windows 8

If you, like me, are facing the 'Reason 442: Failed to enable Virtual Adapter' error after installing the Cisco VPN Client on a Windows 8 system, follow these steps to fix it. Works!

VPN Client Failed Virtual Adapter error in Windows 8 installation
  1. Open the Registry Editor by typing regedit in the Run prompt
  2. Browse to the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CVirtA
  3. Select the DisplayName to modify,
    o    For x86, change the value data from something like “@oem8.inf,%CVirtA_Desc%;Cisco Systems VPN Adapter” to “Cisco Systems VPN Adapter”
    o    For x64, change the value data from something like “@oem8.inf,%CVirtA_Desc%;Cisco Systems VPN Adapter for 64-bit Windows” to “Cisco Systems VPN Adapter for 64-bit Windows”
  4. Try connecting now. No need for restart.
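Both posts above describe the same hand edit of the DisplayName value. The Python script below is an added example, not from either post: it removes the @oemN.inf,%CVirtA_Desc%; prefix for any N, so one function covers the x86 and x64 strings shown above, and it can read and optionally rewrite the live value through the standard-library winreg module when run on Windows from an elevated prompt. The registry path is the one given in the posts; the function names and the dry-run behaviour are my own.

```python
import re
import sys

# Registry location of the Cisco VPN virtual adapter service (from the posts above).
CVIRTA_KEY = r"SYSTEM\CurrentControlSet\Services\CVirtA"

# The broken DisplayName starts with an INF reference that the installer leaves behind.
# Generalised from the page's "@oem8.inf" example to any oem<N>.inf.
BROKEN_PREFIX = re.compile(r"^@oem\d+\.inf,%CVirtA_Desc%;\s*")


def fixed_display_name(value):
    """Return the DisplayName with the '@oemN.inf,%CVirtA_Desc%;' prefix removed."""
    return BROKEN_PREFIX.sub("", value)


def needs_fix(value):
    """True when the value still carries the prefix that triggers Reason 442."""
    return BROKEN_PREFIX.match(value) is not None


def repair_cvirta_display_name(apply=False):
    """Read the live value (Windows only) and rewrite it only when apply=True.

    Returns (old_value, new_value). Writing under HKLM needs an elevated prompt.
    """
    if not sys.platform.startswith("win"):
        raise RuntimeError("registry repair only applies on Windows")
    import winreg  # standard library on Windows builds of Python
    access = winreg.KEY_READ | (winreg.KEY_SET_VALUE if apply else 0)
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CVIRTA_KEY, 0, access) as key:
        old, kind = winreg.QueryValueEx(key, "DisplayName")
        new = fixed_display_name(old)
        if apply and new != old:
            # Keep the original value type (REG_SZ) so the service entry stays valid.
            winreg.SetValueEx(key, "DisplayName", 0, kind, new)
    return old, new


if __name__ == "__main__":
    # Constructed sample values matching the x86 and x64 strings quoted in the post.
    for sample in ("@oem8.inf,%CVirtA_Desc%;Cisco Systems VPN Adapter",
                   "@oem8.inf,%CVirtA_Desc%;Cisco Systems VPN Adapter for 64-bit Windows",
                   "Cisco Systems VPN Adapter for 64-bit Windows"):
        print(needs_fix(sample), "->", fixed_display_name(sample))
```

Run repair_cvirta_display_name() first to see the before/after pair without touching the registry, then repair_cvirta_display_name(apply=True) once the proposed value looks right; a value that is already correct is left untouched.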

IDM or ASDM JAVA Memory Heap Size Issue

When trying to open Intrusion Prevention from Cisco ASDM, the following message is thrown:


Your current Java memory heap size is less than 256 MB, the amount required for IOS IPS to run. To change the Java memory heap size, open the Java control panel and enter -Xmx256m in the Java Applet Runtime Settings dialog. This dialog is in the Java tab, or in the Advanced tab of the Java control panel. After you have changed the Java heap size, restart Cisco SDM.

Solution:

Step 1:
1. Open the Control Panel.
2. Navigate to Programs, and open the Java control panel.
3. Under the Java tab, in the Java Runtime Environment Settings pane, click View.
4. For all enabled Java versions, enter -Xmx512m under Runtime Parameters.
5. Hit OK and close the control panel.


Step 2: The ASDM shortcut will still use its own runtime parameters. Edit it (or create a new shortcut) with the following Target: C:\Windows\System32\javaw.exe -Xms256m -Xmx512m -Dsun.swing.enableImprovedDragGesture=true -classpath lzma.jar;jploader.jar;asdm-launcher.jar;retroweaver-rt-2.0.jar com.cisco.launcher.Launcher

Start in: “C:\Program Files\Cisco Systems\ASDM\”