This post will describe how to upgrade a standalone Firepower 1010 hardware running ASA firmware version 9.18.2 to 9.20.2. The software upgrade image will be copied to the ASA using SolarWinds SFTP/SCP Server software, this is free to download and install.
Before upgrade the ASA firmware you should read the release notes of the new version you wish to upgrade to, in order to determine if there are any caveats to be concerned about. https://www.cisco.com/c/en/us/support/security/adaptive-security-appliance-asa-software/products-release-notes-list.html
- Download the ASA firmware image from software.cisco.com
- Save the file to a local folder.
- Configure the SCP server to use the folder location as above (if not already configured).
Before upgrading the ASA take a backup copy of the running configuration, run the command copy running-config scp://<username>:<password>@<server ip address>/<filename>
ASA# copy running-config scp://admin:admin@192.168.10.11/ASA-backup-210324.txt Source filename [running-config]? Address or name of remote host [192.168.10.11]? Destination username [admin]? Destination filename [ASA-backup-210324.txt]? Cryptochecksum: b384ab0f 6724477a 1fa2115c 88099b9f !!!!!!!!!!!!!!!!!!!!!!!!!!! 26760 bytes copied in 0.500 secs
With the ASA configuration backed up and saved off box, you can now safely upgrade the ASA.
- Copy the ASA upgrade image file to the ASA using the command copy scp://<username>@<ip address>/<image name>
ASA# copy scp://admin@192.168.10.11/cisco-asa-fp1k.9.20.2.2.SPA flash: Address or name of remote host [192.168.10.11]? Source username [admin]? Source filename [cisco-asa-fp1k.9.20.2.2.SPA]? Destination filename [cisco-asa-fp1k.9.20.2.2.SPA]? Accessing scp://admin@192.168.10.11/cisco-asa-fp1k.9.20.2.2.SPA... Password: ***** !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! ----------------------------------- SNIP ----------------------------------------- Verifying file disk0:/cisco-asa-fp1k.9.20.2.2.SPA... Writing file disk0:/cisco-asa-fp1k.9.20.2.2.SPA... 421203680 bytes copied in 428.410 secs (984120 bytes/sec)
- Run the command show running-config boot system to confirm the existing firmware version and remove. This may not be present if the ASA firmware was installed via ROMMON.
- Run the command boot system disk0:/<image file> – i.e, boot system disk0:/cisco-asa-fp1k.9.20.2.2.SPA
- Save the configuration, run the command write mem.
- Run the command reload to reboot the firewall.
The reboot of the ASA will take up to 20 minutes.
Once the device has rebooted, login and run show version and confirm the ASA is now running the new version.
ASA# show version Cisco Adaptive Security Appliance Software Version 9.20(2)2 SSP Operating System Version 2.14(1.131) Device Manager Version 7.20(2) Compiled on Mon 11-Dec-23 23:43 GMT by builders System image file is "disk0:/installables/switch/fxos-k8-fp1k-lfbff.2.14.1.131.SPA" Config file at boot was "startup-config" ASA up 1 min 13 secs Start-up time 7 secs
NOTE – The ASA image bundle includes the latest ASDM image, and when you upgrade the ASA bundle, the ASDM image in the bundle replaces the previous ASDM bundle image on the ASA after reloading because they have the same name (asdm.bin).
Login to the ASA via ASDM, this will prompt you to Upgrade Now.
With that the ASA is now upgraded, check connectivity, and ensure the ASA is working as expected.
integrating IT 