Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Cisco ASA 5520 Flash Disaster

Status
Not open for further replies.

pgatt62

Technical User
Aug 23, 2010
24
GB
It would seem that I have inadvertently deleted some flash from a new ASA 5520, namely the first flash 1841 IOS and some others. The ASA goes to ROMOMON first on boot then loads an IOS of some sort and at least lets some configuration take place but I do not know if it will operate under these conditions.
I originally tinkered about with it in ASDM to get a feel for it then did a write erase to clear the config I had made.
I remembered seeing a lot of flash files especially an 1841 Router IOS earlier when I did a "sh flash" but when I checked it later it was gone and so were some others. I then did a "restore to factory default" in ASDM hoping that would return everything to normal but this did not work.
I am worried sick that this could be so serious my position with the company could be in jeopardy. Please can anyone advise me on how to sort out this problem. I do not know if we have any Technical Support Service Agreements with Cisco.
I am at home at the moment but will post the "sh flash" screenshot to anyone who asks, thanks
Sincerely pgatt62
 
if this is new then go find the disks that came with the 5520, one of them should have everything you need to get this back up and running including the code that came with it originally.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Thanks Unclerico, the job for tomorrow has been postponed.
I thought I might have been remembering another flash screen from moments earlier but I'm sure an 1841 router was in the list. Here is what I have on flash at present, could I have got it wrong? I can live with that no problem!
Regards etc pgatt62

ciscoasa# sh flash:
--#-- --length-- -----date/time------ path
124 16275456 May 14 2010 21:30:26 asa821-k8.bin
125 11348300 May 14 2010 23:30:54 asdm-621.bin
3 4096 Jan 01 2003 00:03:50 log
10 4096 Jan 01 2003 00:04:00 crypto_archive
11 4096 Jan 01 2003 00:04:32 coredumpinfo
12 43 Aug 31 2010 15:25:30 coredumpinfo/coredump.cfg
127 12105313 May 14 2010 23:27:22 csd_3.5.841-k9.pkg
128 4096 May 14 2010 23:27:26 sdesktop
134 1462 May 14 2010 23:27:26 sdesktop/data.xml
129 2857568 May 14 2010 23:27:26 anyconnect-wince-ARMv4I-2.4.1012-k9.pkg

130 3203909 May 14 2010 23:27:28 anyconnect-win-2.4.1012-k9.pkg
131 4832344 May 14 2010 23:27:30 anyconnect-macosx-i386-2.4.1012-k9.pkg
132 5209423 May 14 2010 23:27:34 anyconnect-linux-2.4.1012-k9.pkg
133 7058 Aug 31 2010 13:23:36 Temp_Config.cfg

255582208 bytes total (197652480 bytes free)
 
your asa821-k8.bin is the code needed to run the ASA so you should be fine. are you concerned that the 1841 code is no longer there??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
I am concerned the 1841 config isn't there yes. (If it was in the first place.) I've tried all day to get it to work under test conditions but no joy. Checked NAT etc all seems ok. Looked at hundreds of sites and all to no avail which makes me worry if I've broken it right enough. I'm glad that the jobs been postponed but I'm still concerned all the same.
Thanks for your help so far
Regards pgatt62
 
can you post a scrubbed config??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Really sorry but I'm not sure what a scrubbed config is.
 
connect to the device and issue a show run. grab the output and post it here. before posting be sure to clean up any usernames/passwords, mask the first three octets of any public ip addresses, etc.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Thanks for the trouble youre taking for me Unclerico. Following is the config I set up for a basic test rig for a ping through the system that I felt sure would work but didn't. See what you think, cheers:

sh run
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address xx.xx.xx.226 255.255.255.240
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
<--- More --->


interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 10
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
access-list ICMP-ACL extended permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group ICMP-ACL in interface outside
access-group ICMP-ACL in interface inside
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
<--- More --->


class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!

service-policy global_policy global
prompt hostname context
Cryptochecksum:15ef65e9834ee141ac4c3a7572d86d64
: end


ciscoasa#
 
did you try to ping from the ASA itself or did you try and ping from a device behind the ASA??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Initial pings from ASA to devices on either side successful, ping from a host on the inside network to another host or ip address on the outside of the ASA, even the outside ASA ip interface failed.
 
you won't be able to ping the outside interface so that's not an issue. try the following to get icmp traffic to flow:
Code:
ASA(config)# policy-map global_policy
ASA(config-pmap)# class inspection_default
ASA(config-cmap)# inspect icmp
remove the ACL's from the inside and outside interfaces. try to ping again.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Will do. I'm on another project today but I'll get to it later so here's hoping. Pat
 
Just to say that I remember seeing somewhere the "ip inspect" command in router CBAC/SPI configuration but didn't see any mention of this in Harris Andrea's book which I bought before posting my original request. I take it from the default config posted above that only the protocols listed after the "policy-map global_policy" command will be allowed through the ASA, and if I want internet access and any other type of protocol I'll have to add them to the list?
Silly question, but can the outside interface ever be pinged from the inside?
I'll get on to the ASA later today to try out what you suggested. Cheers again
 
traffic that is not included in the global_policy can still be allowed through, but certain traffic needs to be inspected before it will work. the opposite is also true in that inspection sometimes needs to be disabled for some protocols.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Unclerico

I've managed to get it working now to which I'm eternally grateful to you for all your help and patience and not to put too large a spin on it to my great relief!
Thanks for everything and if your ever in Scotland look me up and I'll stand you a couple of beers.

Thanks again pgatt62
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top