ASA firewall: recovering the software image from ROMMON monitor mode


Lesson learned the hard way: the command that erases the firewall configuration is write erase, not erase flash! (erase flash: wipes the flash file system, image included, which is exactly how a box ends up in ROMMON with nothing to boot.)

Crossover cable: Management 0/0 on the ASA to the PC's RJ45 port.

USB-to-RJ45 console cable from the PC to the console port. Both cables must be connected at the same time: the console session drives ROMMON, the management port carries the TFTP transfer.

Prepare: Cisco TFTP Server, Xshell 6 (any terminal emulator works), and the ASA image file. This is a .bin such as asa9-12-1-smp-k8.bin, not an ISO, and although the post calls it the IOS the ASA runs its own software image. Putting it on the desktop is convenient because the TFTP root can then point there. Check the file's MD5/SHA512 against the values on Cisco's download page before serving it: TFTP has no authentication, and ROMMON boots whatever it receives.

I. Run the Cisco TFTP Server service, with its root directory set to the folder holding the image

II. Configure the PC's network interface: give it 192.168.1.2/24, the address used as SERVER and GATEWAY below

III. Enter monitor mode (ROMMON)

While the device boots it prompts for a key to enter monitor mode:

Use BREAK or ESC to interrupt boot.

Use SPACE to begin boot immediately.

1. Press ESC to enter monitor mode.

rommon #1>

rommon #2> ADDRESS=192.168.1.1    (the ASA's address)

rommon #3> GATEWAY=192.168.1.2    (default gateway; set it to the PC's address)

rommon #4> IMAGE=asa9-12-1-smp-k8.bin    (the image file name, exactly as it sits in the TFTP root)

rommon #5> SERVER=192.168.1.2    (TFTP server address, i.e. the PC)

rommon #6> sync    (writes the variables to NVRAM so they survive a reset)

Updating NVRAM Parameters…

rommon #7> ping 192.168.1.2

Link is UP

Sending 20, 100-byte ICMP Echoes to 192.168.1.2, timeout is 4 seconds:

?!!!!!!!!!!!!!!!!!!!

Success rate is 95 percent (19/20)

If the ping fails, check the PC's NIC settings (192.168.1.2) and the cable on Management 0/0 before going on.

2. Run the tftpdnld command

It prints the variables it will use and then the transfer progress:

rommon #8> tftpdnld

ROMMON Variable Settings:

ADDRESS=192.168.1.1

SERVER=192.168.1.

GATEWAY=192.168.1.2

PORT=Management0/0

VLAN=untagged

IMAGE=asa9-12-1-smp-k8.bin

CONFIG=

LINKTIMEOUT=20

PKTTIMEOUT=4

RETRY=20

tftp asa9-12-1-smp-k8.bin@192.168.1.2 via 192.168.1.2

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
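The transfer behind tftpdnld is plain TFTP: ROMMON sends a read request for IMAGE to SERVER, the server answers with 512-byte DATA blocks and ROMMON ACKs each one, and the run of `!` above is those blocks arriving. The Python below is an added example, not code from the original post or from Cisco: it implements that exchange on both sides over loopback and, unlike a TFTP server left with an unrestricted root, refuses anything outside one directory, because TFTP has no authentication and whatever is on that cable can ask for any file the server can read. The fake image bytes in demo() and the temporary file and directory names are constructed for the example.

```python
"""Read-only TFTP (RFC 1350, octet mode) server and client over loopback.
Added example, not from the original post or Cisco; the image bytes in
demo() are constructed and the directory restriction is this script's own."""
import os
import socket
import struct
import tempfile
import threading

OP_RRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 3, 4, 5
BLOCK = 512  # RFC 1350 block size; a block shorter than this ends the transfer


def safe_path(root, name):
    """Resolve name below root; None for traversal, a directory or a missing file."""
    root = os.path.realpath(root)
    path = os.path.realpath(os.path.join(root, name.lstrip("/\\")))
    if os.path.commonpath([root, path]) != root or not os.path.isfile(path):
        return None
    return path


def parse_rrq(pkt):
    """Return the filename from an octet-mode read request, else None."""
    if len(pkt) < 2 or struct.unpack("!H", pkt[:2])[0] != OP_RRQ:
        return None
    fields = pkt[2:].split(b"\0")
    if len(fields) < 2 or fields[1].lower() != b"octet":
        return None
    return fields[0].decode("ascii", "replace")


def _send_file(path, peer, timeout=2.0, retries=5):
    """Serve one transfer from its own ephemeral port, as the RFC requires."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    with sock, open(path, "rb") as f:
        block = 1
        while True:
            chunk = f.read(BLOCK)
            data = struct.pack("!HH", OP_DATA, block & 0xFFFF) + chunk
            for _ in range(retries):  # resend DATA until the matching ACK arrives
                sock.sendto(data, peer)
                try:
                    ack, src = sock.recvfrom(4)
                except socket.timeout:
                    continue
                if src == peer and ack == struct.pack("!HH", OP_ACK, block & 0xFFFF):
                    break
            else:
                return False  # peer went away (e.g. the ASA was reset mid-transfer)
            if len(chunk) < BLOCK:
                return True
            block += 1


def serve(root, host="127.0.0.1", port=0):
    """Answer read requests for files under root from a daemon thread."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))

    def loop():
        while True:
            pkt, peer = sock.recvfrom(1024)
            name = parse_rrq(pkt)
            path = safe_path(root, name) if name else None
            if path is None:  # error 1 "file not found" for every refusal
                sock.sendto(struct.pack("!HH", OP_ERROR, 1) + b"File not found\0", peer)
                continue
            threading.Thread(target=_send_file, args=(path, peer), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return sock.getsockname()


def tftp_get(host, port, name, timeout=2.0):
    """Fetch name in octet mode; return its bytes, or None on a TFTP error."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    out, expected = bytearray(), 1
    with sock:
        sock.sendto(struct.pack("!H", OP_RRQ) + name.encode() + b"\0octet\0", (host, port))
        while True:
            pkt, src = sock.recvfrom(4 + BLOCK)
            op, num = struct.unpack("!HH", pkt[:4])
            if op == OP_ERROR:
                return None
            if op != OP_DATA or num != expected & 0xFFFF:
                continue  # stray or out-of-order block; the server will resend
            out += pkt[4:]
            sock.sendto(struct.pack("!HH", OP_ACK, num), src)  # ACK goes to the data port
            if len(pkt) - 4 < BLOCK:
                return bytes(out)
            expected += 1


def demo():
    """Constructed run: serve a fake 1284-byte image, fetch it, try to escape root."""
    root = tempfile.mkdtemp()
    image = bytes(range(256)) * 5 + b"tail"  # two full blocks plus a 260-byte last block
    with open(os.path.join(root, "asa9-12-1-smp-k8.bin"), "wb") as f:
        f.write(image)
    fd, outside = tempfile.mkstemp()  # a file next to root that must stay private
    os.close(fd)
    host, port = serve(root)
    got = tftp_get(host, port, "asa9-12-1-smp-k8.bin")
    leak = tftp_get(host, port, "../" + os.path.basename(outside))
    return {"received": len(got or b""), "intact": got == image, "traversal_blocked": leak is None}
```

Call demo() to watch one transfer complete and one traversal attempt get error 1. When serving a real image, point root at a folder that holds only that file, and verify its hash against Cisco's published value first; the ROMMON side checks nothing.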

3. Install the image on the ASA

At this point the image has not been written to the ASA: the device booted it over TFTP into memory. You can confirm this with show version once it is up:

System image file is "tftp://192.168.1.2/asa821-k8.bin"

After boot, connect the TFTP server to an interface other than the management interface, then copy the image into flash (a 568B straight-through cable from the firewall's g0/0 port to the PC is recommended).

Note: the interface must have a nameif, otherwise it passes no traffic; naming it inside sets security-level 100 automatically. The interface name depends on the model (Ethernet0/0 below, GigabitEthernet0/0 on the 5500-X series).

ASA#conf t

ASA(config)#int e0/0

ASA(config-if)#nameif inside

ASA(config-if)#ip add 192.168.1.1 255.255.255.0

ASA(config-if)#no sh

ASA(config-if)#end

ASA#ping 192.168.1.2

Once the ping succeeds the image can be loaded.

Copy it from the TFTP server into flash (this is copy tftp: flash:, not tftpdnld, which only exists in ROMMON):

ASA#copy tftp: flash:

Tftp server IP address:192.168.1.2

Source file name:asa9-12-1-smp-k8.bin

Destination file name:asa9-12-1-smp-k8.bin

That is not the end: the boot image still needs to be set, with:

ASA(config)#boot system disk0:/asa9-12-1-smp-k8.bin    (the author's note: this step feels optional)

Without a boot system statement the ASA boots the first valid image it finds in the root of disk0:, which works only while the new image is the only one there, so setting it explicitly is the safer habit. Make sure the path matches where copy tftp: flash: put the file (disk0:/asa9-12-1-smp-k8.bin here).

A warning appears at this point; carry on regardless and it still works.

ASA(config)#wr    (write memory)

Then reload.

IV. Related error messages

After the reboot the recovery succeeded, but the following messages appeared (they can be ignored; it is not yet certain whether they affect later configuration):

Cisco Adaptive Security Appliance Software, version 9.12
Copyright (c) 1996-2019 by Cisco Systems, Inc.
For licenses and notices for open source software used in this product, please visit
http://www.cisco.com/go/asa-opensource

Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software – Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706

Reading from flash…
!!WARNING: BOOT variable added, but unable to find disk0:/disk0/asa9-12-1-smp-k8.bin
*** Output from config line 58, “boot system disk0:/disk0…”
.
Cryptochecksum (unchanged): 88da30e0 eff17eac 2e4eedb2 6438b6e2

INFO: Power-On Self-Test in process.
……………………………………………………………..
INFO: Power-On Self-Test complete.

INFO: Starting HW-DRBG health test…
INFO: HW-DRBG health test passed.

INFO: Starting SW-DRBG health test…
INFO: SW-DRBG health test passed.
User enable_1 logged in to ciscoasa
Logins over the last 1 days: 1.
Failed logins since the last login: 0.
Type help or ‘?’ for a list of available commands.
ciscoasa> CXSC module is no longer supported and was prevented from booting
Consider uninstalling the unsupported CXSC module with the command ‘sw-module module cxsc uninstall’

Problem 1:

!!WARNING: BOOT variable added, but unable to find disk0:/disk0/asa9-12-1-smp-k8.bin

The warning quotes the configured path, and that path repeats the device name (disk0:/disk0/...), so the file cannot be found at boot; the image copied with copy tftp: flash: sits at disk0:/asa9-12-1-smp-k8.bin. Remove the bad statement with no boot system, enter it again with the correct path, and compare show bootvar with dir disk0: before the next reload. The box still came up only because, with no usable boot entry, the ASA fell back to the first image in the root of disk0:.
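Problem 1 is cheap to catch before the reload by checking every boot system line against the real dir disk0: listing. The Python below is an added example, not the post's own method: it runs on constructed sample text in the ASA's output format (the sizes and dates are invented), normalises each path, flags the repeated device name that produced the warning above, and confirms the file is actually present in the root of disk0:.

```python
"""Check `boot system` statements against a `dir disk0:` listing before reload.
Added example, not from the original post. The listing and config below are
constructed sample text in the ASA's output format; sizes and dates are made up."""
import re

# Constructed `dir disk0:` output: index, permissions, size, time, date, name.
DIR_DISK0 = """\
Directory of disk0:/

11     -rwx  110489600   13:37:38 Aug 09 2019  asa9-12-1-smp-k8.bin
12     -rwx  26849040    13:40:02 Aug 09 2019  asdm-7121.bin
13     drwx  4096        09:00:00 Jan 01 2019  coredumpinfo

8133672960 bytes total (7898513408 bytes free)
"""

# Constructed config excerpt. Line 1 has the shape that produced the
# "unable to find disk0:/disk0/..." warning; line 4 names a file not on flash.
RUNNING_CONFIG = """\
boot system disk0:/disk0/asa9-12-1-smp-k8.bin
boot system disk0:/asa9-12-1-smp-k8.bin
boot system disk0:asa9-12-1-smp-k8.bin
boot system disk0:/asa9-8-4-k8.bin
"""

ENTRY = re.compile(r"^\s*\d+\s+([-drwx]+)\s+\d+\s+\S+\s+\S+\s+\d+\s+\d{4}\s+(\S+)\s*$")


def parse_dir(text):
    """Return (device, files, dirs) from `dir <device>:` output."""
    device = re.search(r"Directory of (\w+):", text).group(1)
    files, dirs = set(), set()
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            (dirs if m.group(1).startswith("d") else files).add(m.group(2))
    return device, files, dirs


def normalize(path):
    """Split 'disk0:/x/y.bin' or 'disk0:y.bin' into (device, non-empty path parts)."""
    device, _, rest = path.partition(":")
    return device, [p for p in rest.split("/") if p]


def check_boot_lines(config, dir_text):
    """One finding per `boot system` line: ok flag, reason, and the line to use."""
    device, files, dirs = parse_dir(dir_text)
    findings = []
    for m in re.finditer(r"^\s*boot system (\S+)", config, re.M):
        path = m.group(1)
        dev, parts = normalize(path)
        if dev != device or not parts:
            ok, why = False, f"expected a file on {device}:"
        elif len(parts) > 1 and parts[0] == dev:  # disk0:/disk0/x.bin, the case on this page
            parts = parts[-1:]
            ok, why = False, "device name repeated inside the path; file " + (
                "present" if parts[0] in files else "missing") + " in root"
        elif len(parts) > 1:  # a subdirectory: only its existence can be checked here
            ok, why = parts[0] in dirs, f"subdirectory {parts[0]}/; verify with dir {dev}:/{parts[0]}"
        else:
            ok, why = parts[0] in files, "file " + (
                "present" if parts[0] in files else "missing") + f" in root of {device}:"
        findings.append({"line": f"boot system {path}", "ok": ok, "reason": why,
                         "use": f"boot system {dev}:/{'/'.join(parts)}"})
    return findings


if __name__ == "__main__":
    for f in check_boot_lines(RUNNING_CONFIG, DIR_DISK0):
        print("OK " if f["ok"] else "BAD", f["line"], "->", f["reason"], "|", f["use"])
```

Paste your own show running-config | include boot and dir disk0: output into the two strings. A line reported BAD is one the ASA will skip at boot; the ASA accepts several boot system entries and tries them in order, so leaving a bad one in place is harmless only while a good one follows it.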

Problem 2:

ciscoasa> CXSC module is no longer supported and was prevented from booting
Consider uninstalling the unsupported CXSC module with the command 'sw-module module cxsc uninstall'

This is a leftover ASA CX (CXSC) software module on the flash. Version 9.12 does not support it, so the ASA refuses to start it and prints this notice at login; the firewall itself is unaffected. To clear it, remove the module with the command the message suggests, sw-module module cxsc uninstall.

To be continued