Dưới đây là một qui trình nâng cấp, qui trình này chưa có phần cập nhật activation-key. Upgrading an Image from an Administrative Session 1. Make sure an image server is available. The server should have the firewall image available for downloading, either by TFTP, FTP, HTTP, or HTTPS. 2. Make sure you have sufficient space on the flash file system. An ASA allows one or more image files as well as other files to be stored in flash, as long as you have sufficient space to contain them all. When a new image or file is downloaded, it is stored in flash with a specific filename. A file is overwritten only if an existing file in flash has an identical filename. You can use the following command to check the available (free) space in the flash memory: Firewall# dir flash:/ For example, suppose a new firewall image is available on a server. The image file size is 4,995,512 bytes. First, the amount of free flash memory is checked, giving the following output: Firewall# dir flash:/ Directory of flash:/ 6 -rw- 4976640 10:04:50 Nov 12 2004 image.bin 10 -rw- 1575 23:05:09 Sep 30 2004 old_running.cfg 12 -rw- 3134 23:30:24 Nov 08 2004 admin.cfg 13 -rw- 1401 14:12:31 Oct 20 2004 CustomerA.cfg 14 -rw- 2515 23:29:28 Nov 08 2004 border.cfg 17 -rw- 1961 13 22 Oct 25 2004 datacenter.cfg 23 -rw- 8596996 10:12:38 Nov 12 2004 asdm.bin 21 drw- 704 15:06:09 Nov 22 2004 syslog 32 -rw- 205 15:06:08 Nov 22 2004 stuff 16128000 bytes total (2466816 bytes free) Firewall# Clearly, 2,466,816 bytes free is insufficient to store the new image unless the existing image (image.bin) is overwritten. On an FWSM or a PIX 6.3 platform, only one operating system image and one PDM image can be stored in the flash file system at any time. If a new image is downloaded, it automatically overwrites an existing image in flash. 3. Make sure the firewall can reach the server: Firewall# ping [interface] ip-address The server has IP address ip-address. The firewall should already have the necessary routing information to reach the server. You can specify the firewall interface where the server is located ("outside," for example) if the firewall cannot determine that directly. For example, this firewall can reach the server at 192.168.254.2: Firewall# ping 192.168.254.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.254.2, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms Firewall# 4. (TFTP only) Identify a possible TFTP server: Firewall(config)# tftp-server interface ip-address path The TFTP server can be found at ip-address on the firewall interface named interface (outside), for example. As of FWSM 3.1(1) and ASA 7.0(1), the interface parameter is required. For prior releases, the firewall always assumes the inside interface is used for TFTP. The only way to override this assumption is by specifying a firewall interface in the tftp-server command. This interface is always used whenever files are copied to and from a TFTP server, even if the server address is different from the one configured with this command. The image files are stored in the path directory on the TFTP server. This path is relative only to the TFTP process itself. For example, if the image files are stored in the topmost TFTP directory (/tftpboot within the server's file system, for example), the path would be /, or theroot of the TFTP directory tree. The tftp-server command is optional because most of the TFTP parameters can be given with the copy EXEC command when the image is downloaded. 5. Copy the image file from the server. With any download method, the basic command syntax is: Firewall# copy source flash:[image | pdm | filename] The image is downloaded and copied into flash memory as either an operating system image or a pdm image. Only one of either image type can be stored in the firewall flash, and their locations are automatically determined. In fact, PIX 6.3 restricts the image transfer to these two file types. ASA and FWSM platforms make use of their more flexible flash file systems. From the system execution space, you can copy one or more image files into flash and then specify which image the firewall should use. You can give the destination filename as an arbitrary filename. You also can use the image or asdm keywords for backward compatibility. In that case, the firewall uses the image filename configured with the boot system or asdm image commands, respectively. Also, you can choose TFTP, FTP, or HTTP as the copy method, as discussed in the following steps. Use a TFTP server: Firewall# copy tftp:[:[[//location][/pathname]] flash: [image | pdm | filename] The image file is located on the TFTP server at location, which can be either a hostname (already defined with a name command) or an IP address. The image file is referenced by pathname, which can include any directory structure needed within TFTP, along with the filename. (If the actual path name of the TFTP directory contains spaces, you should first define the whole path name using the tftp-server command. Spaces are not allowed in the pathname here.) If the location or pathname parameters are left out of this command, the firewall prompts you for those values. If you add a colon after the tftp keyword, the firewall picks up the remaining parameters configured with the tftp-server command. For example, suppose a new operating system image named newimage.bin is located on TFTP server 192.168.254.2. Recall that the firewall assumes that the TFTP server is located on the inside interface by default. In this case, it is located on the outside interface. You can download the new firewall image into flash memory using the following commands: Firewall# configure terminal Firewall(config)# tftp-server outside 192.168.254.2 / Firewall(config)# exit Firewall# copy tftp://192.168.254.2/newimage.bin flash:image Address or name of remote host [192.168.254.2]? Source filename [newimage.bin]? Destination filename [image.bin]? %Warning:There is a file already existing with this name Do you want to over write? [confirm] Accessing tftp://192.168.254.2/newimage.bin !!!!!!!!!!!!! [output omitted] Writing file flash:/image.bin !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!1 4976640 bytes copied in 143.380 secs (34801 bytes/sec) Firewall# . Dưới đây là một qui trình nâng cấp, qui trình này chưa có phần cập nhật activation-key. Upgrading an Image. interface (outside), for example. As of FWSM 3.1(1) and ASA 7.0(1), the interface parameter is required. For prior releases, the firewall always assumes