User Guide for Auto Update Server 3.2.2
Bootstrapping Devices to Operate with AUS

Table Of Contents

Bootstrapping Devices to Operate with AUS

Bootstrapping Security Appliances

Configuring the Software Image and ASDM Image to Boot


Bootstrapping Devices to Operate with AUS


To enable communication between AUS and devices, you must configure transport settings on the devices, before you add them to AUS or the Security Manager inventory. You configure devices according to the functionality you need.

Bootstrapping Security Appliances

Before you can manage a PIX security appliance or an ASA device using AUS, you must set up the PIX security appliance or ASA device with a minimum configuration that provides basic connectivity. See the User Guide for Cisco Security Manager 3.2.2 for details about setting up basic connectivity.

In addition to basic connectivity, you need to configure some settings specific to AUS. The following procedures describe how to configure and verify these settings using the PIX security appliance or ASA device command line interface.


Note You can also use the PIX Firewall Device Manager (PDM) Setup wizard to configure a PIX security appliance running PIX security appliance software version 6.3. See the PDM documentation for more information. Use the Adaptive Security Device Manager (ASDM) Startup Wizard to configure a PIX security appliance running PIX security appliance software version 7.0 and ASA devices. See the ASA and ASDM documentation for more information.



Note ASA devices must be bootstrapped with the asdm image and boot system commands to manage ASDM and ASA software images using AUS. For more information, see Configuring the Software Image and ASDM Image to Boot.


To bootstrap a PIX security appliance or an ASA device to operate with AUS, follow these steps from the console terminal connected to the PIX security appliance or ASA device console port:

Command
Purpose

Step 1 

enable password

Enters privileged mode from which you can configure the PIX security appliance and ASA devices.

Step 2 

config terminal

Enters configuration mode from the terminal.

Step 3 

http server enable

Enables the PIX security appliance or ASA device to be monitored or have its configuration modified from a browser.

Step 4 

http ip_address [netmask] [if_name]

Specifies the host or network authorized to initiate an HTTP connection to the PIX security appliance or ASA device.

ip_address - IP address of the host or network authorized to initiate an HTTP connection to the PIX security appliance and ASA devices.

netmask - Network mask for the http ip_address.

if_name - PIX security appliance or ASA interface name on which the host or network initiating the HTTP connection resides.

Note This setting must be configured for the Auto Update Immediate feature to work.

Step 5 

auto-update server https://username:password@AUSserver_IP_address:port/autoupdate/AutoUpdateServlet

Connects the device to AUS.

username—Login name used to enter the CiscoWorks2000 Server.

password—Password used to enter the CiscoWorks2000 Server.

AUSserver_IP_address—IP address of the AUS server.

port—Port number of the AUS server. Number is typically 443.

Step 6 

auto-update poll-period poll_period [retry_count] [retry_period]

Changes the polling period for AUS.

poll_period—Period in minutes between poll updates. Default is 720 minutes (12 hours).

retry_count—Number of times to retry if unable to connect to server. Default is 0. (Optional)

retry_period—Time, in minutes, between retries. Default is 5. (Optional)

Step 7 

auto-update device-id {hardware-serial | hostname | ipaddress [if_name] | mac-address [if_name] | string text}

Configures the device to use the specified device ID to identify itself.

if_name—The interface name.

text—Text that identifies the device.

Because a PIX security appliance or an ASA device might have more than one interface, the assigned device ID could be the IP address or MAC address of one of the interfaces.

In the following example, "outside" is the name of the outside interface, and the device ID is the IP address of that outside interface.

auto-update device-id ipaddress outside

Step 8 

http ip_address [netmask] [if_name]

(Optional) Use this command if you plan to use the Launch Device Manager feature and you want to limit HTTP access to the device for security purposes. Enter this command for each host you want to allow HTTP access.

ip_address—The host or network authorized to initiate an HTTP connection to the PIX security appliance and ASA devices.

netmask—The network mask for the http ip_address.

if_name—PIX security appliance or ASA device interface name on which the host or network initiating the HTTP connection resides.

In the following example, the host with IP address 10.10.10.10 is permitted access to the device's web server through the outside interface:

http 10.10.10.10 255.255.255.255 outside


Caution We do not recommend that you configure the device with http 0.0.0.0 0.0.0.0 outside. This will allow any external host to connect to your device through the web server.

Step 9 

write memory

Stores the current configuration in Flash memory.

Step 10 

show auto-update

Shows the AUS URL, poll period, timeout, and device ID. Make sure that the settings match those you entered. If necessary, make any modifications.

Step 11 

exit

Exits configuration mode.
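As an added example (not part of the original guide), the following Python check reads a saved running configuration and flags the AUS bootstrap problems described in Steps 3 through 8: a missing http server enable, a missing http host entry, the http 0.0.0.0 0.0.0.0 setting the Caution warns about, a non-HTTPS or malformed AUS URL, and a missing device ID. The sample configuration is constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of a PIX/ASA running configuration after the
# bootstrap steps above (not captured from a real device).
SAMPLE_CONFIG = """\
hostname asa-branch1
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.10.10.10 255.255.255.255 inside
auto-update server https://ausadmin:secret@10.1.1.200:443/autoupdate/AutoUpdateServlet
auto-update poll-period 720 3 5
auto-update device-id ipaddress outside
asdm image disk0:/asdm-522.bin
"""

def audit_aus_bootstrap(config: str) -> list:
    """Return a list of findings for the AUS-related settings in a running config."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    if "http server enable" not in lines:
        findings.append("http server enable missing: AUS cannot reach the device")
    # 'http <ip> <mask> [if_name]' entries, as opposed to 'http server enable'
    http_hosts = [l for l in lines if re.match(r"http \d", l)]
    if not http_hosts:
        findings.append("no http host entry: Auto Update Immediate will not work")
    for l in http_hosts:
        if re.match(r"http 0\.0\.0\.0 0\.0\.0\.0 ", l):
            findings.append(f"open HTTP access: '{l}' lets any host reach the web server")
    server = next((l for l in lines if l.startswith("auto-update server ")), None)
    if server is None:
        findings.append("auto-update server missing: device will never contact AUS")
    else:
        url = urlsplit(server.split(" ", 2)[2])
        if url.scheme != "https":
            findings.append(f"AUS URL uses {url.scheme}, not https")
        if url.path != "/autoupdate/AutoUpdateServlet":
            findings.append(f"unexpected AUS servlet path {url.path}")
    if not any(l.startswith("auto-update device-id ") for l in lines):
        findings.append("auto-update device-id missing: device ID not explicitly set")
    return findings

if __name__ == "__main__":
    for finding in audit_aus_bootstrap(SAMPLE_CONFIG):
        print(finding)
```

Run against a device's saved running configuration after Step 10 to confirm the settings match what you entered.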

Configuring the Software Image and ASDM Image to Boot

By default, the security appliance boots the first software image it finds in internal Flash memory. It also boots the first ASDM image it finds in internal Flash memory, or if none exists there, then in external Flash memory. If you have more than one image, you should specify the image you want to boot. In the case of the ASDM image, if you do not specify the image to boot, even if you have only one image installed, then the security appliance inserts the asdm image command into the running configuration. To avoid problems with Auto Update (if configured), and to avoid the image search at each startup, you should specify the ASDM image you want to boot in the startup configuration.

You must use the boot system and asdm image commands on your security appliance to point to the versions of the images that AUS downloads to the device. Otherwise, the existing image on the security appliance is overwritten with the latest version being downloaded from AUS, and the ASDM image update might fail.

Also, the configuration file that is assigned to a security appliance must point to the same boot software image and ASDM image that are configured on the device. Otherwise, the existing image on the security appliance is overwritten with the latest version being downloaded from AUS.

If you see the following messages on the security appliance, make sure that the ASDM image on the security appliance is compatible with the current version. You can verify this condition by viewing the output of the show run command on the device.

Auto-update client: Sent DeviceDetails to /autoupdate/AutoUpdateServlet of server 10.1.1.200
Auto-update client: Processing UpdateInfo from server 10.1.1.200
Auto-update client: Failed to contact: https://10.1.1.200/autoupdate/AutoUpdateServlet, reason: ErrorList error code: CALLHOME-PARSER-ERROR, description: The XML parser encountered an error: The content of element type "DeviceDetails" must match "(DeviceID,HostName,PlatformFamily,PlatformType,SerialNumber,SysObjectId,IPAddress+,VersionInfo*,Memory*)

To configure the software image to boot, enter the following command:

hostname(config)# boot system url

where url is one of the following:

{flash:/ | disk0:/ | disk1:/}[path/]filename

The flash:/ keyword represents the internal Flash memory on the PIX 500 series security appliance. You can enter flash:/ or disk0:/ for the internal Flash memory on the ASA 5500 series adaptive security appliance. The disk1:/ keyword represents the external Flash memory on the ASA.

tftp://[user[:password]@]server[:port]/[path/]filename

This option is only supported for the ASA 5500 series adaptive security appliance.

You can enter up to four boot system command entries, to specify different images to boot from in order; the security appliance boots the first image it finds. Only one boot system tftp: command can be configured, and it must be the first one configured.

To configure the ASDM image to boot, enter the following command:

hostname(config)# asdm image {flash:/ | disk0:/ | disk1:/}[path/]filename
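As an added example (not part of the original guide), this Python check applies the rules in this section before an AUS image update: the device must have boot system and asdm image entries, at most four boot system entries with at most one tftp: entry that comes first, and the configuration file assigned to the device in AUS must point to the same boot software image and ASDM image. Both configuration samples are constructed for illustration.

```python
import re

# Constructed sample of a device running configuration and of the
# configuration file assigned to it in AUS (not from a real deployment).
DEVICE_CONFIG = """\
boot system disk0:/asa722-k8.bin
asdm image disk0:/asdm-522.bin
"""
ASSIGNED_CONFIG = """\
boot system disk0:/asa722-k8.bin
asdm image disk0:/asdm-521.bin
"""

def boot_entries(config: str) -> tuple:
    """Return the ordered boot system URLs and the asdm image URL (or None)."""
    boots = re.findall(r"^boot system (\S+)", config, re.M)
    asdm = re.search(r"^asdm image (\S+)", config, re.M)
    return boots, (asdm.group(1) if asdm else None)

def check_boot_images(device: str, assigned: str) -> list:
    """Flag boot system / asdm image problems that can break an AUS image update."""
    findings = []
    dev_boots, dev_asdm = boot_entries(device)
    asg_boots, asg_asdm = boot_entries(assigned)
    if not dev_boots:
        findings.append("no boot system entry: first image found in Flash will boot")
    if len(dev_boots) > 4:
        findings.append("more than four boot system entries")
    tftp = [i for i, u in enumerate(dev_boots) if u.startswith("tftp:")]
    if len(tftp) > 1:
        findings.append("only one boot system tftp: entry is allowed")
    if tftp and tftp[0] != 0:
        findings.append("boot system tftp: entry must be configured first")
    if dev_asdm is None:
        findings.append("no asdm image entry: ASDM image update may fail")
    if dev_boots and asg_boots and dev_boots != asg_boots:
        findings.append(f"boot system mismatch: device {dev_boots}, assigned {asg_boots}")
    if dev_asdm != asg_asdm:
        findings.append(f"asdm image mismatch: device {dev_asdm}, assigned {asg_asdm}")
    return findings

if __name__ == "__main__":
    for finding in check_boot_images(DEVICE_CONFIG, ASSIGNED_CONFIG):
        print(finding)
```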