||Open a CLI session to the ASA using the console or SSH.|
||Download the appropriate ASA CX image to the ASA flash. |
In the following example, replace <TFTP SERVER> with the address of your server and use the correct image name for the file you are downloading.
ciscoasa# conf t
ciscoasa(config)# copy tftp://<TFTP SERVER>/asacx-5500x-boot-9.1.1-28.img disk0:/
||Remove any existing ASA CX image and shut down IPS if necessary. |
If the system has an existing ASA CX image, uninstall it. If you ever enabled the IPS software module, ensure that it is shut down and uninstalled.
If you have an active service policy redirecting traffic to an IPS module, you must remove that policy. For example, if the policy is a global one, you would use no service-policy ips_policy global.
The following example uninstalls an ASA CX image and verifies that the IPS module is shut down before uninstalling it. Verify that the state of the IPS module in the show module output is “Down.” This example does not show a required command sequence; omit any commands that are not necessary for your device. If you must uninstall a module, reload the device. (Output is omitted.)
ciscoasa(config)# sw-module module cxsc uninstall
ciscoasa(config)# sw-module module ips shutdown
ciscoasa(config)# sh module ips
ciscoasa(config)# sw-module module ips uninstall
||Install the boot image. |
The image requires at least 5-15 minutes to boot.
In the following example, use the name of the image you downloaded to disk0.
ciscoasa(config)# sw-module module cxsc recover configure image disk0:/asacx-5500x-boot-9.1.1-28.img
ciscoasa(config)# sw-module module cxsc recover boot
||Open a console session to ASA CX using the session cxsc console command. |
Log in as admin (default password is Admin123).
To leave the console session and return to the ASA CLI, press Ctrl-^ (typically Ctrl-Shift-6), then press x.
ciscoasa# session cxsc console
Establishing console session with slot 1
Opening console session with module cxsc.
Connected to module cxsc. Escape character sequence is 'CTRL-SHIFT-6 then x'.
cxsc login: admin
||Create the required partitions. |
Disk /dev/sda doesn't contain a valid partition table
WARNING: You are about to erase all policy configurations and data.
You cannot undo this action.
Are you sure you want to proceed? [y/n]: y
Partition Successfully Completed
||Use the setup command to configure the system: |
Before you start the setup wizard, be sure you determine the correct input for the following values (the default host name is asacx):
- Host name for the system.
The hostname must be fewer than 65 characters and can contain letters, numbers, and hyphens only. The first and last character must be a letter or number, and the hostname cannot be all numbers.
- The type of addressing to use for the management IP address.
You can configure the following types of address: static IPv4, DHCP for IPv4, static IPv6, IPv6 stateless autoconfiguration. For the ASA CX software module, the address must be on the same subnet as the ASA management address, and the ASA management interface must be up and available. You can configure both IPv4 and IPv6 addressing. Do the following:
  - IPv4 static address: Determine the IPv4 management IP address, subnet mask, and gateway.
  - DHCP: Ensure there is a DHCP server that will respond on the management network.
    DHCP is not recommended. The system will stop functioning correctly if DHCP changes the assigned address due to lease expiration or other reasons. We suggest you use static addressing instead.
  - IPv6 static address: Determine the IPv6 management IP address and prefix length and gateway.
  - IPv6 stateless autoconfiguration: IPv6 stateless autoconfiguration will generate a global IPv6 address only if the link on which the device resides has a router configured to provide IPv6 services, including the advertisement of an IPv6 global prefix for use on the link. If IPv6 routing services are not available on the link, you will get a link-local IPv6 address only, which you cannot access outside of the device's immediate network link.
    IPv6 stateless autoconfiguration assigns a global address based on network prefix and a device identifier. Although this address is unlikely to change, if it does change, the system will stop functioning correctly. We suggest you use static addressing instead.
- DNS information.
If you do not use DHCP, you need to specify the IP addresses (IPv4 or IPv6) of the primary and optionally, secondary, DNS servers and the local domain name. If you configure both IPv4 and IPv6 management addresses, you can enter DNS addresses in either or both formats; otherwise, you must match the format of the management address.
You can also enter a comma-separated list of search domains, which are sequentially appended to host names that are not fully qualified in an attempt to resolve the name to an IP address. For example, a search domain list would allow you to ping www instead of a fully-qualified name such as www.example.com.
- NTP information.
You can decide whether to configure Network Time Protocol (NTP) for system time. When using NTP, specify the NTP server names or IPv4 addresses.
You will be asked if you want to use NTP symmetric key authentication. Authentication is useful if you want to ensure your time source is trusted. If you configure authentication, follow the prompts to add the key number (e.g. 2), key type, and key, and then assign the keys to your servers based on key number. Supported key types include MD, MD2, MD5, SHA, SHA1, MDC2, and RIPEMD160. Because the key must first be defined on the NTP server, obtain the keys from the server administrator. If you own the NTP server, consult the server documentation to learn how to configure authentication.
When you complete the wizard, you are shown a summary of the configuration. Enter Y to save the configuration.
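The input constraints listed for the setup wizard (hostname rules, management address on the ASA management subnet, DNS address format matching the management address) can be checked before you start. The following Python sketch is an added example, not part of the original procedure or of the ASA CX software; the function names and the sample addresses are assumptions chosen for illustration.

```python
import ipaddress
import re

# Letters, digits and hyphens only; first and last character alphanumeric.
_HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?")


def check_hostname(name):
    """Return the hostname rules that `name` violates (empty list if valid)."""
    errors = []
    if not 0 < len(name) < 65:
        errors.append("hostname must be fewer than 65 characters")
    if not _HOSTNAME_RE.fullmatch(name):
        errors.append("letters, digits, hyphens only; first/last must be a letter or digit")
    if name.isdigit():
        errors.append("hostname cannot be all numbers")
    return errors


def check_management(cx_addr, asa_mgmt_cidr):
    """The ASA CX address must be on the ASA management interface's subnet."""
    cx = ipaddress.ip_address(cx_addr)
    asa = ipaddress.ip_interface(asa_mgmt_cidr)
    if cx.version != asa.version or cx not in asa.network:
        return [f"{cx} is not on the ASA management subnet {asa.network}"]
    if cx == asa.ip:  # extra sanity check, not a rule stated in the procedure
        return [f"{cx} duplicates the ASA management address"]
    return []


def check_dns(dns_servers, mgmt_addrs):
    """DNS servers must use an address family that management also uses."""
    families = {ipaddress.ip_address(a).version for a in mgmt_addrs}
    return [f"DNS server {d} does not match the management address format"
            for d in dns_servers
            if ipaddress.ip_address(d).version not in families]


if __name__ == "__main__":
    # Constructed sample values (RFC 5737 / RFC 3849 documentation ranges).
    problems = (check_hostname("asacx-01")
                + check_management("192.0.2.10", "192.0.2.1/24")
                + check_dns(["192.0.2.53", "2001:db8::53"], ["192.0.2.10"]))
    for p in problems:
        print("FAIL:", p)
    print("ready for setup" if not problems else f"{len(problems)} problem(s)")
```

With the sample values, the IPv6 DNS server is reported because only an IPv4 management address is configured.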
||Use the system install command to install the ASA CX System Software package. You must first ensure that the package is on an HTTP/HTTPS/FTP server that is accessible to the ASA CX. |
For example, the following command upgrades the system with the asacx-sys-9.1.1.pkg package. Enter Y to install the upgrade.
asacx-boot> system install https://upgrades.example.com/packages/asacx-sys-9.1.1.pkg
You need to authenticate with the server to download the package.
Password: (typing not displayed)
Description: Cisco ASA CX System Upgrade
Requires reboot: Yes
Do you want to continue with upgrade? [y]: Y
Warning: Please do not interrupt the process or turn off the system.
Doing so might leave system in unusable state.
Stopping all the services ...
Starting upgrade process ...
Reboot is required to complete the upgrade. Press Enter to reboot the system.
||Press Enter to reboot the system. |
Rebooting the system closes the console session. Allow 10-15 minutes for the system to reboot.
||Open a console session and log in as the admin user. |
ciscoasa# session cxsc console
||If necessary, configure the time settings. |
Use the show time command to determine the current date, time, and time zone for the system. The default is to use the UTC time zone.
If you are using NTP, you can configure the local time zone using the config timezone command. If you are not using NTP, also configure the local time using the config time command.
||Use the config passwd command to change the password for the admin user. You are prompted for the new password.|
||The device is now ready for use. |
Use a browser to open the web interface using https://server_address.
You can log out of the CLI by entering the exit command.
For information on the other commands available in the CLI, enter help or ?.