cisco_ASA防火墙恢复初始化

cisco_ASA防⽕墙恢复初始化
ASA 防⽕墙flash 被删
防⽕墙不断启动
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
按下ESC进⼊监控模式
监控模式下的显⽰和交换机路由器没有什么区别。

命令格式也⼤同⼩异只要⼤家变通⼀下就不难恢复。

rommon #1> ？
Variables: Use "sync" to store in NVRAM
ADDRESS= local IP address
CONFIG= config file path/name
GATEWAY= gateway IP address
IMAGE= image file path/name
LINKTIMEOUT= Link UP timeout (seconds)
PKTTIMEOUT= packet timeout (seconds)
PORT= ethernet interface port
RETRY= Packet Retry Count (Ping/TFTP)
SERVER= server IP address
VLAN= enable/disable DOT1Q tagging on the selected port
rommon #2> ADDRESS=192.168.0.2 （因为是TFFP上传，所以防⽕墙设置为客户机）
rommon #3> GATEWAY=192.168.0.1 （⽹关）
rommon #4> IMAGE=asa802-k8.bin （导⼊IOS的名称）
rommon #5> SERVER=192.168.0.1 （服务器IP，也就是你的PC）
rommon #6> sync （保存）
Updating NVRAM Parameters...
rommon #7> ping 192.168.0.1
Sending 20, 100-byte ICMP Echoes to 192.168.0.1, timeout is 4 seconds:
!!!!!!!!!!!!!!!!!!!
Success rate is 95 percent (19/20)
确认线路是否连通，开启TFTP软件（这⾥说明下我测试是ASA5505 所以接的E0/0⼝。

不知道设备该接什么⼝可以⽤set
看“PORT=Ethernet0/0”）
rommon #8> tftpdnld （上传）
ROMMON Variable Settings:
ADDRESS=192.168.0.2
SERVER=192.168.0.1
GATEWAY=192.168.0.1
PORT=Ethernet0/0
VLAN=untagged
IMAGE=asa802-k8.bin
CONFIG=
LINKTIMEOUT=20
PKTTIMEOUT=4
RETRY=20
tftp asa802-k8.bin@192.168.0.1 via 192.168.0.1
导⼊后设备重启，现在有了IOS 能进去
Type help or '?' for a list of available commands.
ciscoasa> en
但现在IOS也没有装⼊设备，⽽是从tftp引导启动设备，断开TFTP服务器就会从新进⼊监控模式。

这⼀点当设备启动完毕后可以⽤show version命令看到：
System image file is "tftp://192.168.0.1/asa802-k8.bin"
现在需要把IOS存⼊设备，但是现在防⽕墙和PC已经不能通信
ciscoasa# ping 192.168.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
No route to host 192.168.0.1
Success rate is 0 percent (0/1)
因为刚才是在监控模式下，现在需要配置让PC和防⽕墙从新通信（具体型号具体设置，下⾯已我⼿上的5505为例）interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.0.2 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
现在测试
ciscoasa# ping 192.168.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1
92.168.1.1, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
已经能通信，下⾯拷贝IOS和ASDM存⼊设备
ciscoasa# copy tftp://192.168.0.1/asa802-k8.bin disk0:/asa802-k8.bin
Address or name of remote host [192.168.0.1]?
Source filename [asa802-k8.bin]?
Destination filename [asa802-k8.bin]?
Accessing tftp://192.168.0.1/asa802-k8.bin. ...
因为删除的是flash 现在还需要导⼊ASDM （注意ASDM和IOS的兼容，不兼容如下图）
ciscoasa# copy tftp://192.168.0.1/asdm-602.bin disk0://asdm-602.bin
Address or name of remote host [192.168.0.1]?
Source filename [asdm-602.bin]?
Destination filename [asdm-602.bin]?
Accessing tftp://192.168.0.1/asdm-602.bin.. ...
现在可以看见IOS以后在设备上
ciscoasa# show version
Cisco Adaptive Security Appliance Software Version 8.2(1)
Compiled on Tue 05-May-09 22:45 by builders
System image file is "disk0:/asa821-k8.bin"
Config file at boot was "startup-config"
ciscoasa# show flash:
--#-- --length-- -----date/time------ path
3 4096 Aug 26 2009 17:41:50 log
10 4096 Aug 26 2009 17:41:56 crypto_archive
11 4096 Aug 26 2009 17:59:06 coredumpinfo
12 43 Aug 27 2009 09:13:02 coredumpinfo/coredump.cfg
78 16275456 Aug 26 2009 18:07:50 asa802-k8.bin
80 7598456 Aug 27 2009 09:05:54 asdm-602.bin
设置启动⽂件
ciscoasa (config)# boot system disk0:/asa802-k8.bin 设置IOS
ciscoasa (config)# asdm image disk0:/asdm602.bin 设置ASDM
ciscoasa (config)# reload 重新启动，配置⽣效
备份上⾯dir的⽂件
ciscoasa (config)# copy disk0:/asa802-k8.bin tftp://192.168.1.1/asa802-k8.bin ciscoasa (config)# copy disk0:/asdm602.bin tftp://192.168.1.1/asdm602.bin。