How to upgrade the Cisco ASA 5505 software

The newest Cisco ASA firewall 5500 series came out with software version 7.0, following the successful software version 6.x of the older PIX firewall models. The latest ASA software version is 8.x with intermediary versions of 7.1 and 7.2. In this post I will show you how to upgrade a Cisco ASA 5505 firewall from version 7.2(3) to version 8.0(2). The same approach can be used for any 5500 appliance series. To get the latest ASA software version, you must have a valid SMARTnet agreement which is basically a maintenance contract for your Cisco product.

cisco asa 5505 firewall image


Connect to the appliance (console or SSH) and verify the current running software version by using the show ver command:

ASA5505# sh ver

Cisco Adaptive Security Appliance Software Version 7.2(3)
Device Manager Version 5.2(3)

Compiled on Wed 15-Aug-07 16:08 by builders
System image file is “disk0:/asa723-k8.bin
Config file at boot was “startup-config”

ASA5505 up 34 mins 42 secs

Hardware: ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CNlite-MC-Boot-Cisco-1.2
SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Int: Internal-Data0/0 : address is 001e.7a86.1ea8, irq 11
1: Ext: Ethernet0/0 : address is 001e.7a86.1ea0, irq 255
2: Ext: Ethernet0/1 : address is 001e.7a86.1ea1, irq 255
3: Ext: Ethernet0/2 : address is 001e.7a86.1ea2, irq 255
4: Ext: Ethernet0/3 : address is 001e.7a86.1ea3, irq 255
5: Ext: Ethernet0/4 : address is 001e.7a86.1ea4, irq 255
6: Ext: Ethernet0/5 : address is 001e.7a86.1ea5, irq 255
7: Ext: Ethernet0/6 : address is 001e.7a86.1ea6, irq 255
8: Ext: Ethernet0/7 : address is 001e.7a86.1ea7, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255

Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 50
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0

This platform has a Base license.

From the above output you can see that we are running Version 7.2(3) which is located in disk0 (disk0:/asa723-k8.bin). Also, the GUI device manager version (ASDM) is 5.2(3). Now, lets upgrade to version 8.0(2).

Step 2:

Assume that our internal network range is Configure a TFTP server (you can use the free tftpd32) on an internal PC (e.g and backup the current running software image from the firewall to your TFTP PC.

ASA5505# copy disk0 tftp

Source filename []?asa723-k8.bin
Address or name of remote host []?

Also, save the current running configuration. Just issue the show run command and copy all configuration output from your terminal window into a text file.

Step 3:

Now it’s the time to upload the new software image file to the disk system of the firewall. Assume that we have already downloaded the software file asa802-k8.bin and placed that on our TFTP PC.

ASA5505# copy tftp disk0

Address or name of remote host []?
Source filename []? asa802-k8.bin
Destination filename [disk0]? disk0:asa802-k8.bin

Accessing tftp://…!!!!!! (truncated)
Writing file disk0:/asa802-k8.bin… !!!!! (truncated)
14524416 bytes copied in 118.210 secs (123088 bytes/sec)

Step 4:

Since now we will have two image files on the firewall disk (old 7.2 and new 8.0 image files), we need to tell the firewall explicitly which image file to use when booting.

ASA5505# conf t
ASA5505(config)# boot system disk0:/asa802-k8.bin
ASA5505(config)# wr mem

Step 5:

Reboot the firewall in order to load the new software image file. (use the reload command). If everything works ok with the new image, you can delete the old one from disk0. (delete disk0:/asa723-k8.bin)

Step6 (Optional):

The new ASA version 8.x uses the newest Device Manager (ASDM) version 6.x. You can download the new ASDM software from Cisco and upgrade that as well (using the same steps as above).

"Sponsored Links"


  1. KrisBelucci says

    Hi, cool post. I have been wondering about this topic,so thanks for writing.

  2. Nico says

    Just as an FYI – when I did this on my ASA 5505 it still booted to the old asa804-k8.bin instead of the new asa821-k8.bin image.

    Turns out the boot config showed

    BOOT variable = disk0:/asa804-k8.bin;disk0:/asa821-k8.bin
    Current BOOT variable = disk0:/asa804-k8.bin;disk0:/asa821-k8.bin

    I guess this meant that it would still boot the old image first. So I cleared the boot variable first with the following commands:

    no boot system disk0:/asa821-k8.bin
    no boot system disk0:/asa804-k8.bin

    Then I reset it with this:

    boot system disk0:/asa821-k8.bin
    wr mem
    reload noconfirm

    Then it booted the correct one.

    Thanks for the rest!!!

  3. BlogAdmin says

    Hello Nico

    Thanks for your excellent feedback.

    There are always some little twists with Cisco products that you learn them only from experience.

    Thanks for commenting


  4. Mike says

    Just small addition for new asdm image (step 5)
    ASA5505(config)#asdm image disk0:/asdm-621.bin
    ASA5505(config)# wr mem

  5. Lizandro Diaz says

    Can I upgrade to 8.3 with 64 MB of flash, I already have 512 of RAM.

    Thanks in advance.

  6. BlogAdmin says

    Yes you can. The important thing is to have enough RAM memory, so 512MB of RAM will be ok.

  7. Kiro Garnenkov says

    Yes you can , but be careful , because there is some changes in image 8.3
    As example , far as I know , In this image everything is objects and NAT is different …..

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>