Recover the boot image on a Cisco ASA Firewall

October 14, 2013

If you ever find yourself in a situation where the OS gets corrupted, or you accidentally wipe out an old OS bin file and reboot before adding the new one, welcome to boot looping. When you are prompted to interrupt the boot loop, do so by pressing Esc or Break. From here you will be taken into the world of ROMMON. ROMMON has very limited functionality and is a life saver for getting your OS loaded back onto the device.

You will be booting from a TFTP server, so if you do not have one I recommend downloading one from SolarWinds. After you get your TFTP server, put your .bin OS file directly in the root (for simplicity's sake). Now make sure your firewall can access your TFTP server. If you don't have the luxury of a provisioning rack with its own VLAN, then I recommend simply putting the TFTP server on a laptop, using a crossover cable to connect Eth0/0 to the laptop NIC, and putting them on the same subnet. We will use 192.168.10.0/24 in this example. Next, console into the firewall and run the following commands:

rommon #1> ADDRESS=192.168.10.10
rommon #2> SERVER=192.168.10.20
rommon #3> GATEWAY=192.168.10.1
rommon #4> IMAGE=asa902-k8.bin
(substitute the name of your own OS bin file)
rommon #5> PORT=Ethernet0/0
rommon #6> tftp

This will boot the ASA from that image on your TFTP server! For this to work, the TFTP server's IP must match the SERVER value, 192.168.10.20 in this example. You don't really need a gateway since the firewall and the server are on the same subnet, but you can substitute the IPs above as needed for your situation. Once you get back into your ASA you will have your old config in place; however, the image booted over TFTP is only running from memory, so before rebooting make sure you put the .bin file on disk0:/, or else you will have to do this ALL OVER AGAIN!
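As an added example (not part of the original post), a small Python pre-flight script that checks the ROMMON parameters above before you type them: SERVER must be reachable from ADDRESS (a GATEWAY only matters off-subnet), and, because TFTP carries no integrity protection, the .bin in the TFTP root is compared against the checksum Cisco publishes for that image. The sample image bytes and their digest are constructed stand-ins for a real image and its published hash.

```python
"""Pre-flight checks for the ASA ROMMON TFTP recovery described above (added example)."""
import hashlib
import ipaddress

def rommon_commands(address, server, gateway, image, port="Ethernet0/0"):
    """Return the ROMMON lines to type, in the order the post gives them."""
    return [f"ADDRESS={address}", f"SERVER={server}", f"GATEWAY={gateway}",
            f"IMAGE={image}", f"PORT={port}", "tftp"]

def network_problems(address, server, gateway, prefixlen=24):
    """List reasons the ASA could not reach the TFTP server; [] means OK (assumes a /24)."""
    problems = []
    net = ipaddress.ip_network(f"{address}/{prefixlen}", strict=False)
    if address == server:
        problems.append("ADDRESS and SERVER must be different hosts")
    # On the same subnet GATEWAY is irrelevant; otherwise the gateway must be local.
    if ipaddress.ip_address(server) not in net and ipaddress.ip_address(gateway) not in net:
        problems.append(f"SERVER {server} is outside {net} and GATEWAY {gateway} is not local")
    return problems

def image_problems(image_name, image_bytes, expected_sha512):
    """TFTP has no integrity protection: compare the file in the TFTP root against
    the checksum published for that image before letting the ASA boot it."""
    problems = []
    if not image_name.endswith(".bin"):
        problems.append(f"IMAGE {image_name} does not look like an ASA .bin image")
    if hashlib.sha512(image_bytes).hexdigest() != expected_sha512.lower():
        problems.append(f"{image_name}: SHA-512 mismatch, do not serve this file")
    return problems

def preflight(address, server, gateway, image_name, image_bytes, expected_sha512):
    """Return (True, rommon lines) when everything checks out, else (False, problems)."""
    problems = (network_problems(address, server, gateway)
                + image_problems(image_name, image_bytes, expected_sha512))
    return (False, problems) if problems else (True, rommon_commands(address, server, gateway, image_name))

# Constructed sample: stand-in bytes for asa902-k8.bin and their own digest,
# standing in for a real image and its vendor-published checksum.
SAMPLE_IMAGE = b"constructed stand-in for asa902-k8.bin"
SAMPLE_SHA512 = hashlib.sha512(SAMPLE_IMAGE).hexdigest()

if __name__ == "__main__":
    ok, lines = preflight("192.168.10.10", "192.168.10.20", "192.168.10.1",
                          "asa902-k8.bin", SAMPLE_IMAGE, SAMPLE_SHA512)
    print("\n".join(lines))
```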