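I carelessly deleted the IOS file from the company's ASA firewall, then quickly downloaded the IOS file from a firewall of the same model and recovered from the fault. These are my notes on the process.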

rommon #1> ?
Variables: Use "sync" to store in NVRAM 
ADDRESS= local IP address 
CONFIG= config file path/name 
GATEWAY= gateway IP address 
IMAGE= image file path/name 
LINKTIMEOUT= Link UP timeout (seconds) 
PKTTIMEOUT= packet timeout (seconds) 
PORT= ethernet interface port 
RETRY= Packet Retry Count (Ping/TFTP) 
SERVER= server IP address 
VLAN= enable/disable DOT1Q tagging on the selected port 
rommon #2> ADDRESS=192.168.0.2 (the transfer is over TFTP, so the firewall is set up as the client) 
rommon #3> GATEWAY=192.168.0.1 (gateway) 
rommon #4> IMAGE=asa802-k8.bin (name of the IOS file to import) 
rommon #5> SERVER=192.168.0.1 (server IP, i.e. your PC) 
rommon #6> sync (save) 
Updating NVRAM Parameters... 
rommon #7> ping 192.168.0.1 
Sending 20, 100-byte ICMP Echoes to 192.168.0.1, timeout is 4 seconds: 
?!!!!!!!!!!!!!!!!!!! 
Success rate is 95 percent (19/20) 
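Confirm that the link is up, then start the TFTP software. (Note: I tested on an ASA5505, so I connected to port E0/0. If you do not know which port to use on your device, run set and look at the "PORT=Ethernet0/0" line.) 
rommon #8> tftpdnld (upload) 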
ROMMON Variable Settings: 
ADDRESS=192.168.0.2 
SERVER=192.168.0.1 
GATEWAY=192.168.0.1 
PORT=Ethernet0/0 
VLAN=untagged 
IMAGE=asa802-k8.bin 
CONFIG= 
LINKTIMEOUT=20 
PKTTIMEOUT=4 
RETRY=20 
tftp asa802-k8.bin@192.168.0.1 via 192.168.0.1 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 
After the import the device reboots. It now has an IOS and you can get in: 
Type help or '?' for a list of available commands. 
ciscoasa> en 
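However, the IOS has still not been installed on the device. The device booted from TFTP, and if the TFTP server is disconnected it will drop back into monitor mode. Once the device has finished booting you can see this with the show version command: 
System image file is "tftp://192.168.0.1/asa802-k8.bin" 
The IOS now needs to be saved to the device, but at this point the firewall and the PC can no longer communicate: 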
ciscoasa# ping 192.168.0.1 
Type escape sequence to abort. 
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds: 
No route to host 192.168.0.1 
Success rate is 0 percent (0/1) 
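That is because the earlier settings were made in monitor mode. The device now has to be configured so that the PC and the firewall can communicate again (the settings depend on the model; the following uses the 5505 I have on hand as an example): 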
interface Vlan1 
nameif inside 
security-level 100 
ip address 192.168.1.1 255.255.255.0 
! 
interface Vlan2 
nameif outside 
security-level 0 
ip address 192.168.0.2 255.255.255.0 
! 
interface Ethernet0/0 
switchport access vlan 2 
Now test: 
ciscoasa# ping 192.168.1.1 
Type escape sequence to abort. 
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds: 
!!!!! 
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms 
Communication works. Next, copy the IOS and ASDM to the device: 
ciscoasa# copy tftp://192.168.0.1/asa802-k8.bin disk0:/asa802-k8.bin 
Address or name of remote host ? 
Source filename ? 
Destination filename ? 
Accessing tftp://192.168.0.1/asa802-k8.bin. ... !!!!!!!!!!!!!!!!!!! 
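Because it was the flash that got deleted, ASDM also needs to be imported (pay attention to compatibility between ASDM and IOS; an incompatible combination is shown in the figure below). 
Running ciscoasa# copy tftp://192.168.0.1/asa802-k8.bin disk0:/asa802-k8.bin kept failing with errors.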
ciscoasa# show flash:
Initializing disk0: cache, please wait...Failed (Invalid DOS media or no media in slot error).
%Error show flash: (Failed to initialize the Inode table)
ciscoasa# dir disk0:
%Error opening disk0:/ (Invalid DOS media or no media in slot)
ciscoasa# fsck flash:
Initializing disk0: cache, please wait...Failed (Invalid DOS media or no media in slot error).
Internal error, inode table initialization for flash: failed with error Invalid DOS media or no media in slot
%Error checking flash: (Invalid DOS media or no media in slot)
WARNING: Restoring security context mode failed.
In the end, it worked normally after running the ciscoasa# format flash: command.
ciscoasa# copy tftp://192.168.0.1/asdm-602.bin disk0://asdm-602.bin 
Address or name of remote host ? 
Source filename ? 
Destination filename ? 
Accessing tftp://192.168.0.1/asdm-602.bin.. ... !!!!!!!!!!!!!!!!!!! 
Now you can see that the IOS is on the device: 
ciscoasa# show version 
Cisco Adaptive Security Appliance Software Version 8.2(1) 
Compiled on Tue 05-May-09 22:45 by builders 
System image file is "disk0:/asa821-k8.bin" 
Config file at boot was "startup-config" 
ciscoasa# show flash: 
--#-- --length-- -----date/time------ path 
3 4096 Aug 26 2009 17:41:50 log 
10 4096 Aug 26 2009 17:41:56 crypto_archive 
11 4096 Aug 26 2009 17:59:06 coredumpinfo 
12 43 Aug 27 2009 09:13:02 coredumpinfo/coredump.cfg 
78 16275456 Aug 26 2009 18:07:50 asa802-k8.bin 
80 7598456 Aug 27 2009 09:05:54 asdm-602.bin 
Set the boot files: 
ciscoasa(config)# boot system disk0:/asa802-k8.bin (set the IOS image) 
ciscoasa(config)# asdm image disk0:/asdm-602.bin (set the ASDM image) 
ciscoasa(config)# reload (reboot so that the configuration takes effect) 
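The following check is an added example, not part of the original post: a Python script run over saved console output that flags the two failure modes seen above, a running image that is still booted from TFTP and a boot system / asdm image path that does not match any file in show flash:. The sample captures are constructed from the outputs in this post (the ASDM filename is deliberately mistyped), and the function names are hypothetical.

```python
import re

# Constructed captures modelled on the outputs in this post; the ASDM
# filename in CONFIG is deliberately mistyped to show the check firing.
SHOW_VERSION = 'System image file is "tftp://192.168.0.1/asa802-k8.bin"\n'
SHOW_FLASH = """--#-- --length-- -----date/time------ path
78 16275456 Aug 26 2009 18:07:50 asa802-k8.bin
80 7598456 Aug 27 2009 09:05:54 asdm-602.bin
"""
CONFIG = "boot system disk0:/asa802-k8.bin\nasdm image disk0:/asdm602.bin\n"

# One 'show flash:' row: index, length, month, day, year, time, path.
ROW = re.compile(r"\s*\d+\s+(\d+)\s+\w{3}\s+\d+\s+\d{4}\s+[\d:]+\s+(\S+)")
# Config lines that reference a file on local flash.
REF = re.compile(r"^(boot system|asdm image)\s+(?:disk0|flash):/+(\S+)", re.M)


def flash_files(show_flash):
    """Parse 'show flash:' rows into {path: length in bytes}."""
    files = {}
    for line in show_flash.splitlines():
        m = ROW.match(line)
        if m:
            files[m.group(2)] = int(m.group(1))
    return files


def check_recovery(show_version, show_flash, config):
    """Return problems that would leave the ASA without a local image or ASDM."""
    problems = []
    files = flash_files(show_flash)
    m = re.search(r'System image file is "([^"]+)"', show_version)
    if m and m.group(1).startswith("tftp://"):
        problems.append("running image was booted over TFTP: " + m.group(1))
    refs = REF.findall(config)
    if not any(kind == "boot system" for kind, _ in refs):
        problems.append("no 'boot system' line pointing at local flash")
    for kind, path in refs:
        if files.get(path, 0) == 0:
            problems.append(f"'{kind}' names {path}, which is missing or empty on flash")
    return problems


if __name__ == "__main__":
    for p in check_recovery(SHOW_VERSION, SHOW_FLASH, CONFIG):
        print("PROBLEM:", p)
```

An empty result means the booted image and both configured paths resolve to files on local flash, so the device no longer depends on the TFTP server.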