Table of Contents
Cisco - Firewall - Miscellaneous
Cisco - End-of-Life and End-of-Sale Notices for ASA hardware EoL dates.
End-of-Life and End-of-Sale Notices for ASA software.
Cisco - Cisco ASA Compatibility
Cisco - Supported VPN Platforms, Cisco ASA Series
PIX
The predecessor of the Cisco ASA series firewalls.
YouTube - Cisco PIX 501 compact 4 port firewall #teardown on 2023-02-18 by Computers Cats and More.
ASA
Cisco Secure Firewall ASA
Cisco Secure Firewall ASDM
Reddit - Is Cisco ASA still worth it in 2023 ?
Reddit - Why Cisco ASA isn’t dead yet ?
Cisco ASA 5500 Series Adaptive Security Appliances Data Sheet
Cisco ASA 5500-X Series Firewalls
CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.1
CLI Book 2: Cisco ASA Series Firewall CLI Configuration Guide, 9.1
CLI Book 3: Cisco ASA Series VPN CLI Configuration Guide, 9.1
GitHub - jbaines-r7/theway A tool for extracting, modifying, and crafting ASDM binary packages (CVE-2022-20829).
GitHub - nccgroup/asafw Set of scripts to deal with Cisco ASA firmware [pack/unpack etc.]
GitHub - nccgroup/asatools Main repository to pull all NCC Group Cisco ASA-related tool projects.
NCC Group Research Blog - Cisco ASA series part one: Intro to the Cisco ASA
Cisco ASA 5500-X Series Firewalls - Release Notes
Release Notes for the Cisco ASA Series, 9.1(x) and EoS and EoL ASA 9.1, ASDM 7.1 Last Date of Support: OS SW 2022-08-31.
Release Notes for the Cisco ASA Series, 9.2(x) and EoS and EoL ASA 9.2, ASDM 7.2 Last Date of Support: OS SW 2022-08-31.
Release Notes for the Cisco ASA Series, 9.4(x) and EoS and EoL ASA(v) 9.4(x), ASDM 7.4(x) Last Date of Support: App SW 2021-08-31.
Release Notes for the Cisco ASA Series, 9.6(x) and EoS and EoL ASA(v) 9.6(x) ASDM 7.6(x) Last Date of Support: App SW 2022-09-30.
Release Notes for the Cisco ASA Series, 9.7(x) and EoS and EoL ASA 9.7, ASDM 7.7 Last Date of Support: OS SW 2022-08-31
Release Notes for the Cisco ASA Series, 9.8(x) and EoS and EoL ASA(v) 9.8(x) ASDM 7.8(x) Last Date of Support: App SW 2025-02-28.
EoS and EoL ASA(v) 9.9(x) ASDM 7.9(x) Last Date of Support: App SW 2023-05-31.
EoS and EoL ASA(v) 9.10(x) ASDM 7.10(x) Last Date of Support: App SW 2022-10-31.
Release Notes for the Cisco ASA Series, 9.12(x) and EoS and EoL ASA(v) 9.12(x) ASDM 7.12(x) Last Date of Support: App SW 2026-02-28.
Release Notes for the Cisco ASA Series, 9.13(x) and EoS and EoL ASA(v) 9.13(x), ASDM 7.13(x) Last Date of Support: App SW 2023-06-30.
Release Notes for the Cisco ASA Series, 9.14(x) and EoS and EoL ASA(v) 9.14(x), ASDM 7.14(x) Last Date of Support: App SW 2025-03-31.
Release Notes for the Cisco ASA Series, 9.15(x) and EoS and EoL ASA(v) 9.15(x), ASDM 7.15(x) Last Date of Support: App SW 2024-06-30.
Release Notes for the Cisco ASA Series, 9.16(x)
EoS and EoL ASA(v) 9.17(x), ASDM 7.17(x) Last Date of Support: App SW 2025-12-31.
Cisco Secure Firewall ASA New Features by Release
PeteNetLive - Cisco ASA: Remove FTD and Return to ASA and ASDM
PeteNetLive - ASA – Memory Error (Post upgrade to version 8.3)
NAT Overload - How to get the latest Cisco ASA/ASDM firmware image and update for free!
NetworkProGuide - How to Download Cisco IOS Updates for Free (Legally)
Rapid7 Blog - Rapid7 Discovered Vulnerabilities in Cisco ASA, ASDM, and FirePOWER Services Software posted on 2022-08-11.
YouTube - Cisco ASA 5500 Series Family Video Data Sheet on 2011-03-15 by i3webservices.
Cisco - QoS on the Cisco ASA Configuration Examples
Server Fault - QoS on Cisco ASA 5505 by VLAN/subnet
Cisco - Troubleshoot ASA Network Address Translation (NAT) Configuration
GitHub - in-transit/regional-asa This script will create network objects based off region/country. Uses delegated statistics files from for example ARIN - Extended Delegation Statistics. Via server fault - How to block a Countries IP range with a Cisco ASA?.
Cisco Secure Firewall ASA Series Feature Licenses
CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.1 - Chapter: Managing Feature Licenses, Supported Feature Licenses Per Model
The Traceroute Blog - Cisco ASA 5505 ASDM stuck at 17%
Cisco Community - ASA 5515 versus 5515-X
Cisco Community - ASA and Firepower hardware fact sheet lists CPU type, model, and crypto accelerator for several ASA models.
GitHub - jbaines-r7/cisco_asa_research Cisco ASA Software and ASDM Security Research.
Can Cisco Adaptive Security Appliance Remote Code Execution and Denial of Service Vulnerability for CVE-2018-0101 be use to get ASA 9.1.7.23 for Cisco ASA 5500 series from TAC?
Another much older one Multiple Vulnerabilities in Cisco ASA Software with many CVE-2014-* CVEs.
Cisco Adaptive Security Appliance SNMP Remote Code Execution Vulnerability CVE-2016-6366. Affects Cisco ASA 5500 series with fix available in 9.1.7(9) or 9.0.4(40), and PIX series with no fix available. Workaround: limit/disable access to SNMP.
Cisco Adaptive Security Appliance CLI Remote Code Execution Vulnerability CVE-2016-6367. Affects Cisco ASA 5500 series with fix available in 9.0(1), and PIX series with no fix available.
YouTube - ASA Firewall - Cisco ASA Firewall Full Course | 2022 by Knowledge Power on 2020-12-29.
Cisco - Use Guide to Secure ASA Firewall
Cisco - ASA Integrity Assurance
5505
YouTube - Cisco ASA5505 firewall teardown an detailed overview for CCNA security lab and repair on 2016-02-11 by Donkey Learning IT.
asa924-33-k8.bin is the latest and last release for the 5505(non-X) model. and you shouldnt (I wouldnt) install ASDM past asdm-771-151.bin, but YMMV.
Source: Reddit - r/networking - ASA5505 Setup
GitHub - jjkirn/ASDM Cisco ASA 5505 Adaptive Security Appliance. How to resolve Cisco ASDM-IDM Java Web Application issues with Oracle JRE.
5506-X
PEI - Cisco ASA 5506: Configuring the Interfaces to Replace the ASA 5505. In short: Clear the current inside interface, create a port-channel, and add the desired number of interfaces to it.
5510
Reddit - Does ASA-5510 have VGA pins?. In short: no it does not, VGA pins seem to only be found on 5500-X models.
5520
YouTube - Cisco ASA 5520 Firewall #teardown on 2021-10-13 by Computers Cats and More.
5550
YouTube - Cisco ASA 5550 series adaptive security appliance #teardown on 2023-05-31 by Computers Cats and More.
5580
Cisco ASA 5580 Adaptive Security Appliance
EOL/EOS for the Cisco ASA 5580 Adaptive Security Appliance, Last Date of Support is July 31, 2017.
Cisco Software Download - ASA 5580 Adaptive Security Appliance
Cisco ASA Interim Release Notes - 9.0 series
YouTube - Let's Look - Cisco ASA 5580 - Appliance Server on 2017-04-21 by Anthony Cress.
YouTube - Cisco ASA 5580 Adaptive Security Appliance Video Data Sheet on 2011-06-08 by TechSuperStore.
5585-X
Cisco ASA 5585-X Adaptive Security Appliance - Retirement Notification
End-of-Sale and End-of-Life Announcement for the Cisco ASA 5585-X Adaptive Security Appliance, Last Date of Support: HW: May 31, 2023.
Cisco - Install a SFR Module on an ASA 5585-X Hardware Module
YouTube - Partial disassembly of a Cisco ASA 5585-X Adaptive Security Appliance #teardown. on 2022-06-21 by Computers Cats and More.
YouTube - SSP-40 module out of a Cisco ASA 5585-X Adaptive Security Appliance #teardown on 2023-02-11 by Computers Cats and More.
5506, ASA 5506W, ASA 5506H, ASA 5508, and ASA 5516 clock signal issue
Problem Description
The Adaptive Security Appliance (ASA) 5506, ASA 5506W, ASA 5506H, ASA 5508, and ASA 5516 might fail after 18 months or longer in operation due to a clock signal component failure.
Once the component has failed, the system will stop functioning, will not boot, and is not recoverable.
Problem Symptom
The security appliances no longer function and, subsequently, the system fails to boot. In addition, the LED status indicators on the security appliance illuminate as follows:
- Power LED is green
- Status LED is amber and blinking
| Product ID | Possibly Affected VID | Fixed VID |
|---|---|---|
| ASA5506 | V03 or earlier | V04 or later |
| ASA5506H | V03 or earlier | V04 or later |
| ASA5506W | V05 or earlier | V06 or later |
| ASA5508 | V04 or earlier | V05 or later |
| ASA5516 | V04 or earlier | V05 or later |
Cisco - Field Notice: FN - 64228 - ASA 5506, ASA 5506W, ASA 5506H, ASA 5508, and ASA 5516 Might Fail After 18 Months or Longer Due to Clock Signal Component Failure - Replace on Failure
Cisco - Clock Signal Component Issue
Cisco Community - Clock-Signal Repair Pictures ISR4300, ASA, ISR4400
Reddit - ASA 5506 V05 clock bug resurrection.
ASA Memory
Taken from archive.org - 2017-11-14.
| ASA Model | Internal Flash Memory (Default Shipping) | Total DRAM (Default Shipping) | DRAM Allocated to FW/VPN | DRAM Allocated to Module | |
|---|---|---|---|---|---|
| Before Feb. 2010 | After Feb. 2010 | ||||
| 5505 | 128 MB | 256 MB | 512 MB | 512 MB | On module |
| 5510 | 256 MB | 256 MB | 1 GB | 1 GB | On module |
| 5520 | 256 MB | 512 MB | 2 GB | 2 GB | On module |
| 5540 | 256 MB | 1 GB | 2 GB | 2 GB | On module |
| 5550 | 256 MB | 4 GB | 4 GB | 4 GB | On module |
| 5580-20 | 1 GB | 8 GB | 8 GB | 8 GB | N/A |
| 5580-40 | 1 GB | 12 GB | 12 GB | 12 GB | N/A |
| 5506-X, 5506H-X, 5506W-X | 8 GB | 4 GB | 1.8 GB | 2.2 GB | |
| 5508-X | 8 GB | 8 GB | 4 GB | 4 GB | |
| 5512-X | 4 GB | 4 GB | 2 GB | 2 GB | |
| 5515-X | 8 GB | 8 GB | 4 GB | 4 GB | |
| 5516-X | 8 GB | 8 GB | 4 GB | 4 GB | |
| 5525-X | 8 GB | 8 GB | 4 GB | 4 GB | |
| 5545-X | 8 GB | 12 GB | 6 GB | 6 GB | |
| 5555-X | 8 GB | 16 GB | 8 GB | 8 GB | |
| 5585-X with SSP-10 | 2 GB | 6 GB | 6 GB | On module | |
| 5585-X with SSP-20 | 2 GB | 12 GB | 12 GB | On module | |
| 5585-X with SSP-40 | 2 GB | 12 GB | 12 GB | On module | |
| 5585-X with SSP-60 | 2 GB | 24 GB | 24 GB | On module | |
| ASASM | 8 GB | 24 GB | 24 GB | N/A | |
| Firepower 2110, 2120 | 8 GB | 16 GB | 16 GB | N/A | |
| Firepower 2130 | 8 GB | 32 GB | 32 GB | N/A | |
| Firepower 2130 | 8 GB | 64 GB | 64 GB | N/A | |
Memory Requirements
The following sections list the memory requirements for current and legacy models.
Current Models
All current models include enough DRAM to run any supported release. There are no DRAM upgrade kits available. You can optionally install external flash memory to store additional images or other files. See the hardware guide for your model for more information.
Legacy Models
See the following memory requirements for legacy models:
- ASA 5505—With Version 8.3 through 9.1 only the Unlimited Hosts license and the Security Plus license with failover enabled require 512 MB DRAM; other licenses can use 256 MB. For Version 9.2 and later, all ASA 5505 licenses require 512 MB.
- ASA 5510, 5520, and 5540—To run 8.3 and later, you need the DRAM amount that shipped by default after February 2010. If you have an earlier unit, you must buy a memory upgrade kit. See Memory Kits.
- ASA 5510 through 5550—You might need to upgrade the internal flash memory to 512 MB or add external flash memory if you load multiple images of the AnyConnect client along with one or more images of the ASA software, ASDM, client/server plugins, or Cisco Secure Desktop. In particular, you might need to upgrade for multiple AnyConnect 3.0 and higher clients with optional modules.
- ASA 5520s and ASA 5540s manufactured before August 2011 have four DIMM sockets. ASA 5520s and ASA 5540s manufactured after this date have two DIMM sockets. All ASA 5550s have four DIMM sockets.
Memory Kits
The following table lists the DRAM (also referred to as DIMM) kits.
| Model | Size | Part Number |
|---|---|---|
| ASA 5505 | 512 MB | ASA5505-MEM-512= |
| ASA 5510 (If you previously purchased the 512 MB upgrade kit for the ASA 5510 (ASA5510-MEM-512=), you must upgrade to the 1 GB memory upgrade kit to run Version 8.3.) | 1 GB | ASA5510-MEM-1GB= |
| ASA 5520 | 2 GB | ASA5520-MEM-2GB= |
| ASA 5540 | 2 GB | ASA5540-MEM-2GB= |
| ASA 5550 | 4 GB | 2 x ASA5540-MEM-2GB= |
CompactFlash Upgrade Kits
The following table lists the CompactFlash upgrade kits available for the ASA 5510 through ASA 5550, for use as internal or external flash memory.
| Model | Size | Part Number |
|---|---|---|
| ASA 5510 through ASA 5550 | 256 MB | ASA5500-CF-256MB= |
| ASA 5510 through ASA 5550 | 512 MB | ASA5500-CF-512MB= |
ASA Version Notes
From Cisco Secure Firewall ASA Compatibility:
- ASA 9.18(x) was the final version for the Firepower 4110, 4120, 4140, 4150, and Security Modules SM-24, SM-36, and SM-44 for the Firepower 9300.
- ASA 9.16(x) was the final version for the ASA 5506-X, 5506H-X, 5506W-X, 5508-X, and 5516-X.
- ASA 9.14(x) was the final version for the ASA 5525-X, 5545-X, and 5555-X.
- ASA 9.12(x) was the final version for the ASA 5512-X, 5515-X, 5585-X, and ASASM.
- ASA 9.2(x) was the final version for the ASA 5505. Later ASDM versions continue to support the ASA 5505.
- ASA 9.1(x) was the final verison for the ASA 5510, 5520, 5540, 5550, and 5580.
- ASDM versions are backwards compatible with all previous ASA versions, unless otherwise stated. For example, ASDM 7.12(1) can manage an ASA 5515-X on ASA 9.10(1).
- New ASA versions require the coordinating ASDM version or a later version; you cannot use an old version of ASDM with a new version of ASA. For example, you cannot use ASDM 7.10 with ASA 9.12. For ASA interims, you can continue to use the current ASDM version, unless otherwise stated. For example, you can use ASA 9.12(1.15) with ASDM 7.12(1).
- ASA 9.8(4.45) and 9.12(4.50) and later require ASDM 7.18(1.152) or later. The ASA now validates whether the ASDM image is a Cisco digitally signed image. If you try to run an older ASDM image than 7.18(1.152) with an ASA version with this fix, ASDM will be blocked and the message “%ERROR: Signature not valid for file disk0:/<filename>” will be displayed at the ASA CLI.
Older versions of the Cisco Secure Firewall ASA Compatibility page:
- archive.org - 2021-05-08 still mentions ASA 9.4 to 8.4.
- archive.org - 2019-04-01 still mentions ASA 8.3 to 7.2.
- archive.org - 2017-11-14 still mentions ASA 55[1-2,4-5,8]0s, and one of the last versions to do so.
- archive.org - 2014-03-03 still mentions ASA versions for ASA 55[1-2,4-5,8]0s, and PIX ASDM compatibility.
Cisco ASA release notes:
Traffic shaping not supported on multi-core ASA up to 9.2
CLI Book 2: Cisco ASA Series Firewall CLI Configuration Guide, 9.1 lists:
Model Guidelines
- Traffic shaping is only supported on the ASA 5505, 5510, 5520, 5540, and 5550. Multi-core models (such as the ASA 5500-X) do not support shaping.
- (ASA 5580) You cannot create a standard priority queue for a Ten Gigabit Ethernet interface. Note : For the ASA 5585-X, standard priority queuing is supported on a Ten Gigabit Interface.
- (ASA 5512-X through ASA 5555-X) Priority queuing is not supported on the Management 0/0 interface.
- (ASASM) Only policing is supported.
These limitations are also listed for ASA 9.2 on CLI Book 2: Cisco ASA Series Firewall CLI Configuration Guide, 9.2.
But have disappeared for ASA 9.4 on CLI Book 2: Cisco ASA Series Firewall CLI Configuration Guide, 9.4.
Traffic Shaping/Policing
Router Freak! - Traffic Policing vs. Traffic Shaping
Cisco - Compare Traffic Policy and Traffic Shape to Limit Bandwidth
Management
GitHub - DiogoAndre/napalm-asa-asdm This is a NAPALM community driver for the Cisco ASA platform, using the ASDM HTTPS interface as means to communicate with the device.
GitHub - napalm-automation-community/napalm-asa This is a NAPALM community driver for the Cisco ASA platform, using the ASA REST interface. The REST API is only available from software version 9.3.2 and up, and on the 5500-X series, ASAv, ASA on Firepower and ISA 3000 platforms.
GitHub - rhwendt/asdm This is a cli asdm launcher. It will automatically add the ASA to the java exceptions list.
ASDM
ASDM 7.18+ on OpenBSD
Tested on OpenBSD/AMD64 7.2, with ASA 9.12(4)58 and ASDM 7.19(1)95.
When used this way ASDM 7.19(1)95 keeps asking to set an enable password on start, even when it is already set, and to apply changes on close, even when there are no changes.
Based on William Lieurance's Tech Blog - Running Cisco ASDM 7.18 or 7.19 on Linux.
Starting with ASDM 7.18 there is no asdm.jnlp Java WebStart file anymore. To run ASDM you would have to install the ASDM Launcher, when Cisco only provides installers for macOS (dm-launcher.dmg) or Windows (dm-launcher.msi).
You can download de necessary jar files from the ASA (replace 10.10.10.1 with the IP of the ASA):
export ipaddr=10.10.10.1
wget --no-check-certificate https://${ipaddr}/admin/public/jploader.jar
wget --no-check-certificate https://${ipaddr}/admin/public/dm-launcher.jar
wget --no-check-certificate https://${ipaddr}/admin/public/lzma.jar
wget --no-check-certificate https://${ipaddr}/admin/public/retroweaver-rt-2.0.jar
But you'd still need the cert.pem certificate file, and I haven't yet found the correct URL to download this from the ASA, so you should get it from either dm-launcher.dmg or dm-launcher.msi. In this case I'll be using 7zip to extract all needed files from dm-launcher.msi.
The following assumes everything should end up in the current directory.
- Install 7zip:
pkg_add -i p7zip
- Open a web browser, and download the dm-launcher.msi from https://IP-ADDRESS/admin/dm-launcher.msi, log in with your enable password when asked to login.
- Change IP-ADDRESS to the IP address of your ASA.
- Extract Data1.cab from the msi with 7zip:
7z x dm-launcher.msi Data1.cab
- Extract all .jar, and all .pem files from the MSI:
7z x Data1.cab *.jar *.pem
- Create an asdm.sh with content:
#!/bin/sh export JAVA_HOME=/usr/local/jdk-1.8.0/ $JAVA_HOME/bin/java -Xms64m -Xmx512m -Djava.util.Arrays.useLegacyMergeSort=true -Dhttp.agent=ASDM -cp asdm_launcher.jar:jploader.jar:lzma.jar:retroweaver_rt_2.0.jar com.cisco.launcher.Launcher cert.pem
- Mark asdm.sh as executable:
chmod +x asdm.sh
- Make sure JDK 1.8 is installed:
- Install the jdk package:
pkg_add -i jdk
- When asked which version, choose the jdk-1.8.0 version.
- Start the ASDM:
./asdm.sh
Proof that it works:
Run another OS on ASA
Medium - Install OPNSense and Linux on Cisco ASA
Dominic Polizzi - Install OPNSense and Linux on Cisco ASA
Reddit - Install OPNSense on a Cisco ASA
ServeTheHome Forums - Pfsense(or Opnsense) on a Cisco ASA-5512-X
Reddit - Cisco Ironport C170 findings...
OpenWrt Forum - OpenWrt on old Cisco ASA 5525-x appliance
Reddit - OPNSense running on a Cisco ASA5512-X