
Cisco - Firewall - Miscellaneous

PIX

The predecessor of the Cisco ASA series firewalls.

YouTube - Cisco PIX 501 compact 4 port firewall #teardown on 2023-02-18 by Computers Cats and More.

ASA

Cisco Secure Firewall ASA
Cisco Secure Firewall ASDM

Cisco ASA

Reddit - Is Cisco ASA still worth it in 2023?
Reddit - Why Cisco ASA isn't dead yet?

Cisco ASA 5500 Series Adaptive Security Appliances Data Sheet
Cisco ASA 5500-X Series Firewalls

CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.1
CLI Book 2: Cisco ASA Series Firewall CLI Configuration Guide, 9.1
CLI Book 3: Cisco ASA Series VPN CLI Configuration Guide, 9.1

GitHub - jbaines-r7/theway A tool for extracting, modifying, and crafting ASDM binary packages (CVE-2022-20829).
GitHub - nccgroup/asafw Set of scripts to deal with Cisco ASA firmware [pack/unpack etc.]
GitHub - nccgroup/asatools Main repository to pull all NCC Group Cisco ASA-related tool projects.

NCC Group Research Blog - Cisco ASA series part one: Intro to the Cisco ASA

Cisco ASA 5500-X Series Firewalls - Release Notes

Release Notes for the Cisco ASA Series, 9.1(x) and EoS and EoL ASA 9.1, ASDM 7.1 Last Date of Support: OS SW 2022-08-31.
Release Notes for the Cisco ASA Series, 9.2(x) and EoS and EoL ASA 9.2, ASDM 7.2 Last Date of Support: OS SW 2022-08-31.
Release Notes for the Cisco ASA Series, 9.4(x) and EoS and EoL ASA(v) 9.4(x), ASDM 7.4(x) Last Date of Support: App SW 2021-08-31.
Release Notes for the Cisco ASA Series, 9.6(x) and EoS and EoL ASA(v) 9.6(x) ASDM 7.6(x) Last Date of Support: App SW 2022-09-30.
Release Notes for the Cisco ASA Series, 9.7(x) and EoS and EoL ASA 9.7, ASDM 7.7 Last Date of Support: OS SW 2022-08-31.
Release Notes for the Cisco ASA Series, 9.8(x) and EoS and EoL ASA(v) 9.8(x) ASDM 7.8(x) Last Date of Support: App SW 2025-02-28.
EoS and EoL ASA(v) 9.9(x) ASDM 7.9(x) Last Date of Support: App SW 2023-05-31.
EoS and EoL ASA(v) 9.10(x) ASDM 7.10(x) Last Date of Support: App SW 2022-10-31.
Release Notes for the Cisco ASA Series, 9.12(x) and EoS and EoL ASA(v) 9.12(x) ASDM 7.12(x) Last Date of Support: App SW 2026-02-28.
Release Notes for the Cisco ASA Series, 9.13(x) and EoS and EoL ASA(v) 9.13(x), ASDM 7.13(x) Last Date of Support: App SW 2023-06-30.
Release Notes for the Cisco ASA Series, 9.14(x) and EoS and EoL ASA(v) 9.14(x), ASDM 7.14(x) Last Date of Support: App SW 2025-03-31.
Release Notes for the Cisco ASA Series, 9.15(x) and EoS and EoL ASA(v) 9.15(x), ASDM 7.15(x) Last Date of Support: App SW 2024-06-30.
Release Notes for the Cisco ASA Series, 9.16(x)
EoS and EoL ASA(v) 9.17(x), ASDM 7.17(x) Last Date of Support: App SW 2025-12-31.

Cisco Secure Firewall ASA New Features by Release

PeteNetLive - Cisco ASA: Remove FTD and Return to ASA and ASDM
PeteNetLive - ASA – Memory Error (Post upgrade to version 8.3)
NAT Overload - How to get the latest Cisco ASA/ASDM firmware image and update for free!
NetworkProGuide - How to Download Cisco IOS Updates for Free (Legally)

Rapid7 Blog - Rapid7 Discovered Vulnerabilities in Cisco ASA, ASDM, and FirePOWER Services Software posted on 2022-08-11.

YouTube - Cisco ASA 5500 Series Family Video Data Sheet on 2011-03-15 by i3webservices.

Cisco - QoS on the Cisco ASA Configuration Examples
Server Fault - QoS on Cisco ASA 5505 by VLAN/subnet

Cisco - Troubleshoot ASA Network Address Translation (NAT) Configuration

GitHub - in-transit/regional-asa This script creates network objects based on region/country. It uses the delegated statistics files published by the RIRs, for example ARIN - Extended Delegation Statistics. Via Server Fault - How to block a country's IP range with a Cisco ASA?
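The same idea worked through, as an added example that is not the regional-asa project's code: the RIR "extended" delegated-statistics format (registry|cc|type|start|value|date|status|opaque-id, where value is an address count for ipv4 and a prefix length for ipv6) is parsed for one country, the non-power-of-two IPv4 counts are split into CIDR blocks, adjacent blocks are collapsed, and the result is rendered as an ASA object-group. The sample data and the COUNTRY-XX group name are constructed for the example.

```python
"""Turn an RIR extended delegated-statistics file into an ASA object-group.

Added example (not the regional-asa project's code). Assumes the standard
RIR "extended" format: registry|cc|type|start|value|date|status|opaque-id,
where value is an address count for ipv4 and a prefix length for ipv6.
"""
import ipaddress
import sys

# Constructed sample in the RIR extended format (not real delegations).
SAMPLE_STATS = """\
2|arin|20230101|6|19700101|20230101|+0000
arin|*|ipv4|*|4|summary
arin|*|ipv6|*|1|summary
arin|US|ipv4|3.0.0.0|16777216|19880223|allocated|id-1
arin|CA|ipv4|192.0.2.0|256|20100101|assigned|id-2
arin|CA|ipv4|192.0.3.0|256|20100101|assigned|id-3
arin|CA|ipv4|198.51.100.0|768|20100101|allocated|id-4
arin|CA|ipv4|203.0.113.0|256|20100101|available|id-5
arin|CA|ipv6|2001:db8::|32|20100101|allocated|id-6
"""

ACTIVE_STATUS = {"allocated", "assigned"}


def parse_delegations(text, cc):
    """Yield ip_network objects delegated to country code cc.

    Only 'allocated'/'assigned' records count; 'available' and 'reserved'
    space is skipped. IPv4 counts need not be powers of two, so each range
    is split into the minimal set of CIDR blocks.
    """
    cc = cc.upper()
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        # the header line has the registry name, summary lines '*', in the cc slot
        if len(fields) < 7 or fields[1] != cc or fields[6] not in ACTIVE_STATUS:
            continue
        rtype, start, value = fields[2], fields[3], int(fields[4])
        if rtype == "ipv4":
            first = ipaddress.IPv4Address(start)
            yield from ipaddress.summarize_address_range(first, first + value - 1)
        elif rtype == "ipv6":
            yield ipaddress.IPv6Network(f"{start}/{value}")


def asa_object_group(text, cc, name=None):
    """Render the collapsed prefixes as an ASA 'object-group network' block."""
    name = name or f"COUNTRY-{cc.upper()}"
    nets = list(parse_delegations(text, cc))
    # collapse_addresses merges adjacent/overlapping prefixes, one family at a time
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    lines = [f"object-group network {name}"]
    lines += [f" network-object {n.network_address} {n.netmask}" for n in v4]
    lines += [f" network-object {n.with_prefixlen}" for n in v6]
    return "\n".join(lines)


if __name__ == "__main__":
    # usage: python asa_country.py delegated-arin-extended-latest CA
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8") as fh:
            print(asa_object_group(fh.read(), sys.argv[2]))
    else:
        print(asa_object_group(SAMPLE_STATS, "CA"))
```

The generated group is then referenced from an ACL, for example "access-list OUTSIDE_IN extended deny ip object-group COUNTRY-CA any". Collapsing matters in practice: a full country list runs to thousands of prefixes, and the ASA has per-platform limits on network objects and ACL entries, so always collapse before pasting.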

Cisco Secure Firewall ASA Series Feature Licenses
CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.1 - Chapter: Managing Feature Licenses, Supported Feature Licenses Per Model

The Traceroute Blog - Cisco ASA 5505 ASDM stuck at 17%

Cisco Community - ASA 5515 versus 5515-X

HacherNet - Cisco ASA

Cisco Community - ASA and Firepower hardware fact sheet lists CPU type, model, and crypto accelerator for several ASA models.

GitHub - jbaines-r7/cisco_asa_research Cisco ASA Software and ASDM Security Research.

Could the Cisco Adaptive Security Appliance Remote Code Execution and Denial of Service Vulnerability advisory for CVE-2018-0101 be used to obtain ASA 9.1.7.23 for the Cisco ASA 5500 series from TAC?
Another, much older, advisory: Multiple Vulnerabilities in Cisco ASA Software, covering many CVE-2014-* CVEs.

Cisco Adaptive Security Appliance SNMP Remote Code Execution Vulnerability CVE-2016-6366. Affects Cisco ASA 5500 series with fix available in 9.1.7(9) or 9.0.4(40), and PIX series with no fix available. The bug is in SNMP packet handling, so exploitation needs the SNMP community string and IP reachability to an interface on which the ASA answers SNMP. Workaround: limit/disable access to SNMP. The ASA only answers SNMP from the addresses configured with snmp-server host, so keep those entries to trusted management stations on a management interface, and prefer SNMPv3 with authentication and privacy over community strings.
Cisco Adaptive Security Appliance CLI Remote Code Execution Vulnerability CVE-2016-6367. Affects Cisco ASA 5500 series with fix available in 9.0(1), and PIX series with no fix available. Exploitation requires an authenticated CLI session (console, Telnet or SSH), so this is a code-execution path for someone who already has a login, not an unauthenticated remote bug.

YouTube - ASA Firewall - Cisco ASA Firewall Full Course | 2022 by Knowledge Power on 2020-12-29.

Cisco - Use Guide to Secure ASA Firewall
Cisco - ASA Integrity Assurance

5505

Cisco - ASA 5505

YouTube - Cisco ASA5505 firewall teardown an detailed overview for CCNA security lab and repair on 2016-02-11 by Donkey Learning IT.

asa924-33-k8.bin is the latest and last release for the 5505 (non-X) model.

and you shouldn't (I wouldn't) install ASDM past asdm-771-151.bin, but YMMV.

Source: Reddit - r/networking - ASA5505 Setup

GitHub - jjkirn/ASDM Cisco ASA 5505 Adaptive Security Appliance. How to resolve Cisco ASDM-IDM Java Web Application issues with Oracle JRE.

5506-X

PEI - Cisco ASA 5506: Configuring the Interfaces to Replace the ASA 5505. In short: Clear the current inside interface, create a port-channel, and add the desired number of interfaces to it.

5510

Reddit - Does ASA-5510 have VGA pins? In short: no, it does not; VGA headers seem to be present only on 5500-X models.

5520

5550

5580

5585-X

5506, ASA 5506W, ASA 5506H, ASA 5508, and ASA 5516 clock signal issue

Problem Description

The Adaptive Security Appliance (ASA) 5506, ASA 5506W, ASA 5506H, ASA 5508, and ASA 5516 might fail after 18 months or longer in operation due to a clock signal component failure.

Once the component has failed, the system will stop functioning, will not boot, and is not recoverable.

Problem Symptom

The security appliances no longer function and, subsequently, the system fails to boot. In addition, the LED status indicators on the security appliance illuminate as follows:

  • Power LED is green
  • Status LED is amber and blinking
^ Product ID ^ Possibly Affected VID ^ Fixed VID ^
| ASA5506 | V03 or earlier | V04 or later |
| ASA5506H | V03 or earlier | V04 or later |
| ASA5506W | V05 or earlier | V06 or later |
| ASA5508 | V04 or earlier | V05 or later |
| ASA5516 | V04 or earlier | V05 or later |

Cisco - Field Notice: FN - 64228 - ASA 5506, ASA 5506W, ASA 5506H, ASA 5508, and ASA 5516 Might Fail After 18 Months or Longer Due to Clock Signal Component Failure - Replace on Failure
Cisco - Clock Signal Component Issue

Cisco Community - Clock-Signal Repair Pictures ISR4300, ASA, ISR4400
Reddit - ASA 5506 V05 clock bug resurrection.

ASA Memory

Taken from archive.org - 2017-11-14.

^ ASA Model ^ Internal Flash Memory (Default Shipping) ^ Total DRAM (Default Shipping) ^ DRAM Allocated to FW/VPN ^ DRAM Allocated to Module ^
| 5505 | 128 MB | 256 MB before Feb. 2010, 512 MB after | 512 MB | On module |
| 5510 | 256 MB | 256 MB before Feb. 2010, 1 GB after | 1 GB | On module |
| 5520 | 256 MB | 512 MB before Feb. 2010, 2 GB after | 2 GB | On module |
| 5540 | 256 MB | 1 GB before Feb. 2010, 2 GB after | 2 GB | On module |
| 5550 | 256 MB | 4 GB (unchanged in Feb. 2010) | 4 GB | On module |
| 5580-20 | 1 GB | 8 GB (unchanged in Feb. 2010) | 8 GB | N/A |
| 5580-40 | 1 GB | 12 GB (unchanged in Feb. 2010) | 12 GB | N/A |
| 5506-X, 5506H-X, 5506W-X | 8 GB | 4 GB | 1.8 GB | 2.2 GB |
| 5508-X | 8 GB | 8 GB | 4 GB | 4 GB |
| 5512-X | 4 GB | 4 GB | 2 GB | 2 GB |
| 5515-X | 8 GB | 8 GB | 4 GB | 4 GB |
| 5516-X | 8 GB | 8 GB | 4 GB | 4 GB |
| 5525-X | 8 GB | 8 GB | 4 GB | 4 GB |
| 5545-X | 8 GB | 12 GB | 6 GB | 6 GB |
| 5555-X | 8 GB | 16 GB | 8 GB | 8 GB |
| 5585-X with SSP-10 | 2 GB | 6 GB | 6 GB | On module |
| 5585-X with SSP-20 | 2 GB | 12 GB | 12 GB | On module |
| 5585-X with SSP-40 | 2 GB | 12 GB | 12 GB | On module |
| 5585-X with SSP-60 | 2 GB | 24 GB | 24 GB | On module |
| ASASM | 8 GB | 24 GB | 24 GB | N/A |
| Firepower 2110, 2120 | 8 GB | 16 GB | 16 GB | N/A |
| Firepower 2130 | 8 GB | 32 GB | 32 GB | N/A |
| Firepower 2140 | 8 GB | 64 GB | 64 GB | N/A |

For the 5505 through 5580 the shipped DRAM changed in February 2010; the X, 5585-X, ASASM and Firepower rows have a single default.

Memory Requirements

The following sections list the memory requirements for current and legacy models.

Current Models

All current models include enough DRAM to run any supported release. There are no DRAM upgrade kits available. You can optionally install external flash memory to store additional images or other files. See the hardware guide for your model for more information.

Legacy Models

See the following memory requirements for legacy models:

  • ASA 5505—With Version 8.3 through 9.1 only the Unlimited Hosts license and the Security Plus license with failover enabled require 512 MB DRAM; other licenses can use 256 MB. For Version 9.2 and later, all ASA 5505 licenses require 512 MB.
  • ASA 5510, 5520, and 5540—To run 8.3 and later, you need the DRAM amount that shipped by default after February 2010. If you have an earlier unit, you must buy a memory upgrade kit. See Memory Kits.
  • ASA 5510 through 5550—You might need to upgrade the internal flash memory to 512 MB or add external flash memory if you load multiple images of the AnyConnect client along with one or more images of the ASA software, ASDM, client/server plugins, or Cisco Secure Desktop. In particular, you might need to upgrade for multiple AnyConnect 3.0 and higher clients with optional modules.
  • ASA 5520s and ASA 5540s manufactured before August 2011 have four DIMM sockets. ASA 5520s and ASA 5540s manufactured after this date have two DIMM sockets. All ASA 5550s have four DIMM sockets.

Memory Kits

The following table lists the DRAM (also referred to as DIMM) kits.

^ Model ^ Size ^ Part Number ^
| ASA 5505 | 512 MB | ASA5505-MEM-512= |
| ASA 5510 | 1 GB | ASA5510-MEM-1GB= |
| ASA 5520 | 2 GB | ASA5520-MEM-2GB= |
| ASA 5540 | 2 GB | ASA5540-MEM-2GB= |
| ASA 5550 | 4 GB | 2 x ASA5540-MEM-2GB= |

ASA 5510: if you previously purchased the 512 MB upgrade kit (ASA5510-MEM-512=), you must upgrade to the 1 GB memory upgrade kit to run Version 8.3.

CompactFlash Upgrade Kits

The following table lists the CompactFlash upgrade kits available for the ASA 5510 through ASA 5550, for use as internal or external flash memory.

^ Model ^ Size ^ Part Number ^
| ASA 5510 through ASA 5550 | 256 MB | ASA5500-CF-256MB= |
| ASA 5510 through ASA 5550 | 512 MB | ASA5500-CF-512MB= |

ASA Version Notes

From Cisco Secure Firewall ASA Compatibility:

  • ASA 9.18(x) was the final version for the Firepower 4110, 4120, 4140, 4150, and Security Modules SM-24, SM-36, and SM-44 for the Firepower 9300.
  • ASA 9.16(x) was the final version for the ASA 5506-X, 5506H-X, 5506W-X, 5508-X, and 5516-X.
  • ASA 9.14(x) was the final version for the ASA 5525-X, 5545-X, and 5555-X.
  • ASA 9.12(x) was the final version for the ASA 5512-X, 5515-X, 5585-X, and ASASM.
  • ASA 9.2(x) was the final version for the ASA 5505. Later ASDM versions continue to support the ASA 5505.
  • ASA 9.1(x) was the final version for the ASA 5510, 5520, 5540, 5550, and 5580.
  • ASDM versions are backwards compatible with all previous ASA versions, unless otherwise stated. For example, ASDM 7.12(1) can manage an ASA 5515-X on ASA 9.10(1).
  • New ASA versions require the coordinating ASDM version or a later version; you cannot use an old version of ASDM with a new version of ASA. For example, you cannot use ASDM 7.10 with ASA 9.12. For ASA interims, you can continue to use the current ASDM version, unless otherwise stated. For example, you can use ASA 9.12(1.15) with ASDM 7.12(1).
  • ASA 9.8(4.45) and 9.12(4.50) and later require ASDM 7.18(1.152) or later. The ASA now validates whether the ASDM image is a Cisco digitally signed image. If you try to run an older ASDM image than 7.18(1.152) with an ASA version with this fix, ASDM will be blocked and the message “%ERROR: Signature not valid for file disk0:/<filename>” will be displayed at the ASA CLI.
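The rules above are easy to get wrong by hand when picking images for an upgrade, so here is an added example (not Cisco's code) that encodes them as a pre-flight check. It assumes that ASA 9.N pairs with ASDM 7.N, which holds for every pair listed on this page, and it encodes the signed-image requirement only for the two trains the page names (9.8 and 9.12); other trains have their own fixed interims that are not listed here. The model keys in FINAL_TRAIN are this script's own labels, not Cisco product IDs.

```python
"""Pre-flight checks for an ASA/ASDM upgrade.

Added example encoding the compatibility rules listed above; it is not Cisco's
code. Assumptions: ASA 9.N pairs with ASDM 7.N (true for every pair the page
lists), and the ASDM signature requirement is encoded only for the two trains
the page names (other trains have their own fixed interims, not listed here).
"""
import re

# Final ASA train per legacy model, from the compatibility notes above.
# Model keys are this script's own labels, not Cisco PIDs.
FINAL_TRAIN = {
    "5510": (9, 1), "5520": (9, 1), "5540": (9, 1), "5550": (9, 1), "5580": (9, 1),
    "5505": (9, 2),
    "5512-X": (9, 12), "5515-X": (9, 12), "5585-X": (9, 12), "ASASM": (9, 12),
    "5525-X": (9, 14), "5545-X": (9, 14), "5555-X": (9, 14),
    "5506-X": (9, 16), "5506H-X": (9, 16), "5506W-X": (9, 16),
    "5508-X": (9, 16), "5516-X": (9, 16),
    "Firepower 4110": (9, 18), "Firepower 4120": (9, 18),
    "Firepower 4140": (9, 18), "Firepower 4150": (9, 18),
    "SM-24": (9, 18), "SM-36": (9, 18), "SM-44": (9, 18),
}

# First interim per train that enforces ASDM image signatures, and the ASDM it needs.
SIGNED_IMAGE_FROM = {(9, 8): (9, 8, 4, 45), (9, 12): (9, 12, 4, 50)}
SIGNED_IMAGE_MIN_ASDM = (7, 18, 1, 152)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\((\d+)(?:\.(\d+))?\))?(\d+)?$")


def parse_version(text):
    """Parse a Cisco version string into a comparable (major, minor, maint, interim) tuple.

    Accepts both notations used on the page: '9.12(4)58' (release-notes style)
    and '9.8(4.45)' (show version style), as well as a bare train like '9.12'.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, maint, interim_dot, interim_tail = m.groups()
    return (int(major), int(minor), int(maint or 0), int(interim_dot or interim_tail or 0))


def coordinating_asdm(asa):
    """Minimum ASDM train for an ASA train: 9.N -> 7.N (assumption, see above)."""
    if asa[0] != 9:
        raise ValueError("only ASA 9.x trains are covered")
    return (7, asa[1])


def asdm_compatible(asa_text, asdm_text):
    """Return (ok, reason) for managing ASA asa_text with ASDM asdm_text."""
    asa, asdm = parse_version(asa_text), parse_version(asdm_text)
    need = coordinating_asdm(asa)
    if asdm[:2] < need:
        return False, f"ASA {asa_text} needs ASDM {need[0]}.{need[1]} or later"
    threshold = SIGNED_IMAGE_FROM.get(asa[:2])
    if threshold and asa >= threshold and asdm < SIGNED_IMAGE_MIN_ASDM:
        return False, "this ASA validates ASDM image signatures; ASDM 7.18(1.152) or later is required"
    return True, "ok"


def model_supports(model, asa_text):
    """True if the requested ASA train is not past the model's final train."""
    final = FINAL_TRAIN.get(model)
    if final is None:
        return True  # no final train recorded above: treated as a current model
    return parse_version(asa_text)[:2] <= final


if __name__ == "__main__":
    for model, asa, asdm in (("5515-X", "9.12(4)58", "7.19(1)95"),
                             ("5515-X", "9.12(4.50)", "7.12(1)"),
                             ("5505", "9.2(4)33", "7.7(1)151")):
        print(model, asa, asdm, model_supports(model, asa), asdm_compatible(asa, asdm))
```

The second sample line is the trap the last bullet describes: ASDM 7.12(1) is the coordinating train for ASA 9.12, yet 9.12(4.50) refuses it because the image is not signed, and the only symptom on the box is the "%ERROR: Signature not valid" message.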


Traffic shaping not supported on multi-core ASA up to 9.2

CLI Book 2: Cisco ASA Series Firewall CLI Configuration Guide, 9.1 lists:

Model Guidelines

  • Traffic shaping is only supported on the ASA 5505, 5510, 5520, 5540, and 5550. Multi-core models (such as the ASA 5500-X) do not support shaping.
  • (ASA 5580) You cannot create a standard priority queue for a Ten Gigabit Ethernet interface. Note : For the ASA 5585-X, standard priority queuing is supported on a Ten Gigabit Interface.
  • (ASA 5512-X through ASA 5555-X) Priority queuing is not supported on the Management 0/0 interface.
  • (ASASM) Only policing is supported.

These limitations are also listed for ASA 9.2 on CLI Book 2: Cisco ASA Series Firewall CLI Configuration Guide, 9.2.

They no longer appear for ASA 9.4 in CLI Book 2: Cisco ASA Series Firewall CLI Configuration Guide, 9.4.

Traffic Shaping/Policing

Management

GitHub - DiogoAndre/napalm-asa-asdm This is a NAPALM community driver for the Cisco ASA platform, using the ASDM HTTPS interface as means to communicate with the device.
GitHub - napalm-automation-community/napalm-asa This is a NAPALM community driver for the Cisco ASA platform, using the ASA REST interface. The REST API is only available from software version 9.3.2 and up, and on the 5500-X series, ASAv, ASA on Firepower and ISA 3000 platforms.

GitHub - rhwendt/asdm This is a cli asdm launcher. It will automatically add the ASA to the java exceptions list.

ASDM

ASDM 7.18+ on OpenBSD

Tested on OpenBSD/AMD64 7.2, with ASA 9.12(4)58 and ASDM 7.19(1)95.
When used this way, ASDM 7.19(1)95 keeps asking to set an enable password on start, even when it is already set, and to apply changes on close, even when there are no changes.

Based on William Lieurance's Tech Blog - Running Cisco ASDM 7.18 or 7.19 on Linux.

Starting with ASDM 7.18 there is no asdm.jnlp Java WebStart file anymore. To run ASDM you have to install the ASDM Launcher, but Cisco only provides installers for macOS (dm-launcher.dmg) and Windows (dm-launcher.msi).

You can download the necessary jar files from the ASA (replace 10.10.10.1 with the IP of the ASA):

export ipaddr=10.10.10.1
wget --no-check-certificate https://${ipaddr}/admin/public/jploader.jar
wget --no-check-certificate https://${ipaddr}/admin/public/dm-launcher.jar
wget --no-check-certificate https://${ipaddr}/admin/public/lzma.jar
wget --no-check-certificate https://${ipaddr}/admin/public/retroweaver-rt-2.0.jar

But you'd still need the cert.pem certificate file, and I haven't yet found the correct URL to download this from the ASA, so you should get it from either dm-launcher.dmg or dm-launcher.msi. In this case I'll be using 7zip to extract all needed files from dm-launcher.msi. Note that --no-check-certificate turns off TLS verification entirely, so anyone on the path to the ASA could hand you different jars; only do this over a network path you trust, or check that the jars match the copies extracted from dm-launcher.msi below.

The following assumes everything should end up in the current directory.

  • Install 7zip:
    pkg_add -i p7zip
  • Open a web browser, and download the dm-launcher.msi from https://IP-ADDRESS/admin/dm-launcher.msi, log in with your enable password when asked to login.
    • Change IP-ADDRESS to the IP address of your ASA.
  • Extract Data1.cab from the msi with 7zip:
    7z x dm-launcher.msi Data1.cab
  • Extract all .jar, and all .pem files from the MSI:
    7z x Data1.cab *.jar *.pem
  • Create an asdm.sh with content:
    #!/bin/sh
    export JAVA_HOME=/usr/local/jdk-1.8.0/
    $JAVA_HOME/bin/java -Xms64m -Xmx512m -Djava.util.Arrays.useLegacyMergeSort=true -Dhttp.agent=ASDM -cp asdm_launcher.jar:jploader.jar:lzma.jar:retroweaver_rt_2.0.jar com.cisco.launcher.Launcher cert.pem
    • The classpath uses the jar names as extracted from dm-launcher.msi (asdm_launcher.jar, retroweaver_rt_2.0.jar). The copies fetched directly from the ASA are named dm-launcher.jar and retroweaver-rt-2.0.jar, so adjust the -cp list if you use those instead.
  • Mark asdm.sh as executable:
    chmod +x asdm.sh
  • Make sure JDK 1.8 is installed:
    • Install the jdk package:
      pkg_add -i jdk
    • When asked which version, choose the jdk-1.8.0 version.
  • Start the ASDM:
    ./asdm.sh
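The wget step above disables certificate checking. As an added example (not part of the original page or of Cisco's tooling), here is the same download done with certificate pinning: the SHA-256 fingerprint of the ASA's HTTPS certificate is taken once over a trusted path (for example from the console with show crypto ca certificates, or from a management host that already trusts it) and every connection is refused unless the presented certificate matches it. The jar paths and the com.cisco.launcher.Launcher class are the ones used on this page; the asdm.sh it writes uses the ASA-served jar names, so it differs from the MSI-based script above only in the -cp list. cert.pem still has to come from the dm-launcher installer.

```python
"""Fetch the ASDM launcher jars from an ASA with certificate pinning instead of
wget --no-check-certificate, then write the asdm.sh launcher.

Added example, not part of the original page or of Cisco's tooling. Assumptions:
the jar paths are those used in the wget commands on the page; the pin is the
SHA-256 fingerprint of the ASA's HTTPS certificate, obtained once out of band.
"""
import hashlib
import http.client
import ssl
import sys
from pathlib import Path

# Served without login by the ASA, as used by the wget commands on the page.
JARS = ("jploader.jar", "dm-launcher.jar", "lzma.jar", "retroweaver-rt-2.0.jar")


def sha256_fingerprint(der_cert):
    """Colon-separated upper-case SHA-256 fingerprint of a DER-encoded certificate."""
    hexdigest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def pinned_https(host, expected_fp, timeout=30):
    """Open one HTTPS connection and refuse it unless the leaf cert matches the pin.

    Chain validation is off because the ASA normally presents a self-signed
    certificate; the fingerprint comparison replaces it. A fresh connection is
    used per fetch so http.client can never silently reconnect unpinned.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, 443, context=ctx, timeout=timeout)
    conn.connect()
    seen = sha256_fingerprint(conn.sock.getpeercert(binary_form=True))
    if seen != expected_fp.upper():
        conn.close()
        raise ssl.SSLCertVerificationError(f"pin mismatch for {host}: got {seen}")
    return conn


def fetch(host, expected_fp, path):
    """GET one path over a pinned connection and return the body."""
    conn = pinned_https(host, expected_fp)
    try:
        conn.request("GET", path, headers={"User-Agent": "ASDM"})
        resp = conn.getresponse()
        body = resp.read()
    finally:
        conn.close()
    if resp.status != 200:
        raise RuntimeError(f"GET {path} -> HTTP {resp.status}")
    return body


def asdm_sh(java_home="/usr/local/jdk-1.8.0", jars=JARS, cert="cert.pem"):
    """Return the launcher script for the jar names actually downloaded."""
    return (
        "#!/bin/sh\n"
        f"export JAVA_HOME={java_home}\n"
        f'exec "$JAVA_HOME/bin/java" -Xms64m -Xmx512m '
        "-Djava.util.Arrays.useLegacyMergeSort=true -Dhttp.agent=ASDM "
        f"-cp {':'.join(jars)} com.cisco.launcher.Launcher {cert}\n"
    )


def main(host, expected_fp, dest="."):
    dest = Path(dest)
    for jar in JARS:
        (dest / jar).write_bytes(fetch(host, expected_fp, f"/admin/public/{jar}"))
    script = dest / "asdm.sh"
    script.write_text(asdm_sh())
    script.chmod(0o755)
    print(f"wrote {len(JARS)} jars and {script}; cert.pem still comes from dm-launcher.msi/.dmg")


if __name__ == "__main__":
    # usage: python asdm_fetch.py 10.10.10.1 E3:B0:C4:...:55
    if len(sys.argv) == 3:
        main(sys.argv[1], sys.argv[2])
    else:
        print(__doc__)
```

If the ASA's certificate is ever regenerated (for example after a reimage or a trustpoint change), the pin must be updated by the same out-of-band route; a mismatch is the script refusing to download, which is the intended failure mode.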

Proof that it works:

Run another OS on ASA

cisco/firewall/misc.txt · Last modified: 2024/05/08 21:37 by bas
