Saturday, January 7, 2017

Upgrading the Image of a Cisco ASA 5516-X

I was fortunate to configure and install a Cisco ASA 5516-X firewall for a site in Thailand. The visio stencil for Cisco ASA 5516-X and 5508-X aren't available yet (as of this writing) in Cisco's stencil website but someone in Cisco Support Community forum was generous to share this personally created stencil. Below are the front and back panel of an Cisco ASA 5516-X firewall.



Rom image verified correctly

Cisco Systems ROMMON, Version 1.1.8, RELEASE SOFTWARE
Copyright (c) 1994-2015  by Cisco Systems, Inc.
Compiled Thu 06/18/2015 12:15:56.43 by builders

Current image running: Boot ROM1

Last reset cause: PowerOn

DIMM Slot 0 : Present

DIMM Slot 1 : Present


Platform ASA5516 with 8192 Mbytes of main memory

MAC Address: 00:fe:c8:41:41:23


Use BREAK or ESC to interrupt boot.

Use SPACE to begin boot immediately.


Boot in 10 seconds.


Located '.boot_string' @ cluster 821499.

#

Attempt autoboot: "boot disk0:"

Located 'asa951-lfbff-k8.spa' @ cluster 11.

############################################################
LFBFF signature verified.


INIT: version 2.88 booting

Starting udev
Configuring network interfaces... done.
Populating dev cache
dosfsck 2.11, 12 Mar 2005, FAT32, LFN
There are differences between boot sector and its backup.
Differences: (offset:original/backup)
  65:01/00
  Not automatically fixing this.
Starting check/repair pass.
Starting verification pass.
/dev/sdb1: 110 files, 811208/1918808 clusters
dosfsck(/dev/sdb1) returned 0
Processor memory 3754858905

Compiled on Wed 12-Aug-15 12:18 PDT by builders

Total NICs found: 13
i354 rev03 Gigabit Ethernet @ irq255 dev 20 index 08 MAC: 00fe.c841.4ea8
ivshmem rev03 Backplane Data Interface     @ index 09 MAC: 0000.0001.0002
en_vtun rev00 Backplane Control Interface  @ index 10 MAC: 0000.0001.0001
en_vtun rev00 Backplane Int-Mgmt Interface     @ index 11 MAC: 0000.0001.0003
en_vtun rev00 Backplane Ext-Mgmt Interface     @ index 12 MAC: 0000.0000.0000

INFO: Unable to read cluster interface-mode from flash
        Writing default mode "None" to flash
Verify the activation-key, it might take a while...
Running Permanent Activation Key: 0x512bf123 0x643f9456 0xb082c789 0x8bdc5abc 0x06072def

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 150            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 2              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 4              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 300            perpetual
Total VPN Peers                   : 300            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
Total UC Proxy Sessions           : 1000           perpetual
Botnet Traffic Filter             : Disabled       perpetual
Cluster                           : Disabled       perpetual
VPN Load Balancing                : Enabled        perpetual

Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)

Cisco Adaptive Security Appliance Software Version 9.5(1)

  ****************************** Warning *******************************
  This product contains cryptographic features and is
  subject to United States and local country laws
  governing, import, export, transfer, and use.
  Delivery of Cisco cryptographic products does not
  imply third-party authority to import, export,
  distribute, or use encryption. Importers, exporters,
  distributors and users are responsible for compliance
  with U.S. and local country laws. By using this
  product you agree to comply with applicable laws and
  regulations. If you are unable to comply with U.S.
  and local laws, return the enclosed items immediately.

  A summary of U.S. laws governing Cisco cryptographic
  products may be found at:
  http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

  If you require further assistance please contact us by
  sending email to export@cisco.com.
  ******************************* Warning *******************************

libgcc, version 4.8.1, Copyright (C) 2007 Free Software Foundation, Inc.
libgcc comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.3 (http://www.gnu.org/licenses/gpl-3.0.html)
See User Manual (''Licensing'') for details.

libstdc++, version 4.8.23, Copyright (C) 2007 Free Software Foundation, Inc.
libstdc++ comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.

Mdadm tools, version 3.2.6, Copyright (C) 1989, 1991 Free Software Foundation, Inc.
Copyright (C) 2002-2009 Neil Brown <neilb@suse.de>
mdadm comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.

Cisco Adaptive Security Appliance Software, version 9.5
Copyright (c) 1996-2015 by Cisco Systems, Inc.
For licenses and notices for open source software used in this product, please visit
http://www.cisco.com/go/asa-opensource

                Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

                Cisco Systems, Inc.
                170 West Tasman Drive
                San Jose, California 95134-1706

Reading from flash...
!.
Cryptochecksum (unchanged): dee26e3b 1a333d4c 1cace476 b644621b

INFO: Power-On Self-Test in process.
.......................................................................
INFO: Power-On Self-Test complete.

INFO: Starting HW-DRBG health test...
INFO: HW-DRBG health test passed.

INFO: Starting SW-DRBG health test...
INFO: SW-DRBG health test passed.
Type help or '?' for a list of available commands.

ciscoasa> enable
Password:    // JUST PRESS ENTER

ciscoasa# dir

Directory of disk0:/

94     -rwx  74369568     13:54:48 Nov 28 2015  asa951-lfbff-k8.spa
95     -rwx  25025404     13:55:06 Nov 28 2015  asdm-751.bin
96     -rwx  33           15:12:38 Nov 28 2015  .boot_string
11     drwx  4096         13:58:06 Nov 28 2015  log
21     drwx  4096         13:58:58 Nov 28 2015  crypto_archive
22     drwx  4096         13:59:00 Nov 28 2015  coredumpinfo

7859437568 bytes total (4536729600 bytes free)

ciscoasa#

ciscoasa# show run
: Saved

:
: Serial Number: JAD19480123
: Hardware:   ASA5516, 8192 MB RAM, CPU Atom C2000 series 2416 MHz, 1 CPU (8 cores)
:
ASA Version 9.5(1)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
 nat (any,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5

no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:dee26e3b1a333d4c1cace476b644621b
: end

ciscoasa# dir ?

  /all             List all files
  /recursive       List files recursively
  all-filesystems  List files on all filesystems
  disk0:           Directory or file name
  disk1:           Directory or file name      // USB FLASH DRIVE INSERTED
  flash:           Directory or file name
  system:          Directory or file name
  <cr>

ciscoasa# dir disk1:

Directory of disk1:/

115    -rwx  62682268     12:04:58 Mar 29 2012  c2900-universalk9-mz.SPA.150-1.M4.bin
116    -rwx  4968160      11:44:34 Dec 09 2014  TeamViewerQS_en-idch93gk2g.exe
117    -rwx  125231421    17:00:24 Feb 12 2015  lms5.1.bin
118    -rwx  95947928     08:01:34 Sep 26 2015  c2900-universalk9-mz.SPA.153-3.M6.bin
119    -rwx  302988468    14:29:12 Mar 29 2016  cat3k_caa-universalk9.SPA.03.06.04.E.152-2.E4.bin
120    -rwx  97911420     18:25:44 Mar 27 2015  c3900-universalk9-mz.SPA.154-1.T1.bin
121    -rwx  52420608     13:13:32 Apr 01 2016  asa924-8-smp-k8.bin
122    -rwx  69285888     14:55:24 Mar 24 2016  asa942-11-smp-k8.bin
123    -rwx  1402         23:39:00 Jun 30 2016  BOOTEX.LOG
125    -rwx  45424992     13:59:18 Aug 12 2016  c2800nm-advsecurityk9-mz.151-4.M10.bin
126    -rwx  25819140     21:45:52 Nov 26 2016  asdm-761.bin
127    -rwx  86678080     21:48:12 Nov 26 2016  asa961-10-lfbff-k8.SPA
128    -rwx  174131122    06:30:38 Nov 25 2016  AIR-CT2500-K9-8-0-140-0.aes
129    -rwx  420461412    05:54:08 Nov 25 2016  isr4300-universalk9.03.13.06a.S.154-3.S6a-ext.SPA.bin

2013200384 bytes total (448921600 bytes free)


ciscoasa# show bootvar

BOOT variable =
Current BOOT variable =
CONFIG_FILE variable =
Current CONFIG_FILE variable =

ciscoasa# show run boot

ciscoasa# dir

Directory of disk0:/

94     -rwx  74369568     13:54:48 Nov 28 2015  asa951-lfbff-k8.spa
95     -rwx  25025404     13:55:06 Nov 28 2015  asdm-751.bin
96     -rwx  33           15:12:38 Nov 28 2015  .boot_string
11     drwx  4096         13:58:06 Nov 28 2015  log
21     drwx  4096         13:58:58 Nov 28 2015  crypto_archive
22     drwx  4096         13:59:00 Nov 28 2015  coredumpinfo

7859437568 bytes total (4536729600 bytes free)


ciscoasa# copy disk1:/asa961-10-lfbff-k8.SPA disk0:

Source filename [asa961-10-lfbff-k8.SPA]?

Destination filename [asa961-10-lfbff-k8.SPA]?

Copy in progress...CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
Done!
Computed Hash   SHA2: 9a63472ffae36c28ba572248372e639e
                      04661962d91b1e66100c0dd2b1319c23
                      0e05e02346015885babf75eef19893fd
                      75ae7a13e31b3df61681c58ded963680
                     
Embedded Hash   SHA2: 9a63472ffae36c28ba572248372e639e
                      04661962d91b1e66100c0dd2b1319c23
                      0e05e02346015885babf75eef19893fd
                      75ae7a13e31b3df61681c58ded963680
                     

Digital signature successfully validated
Writing file disk0:/asa961-10-lfbff-k8.SPA...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
86678080 bytes copied in 25.50 secs (3467123 bytes/sec)

ciscoasa# copy disk1:/asdm-761.bin disk0:


Source filename [asdm-761.bin]?


Destination filename [asdm-761.bin]?

Copy in progress...CCCCCCCCCCCCCCCCCCCCCCCCCCC
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
!!!!!!!!!!!!!!!!!!!!!!!!!
INFO: No digital signature found
25819140 bytes copied in 6.390 secs (4303190 bytes/sec)


ciscoasa# configure terminal
ciscoasa(config)#

***************************** NOTICE *****************************

Help to improve the ASA platform by enabling anonymous reporting,
which allows Cisco to securely receive minimal error and health
information from the device. To learn more about this feature,
please visit: http://www.cisco.com/go/smartcall

Would you like to enable anonymous error reporting to help improve

the product? [Y]es, [N]o, [A]sk later:

ciscoasa(config)#

ciscoasa(config)# boot system disk0:/asa961-10-lfbff-k8.SPA

ciscoasa(config)# asdm image disk0:/asdm-761.bin

ciscoasa(config)# end

ciscoasa#

ciscoasa# show bootvar

BOOT variable =
Current BOOT variable = disk0:/asa961-10-lfbff-k8.SPA
CONFIG_FILE variable =
Current CONFIG_FILE variable =


ciscoasa#show run asdm
asdm image disk0:/asdm-761.bin
no asdm history enable

ciscoasa(config)# end

ciscoasa# write memory
Building configuration...
Cryptochecksum: 431b791f ef0b8e02 fdc91c8c 26d1aa95

3204 bytes copied in 0.90 secs
[OK]

ciscoasa#

ciscoasa# reload
Proceed with reload? [confirm]

ciscoasa#


***
*** --- START GRACEFUL SHUTDOWN ---
Shutting down isakmp
Shutting down webvpn
Shutting down sw-module


ciscoasa#

ciscoasa# Shutting down License Controller
Shutting down File system



***
*** --- SHUTDOWN NOW ---
Process shutdown finished
Rebooting.....


<OUTPUT TRUNCATED>


Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)

Cisco Adaptive Security Appliance Software Version 9.6(1)10

  ****************************** Warning *******************************
  This product contains cryptographic features and is
  subject to United States and local country laws
  governing, import, export, transfer, and use.
  Delivery of Cisco cryptographic products does not
  imply third-party authority to import, export,
  distribute, or use encryption. Importers, exporters,
  distributors and users are responsible for compliance
  with U.S. and local country laws. By using this
  product you agree to comply with applicable laws and
  regulations. If you are unable to comply with U.S.
  and local laws, return the enclosed items immediately.

  A summary of U.S. laws governing Cisco cryptographic
  products may be found at:
  http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

  If you require further assistance please contact us by
  sending email to export@cisco.com.
  ******************************* Warning *******************************
Cisco Adaptive Security Appliance Software, version 9.6
Copyright (c) 1996-2016 by Cisco Systems, Inc.
For licenses and notices for open source software used in this product, please visit
http://www.cisco.com/go/asa-opensource

                Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

                Cisco Systems, Inc.
                170 West Tasman Drive
                San Jose, California 95134-1706

Ignoring the rest of the file
Reading from flash...
!.
Cryptochecksum (unchanged): 431b791f ef0b8e02 fdc91c8c 26d1aa95

INFO: Power-On Self-Test in process.
.......................................................................
INFO: Power-On Self-Test complete.

INFO: Starting HW-DRBG health test...
INFO: HW-DRBG health test passed.

INFO: Starting SW-DRBG health test...
INFO: SW-DRBG health test passed.
Type help or '?' for a list of available commands.

ciscoasa> enable
Password:    // PRESS ENTER

ciscoasa# show version

Cisco Adaptive Security Appliance Software Version 9.6(1)10
Device Manager Version 7.6(1)

Compiled on Tue 09-Aug-16 17:47 PDT by builders
System image file is "disk0:/asa961-10-lfbff-k8.SPA"
Config file at boot was "startup-config"

ciscoasa up 1 min 14 secs

Hardware:   ASA5516, 8192 MB RAM, CPU Atom C2000 series 2416 MHz, 1 CPU (8 cores)
Internal ATA Compact Flash, 8192MB
BIOS Flash M25P64 @ 0xfed01000, 16384KB

Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
                             Number of accelerators: 1

 1: Ext: GigabitEthernet1/1  : address is 00fe.c841.4ea9, irq 255
 2: Ext: GigabitEthernet1/2  : address is 00fe.c841.4eaa, irq 255
 3: Ext: GigabitEthernet1/3  : address is 00fe.c841.4eab, irq 255
 4: Ext: GigabitEthernet1/4  : address is 00fe.c841.4eac, irq 255
 5: Ext: GigabitEthernet1/5  : address is 00fe.c841.4ead, irq 255
 6: Ext: GigabitEthernet1/6  : address is 00fe.c841.4eae, irq 255
 7: Ext: GigabitEthernet1/7  : address is 00fe.c841.4eaf, irq 255
 8: Ext: GigabitEthernet1/8  : address is 00fe.c841.4eb0, irq 255
 9: Int: Internal-Data1/1    : address is 00fe.c841.4ea8, irq 255
10: Int: Internal-Data1/2    : address is 0000.0001.0002, irq 0
11: Int: Internal-Control1/1 : address is 0000.0001.0001, irq 0
12: Int: Internal-Data1/3    : address is 0000.0001.0003, irq 0
13: Ext: Management1/1       : address is 00fe.c841.4ea8, irq 0

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 150            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 2              perpetual
Carrier                           : Disabled       perpetual
AnyConnect Premium Peers          : 4              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 300            perpetual
Total VPN Peers                   : 300            perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
Shared License                    : Disabled       perpetual
Total UC Proxy Sessions           : 1000           perpetual

Botnet Traffic Filter             : Disabled       perpetual
Cluster                           : Enabled        perpetual
Cluster Members                   : 2              perpetual
VPN Load Balancing                : Enabled        perpetual

Serial Number: JAD19480123
Running Permanent Activation Key: 0x512bf276 0x643f9735 0xb082c1a8 0x8bdc5abc 0x06072123
Configuration register is 0x1
Image type                : Release
Key Version               : A
Configuration has not been modified since last system restart.

No comments:

Post a Comment