Friday, October 15, 2021

Cisco ASA Multiple-Context (Context-Based) Firewall login Command

A note on AAA and the local username database on a Cisco ASA running in multiple-context mode. When the remote AAA server (TACACS+ or RADIUS) is unreachable and the ASA falls back to the LOCAL database, use the login command rather than enable to get privileged access with a local privilege-15 account. Entering privileged mode with enable attributes the session to the built-in enable_15 identity for command authorization; that identity is not in the local database, so with local command authorization in effect (aaa authorization command ... LOCAL) every show and configure command is rejected, as the first transcript below shows. The login command authenticates the session as the named local user, so you can change to a context and run show and global configuration commands normally.

ciscoasa/pri/act> enable

Username: cisco-admin

Password: ***********

ciscoasa/pri/act# changeto context admin

ciscoasa/pri/act/admin# show run interface Management0/0

Fallback authorization. Username 'enable_15' not in LOCAL database

Command authorization failed

 

ciscoasa/pri/act/admin# configure terminal

Command authorization failed

 

 

ciscoasa/pri/act> login

Username: cisco-admin

Password: ***********

ciscoasa/pri/act# changeto context admin

ciscoasa/pri/act/admin# show run interface Management0/0

!

interface Management0/0

 management-only

 nameif management

 security-level 100

 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2

 

Sunday, July 4, 2021

Configuring Objects in a Cisco ASA Firewall

Cisco ASA objects and object groups let you write one rule where you would otherwise need many ACL entries. I needed to tighten ("harden") our SIP connection to an external SIP gateway on the Internet, so instead of configuring multiple ACL entries I configured network and service object groups on the ASA and referenced them from a single ACE.

ciscoassa# configure terminal
ciscoassa(config)# object-group network SIP-EXTERNAL
ciscoassa(config-network-object-group)# network-object ?

network-object-group mode commands/options:
  Hostname or A.B.C.D                     Enter an IPv4 network address
  Hostname/<0-128> or X:X:X:X::X/<0-128>  Enter an IPv6 prefix
  host                                    Enter this keyword to specify a
                                          single host object
  object                                  Enter this keyword to specify a
                                          network object
ciscoassa(config-network-object-group)# network-object host 208.7.8.1
ciscoassa(config-network-object-group)# network-object host 208.7.8.2

ciscoassa(config)# object-group network SIP-INTERNAL
ciscoassa(config-network-object-group)# network-object host 192.168.1.6
ciscoassa(config-network-object-group)# network-object host 192.168.1.7

ciscoassa(config)# object-group service SIP-PROTOCOLS
ciscoassa(config-service-object-group)# service-object ?

dual-service-object-group mode commands/options:
  <0-255>  Enter protocol number (0 - 255)
  ah      
  eigrp   
  esp     
  gre     
  icmp    
  icmp6   
  igmp    
  igrp    
  ip      
  ipinip  
  ipsec   
  nos     
  object   Enter this keyword to specify a service object
  ospf    
  pcp     
  pim     
  pptp    
  sctp    
  snp     
  tcp     
  tcp-udp  Both TCP & UDP
  udp     
ciscoassa(config-service-object-group)# service-object udp ? 

dual-service-object-group mode commands/options:
  destination  Keyword to specify destination
  source       Keyword to specify source
  <cr>
dual-service-object-group mode commands/options:
  <0-65535>          Enter port number (0 - 65535)
  biff              
  bootpc            
  bootps            
  cifs              
  discard           
  dnsix             
  domain            
  echo              
  http              
  isakmp            
  kerberos          
  mobile-ip         
  nameserver        
  netbios-dgm       
  netbios-ns        
  nfs               
  ntp               
  pcanywhere-status 
  pim-auto-rp       
  radius            
  radius-acct       
  rip               
  secureid-udp      
  sip               
  snmp              
  snmptrap          
  sunrpc            
  syslog            
  tacacs            
  talk              
  tftp              
  time              
  vxlan             
  who               
  www               
  xdmcp                    
ciscoassa(config-service-object-group)# service-object udp destination ?

dual-service-object-group mode commands/options:
  eq     Port equal to operator
  gt     Port greater than  operator
  lt     Port less than operator
  neq    Port not equal to operator
  range  Port range operator
ciscoassa(config-service-object-group)# service-object udp destination eq 5060
ciscoassa(config-service-object-group)# service-object tcp destination eq 5060
ciscoassa(config-service-object-group)# service-object udp destination range 5000 60000

ciscoassa(config)# show object
object-group network SIP-EXTERNAL
 network-object host 208.7.8.1
 network-object host 208.7.8.2
object-group service SIP-PROTOCOLS
 service-object udp destination eq sip
 service-object tcp destination eq sip
 service-object udp destination range 5000 60000
object-group network SIP-INTERNAL
 network-object host 192.168.1.6
 network-object host 192.168.1.7

ciscoassa(config)# access-list SIP-OUTSIDE-IN extended permit ?

configure mode commands/options:
  <0-255>       Enter protocol number (0 - 255)
  ah           
  eigrp        
  esp          
  gre          
  icmp         
  icmp6        
  igmp         
  igrp         
  ip           
  ipinip       
  ipsec        
  nos          
  object        Specify a service object after this keyword
  object-group  Specify a service or protocol object-group after this keyword
  ospf         
  pcp          
  pim          
  pptp         
  sctp         
  snp          
  tcp          
  udp          
ciscoassa(config)# access-list SIP-OUTSIDE-IN extended permit object-group ?

configure mode commands/options:
  WORD  Service or protocol object-group name
ciscoassa(config)# access-list SIP-OUTSIDE-IN extended permit object-group SIP-PROTOCOLS ?                 

configure mode commands/options:
  A.B.C.D                Source IP address
  X:X:X:X::X/<0-128>     Source IPv6 address/prefix
  any                    Abbreviation for source address/mask of
                         0.0.0.0/0.0.0.0 OR source prefix ::/0
  any4                   Abbreviation of source address and mask of 0.0.0.0
                         0.0.0.0
  any6                   Abbreviation for source prefix ::/0
  host                   Use this keyword to configure source host
  interface              Use interface address as source address
  object                 Keyword to enter source object name
  object-group           Network object-group for source address
  object-group-security  Keyword to specify security object-group for source
  object-group-user      Keyword to specify user object-group for source
  security-group         Keyword to specify inline security-group
  user                   Keyword to specify user for source
  user-group             Keyword to specify user-group for source
ciscoassa(config)# access-list SIP-OUTSIDE-IN extended permit object-group SIP-PROTOCOLS object-group SIP-EXTERNAL ?                 

configure mode commands/options:
  A.B.C.D                Destination IP address
  X:X:X:X::X/<0-128>     Destination IPv6 address/prefix
  any                    Abbreviation for destination address/mask of
                         0.0.0.0/0.0.0.0 OR destination prefix ::/0
  any4                   Abbreviation for destination address and mask of
                         0.0.0.0 0.0.0.0
  any6                   Abbreviation for destination prefix ::/0
  host                   Use this keyword to configure destination host
  interface              Use interface address as destination address
  object                 Keyword to enter destination object name
  object-group           Network object-group for destination address
  object-group-security  Keyword to specify security object-group for
                         destination
  security-group         Keyword to specify inline security-group
ciscoassa(config)# access-list SIP-OUTSIDE-IN extended permit object-group SIP-PROTOCOLS object-group SIP-EXTERNAL object-group SIP-INTERNAL   // ONLY A SINGLE ACE

ciscoassa(config)# show run access-list
access-list SIP-OUTSIDE-IN extended permit object-group SIP-PROTOCOLS object-group SIP-EXTERNAL object-group SIP-INTERNAL

ciscoassa(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list SIP-OUTSIDE-IN line 1 extended permit object-group SIP-PROTOCOLS object-group SIP-EXTERNAL object-group SIP-INTERNAL (hitcnt=0) 0xc506ba7b
  access-list SIP-OUTSIDE-IN line 1 extended permit udp host 208.7.8.1 host 192.168.1.6 eq sip (hitcnt=0) 0xa581f8ec
  access-list SIP-OUTSIDE-IN line 1 extended permit udp host 208.7.8.1 host 192.168.1.7 eq sip (hitcnt=0) 0xe8109d83
  access-list SIP-OUTSIDE-IN line 1 extended permit udp host 208.7.8.2 host 192.168.1.6 eq sip (hitcnt=0) 0xcd331db8
  access-list SIP-OUTSIDE-IN line 1 extended permit udp host 208.7.8.2 host 192.168.1.7 eq sip (hitcnt=0) 0x401975dd
  access-list SIP-OUTSIDE-IN line 1 extended permit tcp host 208.7.8.1 host 192.168.1.6 eq sip (hitcnt=0) 0x22d073e8
  access-list SIP-OUTSIDE-IN line 1 extended permit tcp host 208.7.8.1 host 192.168.1.7 eq sip (hitcnt=0) 0x08a4966a
  access-list SIP-OUTSIDE-IN line 1 extended permit tcp host 208.7.8.2 host 192.168.1.6 eq sip (hitcnt=0) 0x9747ecca
  access-list SIP-OUTSIDE-IN line 1 extended permit tcp host 208.7.8.2 host 192.168.1.7 eq sip (hitcnt=0) 0x41479753
  access-list SIP-OUTSIDE-IN line 1 extended permit udp host 208.7.8.1 host 192.168.1.6 range 5000 60000 (hitcnt=0) 0x98df0f49
  access-list SIP-OUTSIDE-IN line 1 extended permit udp host 208.7.8.1 host 192.168.1.7 range 5000 60000 (hitcnt=0) 0x3542d660
  access-list SIP-OUTSIDE-IN line 1 extended permit udp host 208.7.8.2 host 192.168.1.6 range 5000 60000 (hitcnt=0) 0xcbde7f33
  access-list SIP-OUTSIDE-IN line 1 extended permit udp host 208.7.8.2 host 192.168.1.7 range 5000 60000 (hitcnt=0) 0x2b5bdc5b
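What the ASA is doing when it turns that single object-group ACE into the twelve element ACEs above, as an added example (my code, not from the post or from Cisco): a small Python model that expands service x source x destination in the order show access-list prints them, tests candidate packets against the result the way the ACL would, and measures how many UDP ports the rule actually opens. The group contents are hand-copied from the configuration above; nothing is read from a device, and the test addresses such as 203.0.113.9 are constructed.

```python
"""Expand an ASA object-group ACE into element ACEs and test packets against them.

Added example, not from the post: the groups below are hand-copied from the
SIP-OUTSIDE-IN configuration; nothing is pulled from a device."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from itertools import product

# object-group network entries ('host x.x.x.x' is a /32; a subnet entry would be wider)
NETWORK_GROUPS = {
    "SIP-EXTERNAL": [ip_network("208.7.8.1/32"), ip_network("208.7.8.2/32")],
    "SIP-INTERNAL": [ip_network("192.168.1.6/32"), ip_network("192.168.1.7/32")],
}
# object-group service entries as (protocol, destination low port, destination high port).
# The ASA stores 'eq 5060' as 'eq sip'; numerically it is the range 5060-5060.
SERVICE_GROUPS = {
    "SIP-PROTOCOLS": [("udp", 5060, 5060), ("tcp", 5060, 5060), ("udp", 5000, 60000)],
}


@dataclass(frozen=True)
class Ace:
    proto: str
    src: IPv4Network
    dst: IPv4Network
    dport_lo: int
    dport_hi: int

    def matches(self, proto, src, dst, dport):
        return (proto == self.proto
                and ip_address(src) in self.src
                and ip_address(dst) in self.dst
                and self.dport_lo <= dport <= self.dport_hi)

    def text(self):
        """Render the way 'show access-list' prints an element ACE (ports kept numeric)."""
        def net(n):
            return f"host {n.network_address}" if n.prefixlen == 32 else f"{n.network_address} {n.netmask}"
        ports = (f"eq {self.dport_lo}" if self.dport_lo == self.dport_hi
                 else f"range {self.dport_lo} {self.dport_hi}")
        return f"permit {self.proto} {net(self.src)} {net(self.dst)} {ports}"


def expand(service_group, src_group, dst_group):
    """One object-group ACE = service x source x destination.

    Service is the outer loop, then source, then destination: the order in
    which the ASA lists the element ACEs under the parent entry."""
    return [Ace(proto, src, dst, lo, hi)
            for (proto, lo, hi), src, dst in product(SERVICE_GROUPS[service_group],
                                                     NETWORK_GROUPS[src_group],
                                                     NETWORK_GROUPS[dst_group])]


def first_match(aces, proto, src, dst, dport):
    """First element ACE that permits the packet, or None (the ACL's implicit deny)."""
    return next((a for a in aces if a.matches(proto, src, dst, dport)), None)


def udp_port_span(aces):
    """Distinct UDP destination ports the rule opens per source/destination pair."""
    ports = set()
    for a in aces:
        if a.proto == "udp":
            ports.update(range(a.dport_lo, a.dport_hi + 1))
    return len(ports)


if __name__ == "__main__":
    aces = expand("SIP-PROTOCOLS", "SIP-EXTERNAL", "SIP-INTERNAL")
    print(len(aces), "element ACEs")
    for a in aces:
        print(" ", a.text())
    print("UDP destination ports opened per host pair:", udp_port_span(aces))
```

Run it and you get the same twelve element ACEs the appliance shows, in the same order. Two follow-ups the post stops short of: the ACL only takes effect once it is bound with access-group SIP-OUTSIDE-IN in interface outside, after which the hitcnt values in show access-list tell you which element ACE each call actually used; and the udp range 5000 60000 entry opens 55001 destination ports per host pair. If inspect sip is enabled in the global policy, the ASA opens the RTP/RTCP pinholes for each call dynamically, which lets you narrow that static range to what the gateway actually needs.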
 

Saturday, April 17, 2021

Cisco ASA Firewall 'shun' Command

There's a quick and easy way to block an external (public) IP address without creating an ACL: the Cisco ASA shun feature. It is useful when the ASA has no Firepower service module enabled (just a stateful firewall). Below is an example using an IP address that was reported as hosting malware.



C:\Users\User>ping 183.131.207.66

Pinging 183.131.207.66 with 32 bytes of data:
Reply from 183.131.207.66: bytes=32 time=74ms TTL=48
Reply from 183.131.207.66: bytes=32 time=76ms TTL=48
Reply from 183.131.207.66: bytes=32 time=74ms TTL=48
Reply from 183.131.207.66: bytes=32 time=73ms TTL=48

Ping statistics for 183.131.207.66:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 73ms, Maximum = 76ms, Average = 74ms


ciscoasa# shun ?

  Hostname or A.B.C.D  Specify source IP address of a mischievous host
ciscoasa# shun 183.131.207.66
Shun 183.131.207.66 added in context: single_vf
Shun 183.131.207.66 successful

ciscoasa# show shun
shun (outside) 183.131.207.66 0.0.0.0 0 0 0

 

I was unable to ping or reach the site/IP over HTTPS afterwards.

C:\Users\User>ping 183.131.207.66

Pinging 183.131.207.66 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 183.131.207.66:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),


Two things to keep in mind. The shun matches on source address, so the replies coming back from 183.131.207.66 are dropped as well, which is why the outbound ping above fails. A shun is dynamic state, not configuration: write memory does not save it and it does not survive a reload, so a block that must persist belongs in an ACL. In the show shun output, outside is the interface the shun is active on, and the trailing 0.0.0.0 0 0 0 are the optional destination address, source port, destination port and protocol (zero meaning any). To remove the shun, use the no shun <IP ADDRESS> command; clear shun removes all of them.

ciscoasa# no shun 183.131.207.66

ciscoasa#

ciscoasa# show shun

ciscoasa#


Saturday, March 13, 2021

Configuring NetFlow (NSEL) in a Cisco ASA Firewall

Cisco documents NetFlow Secure Event Logging (NSEL) for the ASA. The ASA exports NetFlow version 9, but NSEL records are event-driven (flow created, torn down, denied, updated) rather than the periodic byte and packet counters a router exports, so the collector must understand the NSEL fields and, as with any v9 export, cannot decode a data record until it has received the matching template. The export is plain UDP, so point it at a collector on a trusted interface (the inside interface below) rather than across an untrusted network.

ciscoasa# configure terminal

ciscoasa(config)# flow-export ?

configure mode commands/options:
  active       Configure Netflow parameters for active connections
  delay        Configure delay for exporting NetFlow events
  destination  Configure a destination to which NetFlow records will be sent
  enable       Enable the export of flow information through NetFlow
               (deprecated)
  template     Specify the template specific configurations
ciscoasa(config)# flow-export destination ?

configure mode commands/options:
Current available interface(s):
  inside       Name of interface GigabitEthernet0/1
  outside      Name of interface GigabitEthernet0/0
ciscoasa(config)# flow-export destination inside ?

configure mode commands/options:
  Hostname or A.B.C.D  Destination IP address or name
ciscoasa(config)# flow-export destination inside 192.168.1.6 ?

configure mode commands/options:
  <1-65535>  UDP port number
ciscoasa(config)# flow-export destination inside 192.168.1.6 2055

ciscoasa(config)# flow-export template ?

configure mode commands/options:
  timeout-rate  Specify the time before templates are resent
ciscoasa(config)# flow-export template timeout-rate ?

configure mode commands/options:
  <1-3600>  Timeout in minutes (default 30 minutes)
ciscoasa(config)# flow-export template timeout-rate 5   // DEFAULT IS 30 MINS

ciscoasa(config)# flow-export delay ?

configure mode commands/options:
  flow-create  Specify delay after which flow creation event will be exported
ciscoasa(config)# flow-export delay flow-create ?

configure mode commands/options:
  <1-180>  Delay in seconds
ciscoasa(config)# flow-export delay flow-create 60

WARNING: The current delay flow-create value configuration may cause flow-update events to appear before flow-creation event.    // WARNING BECAUSE THE 60 s DELAY IS NOT AT LEAST 5 s BELOW THE DEFAULT flow-export active refresh-interval OF 1 MINUTE; A FLOW-UPDATE COULD THEN BE EXPORTED BEFORE ITS FLOW-CREATE

ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)#  class class-default   // MATCH ALL TRAFFIC
ciscoasa(config-pmap-c)#  flow-export event-type all destination 192.168.1.6
ciscoasa(config-pmap-c)# end
 

ciscoasa# show run flow
flow-export destination inside 192.168.1.6 2055
flow-export template timeout-rate 5
flow-export delay flow-create 60
 

ciscoasa# show run policy-map
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect pptp
  inspect sip  
 class tcp-traffic
  set connection advanced-options allow-probes
 class class-default
  flow-export event-type all destination 192.168.1.6

policy-map dynamic-filter_snoop_policy
 class dynamic-filter_snoop_class
  inspect dns dynamic-filter-snoop
!
ciscoasa# write memory
Building configuration...
Cryptochecksum: 9efb8040 ea39e168 2f4ab26e 3f75b246

105044 bytes copied in 1.210 secs (105044 bytes/sec)
[OK]

 

ciscoasa# show flow-export ?

  counters  Display flow-export run-time counters
ciscoasa# show flow-export counters

destination: inside 192.168.1.6 2055
  Statistics:
    packets sent                                             5514
  Errors:
    block allocation failure                                    0
    invalid interface                                           0
    template send failure                                       0
    no route to collector                                       0
    failed to get lock on block                                 0
    source port allocation failure                              0
 

Below is a snippet of the output in Solarwinds' NetFlow Traffic Analyzer (NTA).


No increase in ASA CPU utilization was observed after NetFlow was enabled (the exclude 0.0 filter below hides idle processes; DATAPATH is the only busy one).

ciscoasa# show cpu usage
CPU utilization for 5 seconds = 4%; 1 minute: 4%; 5 minutes: 4%


ciscoasa# show processes cpu-usage 
Hardware:   ASA5515
Cisco Adaptive Security Appliance Software Version 9.8(4)10
ASLR enabled, text region 7f6204493000-7f6208801234
PC         Thread       5Sec     1Min     5Min   Process
0x0000560200394ce3   0x00007f4ac6ad7880     0.0%     0.0%     0.0%   zone_background_idb
0x00005602010644ed   0x00007f4ac6acce20     0.0%     0.0%     0.0%   webvpn_task
0x00005601ffbb58c8   0x00007f4ac6af27e0     0.0%     0.0%     0.0%   WebVPN KCD Process
0x0000560200ec7b92   0x00007f4ac6ad9920     0.0%     0.0%     0.0%   vpnlb_timer_thread
0x0000560200ec7dca   0x00007f4ac6adf020     0.0%     0.0%     0.0%   vpnlb_thread
0x0000560200eab718   0x00007f4ac6abf840     0.0%     0.0%     0.0%   vpnfol_thread_unsent
0x0000560200eab5c5   0x00007f4ac6abff80     0.0%     0.0%     0.0%   vpnfol_thread_timer
0x0000560200eab058   0x00007f4ac6abfbe0     0.0%     0.0%     0.0%   vpnfol_thread_sync
0x0000560200eaac2f   0x00007f4ac6ac0320     0.0%     0.0%     0.0%   vpnfol_thread_msg
0x00005601ff7f61e8   0x00007f4ac6ad3000     0.0%     0.0%     0.0%   VPN director state sync

 <OUTPUT TRUNCATED>

 

ciscoasa# show processes cpu-usage | exclude 0.0
Hardware:   ASA5515
Cisco Adaptive Security Appliance Software Version 9.8(4)10
PC         Thread       5Sec     1Min     5Min   Process
   -          -         4.6%     3.9%     4.1%   DATAPATH-0-1386

 <OUTPUT TRUNCATED>

 

Sunday, February 7, 2021

Cisco ASA 5506-X ROMMON Upgrade

I needed to upgrade the ROMMON firmware on a Cisco ASA 5506-X (with the SSD/Firepower module installed); this is a required step before reimaging the ASA to FTD. Check the current ROMMON version with the show module command: the Fw Version column reads 1.1.15, and we needed to run at least 1.1.18.

ciscoasa# show module

 

Mod  Card Type                                    Model              Serial No.

---- -------------------------------------------- ------------------ -----------

   1 ASA 5506-X with SW, 8GE Data, 1GE Mgmt, AC   ASA5506            JAD24111234

 sfr Unknown                                      N/A                JAD24111234

 

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version    

---- --------------------------------- ------------ ------------ ---------------

   1 bc5a.5681.d595 to bc5a.5681.d59e  2.4          1.1.15       9.8(2)

 sfr bc5a.5681.d594 to bc5a.5681.d594  N/A          N/A         

 

Mod  SSM Application Name           Status           SSM Application Version

---- ------------------------------ ---------------- --------------------------

 

Mod  Status             Data Plane Status     Compatibility

---- ------------------ --------------------- -------------

   1 Up Sys             Not Applicable       

 sfr Init               Not Applicable       

 

 

Use the upgrade rommon <LOCATION:FILE NAME> privileged EXEC command to perform the ROMMON upgrade. Before reloading, the ASA computes the image's SHA-512 hash, compares it with the embedded hash and validates the Cisco digital signature; do not proceed if that step does not end in "Verification successful". After you confirm the reload the ASA reboots itself twice more during the process, so plan for a few minutes of downtime and do not power-cycle the unit while it reports that ROMMON is being updated.

 

ciscoasa# upgrade ?

 

  rommon  Perform an upgrade on rom-monitor

ciscoasa# upgrade rommon ?

 

  disk0:  Path and filename on disk0:

  disk1:  Path and filename on disk1:

  flash:  Path and filename on flash:

ciscoasa# upgrade rommon disk0:asa5500-firmware-1118.SPA

Verifying file integrity of disk0:/asa5500-firmware-1118.SPA

 

Computed Hash   SHA2: fb0bd87c814ddbd1340f5c05208f6254

                      7d2d330ef4b9fcc0eb3b42fdd5956fc8

                      c3af17a0d74a2b057e12dbb95408f562

                      c4886bb4c4592af87a722809208d5537

                     

Embedded Hash   SHA2: fb0bd87c814ddbd1340f5c05208f6254

                      7d2d330ef4b9fcc0eb3b42fdd5956fc8

                      c3af17a0d74a2b057e12dbb95408f562

                      c4886bb4c4592af87a722809208d5537

                     

 

Digital signature successfully validated

File Name                     : disk0:/asa5500-firmware-1118.SPA

Image type                    : Release

    Signer Information

        Common Name           : abraxas

        Organization Unit     : NCS_Kenton_ASA

        Organization Name     : CiscoSystems

    Certificate Serial Number : 5F619995

    Hash Algorithm            : SHA2 512

    Signature Algorithm       : 2048-bit RSA

    Key Version               : A

Verification successful.

Proceed with reload? [confirm]

ciscoasa#

 

 

***

*** --- START GRACEFUL SHUTDOWN ---

***

*** Message to all terminals:

***

***   Performing upgrade on rom-monitor.

Shutting down isakmp

Shutting down webvpn

Shutting down sw-module

Shutting down License Controller

Shutting down File system

 

 

***

*** --- SHUTDOWN NOW ---

***

*** Message to all terminals:

***

***   Performing upgrade on rom-monitor.

Process shutdown finished

Rebooting... (status 0x9)

..

INIT: Sending processes the TERM signal

Deconfiguring network interfaces... done.

Sending all processes the TERM signal...

Sending all processes the KILL signal...

Deactivating swap...

Unmounting local filesystems...

Rebooting...

Rom image verified correctly

 

 

Cisco Systems ROMMON, Version 1.1.15, RELEASE SOFTWARE

Copyright (c) 1994-2019  by Cisco Systems, Inc.

Compiled Sat 03/30/2019  7:00:46.51 by wchen64

 

 

Current image running: Boot ROM0

Last reset cause: PowerCycleRequest

DIMM Slot 0 : Present

INFO: Rommon upgrade state: ROMMON_UPG_START (1)

INFO: Reset code: 0x00002000

 

Firmware upgrade step 1...

Looking for file 'disk0:asa5500-firmware-1118.SPA'

Located 'asa5500-firmware-1118.SPA' @ cluster 870063.

 

###########################################################################################

Image base 0x7700a018, size 9241408

LFBFF signature verified.

Objtype: lfbff_object_rommon (0x800000 bytes @ 0x7700a238)

Objtype: lfbff_object_fpga (0xd0100 bytes @ 0x7780a258)

INFO: FPGA version in upgrade image: 0x0300

INFO: FPGA version currently active: 0x0300

FPGA: No need to do FPGA upgrade  !!!

 

INFO: Rommon version currently active: 1.1.15.

INFO: Rommon version in upgrade image: 1.1.18.

Active ROMMON: Preferred 0, selected 0, booted 0

Switching SPI access to standby rommon 1.

Please DO NOT reboot the unit, updating ROMMON...................

INFO: Duplicating machine state......

Reloading now as step 1 of the rommon upgrade process...

 

Toggling power on system board...

 

 

<ASA AUTO RELOAD>

 

 

Rom image verified correctly

 

 

Cisco Systems ROMMON, Version 1.1.15, RELEASE SOFTWARE

Copyright (c) 1994-2019  by Cisco Systems, Inc.

Compiled Sat 03/30/2019  7:00:46.51 by wchen64

 

 

Current image running: Boot ROM0

Last reset cause: RP-Reset

DIMM Slot 0 : Present

INFO: Rommon upgrade state: ROMMON_UPG_START (1)

INFO: Reset code: 0x00000008

Active ROMMON: Preferred 0, selected 0, booted 0

 

Firmware upgrade step 2...

Detected current rommon upgrade is available, continue rommon upgrade process

Rommon upgrade reset 0 in progress

Reloading now as step 2 of the rommon upgrade process...

 

 

<ASA AUTO RELOAD>

 

 

Rom image verified correctly

 

 

Cisco Systems ROMMON, Version 1.1.18, RELEASE SOFTWARE

Copyright (c) 1994-2020  by Cisco Systems, Inc.

Compiled Tue 09/15/2020 20:35:13.52 by wchen64

 

 

Current image running: *Upgrade in progress* Boot ROM0

Last reset cause: BootRomUpgrade

DIMM Slot 0 : Present

INFO: Rommon upgrade state: ROMMON_UPG_START (1)

INFO: Reset code: 0x00000010

PROM B: stopping boot timer

Active ROMMON: Preferred 1, selected 1, booted 0

Looking for file 'disk0:asa5500-firmware-1118.SPA'

Located 'asa5500-firmware-1118.SPA' @ cluster 870063.

 

 

###########################################################################################

 

Image base 0x77008018, size 9241408

LFBFF signature verified.

Objtype: lfbff_object_rommon (0x800000 bytes @ 0x77008238)

Objtype: lfbff_object_fpga (0xd0100 bytes @ 0x77808258)

INFO: Second time firmware update state: False

INFO: Rommon upgrade state: ROMMON_UPG_TEST

 

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

 

!! Please manually or auto boot ASAOS now to complete firmware upgrade !!

 

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

 

 

Platform ASA5506 with 4096 Mbytes of main memory

 

MAC Address: bc:5a:56:81:d5:95

 

 

Use BREAK or ESC to interrupt boot.

 

Use SPACE to begin boot immediately.

 

Boot in 10 seconds

 

 

<OUTPUT TRUNCATED>

 

 

Notice the ROMMON firmware version is now 1.1.18.

 

ciscoasa# show module

 

Mod  Card Type                                    Model              Serial No.

---- -------------------------------------------- ------------------ -----------

   1 ASA 5506-X with SW, 8GE Data, 1GE Mgmt, AC   ASA5506            JAD24111234

 sfr Unknown                                      N/A                JAD24111234

 

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version    

---- --------------------------------- ------------ ------------ ---------------

   1 bc5a.5681.d595 to bc5a.5681.d59e  2.4          1.1.18       9.8(2)

 sfr bc5a.5681.d594 to bc5a.5681.d594  N/A          N/A         

 

Mod  SSM Application Name           Status           SSM Application Version

---- ------------------------------ ---------------- --------------------------

 

Mod  Status             Data Plane Status     Compatibility

---- ------------------ --------------------- -------------

   1 Up Sys             Not Applicable       

 sfr Init               Not Applicable       

 

Saturday, January 2, 2021

Cisco ASA 5506-X Security Plus License

I had to configure a pair of Cisco ASA 5506-X firewalls and apply a Security Plus license to support Active/Standby failover (high availability). Cisco publishes a feature comparison between the Base license and the Security Plus license.

The ASA warns that the unit lacks a failover license when you try to configure a standby (failover) IP address on an interface:

ASA5506-X(config-if)# interface BVI1

ASA5506-X(config-if)# nameif inside

ASA5506-X(config-if)# security-level 100

ASA5506-X(config-if)# ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2

WARNING: Cannot configure standby IP address because this unit lack failover license support.

 

 

ASA5506-X# show version

 

Cisco Adaptive Security Appliance Software Version 9.8(2)

Firepower Extensible Operating System Version 2.2(2.52)

Device Manager Version 7.8(2)

 

Compiled on Thu 02-Apr-20 10:19 PDT by builders

System image file is "disk0:/asa982-lfbff-k8.SPA"

Config file at boot was "startup-config"

 

ASA5506-X up 25 mins 29 secs

 

Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)

Internal ATA Compact Flash, 8000MB

BIOS Flash M25P64 @ 0xfed01000, 16384KB

 

Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)

                             Number of accelerators: 1

 

 1: Ext: GigabitEthernet1/1  : address is bc5a.5681.d596, irq 255

 2: Ext: GigabitEthernet1/2  : address is bc5a.5681.d597, irq 255

 3: Ext: GigabitEthernet1/3  : address is bc5a.5681.d598, irq 255

 4: Ext: GigabitEthernet1/4  : address is bc5a.5681.d599, irq 255

 5: Ext: GigabitEthernet1/5  : address is bc5a.5681.d59a, irq 255

 6: Ext: GigabitEthernet1/6  : address is bc5a.5681.d59b, irq 255

 7: Ext: GigabitEthernet1/7  : address is bc5a.5681.d59c, irq 255

 8: Ext: GigabitEthernet1/8  : address is bc5a.5681.d59d, irq 255

 9: Int: Internal-Data1/1    : address is bc5a.5681.d595, irq 255

10: Int: Internal-Data1/2    : address is 0000.0001.0002, irq 0

11: Int: Internal-Control1/1 : address is 0000.0001.0001, irq 0

12: Int: Internal-Data1/3    : address is 0000.0001.0003, irq 0

13: Ext: Management1/1       : address is bc5a.5681.d595, irq 0

14: Int: Internal-Data1/4    : address is 0000.0100.0001, irq 0

 

Licensed features for this platform:

Maximum Physical Interfaces       : Unlimited      perpetual

Maximum VLANs                     : 5              perpetual

Inside Hosts                      : Unlimited      perpetual

Failover                          : Disabled       perpetual

Encryption-DES                    : Enabled        perpetual

Encryption-3DES-AES               : Enabled        perpetual

Carrier                           : Disabled       perpetual

AnyConnect Premium Peers          : 2              perpetual

AnyConnect Essentials             : Disabled       perpetual

Other VPN Peers                   : 10             perpetual

Total VPN Peers                   : 12             perpetual

AnyConnect for Mobile             : Disabled       perpetual

AnyConnect for Cisco VPN Phone    : Disabled       perpetual

Advanced Endpoint Assessment      : Disabled       perpetual

Shared License                    : Disabled       perpetual

Total TLS Proxy Sessions          : 2              perpetual

Botnet Traffic Filter             : Disabled       perpetual

Cluster                           : Disabled       perpetual

 

This platform has a Base license.

 

Serial Number: JAD24111234

Running Permanent Activation Key: 0xd71be575 0xb069db6f 0xb0523db4 0x949058c8 0x44221234

Configuration register is 0x1

Image type                : Release

Key Version               : A

Configuration last modified by enable_15 at 11:56:07.469 UTC Tue Nov 10 2020

 

 

Register the license in the Cisco licensing portal and retrieve the activation key. Apply it with the global configuration command activation-key <KEY>; the ASA validates the key, writes it to flash and only activates it after the next reload, so a reload is required for the license to take effect.

 

ASA5506-X(config-if)# activation-key 3c2dfa64 2c9281c9 5491edd8 8b4c40a4 cb356789

Validating activation key. This may take a few minutes...

Failover is different.

   running permanent activation key: Restricted(R)

   new permanent activation key: Unrestricted(UR)

WARNING: The running activation key was not updated with the requested key.

Proceed with update flash activation key? [confirm] <ENTER>

The flash permanent activation key was updated with the requested key,

and will become active after the next reload.

ASA5506-X(config-if)# end

ASA5506-X# reload

Proceed with reload? [confirm]

ASA5506-X#

 

 

***

*** --- START GRACEFUL SHUTDOWN ---

Shutting down isakmp

Shutting down webvpn

Shutting down sw-module

Shutting down License Controller

Shutting down File system

 

 

 

***

*** --- SHUTDOWN NOW ---

Process shutdown finished

Rebooting... (status 0x9)

 

 

<OUTPUT TRUNCATED>

 

 

Notice the ASA 5506-X now has the Security Plus license: Maximum VLANs went from 5 to 30, Failover changed from Disabled to Active/Standby, Total VPN Peers went from 12 to 50 and Total TLS Proxy Sessions from 2 to 160. AnyConnect Premium Peers only moved from 2 to 4; AnyConnect VPN beyond that requires a separate AnyConnect Plus or Apex license.

 

ASA5506-X# show version

 

Cisco Adaptive Security Appliance Software Version 9.8(2)

Firepower Extensible Operating System Version 2.2(2.52)

Device Manager Version 7.8(2)

 

Compiled on Thu 02-Apr-20 10:19 PDT by builders

System image file is "disk0:/asa982-lfbff-k8.SPA"

Config file at boot was "startup-config"

 

ASA5506-X up 13 mins 34 secs

 

Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)

Internal ATA Compact Flash, 8000MB

BIOS Flash M25P64 @ 0xfed01000, 16384KB

 

Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)

                             Number of accelerators: 1

 

 1: Ext: GigabitEthernet1/1  : address is bc5a.5681.d596, irq 255

 2: Ext: GigabitEthernet1/2  : address is bc5a.5681.d597, irq 255

 3: Ext: GigabitEthernet1/3  : address is bc5a.5681.d598, irq 255

 4: Ext: GigabitEthernet1/4  : address is bc5a.5681.d599, irq 255

 5: Ext: GigabitEthernet1/5  : address is bc5a.5681.d59a, irq 255

 6: Ext: GigabitEthernet1/6  : address is bc5a.5681.d59b, irq 255

 7: Ext: GigabitEthernet1/7  : address is bc5a.5681.d59c, irq 255

 8: Ext: GigabitEthernet1/8  : address is bc5a.5681.d59d, irq 255

 9: Int: Internal-Data1/1    : address is bc5a.5681.d595, irq 255

10: Int: Internal-Data1/2    : address is 0000.0001.0002, irq 0

11: Int: Internal-Control1/1 : address is 0000.0001.0001, irq 0

12: Int: Internal-Data1/3    : address is 0000.0001.0003, irq 0

13: Ext: Management1/1       : address is bc5a.5681.d595, irq 0

14: Int: Internal-Data1/4    : address is 0000.0100.0001, irq 0

 

Licensed features for this platform:

Maximum Physical Interfaces       : Unlimited      perpetual

Maximum VLANs                     : 30             perpetual

Inside Hosts                      : Unlimited      perpetual

Failover                          : Active/Standby perpetual

Encryption-DES                    : Enabled        perpetual

Encryption-3DES-AES               : Enabled        perpetual

Carrier                           : Disabled       perpetual

AnyConnect Premium Peers          : 4              perpetual

AnyConnect Essentials             : Disabled       perpetual

Other VPN Peers                   : 50             perpetual

Total VPN Peers                   : 50             perpetual

AnyConnect for Mobile             : Disabled       perpetual

AnyConnect for Cisco VPN Phone    : Disabled       perpetual

Advanced Endpoint Assessment      : Disabled       perpetual

Shared License                    : Disabled       perpetual

Total TLS Proxy Sessions          : 160            perpetual

Botnet Traffic Filter             : Disabled       perpetual

Cluster                           : Disabled       perpetual

 

This platform has an ASA 5506 Security Plus license.

 

Serial Number: JAD24111234

Running Permanent Activation Key: 0x3c2dfa64 0x2c9281c9 0x5491edd8 0x8b4c40a4 0xcb356789

Configuration register is 0x1

Image type                : Release

Key Version               : A

Configuration has not been modified since last system restart.