It's been a while since I've configured a Small Office/Home Office (SOHO) firewall such as the Cisco ASA 5505. I found a nice online deal for a Cisco ASA 5506W-X for my home lab and made sure the appliance Version ID (VID) wasn't affected by the clock signal issue; otherwise it might get "bricked" sometime in the future. I settled on the Cisco ASA 5506W-X and paid extra for the built-in wireless AP since my home users rely on Wi-Fi for their smartphones and tablets.
Here's a nice link for some tips in choosing a Next-Generation Firewall (NGFW). Below are photos of the good old Cisco ASA 5505 firewall.
Below are the photos of the Cisco ASA 5506W-X. It has a metal chassis with lots of ventilation holes. The LED status lights are on top.
This is the front panel.
This is the back panel with all the ports. The LED status lights are also visible here.
This is the power adapter (ASA5506-PWR-AC).
Compared to the old Cisco ASA 5505 firewall, the Cisco ASA 5506 has 8x Layer 3 only (routed) Gigabit ports (no PoE) and 1x Management port (for FirePOWER only). It ships with the FirePOWER module (SSD drive) installed, and ASDM can manage both the "classic firewall" and the FirePOWER module (starting on 6.0).
Below are the ASA image and ASDM version as shipped, plus the configuration after I did a write erase and reload on the appliance.
ciscoasa# show version
Cisco Adaptive Security Appliance Software Version 9.9(1)
Firepower Extensible Operating System Version 2.3(1.54)
Device Manager Version 7.5(1)
Compiled on Thu 30-Nov-17 20:18 PST by builders
System image file is "disk0:/asa991-lfbff-k8.SPA"
Config file at boot was "startup-config"
ciscoasa up 1 min 28 secs
Hardware: ASA5506W, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
Internal ATA Compact Flash, 8000MB
BIOS Flash M25P64 @ 0xfed01000, 16384KB
Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
Number of accelerators: 1
 1: Ext: GigabitEthernet1/1 : address is 0078.884b.bf63, irq 255
 2: Ext: GigabitEthernet1/2 : address is 0078.884b.bf64, irq 255
 3: Ext: GigabitEthernet1/3 : address is 0078.884b.bf65, irq 255
 4: Ext: GigabitEthernet1/4 : address is 0078.884b.bf66, irq 255
 5: Ext: GigabitEthernet1/5 : address is 0078.884b.bf67, irq 255
 6: Ext: GigabitEthernet1/6 : address is 0078.884b.bf68, irq 255
 7: Ext: GigabitEthernet1/7 : address is 0078.884b.bf69, irq 255
 8: Ext: GigabitEthernet1/8 : address is 0078.884b.bf6a, irq 255
 9: Ext: GigabitEthernet1/9 : address is 0078.884b.bf6b, irq 255
10: Int: Internal-Data1/1 : address is 0078.884b.bf62, irq 255
11: Int: Internal-Data1/2 : address is 0000.0001.0002, irq 0
12: Int: Internal-Control1/1 : address is 0000.0001.0001, irq 0
13: Int: Internal-Data1/3 : address is 0000.0001.0003, irq 0
14: Ext: Management1/1 : address is 0078.884b.bf62, irq 0
15: Int: Internal-Data1/4 : address is 0000.0100.0001, irq 0
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 5 perpetual
Inside Hosts : Unlimited perpetual
Failover : Disabled perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Carrier : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 10 perpetual
Total VPN Peers : 12 perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
Shared License : Disabled perpetual
Total TLS Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Cluster : Disabled perpetual
This platform has a Base license.
Serial Number: JAD20081234
Running Permanent Activation Key: 0xf319c753 0x9c0e6651 0xbc534174 0x87548123 0x04191456
Configuration register is 0x1
Image type : Release
Key Version : A
Configuration has not been modified since last system restart.
ciscoasa# show inventory
Name: "Chassis", DESCR: "ASA 5506-X with FirePOWER services, WiFi, 8GE, AC, DES"
PID: ASA5506W , VID: V06 , SN: JMX20091234
Name: "module 2", DESCR: "WLAN AP"
PID: N/A , VID: N/A , SN: N/A
Name: "Storage Device 1", DESCR: "ASA 5506-X SSD"
PID: ASA5506-SSD , VID: N/A , SN: MSA19375678 // FIREPOWER
ciscoasa# show module
Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
   0 ASA 5506-X with FirePOWER services, WiFi, 8G ASA5506W           JAD20081234
 sfr FirePOWER Services Software Module          ASA5506W           JAD20084567
wlan WLAN AP                                      N/A                N/A

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
   0 0078.884b.bf62 to 0078.884b.bf6b  2.0          1.1.8        9.9(1)
 sfr 0078.884b.bf61 to 0078.884b.bf61  N/A          N/A          5.4.1-211
wlan none                              N/A          N/A

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 sfr ASA FirePOWER                  Up               5.4.1-211

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   0 Up Sys             Not Applicable
 sfr Up                 Up
wlan Up                 Up
ciscoasa# more system:running-config
: Saved
:
: Serial Number: JAD20081234
: Hardware:   ASA5506W, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
: Written by enable_15 at 03:02:39.479 UTC Mon Aug 20 2018
!
ASA Version 9.9(1)
!
hostname ciscoasa
enable password $sha512$5000$nYeqAl4RK8yIfEnDFfDodg==$ywhiHnhKr/tRvokNka/oLA== pbkdf2
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface GigabitEthernet1/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/9
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
pager lines 24
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect dns preset_dns_map
policy-map type inspect dns migrated_dns_map_2
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
Whenever deploying any Cisco appliance in production, it's best practice to upgrade to the TAC recommended software. As of this writing, these are ASA 9.8.2 and ASDM 7.9(2). You'll also need to check the ASA software and ASDM compatibility matrix.
Check the ASA flash memory and the hard-coded (boot system) ASA image and ASDM image.
ciscoasa# dir
Directory of disk0:/

99     -rwx  74369568    16:05:36 Nov 08 2017  asa951-lfbff-k8.SPA
100    -rwx  25025404    16:06:04 Nov 08 2017  asdm-751.bin
101    -rwx  60          07:57:26 Jul 31 2018  .boot_string
11     drwx  4096        16:09:06 Nov 08 2017  log
20     drwx  4096        16:09:58 Nov 08 2017  crypto_archive
21     drwx  4096        16:10:00 Nov 08 2017  coredumpinfo
102    -rwx  109776224   14:55:34 Mar 21 2018  asa991-lfbff-k8.SPA
103    -rwx  3474        14:55:42 Mar 21 2018  oldconfig_2018Mar21_2241.cfg
104    -rwx  29197944    14:56:12 Mar 21 2018  asdm-791.bin

6 file(s) total size: 238372674 bytes
7934787584 bytes total (4473110528 bytes free/56% free)
ciscoasa#
ciscoasa# show run boot
ciscoasa#
ciscoasa# show run asdm
no asdm history enable
ciscoasa# configure terminal
ciscoasa(config)#
***************************** NOTICE *****************************
Help to improve the ASA platform by enabling anonymous reporting,
which allows Cisco to securely receive minimal error and health
information from the device. To learn more about this feature,
please visit: http://www.cisco.com/go/smartcall

Would you like to enable anonymous error reporting to help improve
the product? [Y]es, [N]o, [A]sk later:
ciscoasa(config)# interface g1/2
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)#
ciscoasa(config-if)# ping 192.168.1.10 // TEST PING TO TFTP SERVER/PC
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ciscoasa# copy tftp://192.168.1.10/asa982-38-lfbff-k8.SPA disk0:
Address or name of remote host [192.168.1.10]?
Source filename [asa982-38-lfbff-k8.SPA]?
Destination filename [asa982-38-lfbff-k8.SPA]?
Accessing tftp://192.168.1.10/asa982-38-lfbff-k8.SPA...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Verifying file disk0:/asa982-38-lfbff-k8.SPA...
Computed Hash   SHA2: ce1c9b84adefaf7f5d075ac2457c0dd2
                      9cc524bb6f47ffc3ae1c8566076acf9a
                      d62912e75cdbde19ef82a459f3de432d
                      4d2ef6da51ddd462960b65fce33ec8a2
Embedded Hash   SHA2: ce1c9b84adefaf7f5d075ac2457c0dd2
                      9cc524bb6f47ffc3ae1c8566076acf9a
                      d62912e75cdbde19ef82a459f3de432d
                      4d2ef6da51ddd462960b65fce33ec8a2
Digital signature successfully validated
Writing file disk0:/asa982-38-lfbff-k8.SPA...
108648864 bytes copied in 103.820 secs (1054843 bytes/sec)
ciscoasa#
ciscoasa# copy tftp://192.168.1.10/asdm-792-152.bin disk0:
Address or name of remote host [192.168.1.10]?
Source filename [asdm-792-152.bin]?
Destination filename [asdm-792-152.bin]?
Accessing tftp://192.168.1.10/asdm-792-152.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Verifying file disk0:/asdm-792-152.bin...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/asdm-792-152.bin...
INFO: No digital signature found
32738244 bytes copied in 30.960 secs (1091274 bytes/sec)
ciscoasa# configure terminal
ciscoasa(config)# boot system ?

configure mode commands/options:
  disk0:  Path and filename on disk0:
  disk1:  Path and filename on disk1:
  flash:  Path and filename on flash:
  tftp:   A URL beginning with this prefix.
ciscoasa(config)# boot system disk0:?

configure mode commands/options:
disk0:/.boot_string                disk0:/asa951-lfbff-k8.SPA
disk0:/asa982-38-lfbff-k8.SPA      disk0:/asa991-lfbff-k8.SPA
disk0:/asdm-751.bin                disk0:/asdm-791.bin
disk0:/asdm-792-152.bin            disk0:/coredumpinfo
disk0:/crypto_archive              disk0:/log
disk0:/oldconfig_2018Mar21_2241.cfg
ciscoasa(config)# boot system disk0:/asa982-38-lfbff-k8.SPA
ciscoasa(config)# asdm image disk0:/asdm-792-152.bin
ciscoasa(config)#
ciscoasa(config)# http server enable // ENABLE ASDM
ciscoasa(config)# http 192.168.1.0 255.255.255.0 inside
ciscoasa(config)# username admin password cisco privilege 15
ciscoasa(config)# end
ciscoasa# write memory
Building configuration...
Cryptochecksum: 62692db5 16e8df84 0f3a0f8f 5b747c24
4380 bytes copied in 0.330 secs
[OK]
ciscoasa# reload // RELOAD THE ASA FOR THE NEW CODE TO TAKE EFFECT
Proceed with reload? [confirm]
ciscoasa#
***
*** --- START GRACEFUL SHUTDOWN ---
Shutting down isakmp
Shutting down webvpn
Shutting down sw-module
<OUTPUT TRUNCATED>
ciscoasa# show version
Cisco Adaptive Security Appliance Software Version 9.8(2)38
Firepower Extensible Operating System Version 2.2(2.90)
Device Manager Version 7.9(2)152
Compiled on Tue 12-Jun-18 13:31 PDT by builders
System image file is "disk0:/asa982-38-lfbff-k8.SPA"
Config file at boot was "startup-config"
ciscoasa up 12 secs
Hardware: ASA5506W, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
Internal ATA Compact Flash, 8000MB
BIOS Flash M25P64 @ 0xfed01000, 16384KB
Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
Number of accelerators: 1
 1: Ext: GigabitEthernet1/1 : address is 0078.884b.bf63, irq 255
 2: Ext: GigabitEthernet1/2 : address is 0078.884b.bf64, irq 255
 3: Ext: GigabitEthernet1/3 : address is 0078.884b.bf65, irq 255
 4: Ext: GigabitEthernet1/4 : address is 0078.884b.bf66, irq 255
 5: Ext: GigabitEthernet1/5 : address is 0078.884b.bf67, irq 255
 6: Ext: GigabitEthernet1/6 : address is 0078.884b.bf68, irq 255
 7: Ext: GigabitEthernet1/7 : address is 0078.884b.bf69, irq 255
 8: Ext: GigabitEthernet1/8 : address is 0078.884b.bf6a, irq 255
 9: Ext: GigabitEthernet1/9 : address is 0078.884b.bf6b, irq 255
10: Int: Internal-Data1/1 : address is 0078.884b.bf62, irq 255
11: Int: Internal-Data1/2 : address is 0000.0001.0002, irq 0
12: Int: Internal-Control1/1 : address is 0000.0001.0001, irq 0
13: Int: Internal-Data1/3 : address is 0000.0001.0003, irq 0
14: Ext: Management1/1 : address is 0078.884b.bf62, irq 0
15: Int: Internal-Data1/4 : address is 0000.0100.0001, irq 0
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 5 perpetual
Inside Hosts : Unlimited perpetual
Failover : Disabled perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Carrier : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 10 perpetual
Total VPN Peers : 12 perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
Shared License : Disabled perpetual
Total TLS Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Cluster : Disabled perpetual
This platform has a Base license.
Serial Number: JAD20081234
Running Permanent Activation Key: 0xf319c753 0x9c0e6651 0xbc534174 0x87548123 0x04191456
Configuration register is 0x1
Image type : Release
Key Version : A
Configuration has not been modified since last system restart.
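As an added pre-flight check (my own example, not code from this post or from Cisco), this Python script parses the dir, show run boot and show run asdm output from the steps above and reports an unpinned or missing boot/ASDM image, plus the older images still sitting on flash. The sample output is constructed to mirror the post's file names after the two copies.

```python
import re

# Constructed sample output, shaped like the "dir", "show run boot" and
# "show run asdm" sessions in this post (not captured from a real appliance).
DIR_OUTPUT = """Directory of disk0:/
99     -rwx  74369568    16:05:36 Nov 08 2017  asa951-lfbff-k8.SPA
100    -rwx  25025404    16:06:04 Nov 08 2017  asdm-751.bin
11     drwx  4096        16:09:06 Nov 08 2017  log
102    -rwx  109776224   14:55:34 Mar 21 2018  asa991-lfbff-k8.SPA
104    -rwx  29197944    14:56:12 Mar 21 2018  asdm-791.bin
105    -rwx  108648864   15:01:10 Aug 20 2018  asa982-38-lfbff-k8.SPA
106    -rwx  32738244    15:02:40 Aug 20 2018  asdm-792-152.bin
"""
BEFORE_BOOT = ""                          # "show run boot" printed nothing
BEFORE_ASDM = "no asdm history enable\n"  # and no "asdm image" line either
AFTER_BOOT = "boot system disk0:/asa982-38-lfbff-k8.SPA\n"
AFTER_ASDM = "asdm image disk0:/asdm-792-152.bin\nno asdm history enable\n"

# One regular-file line of "dir": index, -rwx, size, time, Mon DD YYYY, name.
FILE_RE = re.compile(
    r"^\s*\d+\s+-rwx\s+(\d+)\s+\d\d:\d\d:\d\d\s+[A-Za-z]{3}\s+\d+\s+\d{4}\s+(\S+)\s*$", re.M)

def flash_files(dir_output):
    """Map each regular file on disk0: to its size in bytes (directories skipped)."""
    return {name: int(size) for size, name in FILE_RE.findall(dir_output)}

def configured_image(run_output, keyword):
    """File name after 'boot system disk0:/' or 'asdm image disk0:/', or None if unset."""
    m = re.search(rf"^{keyword}\s+disk0:/(\S+)", run_output, re.M)
    return m.group(1) if m else None

def audit_boot_config(dir_output, run_boot, run_asdm):
    """Findings about the boot/ASDM pins; an empty list means both are set and on flash."""
    files = flash_files(dir_output)
    findings = []
    boot = configured_image(run_boot, "boot system")
    asdm = configured_image(run_asdm, "asdm image")
    if boot is None:
        # Without a "boot system" line the ASA boots the first valid image it finds
        # on flash, which after an upgrade may still be the old, unpatched one.
        findings.append("no boot system configured: first image on flash will be booted")
    elif boot not in files:
        findings.append(f"boot image {boot} is not present on disk0:")
    if asdm is None:
        findings.append("no asdm image configured")
    elif asdm not in files:
        findings.append(f"asdm image {asdm} is not present on disk0:")
    return findings

def stale_images(dir_output, run_boot, run_asdm):
    """Images on flash other than the pinned pair: candidates to delete once the reload is verified."""
    keep = {configured_image(run_boot, "boot system"), configured_image(run_asdm, "asdm image")}
    return sorted(f for f in flash_files(dir_output)
                  if f not in keep and f.endswith((".SPA", ".bin")))
```

Feed it the real command output captured from the console session; with the shipped config it reports both pins missing, and after the boot system and asdm image lines it returns no findings.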
Connect via HTTPS and accept the self-signed certificate generated by the ASA firewall.
Save and install ASDM. You'll need Java installed on your PC to run ASDM.
Type the IP address and your login.
Skip the Cisco Smart Call Home setup.