
This chapter covers the following topics:
• Using the CLI -- This section describes the ASA command line interface and how you can use it to configure and display information about an ASA device.
• Understanding the Factory Default Configuration -- Every ASA comes with a factory default or preinstalled initial configuration. This section explains the initial configuration and how it bootstraps an ASA so you can connect and make configuration changes.
• Working with Configuration Files -- This section describes the startup and running configurations that an ASA uses as it boots up and runs.
• Working with the ASA File System -- This section covers the non-volatile Flash file system that an ASA uses to store configuration, image, and other types of files.
• Reloading an ASA -- This section describes the ASA bootup sequence, how you can make an ASA reload, and how you can upgrade the operating system image during a reload.
------------------------------------------------------------------------------------------------------------------------

Chapter 2: Configuration Fundamentals

Refer to the following sections for information about these topics:

  • 2-1: User Interface -- Discusses the command-line interface (CLI) methods that an administrative user can use to connect to and interact with a firewall.

  • 2-2: Firewall Features and Licenses -- Covers the license activation keys that can be used to unlock firewall functions.

  • 2-3: Initial Firewall Configuration -- Presents a brief overview of the methods that can be used to start configuring a firewall.

2-1: User Interface

A Cisco firewall, like any other networking device, offers several ways for the administrative user to connect to and interact with the firewall. Users usually need to make changes to the firewall’s security policies and configuration, monitor firewall activity, and troubleshoot traffic handling. All interaction with a firewall is based on a common user interface, which can be described as follows:

  • A Cisco firewall supports user access by these methods:

    • Command-line interface (CLI) by an asynchronous console connection

    • CLI by a Telnet session

    • CLI by Secure Shell (SSH) version 1.x or 2 (Adaptive Security Appliance [ASA] and Firewall Services Module [FWSM])

    • Adaptive Security Device Manager (ASDM) through a web browser for ASA and FWSM platforms, and PIX Device Manager (PDM) for PIX platforms running 6.3 or earlier releases

    • Cisco Security Manager (CSM)

    • VPN/Security Management Solution (VMS) Firewall Management Center

  • A firewall also provides a user interface to the ROM monitor bootstrap code when the operating system is not running.

  • Users can execute commands from the user level or from the privileged level. The user level offers basic system information commands. The privileged level offers complete access to all firewall information, configuration editing, and debugging commands.

  • A help system offers command syntax and command choices at any user prompt.

  • A history of executed firewall commands can be kept. As well, command lines can be edited and reused.

  • The output from a command can be searched and filtered so that useful information can be found quickly.


Note

Only the CLI itself is covered in this section. The mechanisms to reach it (Telnet, SSH, and so on) are covered in Chapter 4, “Firewall Management,” Section 4-4, “Managing Administrative Sessions.”


Tip

The Catalyst 6500 Firewall Services Module (FWSM) does not have an accessible console connection or other physical interface. However, you can still access an FWSM from the Catalyst 6500 native IOS CLI, as if you were connected to its console. Use the following Catalyst EXEC command to connect to the FWSM in chassis slot number slot:

Switch# session slot slot processor 1

User Interface Modes

The user interface of a Cisco firewall consists of several modes, each providing a different level of administrative capability and a different function. The user interface modes are as follows:

  • User EXEC mode

    Administrative users can connect to a firewall via the console port, Telnet session, or SSH session. By default, the initial access to a firewall places the user in user EXEC mode and offers a limited set of commands. When you connect to the firewall, a user-level password is required. A firewall designates user EXEC mode with a prompt of this form:

    Firewall>

    Note

    User-level authentication and passwords are covered in Chapter 5, “Managing Firewall Users.”

  • Privileged EXEC mode

    As soon as a user gains access to user EXEC mode, the enable command can be used to enter privileged EXEC or enable mode. Full access to all the executable commands is available. To leave privileged EXEC mode, use the disable, quit, or exit command. The syntax for entering privileged EXEC mode is as follows:

    Firewall> enable
    password: password
    Firewall#

    Notice that the pound, or number, sign (#) is used to designate privileged EXEC mode.

  • Configuration mode

    From privileged EXEC mode, you can enter configuration mode. From this mode, you can issue firewall commands to configure any feature that is available in the operating system. In PIX 6.x, all configuration is performed in one global configuration mode. Later releases, however, offer a global configuration mode and many submodes, much like the Cisco IOS software. To leave configuration mode and return to EXEC mode, enter exit or press Ctrl-z. You can also use the exit command to exit a submode and return to global configuration mode.

    The syntax for entering global configuration mode is as follows:

    Firewall# configure terminal
    Firewall(config)#

User Interface Features

Within an administrative session, you can enter commands and get helpful information about entering commands. As well, you can filter the information that a firewall displays in a session as a result of a command. These mechanisms are discussed in the following sections.

Entering Commands

To enable a feature or parameter, enter the command and its options normally. To disable a command that is in effect, begin the command with no, followed by the command. You need to include enough options to identify the command uniquely, as it exists in the firewall session or configuration. For example, the following configuration commands enable and then disable the embedded HTTP server:

Firewall(config)# http server enable
Firewall(config)# no http server enable

You can see the configuration commands that are in effect by using one of the following commands:

Platform  | Command
ASA, FWSM | Firewall# write terminal
          | or
          | Firewall# show running-config [command]
PIX 6.3   | Firewall# write terminal
          | or
          | Firewall# show running-config
          | or
          | Firewall# show command

Notice that the ASA and FWSM platforms allow you to specify a command keyword in the show running-config command. If it is included, only the related configuration commands are shown, rather than the entire configuration. PIX 6.3 shows specific configuration commands by omitting the running-config keyword with the show command syntax.


Tip

Some ASA and FWSM configuration commands and their options are not shown if they use their default values. To see every configuration command that is enabled or active, even if it is a default, you can use the show running-config all [command] syntax.

Commands and their options can be abbreviated with as few letters as possible without becoming ambiguous. For example, to enter configuration mode, the command configure terminal can be abbreviated as conf t.

ASA and FWSM platforms also offer a keyword completion function. If you enter a shortened or truncated keyword, you can press the Tab key to make the firewall complete the keyword for you. Keyword completion can be useful when you are entering keywords that are very long and hyphenated. For example, pressing the Tab key after entering show ru produces the completed command show running-config:

Firewall# show ru[Tab]
Firewall# show running-config

This works only if the truncated keyword is unambiguous; otherwise, the firewall cannot decide which one of several similar keywords you want. If you press Tab and the keyword stays the same, you know you have not entered enough characters to make it unambiguous.

You can edit a command line as you enter it by using the left and right arrow keys to move within the line. If you enter additional characters, the remainder of the line to the right is spaced over. You can use the Backspace and Delete keys to make corrections.


Tip

Sometimes the firewall might display an informational or error message while you are entering a command line. To see what you’ve entered so far, you can press Ctrl-l (lowercase L) to redisplay the line and continue editing.

For example, suppose an administrator is trying to enter the hostname configuration command to set the firewall’s host name. Before he or she can enter the command, the firewall displays a logging message that interrupts the command line:

pix-c# config t
pix-c(config)# hostnNov 15 2004 00:34:08 single_vf : %PIX-7-111009:
User 'enable_15' executed cmd: show interface [user presses Ctrl-l here]
pix-c(config)# hostn

Pressing Ctrl-l displays the line again without all the clutter.

Command Help

You can enter a question mark (?) after any keyword in a command line to get additional information from the firewall. Entering the question mark alone on a command line displays all available commands for that mode (configuration or EXEC).

You can also follow a command keyword with a question mark to get more information about the command syntax. Doing this in PIX 6.3 displays the command syntax of all commands that use that keyword. For example, entering arp ? causes the firewall to show the syntax of the arp command, as well as the show arp and clear arp commands.

ASA and FWSM platforms offer context-based help, much like the Cisco IOS software. Entering a question mark after a keyword causes the firewall to list only the possible keywords or options. For example, entering show arp ? results in the following output:

Firewall# show arp ?
  statistics  Show arp statistics
  |           Output modifiers

Firewall# show arp

Here, show arp can be followed by statistics, a pipe symbol (|), or the Enter key.

With an ASA platform, you can also use the question mark with a partially completed command keyword if you do not know the exact spelling or form. The firewall displays all possible keywords that can be formed from the truncated word. For example, suppose you do not remember what commands can be used to configure access lists. Entering access? in configuration mode reveals the possibilities:

Firewall(config)# access?
access-group  access-list
Firewall(config)# access

Notice that the truncated command keyword is displayed again, ready to be completed with more typing.

If you enter a command but use the wrong syntax, you see the following error:

Type help or '?' for a list of available commands

ASA and FWSM platforms also display a caret (^) symbol below the command line location to point out the error. For example, suppose a user forgets and enters the command config type rather than config term:

Firewall# config type
                  ^
ERROR: % Invalid input detected at '^' marker.
Firewall#

The caret points to the keyword type, starting at the y, where the syntax error begins.

Command History

The firewall keeps a history of the last 19 commands that were issued in each interactive session. You can see the entire history list for your current session with the show history command.

You can use the command history to recall a previous command that you want to use again. This can save you time in entering repetitive commands while allowing you to make edits or changes after you recall them.

Each press of the up arrow key or Ctrl-p recalls the next older or previous command. Each press of the down arrow key or Ctrl-n recalls the next most recent command. When you reach either end of the history cache, the firewall displays a blank command line.

When commands are recalled from the history, they can be edited as if you just entered them. You can use the left arrow key or right arrow key to move within the command line and begin typing to insert new characters. You can also use the Backspace or Delete key to delete characters.


Note

The arrow keys require the use of an American National Standards Institute (ANSI)-compatible terminal emulator (such as the VT100).

Searching and Filtering Command Output

A show command can generate a long output listing. If the listing contains more lines than the terminal session can display (set using the pager command, whose default is 24 lines), the listing is displayed a screenful at a time, with the following prompt at the bottom:

<---More--->

To see the next screen, press the spacebar. To advance one line, press the Enter key. To exit to the command line, press the q key.

You can use a regular expression (reg-expression) to match against lines of output. Regular expressions are made up of patterns: either simple text strings (such as permit or route) or more complex matching patterns. Typically, regular expressions are regular text words that offer a hint to a location in the output of a show command. You can use the following command structure to perform a regular-expression search:

Firewall# show command ... | {begin | include | exclude | grep [-v]} reg-expression

To search for a specific regular expression and start the output listing there, use the begin keyword. This can be useful if your firewall has a large configuration. Rather than using the spacebar to eventually find a certain configuration line, you can use begin to jump right to the desired line.

To display only the lines that include a regular expression, use the include (or grep) keyword. To display all lines that do not include a regular expression, use the exclude (or grep -v) keyword.

A more complex regular expression can be made up of patterns and operators. Table 2-1 lists and defines the characters that are used as operators.

Table 2-1: Regular-Expression Operators

Character | Description
.         | Matches a single character.
*         | Matches zero or more sequences of the preceding pattern.
+         | Matches one or more sequences of the preceding pattern.
?         | Matches zero or one occurrences of the preceding pattern.
^         | Matches at the beginning of the string.
$         | Matches at the end of the string.
_         | Matches a comma, braces, parentheses, the beginning or end of a string, or a space.
[ ]       | Defines a range of characters as a pattern.
( )       | Groups characters as a pattern. If it is used around a pattern, the pattern can be recalled later in the expression using the backslash (\) and the pattern occurrence number.

For example, the following command can be used to display all the logging messages with message ID 302013 currently stored in the logging buffer:

Firewall# show log | include 302013
302013: Built outbound TCP connection 1788652405 for outside:69.25.38.107/80
(69.25.38.107/80) to inside:10.1.198.156/1667 (207.246.96.46/52531)
302013: Built outbound TCP connection 1788652406 for outside:218.5.80.219/21
(218.5.80.219/21) to inside:10.1.100.61/3528 (207.246.96.46/52532)
[output truncated]

Message 302013 records TCP connections built in either the inbound or outbound direction. To display only the inbound TCP connections recorded, the regular expression could be changed to include 302013, any number of other characters (.*), and the string inbound:

Firewall# show log | include 302013.*inbound
302013: Built inbound TCP connection 1788639636 for outside:216.117.177.135/54780
(216.117.177.135/54780) to inside:10.1.3.16/25 (207.246.96.46/25)
Firewall#

You might also use a regular expression to display command output that contains IP addresses within a range. For example, the following command filters the output to contain only IP addresses that begin with 10.10.5, 10.10.6, and 10.10.7:

Firewall# show log | include 10.10.[5-7].*
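To see exactly what each output modifier keeps, here is the begin/include/exclude/grep [-v] behaviour and the Table 2-1 operators reproduced in Python. This is an added example, not code from the book or from Cisco; the sample syslog lines are constructed, and the translation of the _ operator into a Python alternation is an assumption drawn from its description in the table.

```python
import re

# Constructed sample output, modelled on the 302013/302014 syslog messages
# shown above (connection IDs and addresses are made up).
SAMPLE_OUTPUT = """\
302013: Built outbound TCP connection 100 for outside:198.51.100.7/80 (198.51.100.7/80) to inside:10.10.5.20/1667 (203.0.113.4/52531)
302013: Built inbound TCP connection 101 for outside:198.51.100.9/54780 (198.51.100.9/54780) to inside:10.10.3.16/25 (203.0.113.4/25)
302014: Teardown TCP connection 100 for outside:198.51.100.7/80 to inside:10.10.5.20/1667 duration 0:00:02 bytes 1200 TCP FINs
302013: Built inbound TCP connection 102 for outside:198.51.100.10/40001 (198.51.100.10/40001) to inside:10.10.7.8/22 (203.0.113.4/22)
302013: Built outbound TCP connection 103 for outside:198.51.100.11/443 (198.51.100.11/443) to inside:10.10.9.1/3528 (203.0.113.4/52532)
"""


def to_python_regex(pattern):
    """Translate a Table 2-1 expression into Python regex syntax.

    Every operator in the table already means the same thing in Python
    except '_', which the firewall treats as "comma, brace, parenthesis,
    space, or start/end of string".  An underscore inside a character
    class ([...]) is left alone, because there it is a literal.
    (Assumption: escaped brackets are not handled.)
    """
    out, in_class = [], False
    for ch in pattern:
        if ch == "[":
            in_class = True
        elif ch == "]":
            in_class = False
        if ch == "_" and not in_class:
            out.append(r"(?:^|$|[,{}() ])")
        else:
            out.append(ch)
    return "".join(out)


def apply_modifier(output, modifier):
    """Apply a '{begin | include | exclude | grep [-v]} reg-expression'
    output modifier to the text of a show command and return the lines
    that survive.  begin keeps everything from the first matching line
    onward; include/grep keep matching lines; exclude/grep -v drop them.
    """
    parts = modifier.split(None, 1)
    if not parts:
        raise ValueError("empty output modifier")
    keyword = parts[0]
    rest = parts[1] if len(parts) > 1 else ""
    if keyword == "grep" and rest.startswith("-v"):
        keyword, rest = "exclude", rest[2:].lstrip()
    elif keyword == "grep":
        keyword = "include"
    if not rest:
        raise ValueError("missing regular expression")
    regex = re.compile(to_python_regex(rest))
    lines = output.splitlines()
    if keyword == "begin":
        for i, line in enumerate(lines):
            if regex.search(line):
                return lines[i:]
        return []
    if keyword == "include":
        return [ln for ln in lines if regex.search(ln)]
    if keyword == "exclude":
        return [ln for ln in lines if not regex.search(ln)]
    raise ValueError(f"unknown output modifier keyword: {keyword}")


if __name__ == "__main__":
    for mod in ("include 302013.*inbound", "include 10.10.[5-7].*",
                "grep -v 302013", "begin 302014", "include _Built_"):
        print(f"| {mod}")
        for line in apply_modifier(SAMPLE_OUTPUT, mod):
            print("   ", line)
```

The _Built_ case shows why the underscore operator is handy: it behaves like a word boundary, so it matches "Built" surrounded by spaces but not "uilt" inside the word.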

Terminal Screen Format

By default, all output from the firewall is displayed for a terminal session screen that is 80 characters wide by 24 lines long. To change the terminal screen width, you can use the following configuration command:

Firewall(config)# terminal width characters

Here, characters is a value from 40 to 511. You can also specify 0, meaning the full 511-character width.

To change the screen length (the number of lines displayed when paging through a large amount of output), you can use the following configuration command:

Firewall(config)# pager [lines number]

Here, number can be any positive value starting at 1. If you use only the pager keyword, the page length returns to its default of 24 lines.

You can also disable screen paging completely by using pager lines 0. This action might be useful if you are capturing a large configuration or logging message output with a terminal emulator. A more efficient practice would be to let all the output scroll by into the emulator’s capture buffer; otherwise, you would have to use the spacebar to page through the output and then later remove all the <--- More ---> prompts that were captured too.


2-2: Firewall Features and Licenses

When a Cisco firewall runs an image of the operating system, it must have the proper license activation keys to unlock the required features. To see a list of features and their current availability on a firewall, you can use the following EXEC command:

Firewall# show version

Example 2-1 shows some sample output from a PIX Firewall. The show version command displays the current version of the firewall operating system (6.3(4) in this case), the firewall’s elapsed uptime, and some information about the hardware. You can find the amount of RAM memory, Flash memory, and the MAC addresses of the physical interfaces here too. In this example, the firewall is a model PIX-525 and has 256 MB of RAM, 16 MB of Flash, two ethernet interfaces, and two gb-ethernet interfaces. (Here, ethernet implies a 10/100BASE-TX interface; Gigabit Ethernet interfaces are called gb-ethernet.)

Example 2-1: Sample Output from the PIX 6.3 show version Command

Firewall# show version

Cisco PIX Firewall Version 6.3(4)
Cisco PIX Device Manager Version 3.0(1)

Compiled on Wed 13-Aug-03 13:55 by morlee

Firewall up 252 days 7 hours

Hardware: PIX-525, 256 MB RAM, CPU Pentium III 600 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

Encryption hardware device : IRE2141 with 2048KB, HW:1.0, CGXROM:1.9, FW:6.5
0: ethernet0: address is 0030.8587.446e, irq 10
1: ethernet1: address is 0030.8587.446f, irq 11
2: gb-ethernet0: address is 0003.4725.1f97, irq 5
3: gb-ethernet1: address is 0003.4725.1e32, irq 11
Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Physical Interfaces: 8
Maximum Interfaces: 12
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited

This PIX has an Unrestricted (UR) license.

Serial Number: 431030631 (0x19b10167)
Running Activation Key: 0xb0751733 0xd6201f9f 0x135e15a6 0xef5e1f26
Configuration last modified by enable_15 at 22:00:46.880 EST Thu Feb 24 2005
Firewall#

The Licensed Features section of the output lists all the firewall features. This sample firewall has a valid license to operate as one of two firewalls in a failover pair. The firewall can use the DES, 3DES, and AES encryption methods and has four physical interfaces, with the capability to add more if needed.

However, notice that the firewall has a limit of 8 physical interfaces and a maximum of 12 interfaces. How is it possible to have up to 12 interfaces? Cisco firewalls can also support logical interfaces, in the form of virtual LANs (VLANs). A total of 12 interfaces, either physical or logical, can be configured for use.

For comparison, Example 2-2 shows the show version output from an ASA 5510 running release 8.0 of the operating system. The output format is only slightly different.

Example 2-2: Sample Output from the ASA 8.0 show version Command

Firewall# show version

Cisco Adaptive Security Appliance Software Version 8.0(0)235
Device Manager Version 6.0(0)97

Compiled on Wed 07-Mar-07 14:37 by builders
System image file is "disk0:/asa800-235-k8.bin"
Config file at boot was "startup-config"

Firewall up 3 days 23 hours
Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 64MB
BIOS Flash AT49LW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.01
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: Ethernet0/0 : address is 0016.c789.c8a4, irq 9
1: Ext: Ethernet0/1 : address is 0016.c789.c8a5, irq 9
2: Ext: Ethernet0/2 : address is 0016.c789.c8a6, irq 9
3: Ext: Ethernet0/3 : address is 0016.c789.c8a7, irq 9
4: Ext: Management0/0 : address is 0016.c789.c8a8, irq 11
5: Int: Internal-Data0/0 : address is 0000.0001.0002, irq 11
6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5
Licensed features for this platform:

Maximum Physical Interfaces : Unlimited
Maximum VLANs : 50
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 0
GTP/GPRS : Disabled
VPN Peers : 250
WebVPN Peers : 2
Advanced Endpoint Assessment : Disabled

This platform has a Base license.

Serial Number: JMX1014K070
Running Activation Key: 0x70092e4e 0x507e4e04 0xa8f1f16c 0x85c41864
0x4917ef91
Configuration register is 0x1
Configuration last modified by enable_15 at 00:06:07.574 EDT Thu Mar 22 2007
Firewall#

Notice that several of the licensed features are disabled, because this firewall has a Base license.

The show version output from a FWSM platform is similar, listing its licensed features. Example 2-3 shows the command output.

Example 2-3: Sample Output from the FWSM 3.2 show version Command

Firewall# show version
FWSM Firewall Version 3.1(4)
Compiled on Fri 08-Dec-06 16:55 by dalecki

Firewall up 16 days 14 hours
failover cluster up 40 days 20 hours

Hardware: WS-SVC-FWM-1, 1024 MB RAM, CPU Pentium III 1000 MHz
Flash TOSHIBA THNCF128MBA @ 0xc321, 20MB

0: Int: Not licensed : irq 5
1: Int: Not licensed : irq 7
2: Int: Not licensed : irq 11

Licensed features for this platform:
Maximum Interfaces : 1000
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 20
GTP/GPRS : Disabled
VPN Peers : Unlimited

Serial Number: SAD0912013X
Running Activation Key: 0x2d5557af 0x85b15342 0x5cced864 0xa4e560f8
Configuration last modified by enable_1 at 04:38:10.700 EST Sun Feb 11 2007
Firewall#

Notice that the FWSM has a maximum of 1,000 interfaces. Because the FWSM has no physical interfaces to connect, all of the 1,000 interfaces are logical VLAN interfaces.

The maximum supported memory, number of interfaces, and number of concurrent connections vary across the family of Cisco firewalls. Table 2-2 shows how the models and their resources break down.

Table 2-2: Firewall Models, Licenses, and Supported Resources

Model    | Memory (MB)     | Physical Interfaces          | Virtual Interfaces                    | VPN Peers    | Concurrent Connections | Security Contexts (Max)
FWSM     | 1024            | -                            | 1,000                                 | -            | 1,000,000              | 250
ASA 5540 | 1024            | Four 10/100/1000, one 10/100 | 200                                   | 5,000        | 400,000                | 50
ASA 5520 | 512             | Four 10/100/1000, one 10/100 | 150                                   | 750          | 280,000                | 20
ASA 5510 | 256             | Five 10/100                  | 50[1], 100[2]                         | 250          | 50,000[1], 130,000[2]  | 0[1], 5[2]
ASA 5505 | 256             | Eight 10/100, two PoE        | 3 (non-trunking)[1], 20 (trunking)[2] | 10[1], 25[2] | 10,000[1], 25,000[2]   | 0[1], 0[2]
PIX 535  | 1024[3], 512[4] | 10                           | 150                                   | 2,000        | 500,000                | 50
PIX 525  | 256[3], 128[4]  | 8                            | 100                                   | 2,000        | 280,000                | 50
PIX 515E | 64[3], 32[4]    | 6                            | 25                                    | 2,000        | 130,000                | 5
PIX 506E | 32[3], 0[4]     | 2                            | 2                                     | 25           | 25,000                 | -
PIX 501  | 16[3], 0[4]     | 2                            | -                                     | 10           | 7,500                  | -

[1] Base license

[2] Security Plus license

[3] PIX Unrestricted license

[4] PIX Restricted license

Some firewall platforms can support high availability by operating in failover pairs. One firewall can run in an active mode, while the other can run in a standby mode or an active mode. The failover pair capabilities of the FWSM, ASA, and PIX are as follows:

  • The FWSM platform always allows an active/active or active/standby failover pair to be configured.

  • All models of ASA allow active/active or active/standby, except for the ASA 5510 and ASA 5505. Failover is not supported with the Base license. With the Security Plus license, the ASA 5510 can run in either active/active or active/standby, while the ASA 5505 can run in active/standby without keeping state information.

  • PIX firewalls can operate in a failover pair with the Unrestricted (UR) license, but not with the Restricted (R) license. The PIX can also have a Failover (FO) license, allowing it to run in an active/standby pair, but not as a standalone firewall. The Failover-Active/Active (FO-AA) license allows a PIX to run in an active/active pair, but not as a standalone firewall.

Firewall features are unlocked by a license activation key. Beginning with ASA 7.0, the activation key is a 20-byte string consisting of five groups of eight hexadecimal digits each. Prior releases use a 16-byte string consisting of four groups of eight hexadecimal digits each.


Tip

The Catalyst 6500 FWSM comes standard with an Unrestricted license. Because of this, it does not use an activation key.

If your ASA or PIX firewall does not have the 56-bit Data Encryption Standard (DES), 168-bit Triple DES (3DES), or 256-bit Advanced Encryption Standard (AES) encryption methods enabled, you can obtain a free license activation key from Cisco.com. You need an active Cisco.com user ID to access the license request pages at http://www.cisco.com/go/license. Under the Licenses Not Requiring a PAK section, click on the click here for available licenses link.

Find the Cisco ASA or PIX listing under Security Products and click on the license link. You have to fill out an Encryption Software Export Distribution Authorization Form to get permission to legally download and use strong encryption technology from Cisco.

You can also register your firewall license and request an activation key to upgrade any of the other features. To do this, go to http://www.cisco.com/go/license and enter the Product Authorization Key (PAK).

When you request any type of license upgrade on Cisco.com, you must also enter your firewall serial number. You can find the serial number, programmed into the firewall hardware or the Flash memory at the factory, by issuing the show version command. The serial number is used to calculate a license activation key; therefore, the activation key works only with the firewall it was intended to support.

Upgrading a License Activation Key

A firewall keeps its activation key stored in nonvolatile Flash memory, along with an image of its operating system. The key and image are read, copied into RAM, and used when the firewall boots up.

You also can download a new key and a new operating system image to a running firewall. The new key and operating system image are immediately stored in Flash memory, because the firewall is already running from its RAM resources.

You can see the current activation key (the one copied into RAM) by issuing the following EXEC command:

Firewall# show activation-key

Example 2-4 shows a sample of the output from an ASA command. Notice that this firewall has the same key in both Flash and running (RAM) memory. This only means that the key has not been updated or changed since the firewall was booted up.

Example 2-4: Sample Output from the show activation-key Command

Firewall# show activation-key
Serial Number: 807243559
Running Activation Key: 0xc422440f 0x2eb1445a 0x46fb4413 0x74a344ee 0x4b33d295
Licensed features for this platform:
Maximum Physical Interfaces : 10
Maximum VLANs : 100
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 5
GTP/GPRS : Enabled
VPN Peers : Unlimited

This platform has an Unrestricted (UR) license.

The flash activation key is the SAME as the running key.
Firewall#

Before you can enter a new activation key, the firewall must be running the exact same operating system image as the one stored in Flash memory. This ensures that the features unlocked by the activation key apply to the most recent image present on the firewall. If the images differ, you see the following message from the show activation-key command:

The flash image is DIFFERENT from the running image.
The two images must be the same in order to examine the flash activation key.

In this case, the firewall must be reloaded so that the image in Flash is the one being run.

You can enter a new license activation key in one of two ways:

  • ROM monitor mode

    After an image of the firewall operating system has been downloaded via TFTP from monitor mode, the firewall asks whether a new activation key is needed. The new key is added before the image is run.

  • Configuration mode

    Firewall# activation-key activation-key-tuples

    activation-key-tuples is a string of four groups (PIX 6.3 or FWSM) or five groups (ASA) of eight hexadecimal digits each, provided by Cisco. Each tuple or group of eight digits can begin with 0x to designate hexadecimal notation, but this is not necessary.

For example, a new activation key is entered on an ASA platform as follows:

Firewall# activation-key 0xcc055f66 0xd4c45b68 0x98505048 0x8a8c5890 0x4b35d295

License Features for this Platform:
Maximum Physical Interfaces : 10
Maximum VLANs : 100
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 5
GTP/GPRS : Enabled
VPN Peers : Unlimited

This machine has an Unrestricted (UR) license.

Both running and flash activation keys were updated with the requested key
Firewall#
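When you manage more than a handful of firewalls, it is worth checking show activation-key output programmatically before pushing a new key: the flash and running keys must agree, the running image must match Flash, the serial number must be the one the key was generated for, and the key string must have the right number of eight-hex-digit tuples for the platform. The following is an added example and is not code from the chapter; it parses the text of Example 2-4 (embedded below as a constructed sample) and validates key strings using the tuple counts the text gives (four for PIX 6.3 and FWSM, five for ASA). The function and constant names are my own, and the exact wording of a "key differs" message is not shown in the chapter, so any flash-key line that does not say SAME is treated as a mismatch.

```python
"""Parse 'show activation-key' output and validate a candidate key string.

Added example, not from the chapter. SAMPLE_OUTPUT is constructed from
Example 2-4; helper and constant names are assumptions of this example.
"""
import re

# Constructed sample, copied from Example 2-4 in the chapter.
SAMPLE_OUTPUT = """\
Firewall# show activation-key
Serial Number: 807243559
Running Activation Key: 0xc422440f 0x2eb1445a 0x46fb4413 0x74a344ee 0x4b33d295
Licensed features for this platform:
Maximum Physical Interfaces : 10
Maximum VLANs : 100
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 5
GTP/GPRS : Enabled
VPN Peers : Unlimited

This platform has an Unrestricted (UR) license.

The flash activation key is the SAME as the running key.
Firewall#
"""

# Tuples per key, as stated in the text: five on ASA, four on PIX 6.3 / FWSM.
TUPLES_PER_PLATFORM = {"asa": 5, "pix": 4, "fwsm": 4}

# One tuple: eight hex digits, optional 0x prefix.
_TUPLE_RE = re.compile(r"^(?:0x)?[0-9a-fA-F]{8}$")


def parse_activation_key(output):
    """Return serial, running key tuples, licensed features, and whether the
    flash key matches the running key. flash_matches stays None and
    images_differ becomes True when the firewall refuses to compare keys
    because the Flash and running images differ."""
    info = {"serial": None, "running_key": [], "features": {},
            "flash_matches": None, "images_differ": False}
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("Serial Number:"):
            info["serial"] = line.split(":", 1)[1].strip()
        elif line.startswith("Running Activation Key:"):
            info["running_key"] = line.split(":", 1)[1].split()
        elif " : " in line:
            name, value = line.split(" : ", 1)
            info["features"][name.strip()] = value.strip()
        elif "flash image is DIFFERENT" in line:
            info["images_differ"] = True
        elif "flash activation key" in line:
            # Assumption: any wording other than SAME means the keys differ.
            info["flash_matches"] = "SAME" in line
    return info


def validate_activation_key(key, platform="asa"):
    """True when key has the right number of well-formed tuples for platform."""
    tuples = key.split()
    if len(tuples) != TUPLES_PER_PLATFORM[platform.lower()]:
        return False
    return all(_TUPLE_RE.match(t) for t in tuples)


def ready_for_new_key(info, expected_serial):
    """True only when the images agree, the flash key matches the running key,
    and the unit is the one the key was generated for."""
    return (not info["images_differ"]
            and info["flash_matches"] is True
            and info["serial"] == expected_serial)


if __name__ == "__main__":
    parsed = parse_activation_key(SAMPLE_OUTPUT)
    print(parsed["serial"], parsed["features"]["Security Contexts"])
    print(ready_for_new_key(parsed, "807243559"))
    print(validate_activation_key(
        "0xcc055f66 0xd4c45b68 0x98505048 0x8a8c5890 0x4b35d295"))
```

Because the key is derived from the serial number, the ready_for_new_key check against the serial you submitted on Cisco.com catches the common mistake of pasting a key generated for a different unit before the firewall rejects it.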

2-3: Initial Firewall Configuration

A Cisco firewall can be configured through the CLI on the console port. You can enter configuration mode with the following privileged EXEC command:

Firewall# configure terminal

Commands can then be entered one at a time. To end configuration mode and return to EXEC mode, you can press Ctrl-z or enter exit. Chapters 3 through 10 cover all the firewall features and configuration commands.


Tip

Whenever you make configuration changes to a firewall, you should always make sure the running configuration is saved to a nonvolatile location. Otherwise, if the firewall is rebooted or if power is lost, your configuration changes are also lost.

You can save the running configuration to the firewall's nonvolatile Flash memory with the write mem command. Chapter 4 in Section 4-3, "Managing Configuration Files," discusses this procedure in more detail.

You can use a firewall management application such as ASDM, PDM, or Firewall Management Center (Firewall MC, a part of the VMS software) to make configuration changes on a firewall. If you intend to do this, you need to give the firewall a minimal "bootstrap" configuration so that the management application can communicate with and manage it.

You can use the setup EXEC command to start the bootstrap procedure. The firewall then prompts you for the necessary values. At a minimum, the firewall needs the following parameters, which are collected by the setup command:

  • Enable password

  • Current time (Coordinated Universal Time [UTC] or Greenwich Mean Time [GMT])

  • Current date

  • IP address of the firewall's inside interface (where it reaches the management application)

  • Firewall's host name

  • Firewall's domain name (used to generate an SSL certificate for web management access)

  • Management station's IP address
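Once the bootstrap is in place, the security-relevant question is whether management access ended up restricted to the management station or opened to any source. The following is an added example, not part of the chapter, that audits a saved configuration for the items the setup command collects (host name, domain name, enable password, inside interface address) and for the http and ssh access lines that name the management station. The configuration text is constructed; the command syntax it parses (hostname, domain-name, nameif, ip address, http server enable, and the "http A.B.C.D MASK nameif" / "ssh A.B.C.D MASK nameif" forms) is standard ASA syntax assumed here and is not shown in the chapter. The time and date that setup asks for are set with an EXEC command and do not appear in the configuration, so they are not checked. The password hash is a placeholder.

```python
"""Audit a Cisco ASA/PIX configuration for the setup bootstrap and for
management access opened to any source.

Added example, not from the chapter. SAMPLE_CONFIG is constructed; the
command syntax is standard ASA syntax assumed here. Function names are
assumptions of this example.
"""
import ipaddress

# Constructed sample of a configuration after bootstrapping. The ssh line
# deliberately allows any source, which the audit should flag.
SAMPLE_CONFIG = """\
hostname Firewall
domain-name example.com
enable password PLACEHOLDERHASH encrypted
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
http server enable
http 10.1.1.100 255.255.255.255 inside
ssh 0.0.0.0 0.0.0.0 inside
"""


def inside_address(config):
    """Return the IP address configured on the interface named 'inside',
    or None if there is no such interface or it has no address."""
    is_inside = False
    for line in config.splitlines():
        line = line.rstrip()
        if line.startswith("interface "):
            is_inside = False          # new interface block
        elif line.startswith(" nameif "):
            is_inside = line.split()[1] == "inside"
        elif is_inside and line.startswith(" ip address "):
            return line.split()[2]
    return None


def audit_bootstrap(config, mgmt_station):
    """Return a list of findings; an empty list means every bootstrap item is
    present and http/ssh access is limited to hosts including mgmt_station
    without being open to any source."""
    findings = []
    lines = [l.rstrip() for l in config.splitlines()]

    for cmd in ("hostname", "domain-name", "enable password"):
        if not any(l.startswith(cmd + " ") for l in lines):
            findings.append("missing " + cmd)

    if inside_address(config) is None:
        findings.append("no ip address on the inside interface")

    if not any(l.startswith("http server enable") for l in lines):
        findings.append("http server not enabled")

    mgmt = ipaddress.ip_address(mgmt_station)
    for proto in ("http", "ssh"):
        # "<proto> <address> <mask> <nameif>" lines grant management access.
        rules = [l.split() for l in lines
                 if len(l.split()) == 4 and l.split()[0] == proto]
        covered = False
        for _, addr, mask, iface in rules:
            net = ipaddress.ip_network("%s/%s" % (addr, mask), strict=False)
            if net.prefixlen == 0:
                findings.append("%s access open to any source on %s" % (proto, iface))
            if mgmt in net:
                covered = True
        if not covered:
            findings.append("%s access does not include management station %s"
                            % (proto, mgmt))
    return findings


if __name__ == "__main__":
    for finding in audit_bootstrap(SAMPLE_CONFIG, "10.1.1.100"):
        print(finding)
```

Run against the sample, the audit reports only the ssh line that admits any source; replacing it with a host-specific line for the management station yields an empty finding list, which is what you want to see before handing the firewall to ASDM, PDM, or Firewall MC.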
