Cisco ASA Documentation

From ITCwiki
Revision as of 17:54, 26 April 2021 by BenFranske

Upgrading the Software on ASA 5506

If your Cisco ASA 5506 has an outdated system image or outdated ASDM software, you should update them.

  1. Ensure you have a working IP connection between the ASA and one of the PCs.
  2. Use the TFTPd software on the PC to make the directory with the ASA software files available over TFTP.
    • NOTE: On our Netlab PCs the ASA software is located on the Desktop in the "CCNA Security Files\ASA Software" directory
  3. Use the copy tftp: flash: command to copy the ASA software AND the ASDM software to the ASA. You need to copy two files!
    • NOTE: The ASA software starts with asa9 and ends with .SPA
    • NOTE: The ASDM software starts with asdm- and ends with .bin. DO NOT copy the "openjre" version unless you have specifically been told to do so.
  4. Enter config mode on the ASA
  5. Use the boot system flash:asa9-...SPA command (with the correct ASA software filename you just copied) to set the ASA to boot to the new software.
  6. Use the asdm image flash:asdm-...bin command (with the correct ASDM software filename you just copied) to set the ASA to use the new ASDM software.
  7. Save your configuration with the write mem command.
  8. Reload the ASA with the reload command.
  9. Check the version is correct with the show version command.
  10. Check the old version filenames with the dir flash: command.
  11. Use the del flash:filename.bin command (replacing filename.bin with the correct filename) to delete the old ASA software file AND the old ASDM software file.
  12. Congratulations, the ASA and ASDM software is updated.

Adding AnyConnect Package to ASA 5506

If your Cisco ASA 5506 does not have the AnyConnect deployment package, you will not be able to install the AnyConnect VPN client from the ASA on a client PC.

  1. Ensure you have a working IP connection between the ASA and one of the PCs.
  2. Use the TFTPd software on the PC to make the directory with the ASA software files available over TFTP.
    • NOTE: On our Netlab PCs the ASA software is located on the Desktop in the "CCNA Security Files\ASA Software" directory
  3. Use the copy tftp: flash: command to copy the AnyConnect web deployment software to the ASA.
    • NOTE: The AnyConnect web deployment software starts with anyconnect-win- and ends with -webdeploy-k9.pkg
  4. Congratulations, the AnyConnect web deployment software is installed.

Activating VPN-3DES-AES License on an ASA 5505

If your Cisco ASA 5505 gives you an error message stating "The 3DES/AES algorithms require a VPN-3DES-AES activation key.", follow these steps to activate the free 3DES-AES license.

  1. Run the show activation-key command on your ASA. Note that the Encryption-3DES-AES line is listed as "Disabled". Also note the Serial Number, which is included in the output.
  2. Go to the Cisco Licensing page at https://tools.cisco.com/SWIFT/LicensingUI/Quickstart and log in with your Cisco login.
  3. Go to the "Devices" tab on the "Product License Registration" page at Cisco
  4. Click "Add Devices"
  5. Choose "ASA 5500 Series" for the "Product Family"
  6. Enter the serial number for your ASA, which you got from the "show activation-key" command, and click "OK".
  7. Once the device shows up in your list of devices, hover over the serial number, click the blue arrow to the right of the serial number, and choose "Download License".
  8. Open the ZIP file which downloads and open the ASA3DES... ZIP file
  9. Open the ASA3DES...LIC file with notepad
  10. At the bottom of the file will be the serial number plus 5 groups of hexadecimal digits. You will need to add a "0x" on to the front of each group of hexadecimal digits.
  11. Enter the activation-key command on your ASA, followed by the five groups of hex digits from your license file, like activation-key 0x8c07de7b 0x0c5cd0bc 0x30c27dac 0xba7c5870 0x840a7c9d, and press enter. (Note that this particular code is invalid; you need to generate one on the Cisco site specific to your serial number.)
  12. You will probably receive a warning or notice.
  13. Run the show activation-key command on your ASA. Note that the Encryption-3DES-AES line is now listed as "Enabled"
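
Steps 10 and 11 can be scripted so the "0x" prefixes are not typed by hand and a license file issued for a different serial number is caught before the key is entered. The following is an added example, not part of the original wiki page or any Cisco tool. It assumes the key sits on one line near the bottom of the file as five 8-digit hex groups; the function names, the sample text and the serial JMX0000TEST are constructed for illustration.

```python
import re

# Assumption: each key group is 8 hex digits, as in the page's sample command.
TOKEN = re.compile(r"^(?:0x)?([0-9a-f]{8})$", re.IGNORECASE)

# Constructed sample, not a real Cisco license file. The serial is a placeholder
# and the key is the page's own (invalid) example.
SAMPLE_LIC = """\
(constructed sample)
Serial Number: JMX0000TEST
8c07de7b 0c5cd0bc 30c27dac ba7c5870 840a7c9d
"""


def extract_key_groups(lic_text):
    """Return the five hex groups from the last line that contains any."""
    for line in reversed(lic_text.splitlines()):
        tokens = line.replace(":", " ").replace(",", " ").split()
        groups = [m.group(1).lower() for t in tokens if (m := TOKEN.match(t))]
        if groups:
            if len(groups) != 5:
                raise ValueError(f"expected 5 hex groups, found {len(groups)}")
            return groups
    raise ValueError("no hex groups found in license text")


def build_activation_command(lic_text, device_serial):
    """Build the activation-key line, refusing a file issued for another serial.

    device_serial is the Serial Number printed by show activation-key.
    """
    serial = device_serial.strip().upper()
    if not serial or serial not in lic_text.upper():
        raise ValueError("license text does not mention this device's serial")
    return "activation-key " + " ".join("0x" + g for g in extract_key_groups(lic_text))


if __name__ == "__main__":
    print(build_activation_command(SAMPLE_LIC, "JMX0000TEST"))
```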