Requires FXOS 2.8(1).

Firewall Features

Ability to see port numbers in show access-list output. The show access-list command now has the numeric keyword. You can use this to view port numbers in the access control entries rather than names, for example, 80 instead of www.

The object-group icmp-type command is deprecated. Although the command remains supported in this release, the object-group icmp-type command is deprecated and might be removed in a future release.


Please change all ICMP-type objects to service object groups (object-group service) and specify service icmp within the object.

Kerberos Key Distribution Center (KDC) authentication. You can import a keytab file from a Kerberos Key Distribution Center (KDC), and the system can authenticate that the Kerberos server is not being spoofed before using it to authenticate users. To accomplish KDC authentication, you must set up a host/ASAhostname service principal name (SPN) on the Kerberos KDC, then export a keytab for that SPN. You then must upload the keytab to the ASA, and configure the Kerberos AAA server group to validate the KDC. New/Modified commands: aaa kerberos import-keytab, clear aaa kerberos keytab, show aaa kerberos keytab, validate-kdc. New/Modified screens: Configuration > Device Management > Users/AAA > AAA Kerberos; Configuration > Device Management > Users/AAA > AAA Server Groups > Add/Edit dialog box for Kerberos server groups.

High Availability and Scalability Features

Configuration sync to slave units in parallel. The master unit now syncs configuration changes with slave units in parallel by default.

Released: September 25, 2019

Platform Features

ASA for the Firepower 1010. We introduced the ASA for the Firepower 1010.

Some configuration commands are not compatible with accelerated cluster joining; if these commands are present on the unit, even if accelerated cluster joining is enabled, configuration syncing will always occur. You must remove the incompatible configuration for accelerated cluster joining to work.

If you attempt to configure any features that can use strong encryption before you have the license—even if you only configure weak encryption—then your HTTPS connection will be dropped on that interface, and you cannot reconnect.

The exception to this rule is if you are connected to a management-only interface, such as Management 1/1. SSH is not affected. If you lose your HTTPS connection, you can connect to the console port to reconfigure the ASA, connect to a management-only interface, or connect to an interface not configured for a strong encryption feature. No modified commands. No modified screens.

Additional NTP authentication algorithms. Formerly, only MD5 was supported for NTP authentication. The ASA now supports the following algorithms: MD5, SHA-1, SHA-256, SHA-512, AES-CMAC. New/Modified commands: ntp authentication-key. New/Modified screens: Configuration > Device Setup > System Time > NTP > Add button > Add NTP Server Configuration dialog box > Key Algorithm drop-down list.

ASA Security Service Exchange (SSE) Telemetry Support for the Firepower 4100/9300. With Cisco Success Network enabled in your network, device usage information and statistics are provided to Cisco which is used to optimize technical support. The telemetry data that is collected on your ASA devices includes CPU, memory, disk, or bandwidth usage, license usage, configured feature list, cluster/failover information and the like. New/Modified commands: service telemetry and show telemetry. New/Modified screens: Configuration > Device Management > Telemetry; Monitoring > Properties > Telemetry.

SSH encryption ciphers are now listed in order from highest to lowest security for pre-defined lists. SSH encryption ciphers are now listed in order from highest security to lowest security for pre-defined lists (such as medium or high).
Released: May, 2020

Routing Features

Multicast IGMP interface state limit raised from 500 to 5000. The multicast IGMP state limit per interface was raised from 500 to 5000. New/Modified commands: igmp limit. No ASDM support.

VPN Features

Support for configuring the maximum in-negotiation SAs as an absolute value. You can now configure the maximum in-negotiation SAs as an absolute value up to 15000; formerly, only a percentage was allowed. New/Modified commands: crypto ikev2 limit max-in-negotiation-sa value. No ASDM support.

New Features in ASA 9.12(3). Released: October 25, 2018

Platform Features

ASAv VHD custom images for Azure. You can now create your own custom ASAv images on Azure using a compressed VHD image available from Cisco.

To deploy using a VHD image, you upload the VHD image to your Azure storage account. Then, you can create a managed image using the uploaded disk image and an Azure Resource Manager template. Azure templates are JSON files that contain resource descriptions and parameter definitions.

ASAv for Azure. The ASAv is available in the Azure China Marketplace.

ASAv support for DPDK. DPDK (Dataplane Development Kit) is integrated into the dataplane of the ASAv using poll-mode drivers.

ISA 3000 support for FirePOWER module Version 6.3. The previous supported version was FirePOWER 5.4.

Firewall Features

Cisco Umbrella support. You can configure the device to redirect DNS requests to Cisco Umbrella, so that your Enterprise Security policy defined in Cisco Umbrella can be applied to user connections. You can allow or block connections based on FQDN, or for suspicious FQDNs, you can redirect the user to the Cisco Umbrella intelligent proxy, which can perform URL filtering. The Umbrella configuration is part of the DNS inspection policy. New/Modified commands: umbrella, umbrella-global, token, public-key, timeout edns, dnscrypt, show service-policy inspect dns detail. New/Modified screens: Configuration > Firewall > Objects > Umbrella; Configuration > Firewall > Objects > Inspect Maps > DNS.

GTP inspection enhancements for MSISDN and Selection Mode filtering, anti-replay, and user spoofing protection. You can now configure GTP inspection to drop Create PDP Context messages based on Mobile Station International Subscriber Directory Number (MSISDN) or Selection Mode.

Released: May 9, 2018

VPN Features

Support for legacy SAML authentication. If you deploy an ASA with the fix for, then the default SAML behavior is to use the embedded browser, which is not supported on AnyConnect 4.4 or 4.5. Therefore, to continue to use AnyConnect 4.4 or 4.5, you must enable the legacy external browser SAML authentication method. Because of security limitations, use this option only as part of a temporary plan to migrate to AnyConnect 4.6. This option will be deprecated in the near future. New/Modified screens: Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles page > Connection Profiles area > Add button > Add AnyConnect Connection Profile dialog box; Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles page > Connection Profiles area > Add button > Add Clientless SSL VPN Connection Profile dialog box. New/Modified options: SAML External Browser check box.

New Features in ASA 9.9(2)/ASDM 7.9(2). Released: March 26, 2018

Platform Features

ASAv support for VMware ESXi 6.5. The ASAv virtual platform supports hosts running on VMware ESXi 6.5.

Released: April 24, 2019

VPN Features

Add subdomains to webVPN HSTS. Allows domain owners to submit what domains should be included in the HSTS preload list for web browsers. New/Modified commands: hostname(config-webvpn) includesubdomains. New/Modified screens: Configuration > Remote Access VPN > Clientless SSL VPN Access > Advanced > Proxies > Enable HSTS Subdomains field. Also in 9.12(1).

Administrative Features

Allow non-browser-based HTTPS clients to access the ASA. You can allow non-browser-based HTTPS clients to access HTTPS services on the ASA.

By default, ASDM, CSM, and REST API are allowed.

Released: July 2, 2018

Platform Features

Firepower 2100 Active LED now lights amber when in standby mode. Formerly, the Active LED was unlit in standby mode.

Firewall Features

Support for removing the logout button from the cut-through proxy login page. If you configure the cut-through proxy to obtain user identity information (the AAA authentication listener), you can now remove the logout button from the page. This is useful in cases where users connect from behind a NAT device and cannot be distinguished by IP address. When one user logs out, it logs out all users of the IP address. New/Modified commands: aaa authentication listener no-logout-button. No ASDM support.

Trustsec SXP connection configurable delete hold down timer. The default SXP connection hold down timer is 120 seconds. You can now configure this timer, between 120 to 64000 seconds. New/Modified commands: cts sxp delete-hold-down period, show cts sxp connection brief, show cts sxp connections. No ASDM support.

VPN Features

Support for legacy SAML authentication. If you deploy an ASA with the fix for, then the default SAML behavior is to use the embedded browser, which is not supported on AnyConnect 4.4 or 4.5. Therefore, to continue to use AnyConnect 4.4 or 4.5, you must enable the legacy external browser SAML authentication method.

Because of security limitations, use this option only as part of a temporary plan to migrate to AnyConnect 4.6.

Released: August 28, 2017

Platform Features

ASA for the Firepower 2100 series. We introduced the ASA for the Firepower 2110, 2120, 2130, and 2140. Similar to the Firepower 4100 and 9300, the Firepower 2100 runs the base FXOS operating system and then the ASA operating system as an application. The Firepower 2100 implementation couples FXOS more closely with the ASA than the Firepower 4100 and 9300 do (pared down FXOS functions, single device image bundle, easy management access for both ASA and FXOS). FXOS owns configuring hardware settings for interfaces, including creating EtherChannels, as well as NTP services, hardware monitoring, and other basic functions. You can use the Firepower Chassis Manager or the FXOS CLI for this configuration. The ASA owns all other functionality, including Smart Licensing (unlike the Firepower 4100 and 9300). The ASA and FXOS each have their own IP address on the Management 1/1 interface, and you can configure management of both the ASA and FXOS instances from any data interface. We introduced the following commands: connect fxos, fxos https, fxos snmp, fxos ssh, ip-client. We introduced the following screens: Configuration > Device Management > Management Access > FXOS Remote Management.

Department of Defense Unified Capabilities Approved Products List. The ASA was updated to comply with the Unified Capabilities Approved Products List (UC APL) requirements.

In this release, when you enter the fips enable command, the ASA will reload. Both failover peers must be in the same FIPS mode before you enable failover. We modified the following command: fips enable.

ASAv for Amazon Web Services M4 instance support. You can now deploy the ASAv as an M4 instance. We did not modify any commands. We did not modify any screens.

ASAv5 1.5 GB RAM capability. Starting in Version 9.7(1), the ASAv5 may experience memory exhaustion where certain functions such as enabling AnyConnect or downloading files to the ASAv fail. You can now assign 1.5 GB (up from 1 GB) of RAM to the ASAv5. We did not modify any commands. We did not modify any screens.

VPN Features

HTTP Strict Transport Security (HSTS) header support. HSTS protects websites against protocol downgrade attacks and cookie hijacking on clientless SSL VPN. It lets web servers declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections, and never via the insecure HTTP protocol. HSTS is an IETF standards track protocol and is specified in. We introduced the following commands: hsts enable, hsts max-age age_in_seconds. We modified the following screens: Configuration > Remote Access VPN > Clientless SSL VPN Access > Advanced > Proxies.

Interface Features

VLAN support for the ASAv50. The ASAv50 now supports VLANs on the ixgbe-vf vNIC for SR-IOV interfaces. We did not modify any commands. We did not modify any screens.

New Features in ASA 9.8(1.200). This release is only supported on the ASAv for Microsoft Azure.

These features are not supported in Version 9.8(2).

High Availability and Scalability Features

Active/Backup High Availability for ASAv on Microsoft Azure. A stateless Active/Backup solution that allows for a failure of the active ASAv to trigger an automatic failover of the system to the backup ASAv in the Microsoft Azure public cloud. We introduced the following commands: failover cloud. No ASDM support.

New Features in ASDM 7.8(1.150). Released: May 15, 2017

Platform Features

ASAv50 platform. The ASAv virtual platform has added a high-end performance ASAv50 platform that provides 10 Gbps Firewall throughput levels. The ASAv50 requires ixgbe-vf vNICs, which are supported on VMware and KVM only.

SR-IOV on the ASAv platform. The ASAv virtual platform supports Single Root I/O Virtualization (SR-IOV) interfaces, which allows multiple VMs to share a single PCIe network adapter inside a host. ASAv SR-IOV support is available on VMware, KVM, and AWS only.

Automatic ASP load balancing now supported for the ASAv. Formerly, you could only manually enable and disable ASP load balancing. We modified the following command: asp load-balance per-packet auto. We modified the following screen: Configuration > Device Management > Advanced > ASP Load Balancing.

Firewall Features

Support for setting the TLS proxy server SSL cipher suite. You can now set the SSL cipher suite when the ASA acts as a TLS proxy server.

Formerly, you could only set global settings for the ASA using the ssl cipher command on the Configuration > Device Management > Advanced > SSL Settings > Encryption page. We introduced the following command: server cipher-suite. We modified the following screen: Configuration > Firewall > Unified Communications > TLS Proxy, Add/Edit dialog boxes, Server Configuration page.

Global timeout for ICMP errors. You can now set the idle time before the ASA removes an ICMP connection after receiving an ICMP echo-reply packet. When this timeout is disabled (the default), and you enable ICMP inspection, then the ASA removes the ICMP connection as soon as an echo-reply is received; thus any ICMP errors that are generated for the (now closed) connection are dropped. This timeout delays the removal of ICMP connections so you can receive important ICMP errors. We added the following command: timeout icmp-error. We modified the following screen: Configuration > Firewall > Advanced > Global Timeouts.

High Availability and Scalability Features

Improved cluster unit health-check failure detection. You can now configure a lower holdtime for the unit health check: .3 seconds minimum. The previous minimum was .8 seconds. This feature changes the unit health check messaging scheme to heartbeats in the data plane from keepalives in the control plane. Using heartbeats improves the reliability and the responsiveness of clustering by not being susceptible to control plane CPU hogging and scheduling delays.

Note that configuring a lower holdtime increases cluster control link messaging activity. We suggest that you analyze your network before you configure a low holdtime; for example, make sure a ping from one unit to another over the cluster control link returns within the holdtime/3, because there will be three heartbeat messages during one holdtime interval.

Version 9.6(3) was removed from Cisco.com due to bug.

AAA Features

Separate authentication for users with SSH public key authentication and users with passwords. In releases prior to 9.6(2), you could enable SSH public key authentication (ssh authentication) without also explicitly enabling AAA SSH authentication with the Local user database (aaa authentication ssh console LOCAL). In 9.6(2), the ASA required you to explicitly enable AAA SSH authentication. In this release, you no longer have to explicitly enable AAA SSH authentication; when you configure the ssh authentication command for a user, local authentication is enabled by default for users with this type of authentication. Moreover, when you explicitly configure AAA SSH authentication, this configuration only applies for usernames with passwords, and you can use any AAA server type (aaa authentication ssh console radius1, for example).

For example, some users can use public key authentication using the local database, and other users can use passwords with RADIUS. We did not modify any commands. We did not modify any screens. Also in Version 9.8(1).

New Features in ASDM 7.6(2.150).

Not all accounts are approved for permanent license reservation. If you downgrade from Version 9.5(2.200), the ASAv does not retain the licensing registration state.

The ASAv 9.5.2(200) features, including Microsoft Azure support, are not available in 9.6(1). They are available in 9.6(2).

Platform Features

ASA for the Firepower 4100 series. We introduced the ASA for the Firepower 4110, 4120, and 4140. Requires FXOS 1.1.4. We did not add or modify any commands. We did not add or modify any screens.

SD card support for the ISA 3000. You can now use an SD card for external storage on the ISA 3000.


The card appears as disk3 in the ASA file system. Note that plug and play support requires hardware version 2.1 and later. Use the show module command to check your hardware version. We did not add or modify any commands. We did not add or modify any screens.

Dual power supply support for the ISA 3000. For dual power supplies in the ISA 3000, you can establish dual power supplies as the expected configuration in the ASA OS. If one power supply fails, the ASA issues an alarm.

Version 9.5(3) was removed from Cisco.com due to bug.

Remote Access Features

Configurable SSH encryption and HMAC algorithm. Users can select cipher modes when doing SSH encryption management and can configure HMAC and encryption for varying key exchange algorithms.

You might want to change the ciphers to be more or less strict, depending on your application. Note that the performance of secure copy depends partly on the encryption cipher used. By default, the ASA negotiates one of the following algorithms in order: 3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr. If the first algorithm proposed (3des-cbc) is chosen, then the performance is much slower than a more efficient algorithm such as aes128-cbc. To change the proposed ciphers, use ssh cipher encryption custom aes128-cbc, for example. We introduced the following commands: ssh cipher encryption, ssh cipher integrity. We introduced the following screen: Configuration > Device Management > Advanced > SSH Ciphers. Also available in 9.1(7) and 9.4(3).

New Features in ASAv 9.5(2.200)/ASDM 7.5(2.153). This release supports only the ASAv.

Platform Features

Microsoft Azure support on the ASAv10. Microsoft Azure is a public cloud environment that uses a private Microsoft Hyper V Hypervisor. The ASAv runs as a guest in the Microsoft Azure environment of the Hyper V Hypervisor.

The ASAv on Microsoft Azure supports one instance type, the Standard D3, which supports four vCPUs, 14 GB, and four interfaces.

Licensing Features

Permanent License Reservation for the ASAv. For highly secure environments where communication with the Cisco Smart Software Manager is not allowed, you can request a permanent license for the ASAv. Note: Not all accounts are approved for permanent license reservation. Make sure you have approval from Cisco for this feature before you attempt to configure it. We introduced the following commands: license smart reservation, license smart reservation cancel, license smart reservation install, license smart reservation request universal, license smart reservation return. No ASDM support.

Smart Agent Upgrade to v1.6. The smart agent was upgraded from Version 1.1 to Version 1.6. This upgrade supports permanent license reservation and also supports setting the Strong Encryption (3DES/AES) license entitlement according to the permission set in your license account. Note: If you downgrade from Version 9.5(2.200), the ASAv does not retain the licensing registration state.

This release supports only the ASA on the Firepower 9300.

Platform Features

VPN support for the ASA on the Firepower 9300. With FXOS 1.1.3, you can now configure VPN features.

Firewall Features

Flow off-load for the ASA on the Firepower 9300. You can identify flows that should be off-loaded from the ASA and switched directly in the NIC (on the Firepower 9300).

Released: November 30, 2015

Platform Features

Cisco ISA 3000 Support. The Cisco ISA 3000 is a DIN Rail mounted, ruggedized, industrial security appliance. It is low-power, fan-less, with Gigabit Ethernet and a dedicated management port. This model comes with the ASA Firepower module pre-installed. Special features for this model include a customized transparent mode default configuration, as well as a hardware bypass function to allow traffic to continue flowing through the appliance when there is a loss of power. We introduced the following commands: hardware-bypass, hardware-bypass manual, hardware-bypass boot-delay. We modified the following screen: Configuration > Device Management > Hardware Bypass. Also in Version 9.4(1.225).

Firewall Features

DCERPC inspection improvements and UUID filtering. DCERPC inspection now supports NAT for OxidResolver ServerAlive2 opnum5 messages. You can also now filter on DCERPC message universally unique identifiers (UUIDs) to reset or log particular message types.

There is a new DCERPC inspection class map for UUID filtering. We introduced the following command: match not uuid. We modified the following command: class-map type inspect. We added the following screen: Configuration > Firewall > Objects > Class Maps > DCERPC. We modified the following screen: Configuration > Firewall > Objects > Inspect Maps > DCERPC.

Diameter inspection. You can now inspect Diameter traffic.

Released: November 11, 2015

Platform Features

Support for ASA FirePOWER 6.0. The 6.0 software version for the ASA FirePOWER module is supported on all previously supported device models.

Support for managing the ASA FirePOWER module through ASDM for the 5512-X through 5585-X. You can manage the ASA FirePOWER module using ASDM instead of using Firepower Management Center (formerly FireSIGHT Management Center) when running version 6.0 on the module. You can still use ASDM to manage the module on the 5506-X, 5506H-X, 5506W-X, 5508-X, and 5516-X when running 6.0. No new screens or commands were added.

New Features in ASDM 7.5(1.90). Released: October 14, 2015

Remote Access Features

AnyConnect Version 4.2 support. ASDM supports AnyConnect 4.2 and the Network Visibility Module (NVM).

NVM enhances the enterprise administrator’s ability to do capacity and service planning, auditing, compliance, and security analytics. The NVM collects the endpoint telemetry and logs both the flow data and the file reputation in the syslog and also exports the flow records to a collector (a third-party vendor), which performs the file analysis and provides a UI. We modified the following screen: Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile (a new profile called Network Visibility Service Profile).

New Features in ASAv 9.5(1.200)/ASDM 7.5(1). This version does not support the Firepower 9300 ASA security module or the ISA 3000.

Firewall Features

GTPv2 inspection and improvements to GTPv0/1 inspection. GTP inspection can now handle GTPv2.

Released: April 25, 2016

Firewall Features

Connection holddown timeout for route convergence. You can now configure how long the system should maintain a connection when the route used by the connection no longer exists or is inactive. If the route does not become active within this holddown period, the connection is freed. You can reduce the holddown timer to make route convergence happen more quickly.

This release supports only the Cisco ISA 3000.

Platform Features

Cisco ISA 3000 Support. The Cisco ISA 3000 is a DIN Rail mounted, ruggedized, industrial security appliance. It is low-power, fan-less, with Gigabit Ethernet and a dedicated management port. This model comes with the ASA Firepower module pre-installed. Special features for this model include a customized transparent mode default configuration, as well as a hardware bypass function to allow traffic to continue flowing through the appliance when there is a loss of power. We introduced the following commands: hardware-bypass, hardware-bypass manual, hardware-bypass boot-delay, show hardware-bypass. We introduced the following screen: Configuration > Device Management > Hardware Bypass. The hardware-bypass boot-delay command is not available in ASDM 7.5(1). This feature is not available in Version 9.5(1).

New Features in ASA 9.4(1.152)/ASDM 7.4(3). Firepower Chassis Manager 1.1.1 does not support any VPN features (site-to-site or remote access) for the ASA security module on the Firepower 9300.

High Availability Features

Intra-chassis ASA Clustering for the Firepower 9300. You can cluster up to 3 security modules within the Firepower 9300 chassis.

Released: March 30, 2015

Platform Features

ASA 5506W-X, ASA 5506H-X, ASA 5508-X, ASA 5516-X. We introduced the ASA 5506W-X with wireless access point, hardened ASA 5506H-X, ASA 5508-X, and ASA 5516-X models. We introduced the following command: hw-module module wlan recover image. We did not modify any ASDM screens.

Certification Features

Department of Defense Unified Capabilities Requirements (UCR) 2013 Certification. The ASA was updated to comply with the DoD UCR 2013 requirements. See the rows in this table for the following features that were added for this certification:
  • Periodic certificate authentication
  • Certificate expiration alerts
  • Enforcement of the basic constraints CA flag
  • ASDM Username From Certificate Configuration
  • ASDM management authorization
  • IKEv2 invalid selectors notification configuration
  • IKEv2 pre-shared key in Hex

FIPS 140-2 Certification compliance updates. When you enable FIPS mode on the ASA, additional restrictions are put in place for the ASA to be FIPS 140-2 compliant.

Restrictions include:
  • RSA and DH Key Size Restrictions—Only RSA and DH keys 2K (2048 bits) or larger are allowed. For DH, this means groups 1 (768 bit), 2 (1024 bit), and 5 (1536 bit) are not allowed. Note: The key size restrictions disable use of IKEv1 with FIPS.
  • Restrictions on the Hash Algorithm for Digital Signatures—Only SHA256 or better is allowed.
  • SSH Cipher Restrictions—Allowed ciphers: aes128-cbc or aes256-cbc.

KB ID 0001091

Problem

Given the amount of ASA work I do it’s surprising that the first time I saw an ASA 5506-X was last week (I’ve been working on larger firewalls for a while). I’m probably going to have to do a few of these over the next couple of years so I’ll update this article as things surface.

Solution

Q: Can I just copy the config from an ASA 5505 to an ASA 5506-X?

A: No, that would be nice. Truth be told, if the 5505 is running an OS newer than 8.3, about 90% of the config can be copy/pasted if you know what you are doing.

The ASA 5506 Interfaces are different.

  • Unlike its predecessor (and just about all other Cisco equipment), the interfaces start at number 1 (the 5505 starts at 0).
  • The 5506 Interfaces are the opposite way round (left to right).
  • The 5506 has IP addresses applied to its physical interfaces, whereas the 5505 had IP addresses applied to VLANs and then the physical interfaces were added to the appropriate VLAN. Note: the 5506 still supports VLANs (5, or 30 with a Security Plus license).*

*UPDATE: After version 9.7 this has changed (on the 5506-X). See the following article for an explanation;

So let’s say your 5505 has three interfaces called inside, outside, and DMZ (yours might have different names, and you may only have two); the relevant parts of the 5505 config would be;

VLAN Note: You might be wondering why no ports have been put into VLAN 1? By default all ports are in VLAN 1, so above, ports 0/1 and 0/3 to 0/7 are all in VLAN 1.

Outside IP Note: Yours may say ‘dhcp setroute’ if it does not have a static IP; that’s fine.

To convert that (assuming you are NOT going to use the BVI interface, see link above!);
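The conversion above is mechanical, so here is an added example (my own code, not from this article) that rewrites 5505-style VLAN interfaces as 5506-X physical interfaces: it lifts nameif, security-level and ip address off each interface VlanN and puts them on a GigabitEthernet1/x port, taking the page's two facts as rules (ports with no switchport access vlan line sit in VLAN 1; the 5506-X numbers its ports from 1). The port mapping is my assumption: each VLAN goes to the lowest-numbered 5505 port that was a member of it, and Ethernet0/N becomes GigabitEthernet1/(N+1). The sample 5505 config is constructed, and it includes a VLAN with no member port (Vlan5) to show that such interfaces are reported rather than silently dropped.

```python
"""Rewrite ASA 5505 VLAN-based interface config for an ASA 5506-X.

Added example, not taken from the article. Port mapping is an assumption.
"""
import re
from collections import OrderedDict

# Constructed sample of the interface section of a 5505 running-config.
# Ethernet0/1 and Ethernet0/3 carry no "switchport access vlan", so they
# sit in VLAN 1 (the 5505 default). Vlan5 has no member port on purpose.
SAMPLE_5505_CONFIG = """\
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan3
 nameif DMZ
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
interface Vlan5
 nameif guest
 security-level 20
 ip address 10.10.10.1 255.255.255.0
!
"""

DEFAULT_VLAN = 1  # 5505 ports without "switchport access vlan" are in VLAN 1
KEEP_COMMANDS = ("nameif", "security-level", "ip")  # sub-commands that move


def parse_interfaces(config_text):
    """Return an ordered dict: interface name -> list of its indented sub-commands."""
    blocks = OrderedDict()
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None  # "!" ends an interface block
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
    return blocks


def convert_5505_to_5506(config_text):
    """Return (5506-X interface config, list of warnings for unmappable VLANs).

    Assumed mapping: a VLAN lands on the lowest-numbered 5505 port that was a
    member of it, and Ethernet0/N becomes GigabitEthernet1/(N+1).
    """
    blocks = parse_interfaces(config_text)
    vlan_members = {}   # vlan id -> list of 5505 port numbers in that VLAN
    vlan_settings = {}  # vlan id -> the nameif/security-level/ip lines to move
    for name, sub in blocks.items():
        port = re.fullmatch(r"Ethernet0/(\d+)", name)
        if port:
            vlan = DEFAULT_VLAN
            for cmd in sub:
                m = re.fullmatch(r"switchport access vlan (\d+)", cmd)
                if m:
                    vlan = int(m.group(1))
            vlan_members.setdefault(vlan, []).append(int(port.group(1)))
            continue
        svi = re.fullmatch(r"Vlan(\d+)", name)
        if svi:
            vlan_settings[int(svi.group(1))] = [c for c in sub if c.split()[0] in KEEP_COMMANDS]

    warnings, assigned = [], []
    for vlan, settings in vlan_settings.items():
        nameif = next((c.split(None, 1)[1] for c in settings if c.startswith("nameif ")), "no nameif")
        ports = sorted(vlan_members.get(vlan, []))
        if not ports:
            warnings.append("VLAN %d (%s) has no member port on the 5505; assign it a 5506-X port by hand" % (vlan, nameif))
            continue
        assigned.append((ports[0] + 1, vlan))  # 5506-X ports start at 1

    out = []
    for gi_port, vlan in sorted(assigned):
        out.append("interface GigabitEthernet1/%d" % gi_port)
        out.extend(" " + c for c in vlan_settings[vlan])
        out.append("!")
    return "\n".join(out) + "\n", warnings


if __name__ == "__main__":
    new_config, warns = convert_5505_to_5506(SAMPLE_5505_CONFIG)
    print(new_config)
    for w in warns:
        print("WARNING:", w)
```

Review the generated interface blocks against the physical cabling before pasting them in: the script decides port numbers from VLAN membership alone, so swap the GigabitEthernet numbers if the cables on the new unit land elsewhere, and any VLAN reported in the warnings still needs an interface of its own.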

AnyConnect Has Changed

If you use AnyConnect then prepare for a little hand wringing. The 5505 could support up to 25 SSLVPN connections. On a 5506 they are actually called AnyConnect now, and it supports up to 50.

There is no Essentials license for a 5506-X! Don’t bother looking, you need to get your head into AnyConnect 4 licensing, I’ve already written about that at length.

Q: Does this mean I can’t use my AnyConnect 3 (or earlier) packages in the new 5506?

A: Yes you can, but you will only get two connections, unless you purchase additional Apex/Plus licensing.

I’m working on the assumption that we are going to load in the AnyConnect 4 packages and use those. With that in mind, if anyone manages to get them added to their Cisco profile without the ‘Additional Entitlement Required’ then contact me and let me know how (link at bottom). I have to ring Cisco and use my employer’s partner status to get the client software.

In addition to getting new AnyConnect packages and loading them into the new 5506, if you have an AnyConnect XML profile, that will also need copying into the new firewall’s flash before you can paste the AnyConnect settings in.

Below you can see I’ve got a profile on my 5505.

Tools > File Transfer > File Transfer > Between Local PC and Flash. (Do the reverse to get the file(s) into the new 5506).

Note: You can also do this from CLI by copying the file to a TFTP server.

Below is a typical AnyConnect config from an ASA 5505; I’ve highlighted the lines that will cause you problems.

ASA Transferring Certificates From One ASA to Another

I appreciate a lot of you won’t be using certificates, and even if you use AnyConnect you just put up with the certificate error. That’s fine, but do me a favor? Before you do anything else go and generate the RSA keys on your new 5506 (people forgetting to do this has caused me a LOT of grief over the years). So set the host name, domain-name, and then generate the keys like so;

OK, so if you are still reading this section, then you have at least one certificate, that you need to move to the new firewall. For each scenario here’s what I recommend you do;

Self Signed Certificate from your own PKI/CA Server: Just generate a new cert for the new firewall and import it the same as you did on the old firewall.

Externally / Publicly signed certificate that you have paid for: This we will need to export then import onto the new 5506. (Note: If there’s not much time left to run on the validity, it may be easier to get onto the certificate vendor and have a new one reissued to save you having to replace it in a couple of months – just a thought).

If you have purchased a certificate you will have already gone through the process below;

The easiest option for you is to go where you purchased the cert, download it again, and import it into the new firewall. But here’s where you find out you forgot the username and password you used, or the guy who sorted this out has left the company, etc. If that is the case all is not lost. You can export an identity certificate, either from the ASDM;

Cisco ASA Export Certificates From ASDM

Configuration > Device Management > Certificate Management > Identity Certificates > Select the certificate > Export > Choose a location and a ‘pass-phrase’.

Cisco ASA Export Certificates From Command Line.

To do the same at CLI the procedure is as follows;

Cisco ASA Import Certificates From ASDM

Configuration > Device Management > Certificate Management > Identity Certificates > Add > Use the same Trustpoint name as the source firewall > Browse the file you exported earlier > Enter the passphrase > Add Certificate.

Cisco ASA Import Certificates From Command Line.

To do the same at CLI the procedure is as follows. Note: You need to paste in the text from the output.


Assorted Firewall Migration ‘Gotchas’

Time (Clock Setting)

If you do any AAA via Kerberos or LDAP, then not having the time correct on the new ASA might get you locked out of it. I would always suggest setting up NTP, so do that before you restart.

ARP Cache

Not on the ASA, but on the devices the ASA is connecting to (routers and switches etc). Unplug an ASA 5505 and plug in an ASA 5506, and nine times out of ten you will not get comms. This is because the device you are connecting to has cached the MAC address of the old firewall in its ARP cache. So either reboot the device (or, if that’s not practical, lower the ARP cache timeout to about 30 seconds).

ASA 5505 to 5506 Config To Copy And Paste

Below I’ll put a full config for an ASA 5505. If the text is normal, the commands can be copied and pasted directly into the new firewall. If the text is RED, then you can NOT, and I will have outlined the problems above.

Related Articles, References, Credits, or External Links

NA