Enable ssh on a Cisco PIX firewall

To enable ssh on a Cisco PIX firewall, first make sure you have set a hostname and domain name (the RSA key is generated under the hostname and domain name, which is why both must be set first):

pixfirewall(config)#hostname myfirewall

myfirewall(config)# domain-name oasysadmin.local

Set an enable password and telnet password:

myfirewall(config)# enable password 3n48lePa55word

myfirewall(config)# passwd t3ln3tPa55word

Next generate an RSA key pair by issuing the following command:

myfirewall(config)# ca generate rsa key 2048

Then save the key:

myfirewall(config)# ca save all

Next specify the hosts or networks that you want to be able to access the device through ssh:

myfirewall(config)# ssh 192.168.1.0 255.255.255.0 inside

Finally, use an ssh client such as PuTTY to connect to the device, specifying pix as the username and your telnet password as the password.


Quick basic configuration of a Cisco ASA firewall for custom IP address and ASDM access

Here are a few quick commands to wipe a Cisco ASA series firewall, resetting it to factory defaults, and then giving the device an IP address on your own subnet rather than the default 192.168.1.0/24, as well as setting up ASDM, telnet and ssh access. This gives you a very basic configuration from which you can access the device. First connect to the device via the console port and run the following commands to wipe it:

ciscoasa> enable

ciscoasa# conf t

ciscoasa(config)# configure factory-default

Once the device has loaded the default configuration, disable DHCP on the inside interface so that the device does not hand out IP addresses. This may not be relevant in your environment, but in ours DHCP is provided elsewhere:

ciscoasa(config)# no dhcpd enable inside

ciscoasa(config)# no dhcpd address 192.168.1.5-192.168.1.254 inside

Set the IP address for the inside LAN on interface vlan1, if this is the VLAN you are using for the inside network:

ciscoasa(config)# int vlan1

ciscoasa(config-if)# ip address 10.0.0.1 255.255.255.0

ciscoasa(config-if)# exit

Enable the http server, and allow access from the inside subnet:

ciscoasa(config)# http server enable

ciscoasa(config)# http 10.0.0.0 255.255.255.0 inside

Configure the local AAA authentication database and create a new user account to log in to ASDM with:

ciscoasa(config)# aaa authentication http console LOCAL

ciscoasa(config)# username oasysadmin password Pa55word

Enable telnet and/or ssh on the inside interface if required:

ciscoasa(config)# telnet 10.0.0.0 255.255.255.0 inside

ciscoasa(config)# ssh 10.0.0.0 255.255.255.0 inside

ciscoasa(config)# aaa authentication ssh console LOCAL

Set the enable password:

ciscoasa(config)# enable password Pa55word

Save the configuration and reload:

ciscoasa(config)# write mem

ciscoasa(config)# exit

ciscoasa# reload
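The management-access lines in the PIX post above and in this ASA walkthrough share one shape (protocol, source network, mask, interface), so here is an added Python example, not code from either post or from Cisco, that builds those lines for a chosen inside address and then audits a configuration excerpt for the settings a reviewer would flag: telnet enabled at all (it carries credentials in cleartext), a 0.0.0.0 0.0.0.0 source, management allowed from an interface named outside, and ssh without the aaa authentication ssh console line (without it, logins use the shared telnet password, as the PIX post describes). The interface name vlan1, the audit rules and the sample configuration are this example's own assumptions; it runs offline against the embedded sample.

```python
"""Build and audit ASA/PIX management-access configuration lines.

Added example (not from the original posts or from Cisco). The audit rules
below are this example's own assumptions about what a reviewer wants
flagged, not device behaviour.
"""
from __future__ import annotations

import ipaddress
import re

# "ssh|telnet|http <source-address> <mask> <interface>", dotted quads only,
# so unrelated lines such as "ssh version 2" are ignored.
ACCESS_RE = re.compile(
    r"^(ssh|telnet|http)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s*$"
)
AAA_RE = re.compile(r"^aaa authentication (ssh|telnet|http) console (\S+)")


def management_access_lines(inside_ip: str, prefix: int, interface: str = "inside",
                            enable_telnet: bool = False) -> list[str]:
    """Return the interface-address and management-access lines for one subnet.

    inside_ip/prefix is the firewall's own inside address (e.g. 10.0.0.1/24);
    the whole inside subnet is allowed in, as in the post. Telnet is off
    unless asked for, since it carries credentials in cleartext.
    """
    iface = ipaddress.ip_interface(f"{inside_ip}/{prefix}")
    net = iface.network
    lines = [
        "interface vlan1",  # assumption: vlan1 is the inside VLAN, as in the post
        f" ip address {iface.ip} {net.netmask}",
        "exit",
        "http server enable",
        f"http {net.network_address} {net.netmask} {interface}",
        "aaa authentication http console LOCAL",
        f"ssh {net.network_address} {net.netmask} {interface}",
        "aaa authentication ssh console LOCAL",
    ]
    if enable_telnet:
        lines.append(f"telnet {net.network_address} {net.netmask} {interface}")
    return lines


def audit_management_access(config: str) -> list[str]:
    """Flag weak management-access settings in a configuration excerpt."""
    aaa_protocols: set[str] = set()
    access: list[tuple[str, ...]] = []
    for raw in config.splitlines():
        line = raw.strip()
        m = AAA_RE.match(line)
        if m:
            aaa_protocols.add(m.group(1))
            continue
        m = ACCESS_RE.match(line)
        if m:
            access.append(m.groups())

    findings: list[str] = []
    for proto, addr, mask, iface in access:
        try:
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        except ValueError:
            findings.append(f"{proto}: cannot parse source {addr} {mask}")
            continue
        if proto == "telnet":
            findings.append(f"telnet: cleartext management from {net} on {iface}")
        if net.prefixlen == 0:
            findings.append(f"{proto}: open to any source address on {iface}")
        elif iface.lower() == "outside":
            findings.append(f"{proto}: management allowed from outside ({net})")
    if any(p == "ssh" for p, _, _, _ in access) and "ssh" not in aaa_protocols:
        findings.append("ssh: no 'aaa authentication ssh console', "
                        "logins use the shared telnet password")
    return findings


# Constructed sample, not a real device's configuration.
SAMPLE_CONFIG = """\
http server enable
http 10.0.0.0 255.255.255.0 inside
aaa authentication http console LOCAL
telnet 10.0.0.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.0.0.0 255.255.255.0 inside
aaa authentication ssh console LOCAL
"""

if __name__ == "__main__":
    print("\n".join(management_access_lines("10.0.0.1", 24)))
    for finding in audit_management_access(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run as a script it prints the generated lines for 10.0.0.1/24 and two findings for the sample (the telnet line and the any-source ssh line); the lines the generator itself emits audit clean.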

Upgrading the ASA and ASDM software on a Cisco ASA series firewall

First telnet or ssh in to your ASA device. In this example I am using an ASA 5505 with a Security Plus license installed.

telnet 192.168.0.1

Type in your telnet password. At the prompt type:

enable

At this stage you can use the show version command to show the current running ASA software version. The show bootvar command will also show you which software image file the device is using. Next type:

show disk0:

This will show you the current contents of your flash memory and the amount of free space. It is important to check that there is enough free space in flash memory to accommodate the new image files before uploading them. In this example the currently running versions were:

asa821-k8.bin

asdm-621.bin

I also noticed a couple of other software images taking up space in the flash memory, asa831-k8.bin and asdm-631.bin. Knowing that these were not currently in use, and that I would be upgrading to a more recent version, I decided to delete them to free up space by issuing the following commands:

delete asa831-k8.bin

delete asdm-631.bin

Having downloaded asa842-k8.bin and asdm-645-206.bin from cisco.com, I next copied these to the flash memory on the ASA, as shown in the prompts and commands below:

copy tftp disk0:

address or name of remote host [192.168.0.10]?   Press ‘Return’ to confirm or enter a different ip address for an alternative tftp server

source filename [asa821-k8.bin]? asa842-k8.bin

destination filename [asa842-k8.bin]? Press return to confirm the destination filename

The ASA software image will copy from the tftp server to flash memory.

copy tftp disk0:

address or name of remote host [192.168.0.10]?   Press ‘Return’ to confirm or enter a different ip address for an alternative tftp server

source filename [asa821-k8.bin]? asdm-645-206.bin

destination filename [asdm-645-206.bin]? Press return to confirm the destination filename

The ASDM software image will copy from the tftp server to flash memory.

Enter configuration mode:

conf t

Next set the new ASA software image to be the boot image using the following command:

boot system disk0:/asa842-k8.bin

Then set the new ASDM software image to be the preferred ASDM image:

asdm image disk0:/asdm-645-206.bin

Issue the following commands to save these settings:

exit

write mem

and then the following command to restart the ASA device:

reload
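Two of the steps above are where an upgrade goes wrong in practice: uploading images that do not fit in flash, and pointing boot system or asdm image at a filename that is not actually present when the device reloads. The following Python is an added example, not code from the original post or from Cisco. It parses show disk0: output (the listing embedded below is constructed for the example, laid out as one line per file with its length, followed by the bytes total (bytes free) summary), reports whether the new images fit, lists the images that are neither in use nor being uploaded and so could be deleted to make room, and confirms that the boot lines reference files present in flash. The image sizes, the in-use set (what show bootvar and the asdm image setting would report) and the sample filenames are assumptions made for the example.

```python
"""Pre-flight checks for an ASA software/ASDM image upgrade.

Added example (not from the original post or from Cisco). The sample
'show disk0:' output, image sizes and filenames are constructed for this
example; the parser assumes the ASA listing layout of one line per file
(index, length, date/time, path) followed by a
'<n> bytes total (<m> bytes free)' summary line.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

FILE_RE = re.compile(
    r"^\s*\d+\s+(\d+)\s+\w{3} \d{1,2} \d{4} \d\d:\d\d:\d\d\s+(\S+)\s*$"
)
TOTAL_RE = re.compile(r"^(\d+) bytes total \((\d+) bytes free\)")
BOOT_RE = re.compile(r"^(?:boot system|asdm image)\s+disk0:/(\S+)")


@dataclass
class FlashListing:
    files: dict[str, int] = field(default_factory=dict)  # filename -> bytes
    total: int = 0
    free: int = 0


def parse_show_disk(text: str) -> FlashListing:
    """Parse 'show disk0:' output into filenames, sizes and free space."""
    listing = FlashListing()
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if m:
            listing.files[m.group(2)] = int(m.group(1))
            continue
        m = TOTAL_RE.match(line.strip())
        if m:
            listing.total, listing.free = int(m.group(1)), int(m.group(2))
    return listing


def plan_upgrade(listing: FlashListing, new_images: dict[str, int],
                 in_use: set[str]) -> dict:
    """Decide whether new_images fit, and which idle images could be deleted.

    in_use holds the images the device currently boots from (show bootvar /
    asdm image); those are never proposed for deletion.
    """
    needed = sum(new_images.values())
    candidates = {
        name: size for name, size in listing.files.items()
        if name.endswith(".bin") and name not in in_use and name not in new_images
    }
    free_after = listing.free + sum(candidates.values())
    return {
        "needed": needed,
        "fits_now": listing.free >= needed,
        "delete_candidates": sorted(candidates),
        "free_after_delete": free_after,
        "fits_after_delete": free_after >= needed,
    }


def missing_boot_images(config: str, listing: FlashListing) -> list[str]:
    """Return boot/ASDM image filenames from config that are not in flash."""
    missing = []
    for line in config.splitlines():
        m = BOOT_RE.match(line.strip())
        if m and m.group(1) not in listing.files:
            missing.append(m.group(1))
    return missing


# Constructed sample output, not captured from a real device.
SAMPLE_SHOW_DISK = """\
--#--  --length--  -----date/time------  path
    4  14524416    Dec 20 2011 10:12:34  asa821-k8.bin
    5   6889764    Dec 20 2011 10:13:02  asdm-621.bin
    6  15261696    Jan 05 2011 09:41:10  asa831-k8.bin
    7  10243072    Jan 05 2011 09:42:55  asdm-631.bin

62947328 bytes total (15900160 bytes free)
"""
NEW_IMAGES = {"asa842-k8.bin": 25_000_000, "asdm-645-206.bin": 16_000_000}  # assumed sizes
IN_USE = {"asa821-k8.bin", "asdm-621.bin"}  # what show bootvar / asdm image would report
BOOT_CONFIG = "boot system disk0:/asa842-k8.bin\nasdm image disk0:/asdm-645-206.bin\n"

if __name__ == "__main__":
    listing = parse_show_disk(SAMPLE_SHOW_DISK)
    plan = plan_upgrade(listing, NEW_IMAGES, IN_USE)
    print(f"free {listing.free} / total {listing.total}, need {plan['needed']}")
    if not plan["fits_now"]:
        print("does not fit; deletable:", plan["delete_candidates"],
              "fits after delete:", plan["fits_after_delete"])
    print("boot lines missing from flash:", missing_boot_images(BOOT_CONFIG, listing))
```

With the sample listing the new images do not fit in the free space, but deleting the two idle images (asa831-k8.bin and asdm-631.bin, exactly the ones the post removed) makes room; the boot-line check reports both new filenames as missing until the copy has completed, which is the point at which it should return an empty list before you type reload.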

At this stage you should be done, although in this example I came up against another issue that I will explain for completeness. After rebooting, the ASA came up fine, but on trying to access ASDM, after logging in the status bar would hang at 15% with a status of ‘Discovering Device Information’, and I was unable to access ASDM. Notes on cisco.com explained that after the software upgrade is completed, the system upgrades the configuration on the following boot. When upgrading from 8.2.1 to 8.4.2 the subsequent configuration upgrade caused an error log to be written to flash in the format:

upgrade_startup_errors_datetime.log

These error logs can be viewed by issuing the command:

show startup-config errors

In this case the content of these log files was:

INFO: MIGRATION - Saving the startup errors to file 'flash:upgrade_startup_errors_201112201404.log'
Reading from flash...
!
REAL IP MIGRATION: WARNING
In this version access-lists used in 'access-group', 'class-map', 'dynamic-filter classify-list', 'aaa match' will be migrated from using IP address/ports as seen on interface, to their real values.
If an access-list used by these features is shared with per-user ACL then the original access-list has to be recreated.
INFO: Note that identical IP addresses or overlapping IP ranges on different interfaces are not detectable by automated Real IP migration. If your deployment contains such scenarios, please verify your migrated configuration is appropriate for those overlapping addresses/ranges.
Please also refer to the ASA 8.3 migration guide for a complete explanation of the automated migration process.

INFO: MIGRATION - Saving the startup configuration to file

INFO: MIGRATION - Startup configuration saved to file 'flash:8_2_1_0_startup_cfg.sav'
*** Output from config line 4, "ASA Version 8.2(1) "
NAT migration logs:
INFO: NAT migration completed.
Real IP migration logs:  No

In order to complete the configuration upgrade it was necessary to save the config to memory as stated here:

write mem

After restarting the ASA device a second time ASDM was accessible, and the upgrade was complete.

References:

Cisco ASA 5500 Migration to Version 8.3 and Later

Release Notes for the Cisco ASA 5500 Series, 8.4(x)

PIX/ASA: Upgrade a Software Image using ASDM or CLI Configuration Example

Error setting up firewall using SDM on a Cisco 857W

Today I encountered the following error while installing basic firewall settings using Cisco Security Device Manager (SDM) 2.5 on a Cisco 857W router:

class-map type inspect imap match-any sdm-app-imap

Error detected as this command. Click OK

Basically this meant that the firewall rules generated by SDM couldn’t be applied to the device. A little Googling revealed that this is due to a bug in SDM, which fails to detect that the Cisco 857W does not support zone-based firewall functionality. The fix was to set up a single inspection rule on one of the interfaces from the CLI, then restart SDM and try to create the basic firewall config again.

So to fix this from the CLI apply an inspection rule to one of the interfaces, in this case Dialer0:

conf t

ip inspect name myrule tcp

int dialer0

ip inspect myrule out

exit

After doing this, restart SDM and apply the basic firewall config again; it should now work, and the rule you created above is removed in the process.


Upgrading the adsl modem firmware on Cisco 877W router

In order to ensure compatibility and stability with your ISP’s equipment in the exchange, it is at times necessary to upgrade the ADSL modem firmware on your Cisco router. Download the appropriate firmware for your router (in this case a Cisco 877W). It is essential that you get the correct version for your router, so check carefully. Some older updates can be found here:

ftp://ftp.cisco.com/pub/access/800/

You will need a Cisco Smartnet subscription to get the latest firmware.

Once you have downloaded the firmware (in this case adsl_alc_20190_4.0.018.bin), you need to rename the file to adsl_alc_20190.bin.

Telnet into your router and check the current firmware version by running the command:

show dsl interface

From the output of the command you can see under the ‘Operation FW’ section it shows the current firmware file and version, and also that under the ‘FW Source’ it shows the location as embedded.

Next we need to copy the new firmware file to the flash memory on the router using tftp. You can use the Cisco tftp server software to do this, or alternatively download the free SolarWinds tftp server software.

Place the firmware file you renamed earlier into the tftp server’s root directory and then issue the following command on your router:

copy tftp flash 

Fill in the IP address of your tftp server and give adsl_alc_20190.bin as both the source and destination filename.

Issue the reload command to restart your router:

reload

Once your router is back up telnet into it again and run the following command again to see the result:

show dsl interface

As you can see, the ‘Operation FW’ now shows the new firmware version, and the ‘FW Source’ shows external. If for any reason you have a problem with the updated firmware, you can easily roll back to the embedded version by deleting adsl_alc_20190.bin from the router’s flash memory.

This can be done by issuing the following command:

delete adsl_alc_20190.bin

When asked to confirm the file deletion, just press ‘Enter’.