Cisco ASA – Update Activation Key (From ASDM)

KB ID 0001662

Problem

I recently did a post on adding extra licences to AnyConnect, (with the current surge of people working from home). I exclusively work at command line, so when I was asked how to do the same in the ASDM I had to go and check 🙂

Solution

Connect to your firewalls ASDM console, then navigate to > Configuration > Device Management > Licensing > Activation Key > Enter you new Activation Key > Update Activation Key.

Before I’m asked: Your activation key lives on the flash memory within you firewall so you should not need to save the config, (unless you have made other changes), or are prompted to do so by the ASDM, (which will know if theres any pending changes).

Related Articles, References, Credits, or External Links

Cannot Access / Open ASDM

ASDM on Windows 10: ‘Cannot find Javaw.exe?’

 

GNS3 – Initial Setup, Adding Routers, Hosts, and ASA Firewalls

KB ID 0000927 

NOTE: THIS ARTICLE IS FOR THE OLD VERSION OF GNS3

GO HERE FOR THE NEW ONE

Problem

I dip into GNS3 every so often, (depending on what I’m working on). And each time I install it, I spend just as long remembering how to set it up, as I do using it! So, if for no other reason than I can use this page as a reference in future, here’s how to get it up and running.

Solution

Note: At time of writing he latest version is 8.6

1. Download GNS3, I accept all the defaults (I actually tick to install SuperPuTTy, as tabbed console windows can be handy when using GNS3). Launch the program, you will be greeted with the following setup wizard. Select Option 1.

Note: You can do the same in future, by going to Edit > Preferences

2. Check that the path to the ‘projects’ and your ‘images’ folder are where you want them to be. The defaults are fine but if you run GNS3 on several machines you might want to choose something like Dropbox > Apply > OK.

3. Option 2.

4. Click Test Settings > Have patience, it can take a couple of minutes > Apply > OK.

Adding Router Images to GNS 3

5. Option 3

Note: You can visit the same section in future by clicking Edit > IOS Images and Hypervisors.

6. Image file > Browse to the image you want to import. Here on GNS3 8.6 you can select the filename.bin file, with older versions you need to extract that file to a filename.image file.

Note: You need to legally download these images from Cisco. This means you need a Cisco CCO account, and a valid support agreement. DO NOT email me and ask for Cisco IOS images, (I will just ignore you!).

7. As mentioned above, it will convert my filename.bin image to an extracted filename.image file > Yes.

8. Set the Router platform and model > In the IDLE PC section click Auto calculation > This can take a while.

Note: You can do this later from the main workspace, and test a range of settings. I you don’t do this your virtual network devices will eat all your CPU power!

9. When complete click Close > Save > Close.

10. You can now start that model router to the workspace and use it. Repeat for each model of router you want to add.

Adding a Host to GNS3

Having a host machine for you labs is handy, usually you just need to be able to ping, or perform tracerts. So you can download a small Linux image from GNS3. There are a few options but I prefer linux-microcode.

11. Edit > Preferences.

n

12. Quemu > Quemu Guest > Give it an identifier name (can be anything) > Browse to, and select the image you downloaded.

13. Save > OK > Apply.

14. You can now drag a Quemu Guest machine onto the work space, and console into it.

Adding a Cisco ASA to GNS3

Yes you can add Cisco PIX as well, but there’s not many of them left in the wild.

15. Edit > Preferences > Quemu > ASA > Give it an identifier name (can be anything) > Set the RAM to 1024 > Set the Qemu options to;

[box]

-vnc none -vga none -m 1024 -icount auto -hdachs 980,16,32

[/box]

Set the Kernel cmd line option to;

[box]

-append ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=65536

[/box]

16. You need two files to run the ASA, an initrd file and a kernel file. You need to create these from a legally obtained copy of the asa843-k8.bin file.</p?

Should you wish to locate these files form a less reputable source you are looking for
asa842-initrd.gz and asa842-vmlinuz, again don’t email me for them! If you are too stupid to use a search engine, then technical ninjary is not the correct career choice for you.

17. Finally select the vmlunuz file > Open.

18. Save > OK > Apply.

19. You can now drag an ASA onto the workspace and console into it (it takes a while, be patient). When the ASA starts it has all the licenses disabled, to add them you need to change the ASA’s activation key. An ASA Activation key is usually linked to the serial number of the ASA, in this case we don’t have a serial number, (that’s not strictly true, if you check, it’s something like 12345678). So I will publish a working activation key*

*Disclaimer, this will only work on this virtual ASA, and it’s published elsewhere on the Internet, if I receive a request to remove it I will do so.

Another ‘quirk’ is every time you add a new ASA to the workspace, you need to go through this process, if you enter the commands below you can issue a reload and also save the ASA, without the need to re-enter the activation key.

[box]

activation-key 0xb23bcf4a 0x1c713b4f 0x7d53bcbc 0xc4f8d09c 0x0e24c6b6
{This can take 5-10 minutes}
copy running-config startup-config
{Enter}
copy startup-config disk0
{Enter}

[/box]

20. When it comes back up, (again it will take a few minutes). Your can check your ASA’s licensed features.

Related Articles, References, Credits, or External Links

Connecting GNS3 to VMware Workstation

GNS3 – Initial Setup, Adding Routers, Hosts, and ASA Firewalls

KB ID 0001079 

Problem

I dip into GNS3 every so often, (depending on what I’m working on). And each time I install it, I spend just as long remembering how to set it up, as I do using it! So, if for no other reason than I can use this page as a reference in future, here’s how to get it up and running.</p?

Solution

Note: At time of writing the latest version is 1.3.6</p?

1. Download GNS3, I usually accept all the defaults.

2. Edit > Preferences > Check that the path to the ‘projects’ and your ‘images’ folder are where you want them to be. The defaults are fine but if you run GNS3 on several machines you might want to choose something like Dropbox > Apply > OK.

Adding Router Images to GNS 3

3. Dynamips > IOS Routers > New > Add in your route images > Follow instructions.</p?

Note: DONT Email me and ask for router images, go to Cisco and get them legally, (or use Google).

4. Make sure you take the time to calculate the ‘Idle-PC finder’ value for each router, or in large topologies you might quickly eat all your CPU power!

5. Continue adding routers as required.</p?

6. You can now drag a router onto the workspace and power it on.

Adding a Cisco ASA to GNS3

Yes you can add Cisco PIX as well, but there’s not many of them left in the wild.

7. Edit > Preferences > Qemu > Qemu VMs > Add > Set the type to ASA 8.4(2).

8. You need two files to run the ASA, an initrd file and a kernel file. You need to create these from a legally obtained copy of the asa843-k8.bin file.</p?

Should you wish to locate these files form a less reputable source you are looking for
asa842-initrd.gz and asa842-vmlinuz, again don’t email me for them! If you are too stupid to use a search engine, then technical ninjary is not the correct career choice for you.

9. You can now drag an ASA onto the workspace and console into it (it takes a while, be patient). When the ASA starts it has all the licenses disabled, to add them you need to change the ASA’s activation key. An ASA Activation key is usually linked to the serial number of the ASA, in this case we don’t have a serial number, (that’s not strictly true, if you check, it’s something like 12345678). So I will publish a working activation key*

*Disclaimer, this will only work on this virtual ASA, and it’s published elsewhere on the Internet, if I receive a request to remove it I will do so.</p?

Another ‘quirk’ is every time you add a new ASA to the workspace, you need to go through this process, if you enter the commands below you can issue a reload and also save the ASA, without the need to re-enter the activation key.

[box]

activation-key 0xb23bcf4a 0x1c713b4f 0x7d53bcbc 0xc4f8d09c 0x0e24c6b6
{This can take 5-10 minutes}
copy running-config startup-config
{Enter}
copy startup-config disk0:
{Enter}

[/box]

10. When it comes back up, (again it will take a few minutes). Your can check your ASA’s licensed features.</p?

Adding a Host to GNS3

Having a host machine for you labs is handy, usually you just need to be able to ping, or perform tracerts. So you can download a small Linux image from GNS3. There are a few options but I prefer linux-microcode.

11. Edit > Preferences > Qemu > Qemu VMs > Add > Set the type to default.

n

12. Give it a sensible name.

13. Navigate to, and select the disk image you downloaded above.

14. You can now drag a Qemu Guest machine onto the work space, and console into it.

Related Articles, References, Credits, or External Links

Connecting GNS3 to VMware Workstation

Upgrading a PIX 506E to Version 7

KB ID 0000764

Problem

As far as Cisco is concerned you can’t upgrade a PIX 506E past version 6.3(5) PIX 506E and 501 Firewall Image and PDM Upgrade

However if you have a spare one lying around and you want to have a play, you CAN get it to version 7.1(2).

Note: It is possible to run the 8.0(2) version of the PIX OS on a 506E, Howerver you need to decompress the image and make some changes to it before it will work (usung lzma.exe). I could not find any decent details on how to do this, and I’m not really a code jockey. If anyone would like to document that and send me the details, I’ll publish it here.

Solution

Memory For the PIX 506E

Your first task is to get some more memory in the firewall. There are two slots on the board and only one will be populated with a 32MB PC133 chip. You need to be at AT LEAST 64MB to attempt this upgrade.

Opening the PIX 506E Chassis

What memory Do I need to find? Any PC133 will work, the memory in the firewall is non ECC, so if you locate some ECC memory you will need to replace the on board memory. Because it will not boot if you mix them (I know I tried). It’s not fussy if you use ECC or non ECC, as long as you don’t mix them. (Note: A lot of the ECC memory I found that worked, was ex server RAM, and it was fine, but the chips were “too tall” to get the lid back on the firewall afterwards.)

Can I use PC100? Yes! And you can mix PC100 and PC133, and the firewall will still boot (This is what I did).

Perform the Upgrade

1. Connect to the firewall via console cable, just to prove it’s still version 6, issue a show version command, Note the RAM and version number;

Important: At this point take a copy of the firewall Activation Key! [box]

Petes-PIX> en

Password:
Petes-PIX# show version

Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(4)
Compiled on Thu 04-Aug-05 21:40 by morlee
Petes-PIX up 1 min 5 secs

Hardware: PIX-506E, 64 MB RAM, CPU Pentium II 300 MHz
Flash E28F640J3 @ 0x300, 8MB

BIOS Flash AM29F400B @ 0xfffd8000, 32KB

Output removed for the sake of space!

Serial Number: 810412141 (0x304de999)
Running Activation Key: 0x2d796132 0x68c660cd 0x334cac62 0xcaeddaaa

Configuration has not been modified since last system restart.

Petes-Pix#

[/box]

2. Before continuing make sure you have the 7.1(2) version of the PIX Operating system, and you have a TFTP Server set up ready to send you that file. The new OS needs so much flash memory you WILL NOT be able to run the ASDM*. First erase all files from the flash memory and reboot.

*You could try running th ASDM form your TFTP Server. [box]

Petes-PIX# clear flashfs

Petes-PIX# show flash
flash file system: version:0 magic:0x0
file 0: origin: 0 length:0
file 1: origin: 0 length:0
file 2: origin: 0 length:0
file 3: origin: 0 length:0
file 4: origin: 0 length:0
file 5: origin: 0 length:0

Petes-PIX# reload

Proceed with reload? [confirm]

Rebooting.

[/box]

3. Press Esc as the firewall boots to boot into ROMMON mode. Then set it to load its operating system from your TFTP server (here running on my laptop at 172.16.254.207). [box]

Use BREAK or ESC to interrupt flash boot.
PRESS ESC 
Use SPACE to begin flash boot immediately.

Flash boot in 10 second.
Flash boot interrupted.

0: i8255X @ PCI(bus:0 dev:14 irq:10)
1: i8255X @ PCI(bus:0 dev:13 irq:11)

Using 1: i82557 @ PCI(bus:0 dev:13 irq:11), MAC: 0019.aabe.d624

Use ? for help.

monitor> address 172.16.254.240
address 172.16.254.240
monitor> server 172.16.254.207
server 172.16.254.207
monitor> file pix712.bin
file pix712.bin
monitor> tftp
tftp pix712.bin@172.16.254.207 .......................................
......................................................................
.........................................................

Received 6764544 bytes

Cisco PIX admin loader (3.0) #0: Tue Mar 14 16:46:07 PST 2006

#####################################################
#####################################################
#####################################################
#####################################################
#####################################################

64MB RAM

Total NICs found: 2

mcwa i82559 Ethernet at irq 11 MAC: 0019.aabe.d624
mcwa i82559 Ethernet at irq 10 MAC: 0019.aabe.d623

BIOS Flash=am29f400b @ 0xd8000

Old file system detected. Attempting to save data in flash
Flash filesystem is corrupted (0x0).

Could not save data in flash.

Initializing flashfs...

flashfs[7]: Checking block 0...block number was (-2131)

Output removed for the sake of space!

flashfs[7]: Checking block 61...block number was (0)
flashfs[7]: erasing block 61...done.
flashfs[7]: 0 files, 1 directories
flashfs[7]: 0 orphaned files, 0 orphaned directories
flashfs[7]: Total bytes: 7870464
flashfs[7]: Bytes used: 1024
flashfs[7]: Bytes available: 7869440
flashfs[7]: flashfs fsck took 52 seconds.
flashfs[7]: Initialization complete.

Need to burn loader....

Erasing sector 0...[OK]
Burning sector 0...[OK]

INFO: Unable to read firewall mode from flash

Cisco PIX Security Appliance Software Version 7.1(2)

Copyright (c) 1996-2006 by Cisco Systems, Inc.

[/box]

4. Now the operating system is in memory but if you rebooted the firewall it would not work, you need to configure the IP address, some basic settings, and copy the new OS to the firewall permanently. [box]

pixfirewall> enable

Password:
pixfirewall# show flash

Directory of flash:/

No files in directory

7870464 bytes total (7868416 bytes free)

pixfirewall# configure terminal
pixfirewall(config)# int Ethernet1
pixfirewall(config-if)# ip address 172.16.254.240 255.255.255.0
pixfirewall(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
pixfirewall(config-if)# no shutdown
pixfirewall(config-if)# exit
pixfirewall(config)# global (outside) 1 interface
INFO: outside interface address added to PAT pool
pixfirewall(config)# nat (inside) 1 0.0.0.0 0.0.0.0
pixfirewall(config)# ping 172.16.254.207

Sending 5, 100-byte ICMP Echos to 172.16.254.207, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/36/180 ms

pixfirewall(config)# copy tftp://172.16.254.207/pix712.bin flash

Address or name of remote host [172.16.254.207]?

Source filename [pix712.bin]?

Destination filename [pix712.bin]?

Accessing tftp://172.16.254.207/pix712.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file flash:/pix712.bin...

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
6764544 bytes copied in 64.950 secs (105696 bytes/sec)

pixfirewall(config)# show flash

Directory of flash:/

5 -rw- 6764544 11:37:32 Feb 08 2013 pix712.bin

7870464 bytes total (1103872 bytes free)

[/box]

5. Change the firewall so that it uses this file to boot from, save the changes, and then reboot. [box]

pixfirewall(config)# boot system pix712.bin
INFO: Converting pix712.bin to flash:/pix712.bin

pixfirewall(config)# write mem

Building configuration...
Cryptochecksum: f59a9bd3 3129b8bc 474b2415 52f2db0f

1049 bytes copied in 0.430 secs
[OK]

pixfirewall(config)# reload

Proceed with reload? [confirm]

--- START GRACEFUL SHUTDOWN ---

Shutting down isakmp

Shutting down File system

--- SHUTDOWN NOW ---

Rebooting....

[/box]

6. Post reboot you should be upgraded. [box]

pixfirewall> enable
Password:
pixfirewall# show version

Cisco PIX Security Appliance Software Version 7.1(2)

Compiled on Tue 14-Mar-06 17:00 by dalecki
System image file is "flash:/pix712.bin"
Config file at boot was "startup-config"

pixfirewall up 10 secs

Hardware: PIX-506E, 64 MB RAM, CPU Pentium II 300 MHz

Flash E28F640J3 @ 0xfff00000, 8MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

0: Ext: Ethernet0 : address is 0019.aabe.d623, irq 10
1: Ext: Ethernet1 : address is 0019.aabe.d624, irq 11

The Running Activation Key is not valid, using default settings:

Licensed features for this platform:

Maximum Physical Interfaces : 2
Maximum VLANs : 2
Inside Hosts : Unlimited
Failover : Not supported
VPN-DES : Disabled
VPN-3DES-AES : Disabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 0
GTP/GPRS : Disabled

pixfirewall#
[/box]

6. Finally add the original activation key you took note of in step one back into the firewall. [box]

pixfirewall# configure terminal
pixfirewall#(config)# activation-key 0x2d796132 0x68c660cd 0x334cac62 0xcaeddaaa
pixfirewall(config)# write mem

Building configuration...
Cryptochecksum: f59a9bd3 3129b8bc 474b2415 52f2db0f

1049 bytes copied in 0.430 secs
[OK]

pixfirewall(config)#

[/box]

Related Articles, References, Credits, or External Links

NA