Install Ubuntu KVM

Ubuntu KVM KB ID 0001890

Problem

I’ve been looking at KVM for a couple of reasons, firstly people are looking at VMware alternatives, now there’s no ‘free version‘, and secondly the firm I work for have potentially a large KVM to VMware migration on the horizon, so I thought I’d build it on the test bench and see how best to address that migration scenario.

Note: This was written with Ubuntu version 24.04, which was current at the time of publication, if the experience has taught me anything it’s the commands and procedures may well change in future versions. If you are reading this in the distant future and something needs tweaking let me know below, so I can try to keep things up to date.

Solution : Ubuntu KVM

Update Ubuntu.

I’m assuming you’ve already got an Ubuntu server installed ready to go, the first task is to ensure its fully up to date.

[box]

sudo apt update && sudo apt upgrade -y

[/box]

    

Go and have a coffee, when complete simply reboot the server.

[box]

[ -e /var/run/reboot-required ] && sudo reboot

[/box]

Ubuntu KVM (CPU Checker)

All modern physical servers will now have the virtualisation CPU elements enabled in BIOS, It’s been many years since I had to go and enable them, but if you on an old piece of tin, or someone’s disabled them, you need to check they are available. Note: This is more a problem id you intent to run Ubuntu nested inside another hypervisor like VMware ESX, or Hyper-V where you have to manually expose the virtualisation elements to a guest VM (often called nested virtualisation).

To make sure, we install cpu-checker.

[box]

sudo apt install cpu-checker

[/box]

Then to test the CPU run the kvm-ok command and ensure it responds KVM acceleration can be used.

[box]

sudo kvm-ok

[/box]

Ubuntu Install KVM

Use the following command.

[box]

sudo apt -y install libvirt-daemon-system bridge-utils qemu-kvm libvirt-daemon

[/box]

Then install the additional components and tools we may require.

[box]

sudo apt install virtinst libosinfo-bin virt-top libguestfs-tools 

[/box]

Finally ensure all is well run virsh version and ensure the components look like the following (note some may have newer versions depending on how far in the future you are following along).

[box]

virsh version 

[/box]

     

Ubuntu KVM: Install Cockpit

Cockpit is a web based GUI where you can directly interrace with Linux, you can create run and manage your virtual machines from command line, but this is a little easier for most people.

[box]

sudo apt install cockpit 

[/box]

When complete add the machines plugin (for managing virtual machines) and podman plugin (for managing containers).

[box]

sudo apt install cockpit-{machines,podman}

[/box]

 

Then enable Cockpit to AutoStart with the host and check its status. Take note of the port it is running on (highlighted below, this is usually TCP port 9090).

[box]

sudo systemctl enable --now cockpit.socket
systemctl status cockpit.socket

[/box]

 

Connect to the Ubuntu KVM server using a web browser to port 9090 (https://{ip-address-or-host-name}:9090 and log in.

Select “Turn on administrative access” and supply your password to authenticate again.

Ubuntu KVM Creating Guest VMs

I prefer to have the ISO files that I will build my VMs from on the server itself, so I upload them into the /tmp directory on the Ubuntu host. Below I’m using WinSCP because its free and it’s simple to use,

In Cockpit navigate to virtual Machines > Create VM.

Enter the details, and the path to the ISO file you uploaded above > Create and Run.

Now if you select the server you get a nice VNC remote console which you can interact with to build and manage the server remotely.

What you will notice is at this point your VMS get an IP address from the KVM host which will NAT the traffic to the outside world, which is fine. But if you want to access these VMs FROM the outside world then you have a problem (no, routing the traffic back to the KVM server manually or adding static routes to your other devices does not work) Well it didn’t for me! So a more likely scenario is you want bridged networking, where your VMs will get an IP address on your live LAN. I’ll be showing you how to do that next

Related Articles, References, Credits, or External Links

Ubuntu Setting a Static IP

Fortigate Blank Web Page?

KB ID 0001713

Problem

I’ve been trying to deploy a Fortigate into EVE-NG (article to follow) this week. I could get the appliance running fine but when I tried to access the web management console all I got was the following.

Note: I have a couple of management VMs in EVE-G (Windows 7 and Server 2012), they had a mixture of IE, Chrome and Firefox on them but still I could not get in?

Solution

All forums yielded no more info other than ‘Check you have allowed access for http“. But as you can see (above) for Fortinet Logo is on the windows I was hitting the firewall and http was allowed? (Also the http daemon was running inside the appliance.

Just for fun I connected the outside interface to my test network, allowed http, and tried from there, it worked perfectly? So I deployed another Fortigate and connected the ‘inside’ interface to my test network, again it worked fine? At this point it was becoming obvious that my management machines browsers were probably the problem. Is I deployed a new Kali Linux VM fired up Firefox and;

That took a LOT longer than it needed to!

Related Articles, References, Credits, or External Links

NA

 

Cisco ASA – Update Activation Key (From ASDM)

KB ID 0001662

Problem

I recently did a post on adding extra licences to AnyConnect, (with the current surge of people working from home). I exclusively work at command line, so when I was asked how to do the same in the ASDM I had to go and check 🙂

Solution

Connect to your firewalls ASDM console, then navigate to > Configuration > Device Management > Licensing > Activation Key > Enter you new Activation Key > Update Activation Key.

Before I’m asked: Your activation key lives on the flash memory within you firewall so you should not need to save the config, (unless you have made other changes), or are prompted to do so by the ASDM, (which will know if theres any pending changes).

Related Articles, References, Credits, or External Links

Cannot Access / Open ASDM

ASDM on Windows 10: ‘Cannot find Javaw.exe?’

 

Cisco ASA Site to Site VPN ‘Using ASDM’

KB ID 0000072

Problem

Note: This is for Cisco ASA 5500, 5500-x, and Cisco Firepower devices running ASA Code.

Do the same from command line

Below is a walk-through for setting up one end of a site to site VPN Tunnel using a Cisco ASA appliance – Via the ASDM console. Though if (like me) you prefer using the Command Line Interface I’ve put the commands at the end.

click image for full subnet information

Solution

VPN Setup Procedure carried out on ASDM 6.4

Note: The video above uses IKE v1 and IKE v2, in reality you would choose one or the other, and for IKE v2 both ASA 5500 firewalls need to be running OS 8.4(1) or above.

VPN Setup Procedure carried out on ASDM 5.2

1. Open up the ADSM console. > Click Wizards > VPN Wizard.

2. Select “Site-to-Site VPN” > Next.

3. Enter the Peer IP address (IP of the other end of the VPN tunnel – I’ve blurred it out to protect the innocent) > Select “Pre Shared Key” and enter the key (this needs to be identical to the key at the other end. > Give the tunnel group a name or accept the default entry of its IP address. > Next.

4. Choose the encryption protocol (DES, 3DES, AES-128, AES-192, or AES256), choose the Authentication Method (SHA or MD5), and choose the Diffie Hellman Group (1, 2, 5 or 7). Note the other end must match, this establishes phase 1 of the tunnel. > Next.

5. Now select the Encryption Protocols (DES, 3DES, AES-128, AES-192, or AES256), choose the Authentication method (SHA, MD5 or None). Note this is for phase 2 and will protect the encrypted traffic “In Flight”. > Next.

6. Now you need to specify what traffic to encrypt, on the left hand side enter the network or host details (of what’s behind the ASA you are working on), and on the right hand side the IP address of the network or host that’s behind the other VPN endpoint.  Note the other end should be a mirror image. > Next.

7. Review the Settings (Note I’ve blurred the IP address out again) > Next.

8. Back at the ASDM console commit the settings to the ASA memory, Click File > “Save Running Configuration to Flash.”

ASA 5500 VPN Setup from command line

[box]

object network Site-A-SN
subnet 192.168.1.0 255.255.255.0
object network Site-B-SN
subnet 192.168.2.0 255.255.255.0
nat (inside,outside) source static Site-A-SN Site-A-SN destination static Site-B-SN Site-B-SN
access-list outside_1_cryptomap extended permit ip object Site-A-SN object Site-B-SN
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer {Other Ends IP Address}
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group {Other Ends IP Address} type ipsec-l2l
tunnel-group {Other Ends IP Address} ipsec-attributes
ikev1 pre-shared-key 12345678901234567890asdfg

[/box]

ASA 5500 VPN for Version 8.2 and older firewalls

[box]

access-list outside_20_cryptomap extended permit ip 10.254.254.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 10.254.254.0 255.255.255.0 10.1.0.0 255.255.0.0
nat (inside) 0 access-list inside_nat0_outbound
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer {Other Ends IP Address}
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group {Other Ends IP Address} type ipsec-l2l
tunnel-group {Other Ends IP Address} ipsec-attributes
pre-shared-key 12345678901234567890asdfg

[/box]

 

Related Articles, References, Credits, or External Links

Original article written 09/11/09

Troubleshooting Phase 1 Cisco Site to Site (L2L) VPN Tunnels

Troubleshooting Phase 2 Cisco Site to Site (L2L) VPN Tunnels

Cisco ASA Static (One to One) NAT Translation

KB ID 0000691

Problem

Note: This is for Cisco ASA 5500, 5500-x, and Cisco Firepower devices running ASA Code.

If you have a spare/available public IP address you can statically map that IP address to one of your network hosts, (i.e. for a mail server, or a web server, that needs public access).

This is commonly referred to as a ‘Static NAT’, or a ‘One to One translation’. Where all traffic destined for public address A, is sent to private address X.

Note: This solution is for firewalls running versions above version 8.3. If you are unsure what version you are running use the following article.

Find out your Cisco ASA version (Operating system and ASDM)

If you only have one public IP address you would need to carry out port forwarding instead.

Cisco ASA 5500 (and PIX) Port Forwarding

Solution

In the following example I will statically NAT a public IP address of 81.81.81.82 to a private IP address behind the ASA of 172.16.254.1. Finally I will allow traffic to it, (in this example I will allow TCP Port 80 HTTP/WWW traffic as if this is a web server).

Create a Static NAT and allow web traffic via ASDM

Note for the command line alternative see below.

1. Connect to the ADSM.

2. Configuration > Firewall > NAT Rules > Add > Add “Network Object” NAT Rule.

3. Give the ‘object’ a name (I usually prefix them with obj-{name}) > It’s a Host > Type in it’s PRIVATE IP address > Tick the NAT section (press the drop-down if its hidden) > Static > Enter it’s PUBLIC IP address > Advanced > Source = Inside > Destination > Outside > Protocol TCP. Note: You could set this to IP, but I’m going to allow HTTP with an ACL in a minute, so leave it on TCP > OK > OK > Apply.

4. Now navigate to Firewall > Access Rule > Add > Add Access Rule.

5. Interface = outside > Permit > Source = any > Destination = PRIVATE IP of the host > Service > Press the ‘more’ button > Locate TCP/HTTP > OK > OK > Apply.

6. Then save your work with a File > Save Running Configuration to Flash.

Create a Static NAT and allow web traffic via Command Line

1. Connect to the ASA via Command Line.

2. Log In > Go to enable mode > Go to configure terminal mode.

[box]

User Access Verification

Password:*******
 
Type help or '?' for a list of available commands.
 PetesASA> enable
 Password: *******
 PetesASA# conf t
 PetesASA(config)
[/box]

3. First I’m going to allow the traffic to the host (Note: after version 8.3 we allow traffic to the private (per-translated IP address). This assumes you don’t have an inbound access list if you are unsure execute a “show run access-group” and if you have one applied substitute that name for the word ‘inbound’.

Warning before carrying out applying the ‘access-group’ command, see the following article;

Cisco ASA – ‘access-group’ Warning

[box]

PetesASA(config)# access-list inbound permit tcp any host 172.16.254.1
PetesASA(config)# access-group inbound in interface outside[/box]

4. Then to create the static translation.

[box]

PetesASA(config)# object network obj-172.16.254.1 
PetesASA(config-network-object)# host 172.16.254.1 
PetesASA(config-network-object)# nat (inside,outside) static 81.81.81.82 
PetesASA(config-network-object)# exit 
PetesASA(config)#
[/box]

5. Then save the changes.

[box]
PetesASA(config)# wr mem 

Building configuration... 
Cryptochecksum: 89faae4b 7480baa4 bf634e87 470d2d30 
6224 bytes copied in 1.10 secs (6224 bytes/sec) 
[OK]
[/box]

Static NAT Commands to Copy & Paste

[box]

access-list inbound permit tcp any host 172.16.254.1
access-group inbound in interface outside
object network obj-172.16.254.1
 host 172.16.254.1
 nat (inside,outside) static 81.81.81.82
[/box]

Note: Check and change the values in bold as appropriate

Related Articles, References, Credits, or External Links

NA

Juniper SRX Firewall – Allow Web Management from Outside

KB ID 0000708 

Problem

Assuming you already have web management enabled, and you want to access it from the outside (the untrusted zone).

Solution

1. Log into the web console of the Juniper.

2. Navigate to Security > Zones/Screen > Select the ‘Untrust’ Zone > Edit > Host inbound traffic – Interface > Select the Outside interface > Under Interface services add in ‘http’ > OK.

3. Then to save the change click Action > Commit.

4. Test Externally.

Related Articles, References, Credits, or External Links

NA

 

PIX 506E and 501 Firewall Image and PDM Upgrade

KB ID 0000065 

Problem

Note: PIX 515E and above, can still be upgraded to version 8.0(4) click here for details

Some people will wonder why I’m bothering to write this up, but the truth is, there are LOADS of older PIX firewalls out there in the wild, and all the PIX 501’s and 506E’s that are being retired from corporate use are being bought on ebay, or being put on IT departments test benches. This page deals with PIX version 6 if you are upgrading to version 7 or above,then you need to be on a PIX 515E (or a 525/535) and DO NOT follow these instructions, CLICK HERE. The “Smaller” PIX firewalls (501 and 506E) can only be upgraded to version 6.3(5) and the PDM can only be upgraded to 3.0(4).

Pre-Requisites

1. Before you do anything you will need a TFTP server and have it set up accordingly, for instructions CLICK HERE.

2. I suggest you backup your firewall configuration also, for instructions CLICK HERE.

3. You need to be able to get the Image and PDM versions from Cisco, you will need a valid support contract to be eligible for updates.

4. You will need a CCO Login to the Cisco Site (this is free to set up.

Solution

1. First things first; lets download the software you need CLICK HERE

2. Log in with your CCO username and password

Remember a CCO login is free of charge and simple to set up but to download software you need a valid Cisco contract or SmartNet.

3. For this example I’m upgrading a PIX 501 so I’m going to need a system image and a PDM file.

4. Download the files above and put then in your TFTP server root directory, then start your TFTP Server.

5. Log into your PIX firewall via the console cable, Telnet, or SSH, then enter enable mode, supply the firewall with the enable password. [box]

User Access Verification

Password:
Type help or '?' for a list of available commands.

Pix> enable

Password: ********

Pix#

[/box]

6. Now you need to copy in the new system file you do this with a “Copy tftp flash” command NOTE you can use copy tftp flash:image but it defaults to that anyway 🙂

[box]Pix# copy tftp flash[/box]

7. You will need to give it the IP address of your TFTP server and the name of the image file to copy over.

[box]

Address or name of remote host [0.0.0.0]? 10.254.254.51
Source file name [cdisk]? pix635.bin
copying tftp://10.254.254.51/pix635.bin to flash:image

[/box]

8. You will be asked to confirm, do so by typing yes and pressing enter, the file will then upload and the old image file will be erased from the firewalls memory.

[box]

[yes|no|again]? yes
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!
Received 2101248 bytes
Erasing current image
Writing 1978424 bytes of image
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Image installed
Pix#

[/box]

9. The quickest way to load the new image into memory is to restart the firewall do this with a reload command, then press enter to confirm.

[box]

Pix# reload
Proceed with reload? [confirm]

[/box]

10 After the firewall has restarted log in, enter enable mode and issue a “show version” command, and you will see the new version displayed.

[box]

User Access Verification

Type help or '?' for a list of available commands. 
Pix> enable
Password: ******** 
Pix# show version

Cisco PIX Firewall Version 6.3(5) Cisco PIX Device Manager Version 3.0(2)

{{{rest of output omitted}}}}

[/box]

Upgrade Procedure Step 2 PDM Image

1. The procedure for upgrading the PDM is almost identical, again have the new PDM image on your TFTP server’s root directory, and the TFTP server running. Log into your PIX firewall via the console cable, Telnet or SSH, then enter enable mode, and then supply the firewall with the enable password.

[box]

User Access Verification
Password:
Type help or '?' for a list of available commands.
Pix> enable
Password: ********
Pix#

[/box]

2. This time the command is copy tftp flash:pdm

[box]Pix# copy tftp flash:pdm[/box]

3. You will need to give it the IP address of your TFTP server and the name of the file to copy over.

[box]

Address or name of remote host [0.0.0.0]? 10.254.254.51
Source file name [cdisk]? pdm-304.bin
copying tftp://10.254.254.51/pdm-304.bin to flash:pdm

[/box]

4. You will be asked to confirm, do so by typing yes and pressing enter, the file will then upload and the old pdm file will be erased from the firewalls memory.

[box]

[yes|no|again]? yes
Erasing current PDM file
Writing new PDM file
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
PDM file installed.
Pix#

[/box]

5. Unlike an Image file a PDM upgrade does not require a reboot you can check its worked straight away by issuing a show version command.

[box]

Pix# show version 
Cisco PIX Firewall Version 6.3(5) Cisco PIX Device Manager Version 3.0(4)

{{{rest of output omitted}}}}
[/box]

6. View of both files being copied out from your TFTP Server.

7. All done! – Time for a coffee – just make sure everything is up and working.

Related Articles, References, Credits, or External Links

NA

Backup and Restore a Cisco Firewall.

KB ID 0000076

Problem

There are many different versions of PIX and ASA Firewalls. So, if you want to get a backup of the configuration and save it elsewhere,  (so in the event of a failure, (or more likely someone tinkering and breaking the firewall)). you will be able to recall and restore that configuration. By far the easiest method is to use a TFTP server – and it works on ALL versions, so learn it once and use it many times.

Note: Some people flatly refuse to use command line, if that’s you, you can also backup and restore from the ASDM click here.

OK for starters you need to get a TFTP server – while this sounds very grand, its a little piece of software that will run on just about any windows PC, I use an application called 3CDeamon and I’ve put information on how to get it and how to set it up (about 5 min’s work) HERE. Or if you have a Mac it’s built in.

I’ll assume at this point you have the TFTP server installed and running, and you know the IP address of machine that’s running it.

NOTE: TFTP uses UDP Port 69, if you have firewalls in between the one you are working on, and the TFTP server then this port needs to be open.

Solution

1. Connect to the firewall via Telnet, Console Cable or SSH, then go to enable mode, type in the enable password.

[box]

Petes-ASA> enable
Password:*********
Petes-ASA#

[/box]

2. To back up the firewall you need to specify the IP address of where you want to send it(i.e. the TFTP server), what you want to call the backup, and you tie them together with a “Write Net” command. The syntax is,

write net {ip address}:{filename}

[box]

Petes-ASA# write net 172.254.1.2:firewall_backup
Building configuration...
INFO: Default tftp-server not set, using highest security interface
Cryptochecksum: 85c211cb 3099b392 9e7206e6 e1548bcd
!
[OK]
Petes-ASA#

[/box]

3. On your TFTP server you will see that a file has been received.

4. If you look in the TFTP server root directory you will find the file, though it has no file extension you can open it and view it using a text editor like notepad or wordpad, just remember NOT to save it with a txt or rtf extension when you close it again. Keep it safe you will need it if you ever want to restore.

Restore

1. To restore you must have already backed up the firewall earlier and have that backup in the TFTP servers root directory.

2. Connect to the firewall via Telnet, Console Cable or SSH, then go to enable mode, type in the enable password.

[box]

Petes-ASA> enable
Password:*********
Petes-ASA#

[/box]

3. Enter configuration mode using the “conf t” command.

[box]

Petes-ASA# configure terminal
Petes-ASA(config)# 

[/box]

4. Unlike when you backed up the firewall to restore the configuration you use the copy tftp start command.

[box]

Petes-ASA(config)# copy tftp start

[/box]

5. Supply it with the IP address of your TFTP Server.

[box]

Address or name of remote host []? 172.254.1.2

[/box]

6. Supply it with the name of the file you backed up earlier.

[box]

Source filename []? firewall_backup

[/box]

7. The file will get copied over.

[box]

Accessing tftp://172.254.1.2/firewall_backup...!
Writing system file...
!
2974 bytes copied in 0.90 secs
Petes-ASA(config)#

[/box]

8. On your TFTP server you will see the file being “copied out”

9. Not finished yet, the file now lives in the “Startup” configuration so its not been loaded from memory yet, the best way to do this is to reboot the firewall. To do this issue the reload command, and confirm by pressing enter.

[box]

Petes-ASA(config)# reload

Proceed with reload? [confirm] {Enter}

Petes-ASA(config)#

*** *** — START GRACEFUL SHUTDOWN — Shutting down isakmp Shutting down webvpn Shutting down File system

 

** *** — SHUTDOWN NOW —

 

[/box]

10. After the reboot, you will be running on the restored configuration.

Note: With a Version 6 Firewall – restoring a config from TFTP simply “Merges” the new one with the config on the firewall, in most cases this is NOT what you want, to get round this place the following command at the top of the config you are restoring

clear config all

Backup a Cisco 5500 firewall from the ASDM

1. Connect to the firewall via ASDM, then Tools > Backup Configuration > Browse to a Location to Save the File > If you have certificates to backup, then choose and confirm a password > OK.

2. Watch the progress > Close > OK.

Restore a Cisco 5500 firewall from the ASDM

1. Connect to the firewall via ASDM, then Tools > Restore Configuration  >Browse to the .zip file you saved earlier > Select File > Next > Restore.

2. If you are restoring certificates enter the password you used above > OK > Then choose whether to ‘replace‘ the config on the firewall, or ‘merge‘ the restored config with the one on the firewall.

 

3. The ASDM will detect theres been a change, just drag that window to one side, Wait for the restore to finish > Close. You will probably need to reconnect to the firewall now.

 

Related Articles, References, Credits, or External Links

MAC OS X TFTP Software

Backup and Restore a Cisco Router with TFTP

Install and Use a TFTP Server

Find out your Cisco ASA version (Operating system and ASDM)

KB ID 0000690 

Problem

With all the command changes that have come in in the past few versions, it seems when I get asked ‘how do you do xyz?” my first question is ‘What is the OS version on your ASA?’

So next time I get a blank look, I can just point them here.

Also see: ASA 5505 Determine Your License Version

Solution

Get your ASA version and ASDM version from the ASDM.

1. Connect to the ASA via ASDM.

2. Home > Device Dashboard > Device Information.

Get your ASA version and ASDM version from Command Line.

1. Connect to the ASA via CLI.

2. Execute the following command;

[box]show ver[/box]

Note: This is the shortened version of ‘show version‘.

To download new ASA software go here, (Note: Valid Cisco Warranty/SmartNet, and CCO account required to download software).

Related Articles, References, Credits, or External Links

Connecting to and Managing Cisco Firewalls

Cisco ASA5500 Update System and ASDM (From ASDM)

Cisco ASA5500 Update System and ASDM (From CLI)