This brings me to the end of my recent FTD articles. Although this is not a complete run through of all the capabilities, it will point you in the right direction to enable the intrusion (IDS/IPS), malware (AMP), URL filtering and application (AVC) policies covered below.
Each of these is a 'Licensed Feature', which means it's going to cost you. Not only that, but you need to have the licences in your Cisco Smart Account before you start.
Connect to the FTD via the FDM web console. > Smart Licence > View Configuration > Enable Threat, Malware, and URL License.
Make sure it looks like this, before proceeding.
Mine's got a 'vanilla' (factory default) policy (allow everything out), but it's set to TRUST. You need to change that to ALLOW, because trusted traffic bypasses deep inspection entirely (the intrusion, file and URL policies are never applied to it) > OK.
FTD: Enable IDS/IPS Intrusion Policy
With a policy access rule selected > Intrusion Policy > Enable > Select the level you want (they are pretty self explanatory, and if you have worked with Cisco IDS before you will be familiar) > OK.
Note: By default the FTD will be in IPS mode (prevention). If you want to change to IDS mode (detection), select Policies > Security Policies > Intrusion > Inspection Mode > Edit > choose 'Detection' > OK. Remember that in detection mode matching traffic is only logged, not dropped.
FTD: Enable AMP Policy
While in the access policy > File Policy > Block Malware All > OK.
FTD: Enable URL Filtering Policy
Now we need to create a new access rule and set its action to BLOCK. Create (add) a new access rule > Make sure it is ABOVE your default TRUST or ALLOW rule > Give it a name > Set the action to BLOCK > Then I’m simply adding the inside zone as the source, and the outside zone as the destination > URLs.
Then add either the individual URLs you want to block, or (more sensibly) the URL categories you want to block, e.g. Adult, Social Networking or Gambling > OK > OK.
FTD: Enable Application Inspection (AVC)
Cisco have had AVC for a long time, but not many people use it. It's the ability to perform inspection and blocking up to layer 7 (the application layer). So let's say you want to let your employees use LinkedIn but not its job search: you can block just that. Or you want to block BitTorrent traffic: you can also do that with AVC. There are thousands of applications to choose from.
Like URL filtering you need to enable this on an access rule that’s set to BLOCK (here I’m lazily adding to the same one as my URL blocking, I suggest in production you create one just for AVC).
DON'T FORGET: No changes will be applied until you save and deploy them (which takes ages!).
Related Articles, References, Credits, or External Links
Cisco have done this for a while; the first time I saw it was years ago on a 5585, but all the NGFW models now have a 'Serial Number' and a 'Chassis Serial Number'. Normally you don't care, unless you need to log a TAC call online: you issue a show version command, take a note of the serial number, and then it says there's no record of that serial number?
Solution
Just to be clear
SmartNets are registered to the Chassis Serial Number; this is NOT the serial number shown with a 'show version' command.
Software (e.g. AnyConnect) is licensed to the Serial Number that IS shown with a 'show version' command.
As a general rule, Cisco ASA chassis serial numbers start with JMX, and the serial numbers start with JAD.
How to Locate the Cisco ASA ‘Chassis Serial Number’
Well, it's printed on the chassis of course, but if it's in a rack or a thousand miles away that's not much help! To get it remotely, use the 'show inventory' command;
Given the amount of deployments I do, it’s surprising that I don’t use KMS more often. Like most technical types, I find a way that works for me, and that’s the way I do things from then on. However these last few weeks I’ve been putting in a new infrastructure for a local secondary school. Their internet access is through a proxy server, that refuses to let Windows activation work. Unfortunately the “Administrators” of this proxy server were not disposed to give me any help, or let me anywhere near it, to fix it.
So after activating a dozen servers over the phone, I decided enough was enough “I’m putting in a KMS Server!”
I'm deploying KMS on Windows Server 2008 R2, and it is for the licensing and activation of Server 2008 R2 and Windows 7. I will also add in the KMS licensing mechanism for Office 2010 as well.
Note: If you are using Server 2003 it will need SP1 (at least) and this update.
Solution
To be honest, it's more difficult to find out how to deploy a KMS server than it actually is to do it. I've gone into a fair bit of detail below, but most of you will simply need to follow steps 1-4 (immediately below). After that I've outlined how to deploy KMS from the command line, then how to test it, and finally how to add Microsoft Office 2010 licences to the KMS server.
Install Microsoft Windows 2008 R2 Key Management Service (EASY)
1. The most difficult part is locating your KMS key! If you have a Microsoft licence agreement, log into the Microsoft Volume License Service Center and retrieve the KMS licence key for "Windows Server 2008 Std/Ent KMS B".
Note: To License/Activate Server 2008 R2 AND Windows 7 THIS IS THE ONLY KEY YOU NEED. You do NOT need to add additional keys for Windows 7. (You DO for Office 2010, but I’ll cover that below).
2. Armed with your new key, you simply need to change the product key on the server that will be the KMS server to the new key. Start > right click "Computer" > Properties (or Control Panel > System). Select "Change Product Key" > enter the new KMS key > Next.
3. You will receive a warning that you are using a KMS key > OK. You may now need to activate your copy of Windows with Microsoft; this is done as normal, and if you can't get it to work over the internet you can choose to do it over the phone.
4. In a corporate environment (behind an edge firewall) you may have the local firewall disabled on the server. If you do NOT, then you need to allow access through the local firewall for the "Key Management Service" (this listens on TCP port 1688). To allow the service: Start > Firewall.cpl {enter} > "Allow a program or feature through Windows Firewall" > tick Key Management Service > OK.
Note: Should you wish to change the port the service uses, you can do so with the following command, e.g. to change it to TCP port 1024 (remember to allow the new port through the firewall as well);
[box]
cscript c:\Windows\System32\slmgr.vbs /SPrt 1024
[/box]
That’s It! That is all you should need to do, your KMS Server is up and running.
Install Microsoft Windows 2008 R2 Key Management Service from Command Line
You will notice below that I'm running these commands from a command window running as administrator (right click "Command Prompt" > Run as administrator).
1. Change the product key on the server to your KMS host key (the same "Windows Server 2008 Std/Ent KMS B" key as step 1 above); from the command line this is done with slmgr.vbs and its /ipk switch followed by the key.
Note: To License/Activate Server 2008 R2 AND Windows 7 THIS IS THE ONLY KEY YOU NEED. You do NOT need to add additional keys for Windows 7. (You DO for Office 2010, but I'll cover that below).
2. Providing the command runs without error, we have just changed the product key for this Windows server to the KMS key.
3. Now we need to activate the Windows Server > Run the following command;
[box]
c:\Windows\System32\slui.exe
[/box]
Select “Activate Windows online now” > Follow the on screen prompts.
4. When complete, it should tell you that it was successfully activated.
5. In a corporate environment (behind an edge firewall) you may have the local firewall disabled on the server. If you do NOT, then you need to allow access through the local firewall for the "Key Management Service" (this listens on TCP port 1688). To allow the service: Start > Firewall.cpl {enter} > "Allow a program or feature through Windows Firewall" > tick Key Management Service > OK.
Note: Should you wish to change the port the service uses, you can do so with the following command, e.g. to change it to TCP port 1024 (remember to allow the new port through the firewall as well);
[box]
cscript c:\Windows\System32\slmgr.vbs /SPrt 1024
[/box]
That’s It! That is all you should need to do, your KMS Server is up and running.
Testing the Key Management Server
Before it will start doing what you want it to, you need to meet certain activation thresholds. With Windows 7 clients it WON'T work until it has had 25 requests from distinct client machines. If the requests come from Windows 2008 servers then the count is 5. (Note: for Office 2010 the count is also 5, NOT 25.) Client and server requests increment the same counter.
Interestingly: On my test network I activated five Windows 7 machines, then one server, and it started working.
Windows 7 and Windows 2008 R2 have KMS client setup keys BUILT INTO THEM, so if you are deploying/imaging machines you should not need to enter a key into them (unless you have entered a MAK key on those machines, in which case you will need to change it back to a KMS client key). These keys are publicly available (see here).
1. The service works because it publishes an SRV record in your DNS. When clients want to activate, they look for this record before they try to activate with Microsoft; if they find it, they activate from your KMS server instead. If you look on your domain DNS servers, expand "Forward Lookup Zones" > {your domain name} > _tcp > you will see an entry for _VLMCS that points to your KMS server (and the port it listens on). Check that it names the host you expect: clients will trust whatever server that record points to.
2. From your client machines you can test that they can see the SRV record, by running the following command;
[box]
nslookup -type=srv _vlmcs._tcp
[/box]
Note: If this fails, can your client see the DNS server, and is it in the domain? The short form above relies on the client's DNS suffix; if that is not your AD domain, query the full name _vlmcs._tcp.{your domain name} instead.
3. There is no GUI console for KMS to see its status, so run the following command on the KMS server; the "Current count" line is the number of distinct clients it has seen so far;
[box]
cscript c:\Windows\System32\slmgr.vbs /dli
[/box]
4. As I've mentioned above, with Windows clients you need 25, and with Windows servers you need 5 requests before KMS will activate anything. Until then the clients will show;
Windows Activation
A problem occurred when Windows tried to activate. Error Code 0xC004F038
5. Each of these failures still counts: look on the KMS server and the "Current count" will increment by 1 until it reaches the threshold and starts to work. In a live environment this won't be a problem (you probably won't be looking at KMS with fewer than 25 clients!). On a test network, just clone/deploy a load of machines until you hit the threshold. Note that cloned machines must have been sysprepped so each has a unique client machine ID; clones that share an ID only count once.
Troubleshooting KMS Clients
To make things simple the command to execute on the clients, is the same command that you run on the KMS server to check the status.
[box]
cd c:\windows\system32
slmgr /dli
[/box]
For further troubleshooting, see the following links.
In addition to servers and clients, KMS can activate and handle Office 2010 licences as well. You simply need to add in Office support (the Office 2010 KMS Host License Pack) and your Office 2010 KMS key. As mentioned above, unlike Windows clients, you only need five requests to the KMS server before it will start activating Office 2010 normally.
1. First locate your Office 2010 KMS key! If you have a Microsoft licence agreement, log into the Microsoft Volume License Service Center and retrieve the KMS licence key for "Office 2010 Suites and Apps KMS".
Note: As with Windows 7, and Server 2008 R2, Office 2010 comes with a KMS key already installed, if you have changed the key to a MAK key you can change it back using the Microsoft public KMS keys (see here).
I had a load of Cisco Catalyst 3560 switches that needed ‘ipbase’ licenses adding to them today. I’ve messed about with plenty of ASA license upgrades before, but not switches.
Solution
1. First thing you need is a Cisco PAK, this may be in an email or turn up in a cardboard envelope.
2. Go to http://www.cisco.com/go/license and log in (if you don’t already have a Cisco CCO account you can create one for free). Enter your PAK and select ‘fulfil’.
3. Select ‘All Quantities’ > Next.
4. Enter your product ID and serial number (see below).
To locate your Product ID (PID), and serial number (SN), on the switch issue a ‘show license udi’ command.
5. Accept the agreement > ensure your email address is correct > Submit.
6. Select ‘Download’ to get the license straight away (it will get emailed to you shortly).
Note: If it does not turn up in your email, check your junk email folder, I’m sure Microsoft Outlook does this on purpose!
7. You will have a file with a big long name and a .lic extension. If you want, you can copy this onto the switch via TFTP, but let's keep things simple and use a FAT32 formatted USB drive.
8. Before we start, let's check the licence on the switch. I'm running my ipbase licence on an evaluation; this is what we are going to add a permanent licence for.
[box]
Petes-Switch#show license
Index 1 Feature: ipservices
Period left: 8 weeks 4 days
License Type: Evaluation
License State: Active, Not in Use, EULA not accepted
License Priority: None
License Count: Non-Counted
Index 2 Feature: ipbase
Period left: 7 weeks 5 days
License Type: Evaluation
License State: Active, In Use
License Priority: Low
License Count: Non-Counted
Index 3 Feature: lanbase
Period left: Life time
License Type: Permanent
License State: Active, Not in Use
License Priority: Medium
License Count: Non-Counted
Petes-Switch#
[/box]
10. Then copy the .lic file to the switch's flash memory.
[box]
Mar 30 04:13:18.466: %USBFLASH-5-CHANGE: usbflash0 has been inserted!
Petes-Switch#copy usbflash0: flash:
Source filename []? FDO1818X123_201410200338212345.lic
Destination filename [FDO1818X123_201410200338212345.lic]? {Enter}
Copy in progress...C
1152 bytes copied in 0.041 secs (28098 bytes/sec)
Petes-Switch#
[/box]
11. Install the new license.
[box]
Petes-Switch#license install flash:/FDO1818X123_201410200338212345.lic
Installing licenses from "flash:/FDO1818X123_201410200338212345.lic"
Installing...Feature:ipbase...Successful:Supported
1/1 licenses were successfully installed
0/1 licenses were existing licenses
0/1 licenses were failed to install
Petes-Switch#
Mar 30 04:19:35.643: %IOS_LICENSE_IMAGE_APPLICATION-6-LICENSE_LEVEL: Module name = c3560x
Next reboot level = ipbase and
License = ipbase
Mar 30 04:19:36.146: %LICENSE-6-INSTALL: Feature ipbase 1.0 was installed in this device.
UDI=WS-C3560X-24T-L:FDO1818X123;
StoreIndex=1:Primary License Storage
Petes-Switch#
[/box]
12. The licence won't take effect until you reload the switch, so save the config and reload.
[box]
Petes-Switch#write mem
Building configuration...
[OK]
Petes-Switch#reload
Proceed with reload? [confirm]{Enter}
Mar 30 04:20:43.104: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload command.
[/box]
13. Post reboot, check again: the ipbase licence should now be permanent.
[box]
Petes-Switch#show license
Index 1 Feature: ipservices
Period left: 8 weeks 4 days
License Type: Evaluation
License State: Active, Not in Use, EULA not accepted
License Priority: None
License Count: Non-Counted
Index 2 Feature: ipbase
Period left: Life time
License Type: Permanent
License State: Active, In Use
License Priority: Medium
License Count: Non-Counted
Index 3 Feature: lanbase
Period left: Life time
License Type: Permanent
License State: Active, Not in Use
License Priority: Medium
License Count: Non-Counted
Petes-Switch#
[/box]
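The before/after output above is easy to eyeball on one switch but not across a stack of them. The following is an added example (my code, not part of the original article) that parses 'show license' output into records, identifies which feature level the switch is actually running on, and flags an evaluation licence that is In Use or about to expire. The sample output is copied from the two captures above; the 30-day warning window is my own choice.

```python
"""Audit Catalyst 'show license' output: find which licence the switch is
actually running on and warn when it is an evaluation that will expire."""
import re
from typing import Dict, List, Optional

# Constructed sample, copied from the pre-install output shown above.
SHOW_LICENSE_BEFORE = """\
Index 1 Feature: ipservices
Period left: 8 weeks 4 days
License Type: Evaluation
License State: Active, Not in Use, EULA not accepted
License Priority: None
License Count: Non-Counted
Index 2 Feature: ipbase
Period left: 7 weeks 5 days
License Type: Evaluation
License State: Active, In Use
License Priority: Low
License Count: Non-Counted
Index 3 Feature: lanbase
Period left: Life time
License Type: Permanent
License State: Active, Not in Use
License Priority: Medium
License Count: Non-Counted
"""

# After the reload only the ipbase stanza (Index 2) changes.
SHOW_LICENSE_AFTER = SHOW_LICENSE_BEFORE.replace(
    "Period left: 7 weeks 5 days\nLicense Type: Evaluation\n"
    "License State: Active, In Use\nLicense Priority: Low",
    "Period left: Life time\nLicense Type: Permanent\n"
    "License State: Active, In Use\nLicense Priority: Medium",
)

INDEX_RE = re.compile(r"^Index\s+(\d+)\s+Feature:\s*(\S+)")


def period_to_days(period: str) -> Optional[int]:
    """'7 weeks 5 days' -> 54; 'Life time' (permanent) -> None."""
    if period.strip().lower().startswith("life"):
        return None
    days = 0
    for qty, unit in re.findall(r"(\d+)\s*(week|day)s?", period):
        days += int(qty) * (7 if unit == "week" else 1)
    return days


def parse_show_license(text: str) -> List[Dict[str, str]]:
    """Turn each 'Index N Feature: x' stanza into a dict keyed by the
    lower-cased field names (period_left, license_type, license_state...)."""
    licenses: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = INDEX_RE.match(line)
        if m:
            current = {"index": m.group(1), "feature": m.group(2)}
            licenses.append(current)
            continue
        if current is None or ":" not in line:
            continue  # prompt and banner lines before the first Index
        key, _, value = line.partition(":")
        current[key.strip().lower().replace(" ", "_")] = value.strip()
    return licenses


def running_licence(licenses: List[Dict[str, str]]) -> Optional[Dict[str, str]]:
    """The feature level the switch booted with: 'In Use' but not 'Not in Use'."""
    for lic in licenses:
        state = lic.get("license_state", "")
        if "In Use" in state and "Not in Use" not in state:
            return lic
    return None


def audit(licenses: List[Dict[str, str]], warn_within_days: int = 30) -> List[str]:
    """Findings a fleet check would raise: the running licence is not
    permanent, or an evaluation licence is close to expiry."""
    findings = []
    running = running_licence(licenses)
    for lic in licenses:
        days = period_to_days(lic.get("period_left", ""))
        if lic is running and lic.get("license_type") != "Permanent":
            findings.append(f"{lic['feature']}: In Use but licence type is "
                            f"{lic.get('license_type')} ({days} days left)")
        elif days is not None and days <= warn_within_days:
            findings.append(f"{lic['feature']}: evaluation expires in {days} days")
    return findings


if __name__ == "__main__":
    for label, text in (("before", SHOW_LICENSE_BEFORE), ("after", SHOW_LICENSE_AFTER)):
        print(label, audit(parse_show_license(text)) or ["OK"])
```

Feed it the captured output of 'show license' from each switch (for example collected over SSH) and anything it prints is a switch that will silently drop to a lower feature level when the evaluation runs out.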
VMware View is a big product, and deploying it can be daunting; if you're not sure what you're doing it's pretty easy to deploy it misconfigured, or at the very least not configured as well as it should be. I'm going to run through most of the requirements, but it seems sensible to break this up into a few different articles.
Solution
Configuring Windows Active Directory for VMware View
1. Before you start, on your domain controller open active directory users and computers (dsa.msc). Create an OU for your View Desktops, also to make administration easier create a separate OU for any linked clones you are going to deploy. In the example below I’ve nested one inside the other to keep my AD neat and tidy.
2. Also whilst in AD users and computers, create some groups, one for ViewUsers, and one for ViewAdministrators. Add in your users to the groups as required.
Note: You can call the groups whatever you like, and have as many different groups as you like.
3. Now connect to your Virtual Center Server, and add the domain ViewAdministrators group to the LOCAL Administrators group on that server.
Installing and configuring VMware View 5
4. Run the installer for VMware Connection Server (there is a 32-bit and a 64-bit version; make sure you download the correct one, as VMware call the 64-bit version VMware-viewconnectionserver-x86_64-5.0.1-640055.exe, which at first glance looks like a 32-bit file). Accept all the defaults until you see the following screen, and select View Standard Server.
View Standard Server: select this if this is the first Connection Server you are deploying.
View Replica Server: select this if you already have a Connection Server and you want to copy the configuration from that server; once in operation it just becomes a standard replica server.
View Security Server: usually placed on an edge network or in a DMZ to broker connection requests.
View Transfer Server: only required if your clients are going to use 'Local Mode' for their View desktops.
5. Accept all the defaults and finish the installation.
6. Connect to the VMware View Administrator console; this is a web connection to https://{Connection-server-name}/admin. Note: Adobe Flash is required for it to work.
7. The first time you connect it will take you straight to View Configuration > Product Licensing and Usage > select "Edit License" and type/paste in your licence key.
8. To point the connection server to your virtual center server, select View Configuration > Servers > vCenter Server section > Add.
9. Give it the vCenter server name, and a username and password for a user who is a member of your ViewAdministrators group.
Note: If your vCenter server has VMware composer installed this is where you would enable it. At this time I do not, but I will return here later after I’ve installed it when I cover VMware Composer and ‘linked clones’.
Some versions of Windows 8 (Windows 8 Pro for example) ask for the unlock code as soon as you install them, I installed Windows 8 Enterprise on my PC at home today, and I couldn’t even change my user photo, because Windows hadn’t activated. When I tried, this is what happened.
Solution
As I had not yet installed a Windows unlock code, it's safe to assume it had its built-in KMS code, so I would need to change it to my own Windows code.
1. Press Windows Key+X to bring up the Advanced Context Menu >Select ‘Command Prompt (Admin)’.
2. Run the following command (where 12345-ABCDE-12345-ABCDE-12345 is YOUR Windows code);
Seen when adding an Office 2010 KMS key on a Windows 2008 R2 KMS Server.
Note: Using the Microsoft Office 2010 KMS Host License pack as per this article.
An error occurred: 0x80072F8F
To display the error text run the following:
slui.exe 0x2a 0x80072F8F
Solution
1. If you do run the command they ask you to, all you get is;
Code:
0x80072F8F
Description:
A Security error occurred
2. Not very helpful. However, some Google searching turned up the solution: check that the time on the KMS server is correct; mine was way out. (0x80072F8F is the WinINet SSL/certificate failure code, ERROR_INTERNET_SECURE_FAILURE: with the clock wrong, the certificate on Microsoft's activation service appears not yet valid or expired, so the TLS connection fails.)
Note: This had happened because the domain controller was on an ESXi host with the incorrect time, the KMS server took its time from the domain controller when it booted. (Domain clients typically take their time from the DC holding the PDC emulator role).
IOS 11.2 gave us CBAC, and IOS 12.4(6)T gave us the Zone Based Firewall. You can still use either, providing you are running the correct IOS (or, in the case of version 15 and upwards, have added the correct licence, 'securityk9'). For older IOS versions you usually want the advipservices version of the IOS.
Solution
Run the following command to see if you have the correct licence installed (look for securityk9 with Enabled set to yes).
[box]
Petes-Router#show license feature
[/box]
Cisco IOS Setup CBAC (IOS Firewall Classic)
1. Declare the protocols you want to inspect.
[box]
Petes-Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Petes-Router(config)#ip inspect name IOS-FW tcp
Petes-Router(config)#ip inspect name IOS-FW udp
Petes-Router(config)#ip inspect name IOS-FW icmp
[/box]
2. Apply that inspection inbound on the inside interface (that's traffic going out; CBAC will then let the replies back in).
[box]
Petes-Router(config)#interface FastEthernet 0/1
Petes-Router(config-if)#ip inspect IOS-FW in
Petes-Router(config-if)#exit
Petes-Router(config)#
[/box]
3. Apply the inspection inbound on the outside interface too (for traffic coming in), and then save the changes. Bear in mind that CBAC on its own blocks nothing: it only adds temporary openings for the return traffic of sessions it has inspected. To actually drop unsolicited inbound connections you also need an inbound extended ACL on the outside interface (permitting only what you want, such as your VPN traffic); the inspection then punches holes through that ACL for the replies.
Note: If you have VPN traffic this will NOT break it.
[box]
Petes-Router(config)#interface Dialer0
Petes-Router(config-if)#ip inspect IOS-FW in
Petes-Router(config-if)#exit
Petes-Router(config)#exit
*Mar 1 00:05:29.875: %SYS-5-CONFIG_I: Configured from console by console
Petes-Router#wr mem
Building configuration...
[OK]
Petes-Router#
[/box]
Cisco Zone Based Firewall Setup
The config on ZBF can get quite complicated, I’m simply going to allow traffic out, and block all traffic coming in (apart from traffic that will be coming in over VPN).
Note: CBAC Settings (if used), must be removed before configuring ZBF.
1. The first thing to do is set up the zones; I only have a LAN and a WAN to worry about.
[box]
Petes-Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Petes-Router(config)#zone security SZ-INSIDE
Petes-Router(config-sec-zone)#description Local Area Network
Petes-Router(config-sec-zone)#zone security SZ-OUTSIDE
Petes-Router(config-sec-zone)#description Wide Area Network (Internet)
Petes-Router(config-sec-zone)#exit
[/box]
2. Create two ACLs to decide which traffic you want to allow in and out. Note: I've also added the subnets for my remote VPN network. I will allow out www (TCP 80), https (TCP 443) and DNS (UDP and TCP 53; resolvers use UDP first, so a TCP-only rule would break name resolution). Inbound, everything is blocked apart from my VPN traffic.
Note: I’m not covering setting up the VPN, if you want to know how to do that, see the following article;
Then for each ACL I'm creating a class-map; it's the class-map that decides what traffic will be inspected (by inspected, in ZBF terms we mean allowed statefully, with the return traffic permitted automatically).
[box]
Petes-Router(config)#ip access-list extended ACL-OUTBOUND
Petes-Router(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
Petes-Router(config-ext-nacl)#permit tcp 192.168.1.0 0.0.0.255 any eq www
Petes-Router(config-ext-nacl)#permit tcp 192.168.1.0 0.0.0.255 any eq 443
Petes-Router(config-ext-nacl)#permit udp 192.168.1.0 0.0.0.255 any eq 53
Petes-Router(config-ext-nacl)#permit tcp 192.168.1.0 0.0.0.255 any eq 53
Petes-Router(config-ext-nacl)#exit
Petes-Router(config)#class-map type inspect match-all CM-OUTBOUND
Petes-Router(config-cmap)#match access-group name ACL-OUTBOUND
Petes-Router(config-cmap)#exit
Petes-Router(config)#ip access-list extended ACL-INBOUND
Petes-Router(config-ext-nacl)#permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
Petes-Router(config-ext-nacl)#exit
Petes-Router(config)#class-map type inspect match-all CM-INBOUND
Petes-Router(config-cmap)#match access-group name ACL-INBOUND
Petes-Router(config-cmap)#exit
[/box]
3. Define what to do with the (matched) traffic with a policy-map. A class can be set to inspect (stateful allow), pass (allow without state) or drop (optionally with log). We inspect our matched traffic, and drop and log everything else.
[box]
Petes-Router(config)#policy-map type inspect PM-OUTBOUND
Petes-Router(config-pmap)#class type inspect CM-OUTBOUND
Petes-Router(config-pmap-c)#inspect
%No specific protocol configured in class CM-OUTBOUND for inspection. All protocols will be inspected
Note: This warning only means the class has no 'match protocol' statement, so IOS applies generic layer-4 stateful inspection to whatever the class matches; the ACL still limits that to the ports we permitted.
Petes-Router(config-pmap-c)#class class-default
Petes-Router(config-pmap-c)#drop log
Petes-Router(config-pmap-c)#exit
Petes-Router(config-pmap)#exit
Petes-Router(config)#policy-map type inspect PM-INBOUND
Petes-Router(config-pmap)#class type inspect CM-INBOUND
Petes-Router(config-pmap-c)#inspect
%No specific protocol configured in class CM-INBOUND for inspection. All protocols will be inspected
Note: The Above is fine, it drops everything that's not VPN traffic anyway.
Petes-Router(config-pmap-c)#class class-default
Petes-Router(config-pmap-c)#drop log
Petes-Router(config-pmap-c)#exit
Petes-Router(config-pmap)#exit
[/box]
4. The last task is to create zone-pairs for the outbound and inbound traffic, then apply our policy-map to them with a service-policy.
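The zone-pair, service-policy and zone-member commands for that last step are not shown above, so here is an added example (my code, not from the original article) that renders the whole zone based firewall from a small description of intent, in the order IOS accepts when pasted, and lints the intent for the DNS-over-TCP-only mistake. The interface names FastEthernet0/1 and Dialer0 are taken from the CBAC section and are an assumption for this router; the subnets and services are the ones used above.

```python
"""Render the zone based firewall described above as one pasteable block,
including the zone-pairs, service-policies and zone-member statements that
the last step needs, and lint the intent for common mistakes."""
from dataclasses import dataclass
from typing import List


@dataclass
class Service:
    proto: str   # "tcp" or "udp"
    port: str    # IOS port keyword or number, e.g. "www", "443", "53"


@dataclass
class ZbfIntent:
    inside_if: str           # interface that joins SZ-INSIDE
    outside_if: str          # interface that joins SZ-OUTSIDE
    inside_net: str          # LAN in IOS "network wildcard" form
    vpn_nets: List[str]      # remote subnets reached over the VPN
    outbound: List[Service]  # services the LAN may open to the Internet


def render_zbf(i: ZbfIntent) -> List[str]:
    """Return IOS configuration lines in an order IOS will accept when pasted
    into configure terminal (zones, ACLs, class-maps, policy-maps, zone-pairs,
    then interface membership)."""
    cfg = [
        "zone security SZ-INSIDE",
        " description Local Area Network",
        "zone security SZ-OUTSIDE",
        " description Wide Area Network (Internet)",
        "ip access-list extended ACL-OUTBOUND",
    ]
    # LAN to the VPN subnets is allowed unconditionally; everything else
    # only on the listed ports.
    cfg += [f" permit ip {i.inside_net} {net}" for net in i.vpn_nets]
    cfg += [f" permit {s.proto} {i.inside_net} any eq {s.port}" for s in i.outbound]
    # Inbound, only the VPN subnets may initiate connections to the LAN.
    cfg.append("ip access-list extended ACL-INBOUND")
    cfg += [f" permit ip {net} {i.inside_net}" for net in i.vpn_nets]
    for d in ("OUTBOUND", "INBOUND"):
        cfg += [
            f"class-map type inspect match-all CM-{d}",
            f" match access-group name ACL-{d}",
            f"policy-map type inspect PM-{d}",
            f" class type inspect CM-{d}",
            "  inspect",          # stateful allow; return traffic is tracked
            " class class-default",
            "  drop log",         # everything unmatched is dropped and logged
        ]
    cfg += [
        "zone-pair security ZP-IN-OUT source SZ-INSIDE destination SZ-OUTSIDE",
        " service-policy type inspect PM-OUTBOUND",
        "zone-pair security ZP-OUT-IN source SZ-OUTSIDE destination SZ-INSIDE",
        " service-policy type inspect PM-INBOUND",
        # Nothing is enforced until the interfaces are placed in their zones.
        f"interface {i.inside_if}",
        " zone-member security SZ-INSIDE",
        f"interface {i.outside_if}",
        " zone-member security SZ-OUTSIDE",
    ]
    return cfg


def lint(i: ZbfIntent) -> List[str]:
    """Catch the DNS mistake: resolvers speak UDP 53 first, so a tcp-only
    rule leaves the LAN unable to resolve names."""
    dns_protos = {s.proto for s in i.outbound if s.port in ("53", "domain")}
    findings = []
    if dns_protos == {"tcp"}:
        findings.append("DNS is permitted over tcp only; add a udp 53 rule")
    return findings


# Constructed example matching the article. The interface names come from
# the CBAC section above and are an assumption for this router.
EXAMPLE = ZbfIntent(
    inside_if="FastEthernet0/1",
    outside_if="Dialer0",
    inside_net="192.168.1.0 0.0.0.255",
    vpn_nets=["192.168.2.0 0.0.0.255"],
    outbound=[Service("tcp", "www"), Service("tcp", "443"),
              Service("udp", "53"), Service("tcp", "53")],
)

if __name__ == "__main__":
    for warning in lint(EXAMPLE):
        print("! " + warning)
    print("\n".join(render_zbf(EXAMPLE)))
```

Put both interfaces into their zones in the same paste: traffic between a zone member and an interface that is not in any zone is dropped, so adding only one of them cuts the router off. Traffic to and from the router itself (IKE and ESP for the VPN, your SSH session) belongs to the self zone, which is permitted by default unless you create a zone-pair involving it.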
Each model in the Cisco ASA 5500 range comes with a range of licences and features, to add these features you can purchase them from a Cisco reseller. You will then need to apply the licence to the device.
Solution
1. Your first step is to purchase the licence you require from an authorised Cisco reseller.
2. When your licence arrives you need to locate the PAK that is on the certificate.
3. You need the Serial number of the ASA 5500, to get this either look on the chassis of the device or issue a “show version” command.
[box]
PetesASA# show version
Cisco Adaptive Security Appliance Software Version 8.0(3)
Device Manager Version 6.1(3)
Compiled on Tue 06-Nov-07 22:59 by builders
System image file is "disk0:/asa803-k8.bin"
Config file at boot was "startup-config"
PetesASA up 5 days 17 hours
Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.01
IPSec microcode : Cnlite-MC-IPSECm-MAIN-2.04
0: Ext: Ethernet0/0 : address is 001d.70df.3e28, irq 9
1: Ext: Ethernet0/1 : address is 001d.70df.3e29, irq 9
2: Ext: Ethernet0/2 : address is 001d.70df.3e2a, irq 9
3: Ext: Ethernet0/3 : address is 001d.70df.3e2b, irq 9
4: Ext: Management0/0 : address is 001d.70df.3e27, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 100
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 250
WebVPN Peers : 25
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
This platform has an ASA 5510 Security Plus license.
Serial Number: JMX1234ABCD
Running Activation Key: 0x5c385c4d 0xf8344dbb 0xac3161c8 0xaf983c24 0x88888888
Configuration register is 0x1
Configuration has not been modified since last system restart.
[/box]
4. So the one above has a serial Number of JMX1234ABCD.
5. Now you have the PAK and the serial number, you need to register them with Cisco at the licensing portal (www.cisco.com/go/license). Log in with a Cisco CCO account > enter the PAK code > Submit.
6. Check the PAK details, and add more as required > Click “All Done”.
7. Enter the Serial Number of the ASA and tick “I Agree..” > Enter/Check your details > Enter the Licensee details (If Different) > Continue.
8. Read the Summary > Submit > Wait for it to stop saying “Processing” > When complete it should “Go Green” and say Registration Complete.
9. It can take a little while for the licence to be emailed to you, and it USUALLY goes straight to junk mail (thanks Microsoft, that's not funny!).
10. When the Licence comes in, the detail that you need is the activation key, it will look like….
dd12eb50 9e16d5bb 45b2a92c 78901838 44999999
11. You add this licence to the ASA with an “activation-key” command:
[box]
PetesASA> enable
Password: ***********
PetesASA# configure terminal
PetesASA(config)# activation-key dd12eb50 9e16d5bb 45b2a92c 78901838 44999999
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 100
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 250
WebVPN Peers : 50
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
This platform has an ASA 5510 Security Plus license.
Both running and flash activation keys were updated with the requested key.
PetesASA(config)#
[/box]
12. That’s the licence added.
Note: In the example above I added a licence to increase the WebVPN peers from 25 to 50 (which you can see if you compare the two licensed-features blocks).
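To confirm that a new key changed only what you paid for, the following added example (my code, not part of the original article) extracts the 'Licensed features for this platform' block from two captures and reports every feature whose value differs. The two samples are the blocks shown above; the activation-key format check assumes the five-word key form printed on this page.

```python
"""Compare the 'Licensed features for this platform' block before and after
an activation-key change, so you can see exactly what the new key bought."""
import re
from typing import Dict, Tuple

# Constructed samples: the feature block from 'show version' above, and the
# same block as printed by the activation-key command.
BEFORE = """\
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 100
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 250
WebVPN Peers : 25
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
This platform has an ASA 5510 Security Plus license.
Serial Number: JMX1234ABCD
"""
AFTER = BEFORE.replace("WebVPN Peers : 25", "WebVPN Peers : 50")

HEADER = "Licensed features for this platform"
FEATURE_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9/ \-]*?)\s*:\s*(.+?)\s*$")


def parse_licensed_features(show_version: str) -> Dict[str, str]:
    """Return {feature: value} from the block that follows the header line.
    The block ends at the first line that is not 'name : value' (the
    'This platform has ...' sentence), so 'Serial Number:' is not swept in."""
    features: Dict[str, str] = {}
    in_block = False
    for line in show_version.splitlines():
        if line.strip().startswith(HEADER):
            in_block = True
            continue
        if not in_block:
            continue
        m = FEATURE_RE.match(line)
        if not m:
            break
        features[m.group(1)] = m.group(2)
    return features


def diff_features(before: str, after: str) -> Dict[str, Tuple[str, str]]:
    """{feature: (old, new)} for every feature whose value differs."""
    old, new = parse_licensed_features(before), parse_licensed_features(after)
    return {
        name: (old.get(name, "<absent>"), new.get(name, "<absent>"))
        for name in sorted(set(old) | set(new))
        if old.get(name) != new.get(name)
    }


# Five 32-bit hex words, with or without 0x prefixes, as printed above.
ACTIVATION_KEY_RE = re.compile(
    r"^(?:0x)?[0-9a-f]{8}(?:\s+(?:0x)?[0-9a-f]{8}){4}$", re.IGNORECASE)


def looks_like_activation_key(key: str) -> bool:
    """Quick sanity check of a key from the licence e-mail before pasting it
    into 'activation-key' (catches a truncated or wrapped key)."""
    return ACTIVATION_KEY_RE.match(key.strip()) is not None


if __name__ == "__main__":
    for name, (old, new) in diff_features(BEFORE, AFTER).items():
        print(f"{name}: {old} -> {new}")
```

Capture 'show version' before the change and the output of the activation-key command after it, and the diff should list only the features the PAK was for; anything else changing (or the WebVPN count not changing) means the wrong key was applied.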
If you are having problems with internal clients NOT getting through the firewall, the licence on your ASA 5505 may be 'too small'.
ASA 5505 License Differences
Essentially the licences come in 10 user, 50 user and unlimited*. You can also have a Security Plus licence, which increases IPsec VPN peers from 10 to 25 and adds Active/Standby failover, dual ISP support and DMZ support.
*Note: These figures are the concurrent total users, i.e. internal clients making connections through the firewall from the internal VLAN to the external VLAN (not between internal VLANs). If you have no default route defined then the limit applies to ALL hosts on ALL VLANs.
From Cisco
In routed mode, hosts on the inside (Business and Home VLANs) count towards the limit when they communicate with the outside (Internet VLAN), including when the inside initiates a connection to the outside as well as when the outside initiates a connection to the inside. Note that even when the outside initiates a connection to the inside, outside hosts are not counted towards the limit; only the inside hosts count. Hosts that initiate traffic between Business and Home are also not counted towards the limit. The interface associated with the default route is considered to be the outside Internet interface. If there is no default route, hosts on all interfaces are counted toward the limit. In transparent mode, the interface with the lowest number of hosts is counted towards the host limit. See the show local-host command to view host limits.
Solution
To locate your licence version, issue the following command whilst in enable mode: 'sho ver' or 'show version'. In the licensed features section, the 'Inside Hosts' line gives the user count, and the 'This platform has ...' line at the end tells you whether you have a Base or Security Plus licence.
ASA 5505 10 User License
ASA5505 50 User License
ASA 5505 Unlimited License
ASA 5505 Security Plus License