Cisco Firewall Port Forwarding

KB ID 0000077

Problem

Note: This is for Cisco ASA 5500, 5500-x, and Cisco Firepower devices running ASA Code.

Note2: If your firewall is running a version older than 8.3 you will need to scroll down the page.

Port forwarding on Cisco firewalls can be a little difficult to get your head around, to better understand what is going on remember in the “World of Cisco” you need to remember two things…..

1. NAT Means translate MANY addresses to FEW Addresses

2. PAT Means translate MANY addresses to ONE Address.

Why is that important you ask? Well most networking types assume NAT is translating one address to many, BUT on a Cisco device this is PAT, and it uses (as the name implies) port numbers to track everything. e.g. the first connection outbound might be seen on the firewall as 123.123.123.123:1026 and the second connection outbound might be seen as 123.123.123.123:2049 so when the traffic comes back the firewall knows where to send it.

Fair enough but what has that got to do with Port Forwarding? Well you can use the exact same system to lock a port to an IP address – so if only one port can go to one IP address then that’s going to give you port forwarding 🙂

To make matters more confusing (sorry) you configure PAT in the NAT settings, for this very reason it confuses the hell out of a lot of people, and the GUI is not intuitive for configuring port forwarding, (the ADSM is better than the old PIX PDM) but most people, (me included,) prefer to use command line to do port forwarding.

Below you will find;

Option 1 (Use ASDM)
Option 2 Use Command Line Interface
Option 3 Use PDM (PIX v6 Only)

Option 1: Port Forwarding Using ASDM

Note: This option uses ASDM Version 7.9(2) If yours is older see below;

Connect to the ASDM, Configuration > Firewall > NAT Rules > Right Click ‘Network Object Nat Rules’ > Add ‘Network Object’ Nat Rule.

Name = “Give the internal server/host a sensible name” > Type = Host > IP Address = The internal / private IP address > Type = Static > Translated address = Outside > Advanced > Source Interface = Inside > Destination Interface = Outside > Protocol = TCP  > Real port = http > Mapped Port = http > Ok > OK > Apply.

Note: This assumes your Outside interface is called outside, Inside interface is called inside and you want to port TCP port 80 (http).

Configuration > Firewall > Access Rules > Right Click ‘Outside Interface” > Add Access Rule.

Interface = Outside > Action = Permit > Source = Any > Destination {Browse}  > Locate the object you created earlier > Add to Destination > OK.

Service {Browse} > Select the Port you require (i.e. http) > OK.

OK > Apply > When you have tested it works, save the changes.

 

Using Older ASDM (PIX V7 and ASA5500) 1 Port to 1 IP Address

1. As above you will need to know the port and the IP to forward it to, Launch the ASDM, Select Configuration > Security Policy > Then either Rule Add, or right click the incoming rules and select “Add Access Rule.”

2. Interface = Outside > Direction = Incoming > Action = Permit > Source = Any > Destination, Type = Interface IP, Interface = Outside > Protocol = TCP > Destination Port Source = smtp (for example) > OK > Apply.

3. Back at the main screen select Configuration > NAT > Add, or Right Click an Existing mapping and click “Add Static NAT Rule.”

4. Real Address Interface = Inside > IP Address = 10.254.254.1 > Netmask = 255.255.255.255 > Static Translation Interface = outside > IP Address = (Interface IP) > Tick “Enable Port Translation (PAT) > Protocol = TCP > Original Port = smtp > Translated Port = smtp (for example) > OK > Apply.

5. File > “Save Running Configuration to Flash.”

Option 2 Use the Command Line to Port Forward (Post Version 8.3)

Note: Port forwarding changed on PIX/ASA devices running OS 8.3 and above, in regards to port forwarding. There is no longer a global command, for a full run-down of the changes click here.

If you issue a global command after version 8.3 you will see this error,

ERROR: This syntax of nat command has been deprecated.
Please refer to “help nat” command for more details.

1. First things first, you will need to know what port you want to forward, and where you want to forward it, for this example We will assume I’ve got a server at 10.254.254.5 and it’s a mail server so I want to Forward all TCP Port 80 traffic (HTTP) to it. Connect to the Firewall via Console/Telnet or SSH.

[box]

Warning Notice
User Access Verification#
Password:********
Type help or '?' for a list of available commands.
Petes-ASA>

[/box]

2. Enter enable mode, and enter the enable mode password.

[box]

Petes-ASA> enable
Password:********
Petes-ASA#

[/box]

3. Now we need to go to configuration mode.

[box]

Petes-ASA# configure terminal
Petes-ASA(config)#

[/box]

4. Create an object for the web server that the traffic is going to be forwarded to.

[box]

Petes-ASA(config)# object network Internal_Web_Server
Petes-ASA(config-network-object)# host 10.254.254.5

[/box]

5. Then create a NAT translation for the port to be forwarded. Then you can exit the network object prompt.

[box]

Petes-ASA(config-network-object)# nat (inside,outside) static interface service tcp http http
Petes-ASA(config-network-object)# exit

[/box]

6. Now you need to allow the http traffic in. Before you can add an ACL you need to see if you already have one. We are applying an ACL to the outside interface for traffic going in (I call this inbound for obvious reasons). To see if you already have an ACL applied, issue the following command;

[box]

Petes-ASA# show run access-group
access-group inbound in interface outside
access-group outbound in interface inside

[/box]

Note: In the example above we have an ACL called inbound that we MUST use. (If you added a new one, all the access list entries for the old one get ‘Un-applied’). If yours has a different name (e.g. outside_access_in then use that instead of the ACL name I’m using here). If you DONT have an access-group entry for inbound traffic then we will do that at the end!

[box]

Petes-ASA(config)# access-list inbound permit tcp any object Internal_Web_Server eq http

[/box]

7. Then: Only carry out the following command if you DO NOT HAVE an ACL applied for incoming traffic.

[box]

Petes-ASA(config)# access-group inbound in interface outside
Petes-ASA(config)#

[/box]

8. Don’t forget to save your hard work. (write memory).

[box]

Petes-ASA(config)# write memory
Building configuration...
Cryptochecksum: aab5e5a2 c707770d f7350728 d9ac34de
[OK]
Petes-ASA(config)#

[/box]

All the commands to Copy & Paste (Post v 8.3);

[box]

object network Internal_Web_Server
 host 10.254.254.5
nat (inside,outside) static interface  service tcp http http
access-list inbound permit tcp any object Internal_Web_Server eq http
access-group inbound in interface outside 

[/box]

Use the Command Line to Port Forward (pre version 8.3) 1 Port to 1 IP Address

1. First things first, you will need to know what port you want to forward, and where you want to forward it, for this example we will assume I’ve got a server at 10.254.254.1 and it’s a mail server so I want to forward all TCP Port 25 traffic to it. Connect to the Firewall via Console/Telnet or SSH.

[box]

Warning Notice

User Access Verification
Password:*******

Type help or '?' for a list of available commands.
Petes-ASA>

[/box]

2. Enter enable mode, and enter the enable mode password.

[box]

Petes-ASA> enable
Password: ********
Petes-ASA#

[/box]

3. Now we need to go to configuration mode.

[box]

Petes-ASA# configure terminal
Petes-ASA(config)#

[/box]

4. Now you need to allow the http traffic in. Before you can add an ACL you need to see if you already have one. We are applying an ACL to the outside interface for traffic going in (I call this inbound for obvious reasons). To see if you already have an ACL applied, issue the following command;

[box]

Petes-ASA#show run access-group
access-group inbound in interface outside
access-group outbound in interface inside

[/box]

Note: In the example above we have an ACL called inbound that we MUST use. (If you added a new one, all the access list entries for the old one get ‘Un-applied’). If yours has a different name (e.g. outside_access_in then use that instead of the ACL name I’m using here). If you DON’T have an access-group entry for inbound traffic then we will do that at the end!

5. Then: Only carry out the following command if you DO NOT HAVE an ACL applied for incoming traffic.

[box]

Petes-ASA(config)# access-group inbound in interface outside
Petes-ASA(config)#

[/box]

6. Lastly the command that actually does the port forwarding, (static command). And allow the traffic in.

[box]

Petes-ASA(config)# static (inside,outside) tcp interface smtp 10.254.254.1 smtp netmask 255.255.255.255
Petes-ASA(config)# access-list inbound extended permit tcp any interface outside eq smtp

[/box]

7. Don’t forget to save your hard work. (write memory).

[box]

Petes-ASA(config)# write memory
Building configuration...
Cryptochecksum: aab5e5a2 c707770d f7350728 d9ac34de
[OK]
Petes-ASA(config)#

[/box]

Option 3 Use the PIX Device Manager (PIX Version 6 Only)1 Port to 1 IP Address

1. As above you will need to know the port and the IP to forward it to, Launch the PIX Device manager, Select Configuration > Access Rules > Then either click “Rule”s > Add or Right click an incoming rule and select > “Insert Before” or “Insert After”.

2. Under the “Action” select “Permit”, Under Source Host/Network Select “Outside”, and all the zeros, Under Destination Host/Network Select “Inside” and all the zeros then set the “Destination Port” to smtp > OK > Apply.

3, Now select the “Translation Rules” tab, Rules Add or Right click a rule and select “Insert before” or “Insert After”.

4. In this example I’ve set it to forward all TCP Port 25 traffic to 10.254.254.10 (NOTE: I’ve blurred out the public IP Address you will need to add this also) > OK > Apply.

5. Finally save your work > File > “Save Running Configuration to Flash.” > Exit.

Related Articles, References, Credits, or External Links

ASA 5500 – Port Forwarding To A Different Port

Cisco ASA – Port Forward a ‘Range of Ports’

Add a Static (One to One) NAT Translation to a Cisco ASA 5500 Firewall

Microsoft Azure To Cisco ASA Site to Site VPN

KB ID 000116

Problem

The one reason I prefer Cisco over Microsoft is they rarely change things, you learn how to do something and it’s learned. This is the second time have had to write this article purely because the Azure UI has changed!

 

Virtual Network Gateway Options

With VPN’s into Azure you connect to a Virtual Network Gateway, of which there are TWO types Policy Based, and Route Based. This article will deal with Policy Based, for the more modern Route based option, see the following link;

Microsoft Azure ‘Route Based’ VPN to Cisco ASA

Policy Based

These came first, essentially they work like this, “If traffic is destined for remote network (x) then send the traffic ‘encrypted’ to local security gateway (y).”  Note: Where Local Security Gateway is a firewall at YOUR site, NOT in Azure! This is the way traditionally VPNs have been done in Cisco ASA, In Cisco Firewall speak it’s the same as “If traffic matches the interesting traffic ACL, then send the traffic ‘encrypted’ to the IP address specified in the crypto map”. 

Advantages:

  • Can be used on older Cisco Firewalls (ASA 5505, 5510, 5520, 5550, 5585).
  • Can be used on newer Cisco Firewalls (ASA 5506-x, 5508-X, 5512-x, 5515-x, 5516-x, 5525-X, 5545-X, 5555-x, 5585-X)
  • Can be used with Cisco ASA OS (pre 8.4) IKEv1 only,

Disadvantages

  • Can only be used for ONE connection from your Azure Subnet to your local subnet. Note: You could ‘hairpin’ multiple sites over this one tunnel, but that’s not ideal.

Route Based

These were typically used with routers, because routers use Virtual Tunnel Interfaces to terminate VPN tunnels, that way traffic can be routed down various different tunnels based on a destination, (which can be looked up in a routing table). But Cisco ASA now supports Virtual Tunnels Interfaces (After version 9.7(1))

Advantages

  • Can be used for VPNs to multiple sites.

Disadvantages

  • Requires Cisco ASA OS 9.7(1) So no ASA 5505, 5510, 5520, 5550, 5585 firewalls can use this.

Configure Azure for ‘Policy Based’ IPSec Site to Site VPN

You may already have Resource Groups and Virtual Networks setup, if so you can skip the first few steps.

Sign int0 Azure > All Services > Resource Groups > Create Resource Group > Give your Resource Group a name, and select a location > Create.

 

OK, if you’re used to networking this can be a little confusing, we are going to create a virtual network, and in it we are going to put a virtual subnet, (yes I know this is odd, bear with me!) It’s the ‘Subnet Name ‘and ‘address range‘ that things will actually connect to, (10.0.0.0/24).

All Services > Virtual Networks > Create Virtual Network > Give the Virtual Network a name, a subnet, select your resource group > Then create a Subnet, give it a name and a subnet > Create.

To further confuse all the network engineers, we now need to add another subnet, this one will be used by the ‘gateway’. If you are  a ‘networking type’ it’s part of the virtual network, but is more specific than the subnet you already created. 

With your virtual network selected >Subnets > +Gateway Subnet.

You can’t change the name, (you could before, then it wouldn’t work, which was strange, but I suppose it’s fixed now) >  put in another network that’s part of the Virtual-Network, but does not overlap with the subnet you created in the previous step > OK.

All Services > Virtual Network Gateways > Create Virtual Network Gateway > Name it > Policy Based (Note: This will change the SKU to Basic) > Create New Public IP > Give it a Name > Create.

Note: This will take a while, go and put the kettle on! Make sure all running tasks and deployments are complete before continuing.

You can do the next two steps together, but I prefer to do then separately, or it will error if the first one does not complete!

Now you need to create a Local Security Gateway. (To represent your Cisco ASA). All Services > Local Security Gateway > Create Local Security Gateway > Name it > Supply the public IP > Supply the Subnet(s) ‘behind’ the ASA > Select your Resource Group > Create.

Finally create the VPN > Select your Virtual Network Gateway > Connections > Add.

Give the tunnel a name > Site-to-Site IPSec > Select your Local Network Gateway (ASA) > Create a pre-shared-key (you will need this for the ASA config!) > Select your Resource Group > OK.

Configure the Cisco ASA for ‘Policy Based’ Azure VPN

I read somewhere that the ASA had to be at 9.1? That’s not true, I’ve done it with a firewall running 8.3, and I’ve read blog posts from people who have done this with a Cisco PIX (running version 6). But the firewall does have to support AES encryption (‘show version’ will tell you). There are some subtle differences in the code which I will point out below, but essentially you should be running an OS newer than 8.4 for this config to work. (As I’ve said I’ll address 8.4, and 8.3 (or earlier) below).

Connect to the ASA and create an object group for your local subnet, and the subnet that you are using in Azure, (Called Azure-SN above).

[box]

Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)# object-group network OBJ-AZURE-SN
Petes-ASA(config-network-object-group)# description Azure Subnet
Petes-ASA(config-network-object-group)# network-object 10.0.0.0 255.255.255.0
Petes-ASA(config-network-object-group)# exit
Petes-ASA(config)# object-group network OBJ-LOCAL-SN
Petes-ASA(config-network-object-group)# description Local Subnet
Petes-ASA(config-network-object-group)# network-object 192.168.100.0 255.255.255.0
Petes-ASA(config-network-object-group)# exit 

[/box]

Then create an access-list, this will alert the firewall that there is some ‘interesting traffic’ that needs to be encrypted (we will call this ACL later on, from the crypto-map). Then create a NAT rule that stops traffic that’s going over the VPN tunnel from being NATTED.

[box]

Petes-ASA(config)# access-list ACL-AZURE-VPN extended permit ip object-group OBJ-LOCAL-SN object-group OBJ-AZURE-SN
Petes-ASA(config)# nat (inside,outside) 1 source static OBJ-LOCAL-SN OBJ-LOCAL-SN destination static OBJ-AZURE-SN OBJ-AZURE-SN no-proxy-arp route-lookup

[/box]

Our VPN is going to use a pre-shared-key, (you created in Azure above). It will use AES-256 for encryption, SHA for hashing, and Diffie Hellman version 2 for key exchange. So we need to have a matching ‘phase 1’ (that’s ISAKMP) policy.

[box]

Petes-ASA(config)# crypto ikev1 policy 5
Petes-ASA(config-ikev1-policy)# authentication pre-share
Petes-ASA(config-ikev1-policy)# encryption aes-256
Petes-ASA(config-ikev1-policy)# hash sha
Petes-ASA(config-ikev1-policy)# group 2
Petes-ASA(config-ikev1-policy)# lifetime 28800
Petes-ASA(config-ikev1-policy)# exit

[/box]

Enable ISAKMP (version 1) on the outside interface, then configure the parameters that will be used in ‘phase 2’ (that’s IPSEC). Note: If your outside interface is called something else like Outside or WAN substitute that!

[box]

Petes-ASA(config)# crypto ikev1 enable outside 
Petes-ASA(config)# crypto ipsec ikev1 transform-set AZURE-TRANSFORM  esp-aes-256 esp-sha-hmac
Petes-ASA(config)# crypto ipsec security-association lifetime seconds 3600
Petes-ASA(config)# crypto ipsec security-association lifetime kilobytes 102400000

[/box]

Next, you need a tunnel-group, in this case the only job of the tunnel group has is to keep  the pre-shared-key (PSK) to the peer you specify. Which in this case is the Azure Gateway.

[box]

Petes-ASA(config)# tunnel-group 40.113.16.195 type ipsec-l2l
Petes-ASA(config)# tunnel-group 40.113.16.195 ipsec-attribute
Petes-ASA(config-tunnel-ipsec)#  ikev1 pre-shared-key supersecretpassword
Petes-ASA(config-tunnel-ipsec)# exit

[/box]

The thing that ties it all together is the crypto map. Here I’ve called it “AZURE-CRYPTO-MAP”, WARNING if you already have a crypto map, use the name of that one, or all your existing VPNS will stop working, (show run crypto will tell you). This is because, you can only have one crypto map applied to an interface, but you can have many crypto map numbers, i.e crypto map {NAME} {NUMBER} {COMMAND}. And each VPN tunnel has its own number.

[box]

Petes-ASA(config)# crypto map AZURE-CRYPTO-MAP 1 match address ACL-AZURE-VPN
Petes-ASA(config)# crypto map AZURE-CRYPTO-MAP 1 set peer 40.113.16.195
Petes-ASA(config)# crypto map AZURE-CRYPTO-MAP 1 set ikev1 transform-set AZURE-TRANSFORM
Petes-ASA(config)# crypto map AZURE-CRYPTO-MAP interface outside

[/box]

There are a couple of extra commands you will need, these are sysops commands. Their purpose set things globally, and are generally hidden from the config, (i.e ‘show run’ wont show them). These are recommendations from Azure. The first one drops the maximum segment size to 1350.The second command keeps the TCP session information even if the VPN tunnel drops.

[box]

Petes-ASA(config)# sysopt connection tcpmss 1350
Petes-ASA(config)# sysopt connection preserve-vpn-flows
Petes-ASA(config)# exit

[/box]

Testing Azure to Cisco ASA VPN

To test we usually use ‘ping’, the problem with that is, if you are using Windows Servers they will have their Windows firewall on by default, which blocks pings, (bear this in mind when testing). Also your ASA needs to be setup to allow pings, (try pinging 8.8.8.8 that usually responds), if yours doesn’t then configure your ASA to allow ping traffic.

As mentioned above, you might want to turn the firewalls off to test.

On the Cisco ASA you can see the tunnel is established at Phase 1 (ISAKMP)

[box]

Petes-ASA# show cry isa               

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 40.113.16.195
    Type    : L2L             Role    : initiator 
    Rekey   : no              State   : MM_ACTIVE 

[/box]

If yours says something else, (or nothing at all) then phase 1 has not established. You need to Troubleshoot phase 1 of the VPN tunnel. (Probably: Public IP is wrong, or pre-shared-key (shared secret) has been mistyped, check these first).

Assuming that’s working, your next test is to make sure that Phase 2 has established. You should see packets encrypting and decrypting.

[box]

Petes-ASA(config)# show cry ipsec sa
interface: outside
    Crypto map tag: AZURE-CRYPTO-MAP, seq num: 1, local addr: 128.65.98.43

      access-list ACL-AZURE-VPN extended permit ip 192.168.100.0 255.255.255.0 10.0.0.0 255.255.255.0 
      local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
      current_peer: 40.113.16.195


      #pkts encaps: 2, #pkts encrypt: 2, #pkts digest: 2
      #pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 2, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 128.65.98.43/0, remote crypto endpt.: 40.113.16.195/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 97624DA8
      current inbound spi : D7705547
              
    inbound esp sas:
      spi: 0xD7705547 (3614463303)
         transform: esp-aes-256 esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 335872, crypto-map: AZURE-CRYPTO-MAP
         sa timing: remaining key lifetime (kB/sec): (97199999/3556)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x0000000F
    outbound esp sas:
      spi: 0x97624DA8 (2539802024)
         transform: esp-aes-256 esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 335872, crypto-map: AZURE-CRYPTO-MAP
         sa timing: remaining key lifetime (kB/sec): (97199999/3556)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x00000001

Petes-ASA(config)# 

[/box] If phase 2 did not connect, then you need to troubleshoot phase 2 of the VPN tunnel. (Probably: Transform set is wrong, or routing being the ASA is not working).

Azure to Cisco VPN ‘Policy Based’ IKEv1 Complete Code Snippets to Copy and Paste

(Change the values highlighted in red) WARNING: re-read the warning about crypto map names above! [box]

VERSION 8.4 AND NEWER
!
object-group network OBJ-AZURE-SN
 description Azure Subnet
 network-object 10.0.0.0 255.255.255.0
exit
 object-group network OBJ-LOCAL-SN
 description Local Subnet
 network-object 192.168.100.0 255.255.255.0
exit 
!
access-list ACL-AZURE-VPN extended permit ip object-group OBJ-LOCAL-SN object-group OBJ-AZURE-SN
!
nat (inside,outside) 1 source static OBJ-LOCAL-SN OBJ-LOCAL-SN destination static OBJ-AZURE-SN OBJ-AZURE-SN
!
crypto ikev1 policy 5
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800
!
crypto ikev1 enable outside   
!
crypto ipsec ikev1 transform-set AZURE-TRANSFORM esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 102400000
!
tunnel-group 40.113.16.195 type ipsec-l2l
tunnel-group 40.113.16.195 ipsec-attribute
 ikev1 pre-shared-key 1234567890asdfg
!
crypto map AZURE-CRYPTO-MAP 1 match address ACL-AZURE-VPN
crypto map AZURE-CRYPTO-MAP 1 set peer 40.113.16.195
crypto map AZURE-CRYPTO-MAP 1 set ikev1 transform-set AZURE-TRANSFORM
!
crypto map AZURE-CRYPTO-MAP interface outside
!
sysopt connection tcpmss 1350
!
sysopt connection preserve-vpn-flows


VERSION 8.4 (BEFORE IKEv2 WAS INTRODUCED)

!
object-group network OBJ-AZURE-SN
 description Azure Subnet
 network-object 10.0.0.0 255.255.255.0
exit
 object-group network OBJ-LOCAL-SN
 description Local Subnet
 network-object 192.168.100.0 255.255.255.0
exit 
!
access-list ACL-AZURE-VPN extended permit ip object-group OBJ-LOCAL-SN object-group OBJ-AZURE-SN
!
nat (inside,outside) 1 source static OBJ-LOCAL-SN OBJ-LOCAL-SN destination static OBJ-AZURE-SN OBJ-AZURE-SN
!
crypto isakmp policy 5
authentication pre-share 
encryption aes-256 
hash sha 
group 2 
lifetime 28800
!
crypto isakmp enable outside 
!
crypto ipsec transform-set AZURE-TRANSFORM esp-aes-256 esp-sha-hmac 
crypto ipsec security-association lifetime seconds 3600 
crypto ipsec security-association lifetime kilobytes 102400000
!
tunnel-group 40.113.16.195 type ipsec-l2l 
tunnel-group 40.113.16.195 ipsec-attribute 
pre-shared-key 1234567890asdfg
!
crypto map AZURE-CRYPTO-MAP 1 match address ACL-AZURE-VPN 
crypto map AZURE-CRYPTO-MAP 1 set peer 40.113.16.195 
crypto map AZURE-CRYPTO-MAP 1 set ikev1 transform-set AZURE-TRANSFORM !
crypto map AZURE-CRYPTO-MAP interface outside 
!
sysopt connection tcpmss 1350
!
sysopt connection preserve-vpn-flows


OLDER THAN VERSION 8.3 (BEFORE NAT SYNTAX CHANGED)

!
name 10.0.0.0 OBJ-AZURE-SN
name 192.168.100.0 OBJ-LOCAL-SN
!
access-list ACL-AZURE-VPN extended permit ip OBJ-LOCAL-SN 255.255.255.0 OBJ-AZURE-SN 255.255.0.0 
!
access-list NO-NAT-TRAFFIC extended permit ip OBJ-LOCAL-SN 255.255.255.0 OBJ-AZURE-SN 255.255.0.0 
nat (inside) 0 access-list NO-NAT-TRAFFIC
!
crypto isakmp policy 5
authentication pre-share 
encryption aes-256 
hash sha 
group 2 
lifetime 28800 
!
crypto isakmp enable outside 
!
crypto ipsec transform-set AZURE-TRANSFORM esp-aes-256 esp-sha-hmac 
crypto ipsec security-association lifetime seconds 3600 
crypto ipsec security-association lifetime kilobytes 102400000 
!
tunnel-group 40.113.16.195 type ipsec-l2l 
tunnel-group 40.113.16.195 ipsec-attribute 
pre-shared-key 1234567890asdfg
!
crypto map AZURE-CRYPTO-MAP 1 match address ACL-AZURE-VPN 
crypto map AZURE-CRYPTO-MAP 1 set peer 40.113.16.195 
crypto map AZURE-CRYPTO-MAP 1 set transform-set AZURE-TRANSFORM 
!
crypto map AZURE-CRYPTO-MAP interface outside 
!
sysopt connection tcpmss 1350
!
sysopt connection preserve-vpn-flows

[/box]

Related Articles, References, Credits, or External Links

Microsoft Azure To Cisco ISR Router Site to Site VPN

Azure to Cisco VPN – ‘Failed to allocate PSH from platform’

Factory Reset a Cisco Firewall

KB ID 0000007 

Problem

You want to wipe the firewall’s config and revert to the factory settings (passwords blank – management or inside set to 192.168.1.1 and DHCP enabled, with all other settings wiped).

Solution

1. Connect to the ASA via the console Cable. CLICK HERE

2. log in and go to configure terminal mode.

3. Execute the following command “config factory-default

4. Press the space bar a few times to execute the commands.

5. When you get back to command prompt Execute the following command “reload save-config noconfirm” (Or on a Cisco PIX, write mem {enter} > reload {enter}{enter}).

6. The Firewall will reboot, (set to factory settings).

Procedure carried out on a Cisco ASA 5508-X (Running version 9)

 

Procedure carried out on a Cisco PIX 515E (Running version 8)

Note: Now the management interface, (if you have one) will be set to lease DHCP addresses. If you don’t have a management interface, (i.e. you have an  ASA 5505, or an older PIX,) then the inside interface will lease DHP addresses instead. The outside interface will be set to obtain its IP address via DHCP.

Related Articles, References, Credits, or External Links

Cisco ASA – Password Recovery / Reset

Cisco PIX (500 Series) Recovery

Cannot Access / Open ASDM

KB ID 0000458

Problem

Out of the box Cisco PIX/ASA devices should have a working ASDM. This config can get broken over time, and also there are a few things that can trip you up on your client machine.

Solution

Make sure the client machine you are using is not the problem

1. The ASDM runs using Java make sure the machine has Java installed.

Note: If you are using Java version 7 Update 51 see the following article.

Unable to Access ASDM – “Unable to launch device manager from…”

2. Make sure the internet browser you are using is supported:

Operating System
Browser
 
Java SE Plug-in1
Internet Explorer
Firefox2
Safari
Chrome

Microsoft Windows

10
8(8.1)
7
Server 2012 R2
Server 2012
2008 Server
XP

Yes

Yes

No support

Yes

8.0

Apple Macintosh OS X:

10.6
10.5
10.4

No support

Yes

Yes

Yes (64 bit only)

8.0

Ubuntu Linux 14.04
Debian Linux 7

N/A

Yes

N/A

Yes

8.0 (Oracle only)

Note: Support for Java 5.0 was removed in ASDM 6.4. Obtain Sun Java updates from java.sun.com.

Note: ASDM requires an SSL connection from the browser to the ASA. By default, Firefox does not support base encryption (DES) for SSL and therefore requires the ASA to have a strong encryption (3DES/AES) license. As a workaround, you can enable the security.ssl3.dhe_dss_des_sha setting in Firefox. See http://kb.mozillazine.org/About:config to learn how to change hidden configuration preferences.

3. Make sure you are NOT trying to access the ASDM through a proxy server, this is a common “gotcha”!

4. Can another machine access the ASDM?

5. If the ASDM opens but does not display correctly, then do the following, File > Clear ASDM Cache > File > Clear Internal Log Buffer > File > Refresh ASDM with the running Configuration on the Device.

Make sure the ASA is configured correctly, and your PC is “allowed” access

1. Connect to the firewall using either SSH, Telnet, or via the Console Cable.

2. Log into the firewall, go to enable mode > Enter the enable password

[box]

Type help or '?' for a list of available commands.
PetesASA> enable
Password: ********
PetesASA#

[/box]

3. The ASDM is enabled with the command “http server enabled”, to make sure that’s there issue a “show run http” command”

[box]

PetesASA# show run http
http server enable
http 10.254.254.0 255.255.255.0 inside
http 123.123.123.123 255.255.255.255 outside

[/box]

Note: if the command is NOT there, you need to issue the following three commands:

[box]

PetesASA# configure terminal
PetesASA(config)# http server enable
PetesASA(config)# write mem
Building configuration...
Cryptochecksum: 9c4700fe 475d22c4 13442d06 b0317c69

9878 bytes copied in 1.550 secs (9878 bytes/sec)
[OK]
PetesASA(config)# 

[/box]

Note: If you see a number after the command e.g. “http server enable 2456” then you need to access the ASDM on that port, like so {IP address/Name of ASA}:2456 (This is common if you’re port forwarding https but you still want to access the ASDM externally).

4. Assuming that the ASDM has been enabled, the IP address you are accessing from (or the subnet you are on) also needs to be allowed access. You will notice in step 3 above that when you issue the show run http command, it also shows you the addresses that are allowed access, if yours is NOT listed you can add it as follows:

[box]

PetesASA# configure terminal
PetesASA(config)# http 10.254.254.5 255.255.255.255 inside
PetesASA(config)# http 10.254.254.0 255.255.255.0 inside
PetesASA(config)# http 123.123.123.123 255.255.255.255 outside
PetesASA(config)# write mem
Building configuration...

Cryptochecksum: 9c4700fe 475d22c4 13442d06 b0317c89 9878 bytes copied in 1.550 secs (9878 bytes/sec)
[OK]
PetesASA(config)#

[/box]

5. At this point try and access the ASDM again.

6. The ASA needs to be told what file to use for the ASDM, to make sure its been told issue the following command, (If there is NOT one specified then skip forward to step 7 to see if there is an ASDM image on the firewal)l.

[box]

PetesASA# show run asdm
asdm image disk0:/asdm-739.bin

Note: on a Cisco PIX the results will look like..

PetesPIX# show run asdm
asdm image flash:/asdm-501.bin

[/box]

7. Write down the file that it has been told to use (in the example above asdm-632.bin). Then make sure that file is actually in the firewalls memory with a “show flash” command.

[box]

PetesASA# show flash
--#-- --length-- -----date/time------ path
142 15943680 May 08 2010 18:10:42 asa831-k8.bin
144 14240396 May 08 2010 18:11:50 asdm-739.bin
3 2048 Jul 21 2009 12:04:26 log
6 2048 Apr 28 2010 15:08:32 crypto_archive
163 393828 Feb 14 2010 12:23:28 crypto_archive/crypto_arch_1.bin
164 393828 Apr 28 2010 15:08:32 crypto_archive/crypto_arch_2.bin
147 9526560 Jul 21 2009 12:04:52 csd_3.4.1108.pkg
148 2048 Jul 21 2009 12:04:54 sdesktop
150 2648712 Jul 21 2009 12:04:54 anyconnect-win-2.3.0254-k9.pkg


127135744 bytes total (29583360 bytes free)

[/box]

Note: If the file you are looking for is NOT there then (providing you have a valid support agreement with Cisco) download an ASDM image and load it into the firewall see here for instructions.

Note: If the file is in the flash memory but was not referenced in step 6 then you can add the reference with the following command (obviously change the filename to match the one that’s listed in your flash memory).

[box]

PetesASA# configure terminal
PetesASA(config)# asdm image disk0:/asdm-631.bin
PetesASA(config)# write mem
Building configuration...
Cryptochecksum: 9c4700fe 475d22c4 13442d06 b0317c89

9878 bytes copied in 1.550 secs (9878 bytes/sec)
[OK]
PetesASA(config)#

[/box]

 

Related Articles, References, Credits, or External Links

Connecting to and Managing Cisco Firewalls

Cisco Allowing Remote Management

Cisco ASA5500 Update System and ASDM (From ASDM)

Cisco Firewalls and PING

KB ID 0000351

Problem

With regards to Ping, out of the box a Cisco firewall will allow you to ping the interface you are connected to, so in a normal setup inside clients can ping the inside interface, and the firewalls outside interface can be pinged from outside.

OK – to understand pinging through a Cisco Firewall you need to understand that Ping is part of the ICMP protocol suite, and unlike other protocols is not “connection orientated” what that means is, (on a new firewall that has no rules applied outbound) the firewall happily lets ping traffic out but it won’t let ping traffic back in – this results in a failure on the client.

Also See:

Cisco ASA 5500 Allowing Tracert

Solution

Cisco ASA and Cisco PIX (version 7 and above) From CLI

Version 7 introduced an ICMP inspection engine so that it could track ICMP requests like other protocols. It’s NOT turned on by default. And the command is “inspect icmp” but you need to enter the default map first (this assumes you have the standard policy-map). Connect to the firewall and use the following commands from config terminal mode. then save the changes with a “write mem” command.

[box]

PetesASA>
PetesASA> enable
Password:********
PetesASA# conf t
PetesASA(config)# policy-map global_policy
PetesASA(config)# (config-pmap)#class inspection_default
PetesASA(config)#inspect icmp
PetesASA(config)# write mem
Building configuration...
Cryptochecksum: 5c8dfc45 ee6496db 8731d2d5 fa945425 
8695 bytes copied in 3.670 secs (2898 bytes/sec)
 [OK] 
PetesASA(config)#

[/box]

Cisco ASA and Cisco PIX (version 7 and above) From ASDM

Connect to the ASDM > Configuration > Firewall > Service Policy Rules > Select “inspection_default” > Edit > Rule Actions > Tick ICMP > OK > Apply > File > Save running configuration to flash.

Cisco PIX (version 6 and below) From CLI

Older firewalls do not have an inspection map, nor was there a “fixup” for ICMP and ping traffic, so you need to explicitly allow the return icmp traffic back in. Note: this assumes you already have an inbound access-list called “inbound”, and we are adding some more lines to it, change the works inbound to match the name/number of your inbound access list (the “show access-group” will tell you what is applied to the outside interface),

e.g.

[box]

PetesASA>
PetesASA> enable
Password: ********
PetesASA# show access-group
access-group inbound in interface outside <<This ones called inbound.

[/box]

If you already have an access-list applied then simply substitute the name word “inbound” for the name on your ACL.

[box]

PetesASA# conf t
PetesASA(config)# access-list inbound permit icmp any any echo-reply 
PetesASA(config)# access-list inbound permit icmp any any time-exceeded 
PetesASA(config)# access-list inbound permit icmp any any unreachable
PetesASA(config)# access-list inbound permit icmp any any source-quench

[/box]

If you HAD an inbound ACL skip this step, If you didn’t have one you need to apply the ACL with an access-group command.

[box]

PetesASA(config)# access-group inbound in interface outside

[/box]

Lastly save your work with a write mem command.

[box]

PetesASA# write mem
Building configuration...
Cryptochecksum: 4d7f7ccd 5c55a9e1 6ced12c4 46728bc7
[OK]
PetesASA#

[/box]

Cisco PIX (version 6 and below) From PDM

Connect to the PDM > Configuration > Access Rules > Rules > Add > Permit > Outside Inside > Tick ICMP > Select “echo-reply”> OK > Apply > File > Save running configuration to flash.

Then repeat for time-exceeded, unreachable and source-quench

Stop Interfaces replying to Ping traffic

As stated above all firewall interfaces will respond to pings if they are on the network you are connected to. To stop this you use the “icmp” command.

[box]

Syntax
icmp {permit or deny} {any or IP and subnet}{type of icmp traffic}{interface name}

Example
icmp deny any echo outside

[/box]

Do the same from ASDM

Connect to the ASDM > Configuration > Device Management > Management Access > ICMP > Add > Select ICMP type > Interface > Action > OK > Apply > File > Save running configuration to flash.

Do the same from PDM

Connect to the PDM > Configuration > system Properties > Administration > ICMP > Add > > Specify the Type, Interface, Source etc > OK > Apply > File > Save running configuration to flash.

If you are still having problems, see the following article;

Cisco ASA – I Cannot Ping External Addresses? (Troubleshooting ICMP)

Related Articles, References, Credits, or External Links

NA

Ubuntu – Managing Cisco Devices via Serial / Rollover Cable

KB ID 0000400 

Problem

A while back I ran though “Managing Cisco ASA devices via the ASDM with Ubuntu“, I prefer to work at command line, with a new firewall my only choice is via the console port, In a windows environment I can fire up Hyperterminal and I’m away. With Linux there a couple of things to do first.

Solution

Step 1 (Get the Serial / RS232 / COM Port working)

As pictured above, this is being done on my Acer Netbook so I don’t have a serial port. I need to use a USB to Serial converter, If your machine has a serial port then simply skip this section.

1. Plug in your serial converter and wait a few seconds, open a terminal window (Applications > Accessories > Terminal) and issue the following command,

[box]dmesg[/box]

2. Amazingly it looks like been installed with the correct driver, without any effort by me at all! Lets make sure, unplug the USB to serial converter then issue the following command,

[box]lusb[/box]

Then plug the device back in and run the same command, notice the serial port has popped onto the list.

Note: If you not as lucky as me follow the excellent advice here to install the drivers you need.

Step 2 Install and Configure Minicom

1. Open a terminal window and issue the following command,

[box]sudo apt-get install minicom[/box]

Tap in your password, then enter “Y” for yes when prompted.

4. We need to know the connection name for the USB to Serial converter, issue the following command (See mines called ttyUSB0).

[box]dmesg | grep tty[/box]

5. Now lets fire up Minicom with the following command,

[box]sudo minicom[/box]

Tap in your password again, then as requested press CTRL+A, then Z.

6. To configure the serial settings press O (that’s O for Oscar not zero).

7. Select “Serial Port Setup”.

8. Press A to set the device.

9. As we discovered (above) ours is called ttyUSB0, so change the device to /dev/ttyUSB0.

10. Press C to change the connection speed to 9600 baud, Press Q (to set 8 bits, no stop bit, and 1 parity bit. On mine this was set by default), press {enter} to exit.

11. Press F to turn off hardware flow control (Some posts will say leave it on, I generally turn if off and I’ve never seen anything break!). Press G to disable software flow control (if enabled).

12. Then Select “Save setup as..”, and give is a sensible name. (If you went back too far simply press O again to get back here).

13. Now the settings are saved you can launch them at anytime with,

[box]sudo minicom {filename}[/box]

Note: Sometimes your serial drive gets locked up but a reboot will solve the problem.

14. Here’s me connected to an ancient old catalyst switch.

15. And the baby PIX on my test network.

Note: If your keystrokes are not getting sent: From the main menu (CTRL+A then Z) Press E to turn on local echo.

 

Related Articles, References, Credits, or External Links

NA

AnyConnect Error: ‘The AnyConnect package on the secure gateway could not be located’

KB ID 0000406 

Problem

While attempting to connect to a Cisco firewall with a Linux client (In my case Ubuntu 10.10,) using AnyConnect you see the following error.

Or on MAC OSX

Error:
Cisco AnyConnect VPN Client
The AnyConnect package on the secure gateway could not be located. You may be experiencing network connectivity issues. Please try connecting again.

Note: You may also see this error on a Mac OSX, or a Windows CE machine.

Solution

Package location (ASDM version 6.2)

Package location (ASDM version 7.1)

Related Articles, References, Credits, or External Links

NA

Windows Server 2008 R2 – Configure RADIUS for Cisco ASA 5500 Authentication

KB ID 0000688

Problem

Last week I was configuring some 2008 R2 RADIUS authentication, for authenticating remote VPN clients to a Cisco ASA Firewall.

I will say that Kerberos Authentication is a LOT easier to configure, so you might want to check that first.

Solution

Step 1 Configure the ASA for AAA RADIUS Authentication

1. Connect to your ASDM, > Configuration > Remote Access VPN. > AAA Local Users > AAA Server Groups.

2. In the Server group section > Add.

3. Give the group a name and accept the defaults > OK.

4. Now (with the group selected) > In the bottom (Server) section > Add.

5. Specify the IP address, and a shared secret that the ASA will use with the 2008 R2 Server performing RADIUS > OK.

6. Apply.

Configure AAA RADIUS from command line;

[box]

aaa-server PNL-RADIUS protocol radius
aaa-server PNL-RADIUS (inside) host 172.16.254.223
  key 123456
  radius-common-pw 123456
  exit

[/box]

Step 2 Configure Windows 2012 Server to allow RADIUS

7. On the Windows 2008 Server > Launch Server Manager > Roles > Add Role.

8. If you get a welcome page > Next > Select Network Policy and Access Server > Next >Next.

9. Select ‘Network Policy Server’ > Next > Install.

10. Close, when complete.

11. Whilst still in Server Manager > Network Policy and Access Server > NPS (Local).

12. Register Server in Active Directory >OK > OK.

13. Expand RADIUS Clients and Servers > Right click RADIUS Clients > New.

14. Give the firewall a friendly name, (take note of what this is, you will need it again) > Specify its IP > Enter the shared secret you setup above (number 5) > OK.

15. Expand policies > right click ‘Connection Request Policies’ > New > Give the policy a name > Next.

16. Add a condition > Set the condition to ‘Client Friendly Name’ > Add.

17. Specify the name you set up above (number 14) > OK > Next > Next > Next.

18. Change the attribute to User-Name > Next > Finish.

19. Now right click ‘Network Policies’ > New > Give the policy a name> Next.

20. Add a condition > User Groups > Add.

21. Add in the AD security group you want to allow access to > OK > Next > Next.

22. Select ‘Unencrypted Authentication PAP SPAP” > Next > No > Next > Next > Finish.

Step 3 Test RADIUS Authentication

23. Back at the ASDM, in the same page you were in previously, select your server and then click ‘Test’.

24. Change the selection to Authentication > Enter your domain credentials > OK.

25. You are looking for a successful outcome.

Note: if it fails check there is physical connectivity between the two devices, the shared secrets match. Also ensure UDP ports 1645 and 1646 are not being blocked.

To Test AAA RADIUS Authentication from Command Line

[box]

test aaa-server authentication PNL-RADIUS host 172.16.254.223 username petelong password password123

[/box]

26. Finally, save the firewall changes > File > Save running configuration to flash.

Related Articles, References, Credits, or External Links

Windows Server 2003 – Configure RADIUS for Cisco ASA 5500 Authentication

Windows Server 2012 – Configure RADIUS for Cisco ASA 5500 Authentication

Mail Routing Issue ‘451 5.7.3 Cannot achieve Exchange Server authentication’

KB ID 0000791

Problem

While putting in a New Exchange 2010 server today, I test moved a mailbox to this new site, and could not get mail to flow to the Exchange 2010 server at the clients main site.

451 4.4.0 Primary target IP address responded with: “451 5.7.3 Cannot achieve Exchange Server authentication.” Attempted failover to alternate host , but that did not succeed. Either there are no alternative hosts, or delivery failed to all alternative hosts.

Mail flowed from the main site to this new site, and internal mail at the new site was fine, but any mail destined for the main site, or going external (because the main site has the only server that can use the Exchange organization send connector) would fail with this error.

Solution

I did a lot of trawling to try and find the answer to this, and discovered lots of reasons for this to happen, so rather than just posting what fixed mine, from the most popular to the most obscure try these in order, and attempt to send mail after each step.

Note: Any change on an Exchange Server’s Receive Connectors should be followed by you restarting the Microsoft Exchange Transport Service (on the server you made the change on) before you try again.

1. On the server you are trying to send TO, check the properties of the Default receive connector and ensure ‘Exchange Server authentication’ is selected.

2. On the server you are trying to send TO, If you have a connector configured to ‘relay’ mail, make sure that the server(s) or network specified DOES NOT include the IP address of the server you cannot send FROM. Also Make sure on the authentication tab ‘Exchange Server authentication’ is NOT selected.

3. If you have Cisco PIX Firewalls between these two mail servers (running version 6 or earlier) make sure smtp fixup is disabled.

[box]

Petes-PIX>
Petes-PIX> enable
Password: *******
Petes-PIX# configure terminal
Petes-PIX(config)# no fixup protocol smtp 25
Petes-PIX(config)# write mem

Building configuration...
Cryptochecksum: f59a9bd3 3129b8bc 474b2415 52f2db0f

1049 bytes copied in 0.430 secs
[OK]

[/box]

4. If you have Cisco ASA Firewalls between these two mail servers, then remove esmtp from the default inspection map.

Cisco ASA Disable ESMTP Inspection

At this point I admitted defeat and picked up the phone and called Microsoft. One of their support engineers looked at the connectors and settings, and tested the DNS, had me create a new connector, still mail refused to flow. He did however get me pointed in the right direction. When attempting to Telnet to the Exchange server on the main site this is what we saw;

This is what we should be seeing;

Eureka!

I put all the firewalls in, so I know how they are configured, and I know this client has a CSC module in the ASA 5510 at the mail site, I managed to get the output above by rebooting that module, as soon as it was back online we reverted to the short list again. Also while the CSC was rebooting all the mails stuck on the outbound queue cleared.

Enabling CSC Bypass for a Remote Mail Server

Note: Your class-maps, and access-lists may have different names but this should point you in the right direction.

1. Connect to the ASA, view the policy-maps in use.

[box]

Petes-ASA# show run policy-map
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect pptp
inspect ip-options
class global-class <<<<< Here we go
csc fail-open <<<< This is the one we are looking for
!
Petes-ASA#

[/box]

2. We can see the class-map the CSC is using is called ‘global-class’, let’s take look at that.

[box]

Petes-ASA# show run class-map global-class
!
class-map global-class
match access-list global_mpc <<<< Here's how its being applied
!

[/box]

3. Now we know that’s being applied with an access-list called global_mpc, let’s see what that’s doing.

[box]

Petes-ASA# show run access-list global_mpc
access-list global_mpc extended deny ip host 10.1.0.253 any
access-list global_mpc extended permit tcp any any object-group DM_INLINE_TCP_1
Petes-ASA#

[/box]

Note: Remember permit means inspect and deny means don’t inspect, you can see mine’s set not to scan the CSC update traffic because that’s good practice;

Cisco CSC Module – Stop it scanning its own update traffic

4. So I just need to add in the IP of the Exchange server I cannot send from to make its traffic bypass the CSC Module. Remember to put it at the top so it gets processed before the permit or it will get ignored.

[box]

Petes-ASA# configure terminal
Petes-ASA(config)# access-list global_mpc line 1 extended deny ip host 10.3.0.2 any

[/box]

5. Finally save the changes.

[box]

Petes-ASA(config)# write memory
Building configuration...
Cryptochecksum: aab5e5a2 c707770d f7350728 d9ac34de
[OK]
Petes-ASA(config)#

[/box]

 

Related Articles, References, Credits, or External Links

Thanks to Jeebu Mathew at Microsoft for his assistance, and pointing me in the right direction.

PIX 506E and 501 Firewall Image and PDM Upgrade

KB ID 0000065 

Problem

Note: PIX 515E and above, can still be upgraded to version 8.0(4) click here for details

Some people will wonder why I’m bothering to write this up, but the truth is, there are LOADS of older PIX firewalls out there in the wild, and all the PIX 501’s and 506E’s that are being retired from corporate use are being bought on ebay, or being put on IT departments test benches. This page deals with PIX version 6 if you are upgrading to version 7 or above,then you need to be on a PIX 515E (or a 525/535) and DO NOT follow these instructions, CLICK HERE. The “Smaller” PIX firewalls (501 and 506E) can only be upgraded to version 6.3(5) and the PDM can only be upgraded to 3.0(4).

Pre-Requisites

1. Before you do anything you will need a TFTP server and have it set up accordingly, for instructions CLICK HERE.

2. I suggest you backup your firewall configuration also, for instructions CLICK HERE.

3. You need to be able to get the Image and PDM versions from Cisco, you will need a valid support contract to be eligible for updates.

4. You will need a CCO Login to the Cisco Site (this is free to set up.

Solution

1. First things first; lets download the software you need CLICK HERE

2. Log in with your CCO username and password

Remember a CCO login is free of charge and simple to set up but to download software you need a valid Cisco contract or SmartNet.

3. For this example I’m upgrading a PIX 501 so I’m going to need a system image and a PDM file.

4. Download the files above and put then in your TFTP server root directory, then start your TFTP Server.

5. Log into your PIX firewall via the console cable, Telnet, or SSH, then enter enable mode, supply the firewall with the enable password. [box]

User Access Verification

Password:
Type help or '?' for a list of available commands.

Pix> enable

Password: ********

Pix#

[/box]

6. Now you need to copy in the new system file you do this with a “Copy tftp flash” command NOTE you can use copy tftp flash:image but it defaults to that anyway 🙂

[box]Pix# copy tftp flash[/box]

7. You will need to give it the IP address of your TFTP server and the name of the image file to copy over.

[box]

Address or name of remote host [0.0.0.0]? 10.254.254.51
Source file name [cdisk]? pix635.bin
copying tftp://10.254.254.51/pix635.bin to flash:image

[/box]

8. You will be asked to confirm, do so by typing yes and pressing enter, the file will then upload and the old image file will be erased from the firewalls memory.

[box]

[yes|no|again]? yes
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!
Received 2101248 bytes
Erasing current image
Writing 1978424 bytes of image
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Image installed
Pix#

[/box]

9. The quickest way to load the new image into memory is to restart the firewall do this with a reload command, then press enter to confirm.

[box]

Pix# reload
Proceed with reload? [confirm]

[/box]

10 After the firewall has restarted log in, enter enable mode and issue a “show version” command, and you will see the new version displayed.

[box]

User Access Verification

Type help or '?' for a list of available commands. 
Pix> enable
Password: ******** 
Pix# show version

Cisco PIX Firewall Version 6.3(5) Cisco PIX Device Manager Version 3.0(2)

{{{rest of output omitted}}}}

[/box]

Upgrade Procedure Step 2 PDM Image

1. The procedure for upgrading the PDM is almost identical, again have the new PDM image on your TFTP server’s root directory, and the TFTP server running. Log into your PIX firewall via the console cable, Telnet or SSH, then enter enable mode, and then supply the firewall with the enable password.

[box]

User Access Verification
Password:
Type help or '?' for a list of available commands.
Pix> enable
Password: ********
Pix#

[/box]

2. This time the command is copy tftp flash:pdm

[box]Pix# copy tftp flash:pdm[/box]

3. You will need to give it the IP address of your TFTP server and the name of the file to copy over.

[box]

Address or name of remote host [0.0.0.0]? 10.254.254.51
Source file name [cdisk]? pdm-304.bin
copying tftp://10.254.254.51/pdm-304.bin to flash:pdm

[/box]

4. You will be asked to confirm, do so by typing yes and pressing enter, the file will then upload and the old pdm file will be erased from the firewalls memory.

[box]

[yes|no|again]? yes
Erasing current PDM file
Writing new PDM file
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
PDM file installed.
Pix#

[/box]

5. Unlike an Image file a PDM upgrade does not require a reboot you can check its worked straight away by issuing a show version command.

[box]

Pix# show version 
Cisco PIX Firewall Version 6.3(5) Cisco PIX Device Manager Version 3.0(4)

{{{rest of output omitted}}}}
[/box]

6. View of both files being copied out from your TFTP Server.

7. All done! – Time for a coffee – just make sure everything is up and working.

Related Articles, References, Credits, or External Links

NA