Dec 10

Upgrading a Cisco ASA5525-X

Recently I had the opportunity to set up two brand new Cisco ASA 5525-X firewalls. I have set up brand new ASA 5510s, 5520s, 5540s and even a pair of 5585-20s, but this was the first time I was able to work with the new 5500-X series.

As always, the first step after getting it out of the box and powered up is to upgrade the software it's running. Normally I have to configure a port with an IP, set an IP on my laptop in that subnet and then use TFTP. (Of course you need to download the correct version from www.cisco.com.)

Knowing that the USB port didn’t work on the 5500 series, I inserted a USB memory stick to find out that the USB port on this 5525-X doesn’t work.

I then connected my laptop to the Management port on the ASA. My laptop pulled a DHCP address from the ASA of 192.168.1.2. I was then able to easily issue the TFTP commands and transfer the IOS image without having to set a single IP address. Kudos to Cisco for this feature.

After transferring the software to the flash, I modified the boot statement. I don't like to remove the old IOS just in case the new file is corrupt or isn't found for some reason. I issued the following commands to change the boot order so that the new file is first.

The first command adds the new boot statement, the second line removes the old boot statement, and the third line adds the old boot statement back so it is in the correct order. Then save your configuration and reload.

ciscoasa(config)# boot system disk0:/asa912-smp-k8.bin
ciscoasa(config)# no boot system disk0:/asa861-2-smp-k8.bin
ciscoasa(config)# boot system disk0:/asa861-2-smp-k8.bin

ciscoasa# wr mem
Building configuration…
Cryptochecksum: 318f9d39 9785f6db 6c97e495 79369448
2851 bytes copied in 0.640 secs
[OK]
ciscoasa#

Cisco did a good job adding the DHCP feature on the management port to make the upgrade easy.

What other devices have you used that the vendor did a good job at making the software upgrade easy?

Please share your experiences with upgrading ASAs, good or bad.


Aug 22

Cisco ASA Firewall requiring a static nat statement when NAT-Control is off

In software version 8.2 and earlier, the Cisco ASA 5500 platform gave the user a choice to enable NAT-Control or not. When NAT-Control was enabled, every IP had to have a NAT statement to traverse the firewall, even if it was translated to itself. I found that even though NAT-Control was off, I still needed a static NAT statement for an individual subnet to work. Without the NAT statement, the traffic was blocked.

I found that I had a Global statement for this subnet so those devices could go to the internet and be translated to a single public IP. Those same devices were trying to access resources in a DMZ with a lower security level.

I found the following documentation from Cisco.com that explains why I needed the static NAT statement with NAT-Control shut off.

“When you specify a group of IP address(es) in a nat command, then you must perform NAT on that group of addresses when they access any lower or same security level interface; you must apply a global command with the same NAT ID on each interface, or use a static command. NAT is not required for that group when it accesses a higher security interface because to perform NAT from outside to inside you must create a separate nat command using the outside keyword. If you do apply outside NAT, then the NAT requirements preceding come into effect for that group of addresses when they access all higher security interfaces. Traffic identified by a static command is not affected.”

See the following commands for this example:
hostname(config)# nat (dmz) 1 10.1.1.0 255.255.255.0 outside
hostname(config)# nat (dmz) 1 10.1.1.0 255.255.255.0
hostname(config)# static (inside,dmz) 10.1.1.5 10.1.2.27 netmask 255.255.255.255
hostname(config)# global (outside) 1 172.16.1.3-172.16.1.4
hostname(config)# global (inside) 1 10.1.2.30-10.1.2.40

Just because NAT-Control is off, don’t assume you don’t need that static NAT statement!!!
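To make the quoted rule concrete, here is an added Python model (not from the post or from Cisco's documentation) that applies it to both the post's situation and Cisco's example; the security levels (inside 100, dmz 50, outside 0) and the inside subnet 10.1.2.0/24 are assumed values.

```python
# Added example (not from the post or Cisco's documentation): a model of the
# pre-8.3 ASA NAT rule quoted above, evaluated with NAT-Control off.
from ipaddress import ip_address, ip_network

# Assumed security levels, chosen to match the post (inside > dmz > outside).
LEVELS = {"inside": 100, "dmz": 50, "outside": 0}

def decide(src_ifc, src_ip, dst_ifc, nats, globals_, statics):
    """nats: (ifc, nat_id, network, has_outside_keyword); globals_: {(ifc, nat_id)};
    statics: (real_ifc, mapped_ifc, real_network). Returns a verdict string."""
    ip = ip_address(src_ip)
    # Traffic identified by a static command is not affected by the rule.
    for real_ifc, mapped_ifc, real_net in statics:
        if (real_ifc, mapped_ifc) == (src_ifc, dst_ifc) and ip in ip_network(real_net):
            return "static"
    to_higher = LEVELS[dst_ifc] > LEVELS[src_ifc]
    for ifc, nat_id, net, outside in nats:
        if ifc != src_ifc or ip not in ip_network(net):
            continue
        # A plain nat binds the group towards same/lower security interfaces,
        # the outside keyword towards higher ones; other directions are untouched.
        if outside != to_higher:
            continue
        # Bound group: a global with the same NAT ID must exist on the egress interface.
        return "dynamic" if (dst_ifc, nat_id) in globals_ else "blocked"
    return "untranslated"  # no nat matches and NAT-Control is off

# Constructed: the post's situation; the inside subnet is assumed to be 10.1.2.0/24.
POST_NATS = [("inside", 1, "10.1.2.0/24", False)]
POST_GLOBALS = {("outside", 1)}

def post_scenario(with_static):
    statics = [("inside", "dmz", "10.1.2.27/32")] if with_static else []
    d = lambda t: decide("inside", "10.1.2.27", t, POST_NATS, POST_GLOBALS, statics)
    return {"to_internet": d("outside"), "to_dmz": d("dmz")}

# Cisco's example from the quoted documentation, as data.
CISCO_NATS = [("dmz", 1, "10.1.1.0/24", True), ("dmz", 1, "10.1.1.0/24", False)]
CISCO_GLOBALS = {("outside", 1), ("inside", 1)}
CISCO_STATICS = [("inside", "dmz", "10.1.2.27/32")]

def cisco_scenario():
    d = lambda s, ip, t: decide(s, ip, t, CISCO_NATS, CISCO_GLOBALS, CISCO_STATICS)
    return {"dmz_to_outside": d("dmz", "10.1.1.7", "outside"),
            "dmz_to_inside": d("dmz", "10.1.1.7", "inside"),
            "inside_host_to_dmz": d("inside", "10.1.2.27", "dmz"),
            "other_inside_to_dmz": d("inside", "10.1.2.50", "dmz")}
```

The model only covers the NAT requirement, not access lists; in the post's case the inside-to-DMZ verdict flips from blocked to static once the static command is added, while inside-to-internet stays dynamic either way.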