Firmware upgrade
Copy (SCP) firmware
scp asa<VERSION>-<PATCH>-smp-k8.bin asa.domain.tld:disk0:/asa<VERSION>-<PATCH>-smp-k8.bin
On newer versions of scp the default protocol is SFTP!
Use the -O flag to switch back to the legacy SCP/RCP protocol if the ASA doesn't support SFTP.
Upgrade firmware
! Deactivate old boot image
no boot system disk0:/asa963-1-smp-k8.bin
! Add new image as primary boot with old as backup
boot system disk0:/asa964-3-smp-k8.bin
boot system disk0:/asa963-1-smp-k8.bin
! Save changes to config
write memory
! This will cause the standby firewall to reload
failover reload-standby
! After getting messages that standby has rebooted,
! verify that failover is ready
show failover
! This forces active firewall to become standby, and standby to active
no failover active
! reload new standby firewall after failing over
failover reload-standby
Cheat Sheet
Create full-backup of everything
This will create a full backup including all passwords, private and public keys and so on.
It can be used to spin up an exact copy on different hardware or in a lab.
backup /noconfirm passphrase sUp3rP4$$ location disk0:/backup_20241106
Enable/Disable log output in terminal
terminal monitor
! Stop log output
terminal no monitor
Disable pagination
terminal pager 0
NAT/PAT translation table
show xlate
clear xlate lport 500 type dynamic local 1.2.3.4
Show access-group
# sh run | incl access-gr
access-group inside_to_outside_dmz in interface inside
access-group stgoffice_to_inside_outside in interface stgoffice
access-group dmz_to_inside_outside in interface dmz
access-group guestwireless_to_inside_outside in interface guestwlan
access-group allowarius in interface outside-itenos
access-group outside_to_inside_dmz in interface outside-telekom
Show object (oneline)
# show running-config object in-line | incl 11.89
object network ADDR_STGMON001 host 192.168.11.89
Delete tunnel-group
No need to empty the tunnel group!
clear configure tunnel-group 1.2.3.4
Packet tracer
packet-tracer input <input interface name> <protocol> <source ip> <source port> <destination ip> <destination port> [detailed]
# packet-tracer input inside tcp 192.168.68.10 1234 8.8.8.8 80
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 62.x.y.1 using egress ifc outside-telekom
[...]
Accelerated security path (ASP) filter tables
This shows the detailed compiled filter list for an ACL (in/out)
# show asp table filter [access-list <acl-name>] [hits]
out id=0x7f6c84f1ccb0, priority=13, domain=filter-aaa, deny=false
hits=0, user_data=0x7f6c6fcd8840, filter_id=0xf(CARANOACL), protocol=6
src ip=192.168.160.0, mask=255.255.255.0, port=3389
dst ip=10.219.106.60, mask=255.255.255.255, port=0
out id=0x7f6c7df487e0, priority=13, domain=filter-aaa, deny=false
hits=0, user_data=0x7f6c6fcd86c0, filter_id=0xf(CARANOACL), protocol=6
src ip=10.219.106.60, mask=255.255.255.255, port=3389
dst ip=192.168.160.0, mask=255.255.255.0, port=0
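As an added example (not part of the cheat sheet), a small Python parser for the "show asp table filter" output above: it turns each compiled entry into a dict and lists the entries with hits=0, which is how you find vpn-filter or ACL lines that never match. The sample repeats the two entries from the page and adds a constructed third "in" entry with hits.

```python
import re
from typing import Dict, List

# Constructed sample in the layout of "show asp table filter": the first two
# entries repeat the page's output, the third ("in", hits=42) is made up.
SAMPLE = """\
out id=0x7f6c84f1ccb0, priority=13, domain=filter-aaa, deny=false
        hits=0, user_data=0x7f6c6fcd8840, filter_id=0xf(CARANOACL), protocol=6
        src ip=192.168.160.0, mask=255.255.255.0, port=3389
        dst ip=10.219.106.60, mask=255.255.255.255, port=0
out id=0x7f6c7df487e0, priority=13, domain=filter-aaa, deny=false
        hits=0, user_data=0x7f6c6fcd86c0, filter_id=0xf(CARANOACL), protocol=6
        src ip=10.219.106.60, mask=255.255.255.255, port=3389
        dst ip=192.168.160.0, mask=255.255.255.0, port=0
in  id=0x7f6c7df48aa0, priority=13, domain=filter-aaa, deny=true
        hits=42, user_data=0x7f6c6fcd8a00, filter_id=0xf(CARANOACL), protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0
"""

KV = re.compile(r"(\w+)=([^,]+)")  # key=value pairs separated by ", "

def parse_asp_filter(text: str) -> List[Dict[str, str]]:
    """Return one dict per compiled filter entry (the in/out line plus its
    indented hits/src/dst continuation lines)."""
    entries: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        first, _, rest = line.partition(" ")
        if first in ("in", "out"):          # a new entry starts here
            entries.append({"direction": first})
            line = rest.lstrip()
        elif first in ("src", "dst"):       # keep both 5-tuple halves apart
            entries[-1].update({f"{first}_{k}": v.strip()
                                for k, v in KV.findall(rest)})
            continue
        entries[-1].update({k: v.strip() for k, v in KV.findall(line)})
    return entries

def unused_entries(entries: List[Dict[str, str]], acl: str = "") -> List[Dict[str, str]]:
    """Entries with hits=0, optionally only those compiled from ACL `acl`."""
    return [e for e in entries
            if (not acl or f"({acl})" in e.get("filter_id", ""))
            and int(e.get("hits", "0")) == 0]
```

Feed it the pasted output of "show asp table filter access-list <acl-name> hits" and call unused_entries(entries, "<acl-name>") to get the never-hit lines.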
IPSec
IPSec Tunnel-Template
route outside-interface-name 192.168.160.0 255.255.255.0 <IP of outside-interface-name>
object network NET_FIRMNAME
subnet 192.168.0.0 255.255.255.0
object-group network GRP_FIRMNAME_REMOTE_ACCESS
network-object object NET_10.0.0.0_24
network-object object NET_DMZ
network-object object NET_Server
access-list DC_to_FIRMNAME_ENCDOM extended permit ip object-group GRP_FIRMNAME_REMOTE_ACCESS object NET_FIRMNAME
access-list FIRMANEACL extended permit icmp object NET_FIRMNAME object-group GRP_FIRMNAME_REMOTE_ACCESS
access-list FIRMANEACL extended permit tcp object NET_FIRMNAME object-group GRP_FIRMNAME_REMOTE_ACCESS EQ 3389
access-list FIRMANEACL extended permit tcp object NET_FIRMNAME object-group GRP_FIRMNAME_REMOTE_ACCESS EQ 22
access-list FIRMANEACL extended permit tcp object NET_FIRMNAME object-group GRP_FIRMNAME_REMOTE_ACCESS EQ 6556
nat (inside,outside-telekom) source static GRP_FIRMNAME_REMOTE_ACCESS GRP_FIRMNAME_REMOTE_ACCESS destination static NET_FIRMNAME NET_FIRMNAME no-proxy-arp route-lookup
nat (dmz,outside-telekom) source static GRP_FIRMNAME_REMOTE_ACCESS GRP_FIRMNAME_REMOTE_ACCESS destination static NET_FIRMNAME NET_FIRMNAME no-proxy-arp route-lookup
group-policy FIRMNAMEACCESSPOLICY internal
group-policy FIRMNAMEACCESSPOLICY attributes
vpn-filter value FIRMANEACL
vpn-tunnel-protocol ikev1 ikev2
tunnel-group 1.2.3.4 type ipsec-l2l
tunnel-group 1.2.3.4 general-attributes
default-group-policy FIRMNAMEACCESSPOLICY
tunnel-group 1.2.3.4 ipsec-attributes
ikev1 pre-shared-key <PSK>
ikev2 remote-authentication pre-shared-key <PSK>
ikev2 local-authentication pre-shared-key <PSK>
crypto map outside-telekom_map 40 match address DC_to_FIRMNAME_ENCDOM
crypto map outside-telekom_map 40 set peer 1.2.3.4
crypto map outside-telekom_map 40 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside-telekom_map 40 set ikev2 ipsec-proposal AES256
crypto map outside-telekom_map 40 set pfs group5
crypto map outside-telekom_map 40 set security-association lifetime kilobytes unlimited
IPSec debugging
Show established ISAKMP SAs:
show crypto isakmp sa
show isakmp sa
Show established IPsec SAs:
show crypto ipsec sa
show ipsec sa
show ipsec sa peer a.b.c.d
Enable and disable debug output (debug level 100):
debug crypto isakmp 100
debug crypto ipsec 100
no debug crypto isakmp
no debug crypto ipsec
Tear down tunnel
# show vpn-sessiondb l2l
Session Type: LAN-to-LAN
Connection : 100.11.12.13
Index : 7186 IP Addr : 100.11.12.13 <-- note index number
Protocol : IKEv1
Encryption : IKEv1: (1)AES256 Hashing : IKEv1: (1)SHA1
Bytes Tx : 0 Bytes Rx : 0
Login Time : 12:35:24 CEST Mon Apr 30 2018
Duration : 1h:39m:56s
# vpn-sessiondb logoff index 7186
Restart tunnel
clear ipsec sa peer 100.11.12.13
SSL-VPN / Anyconnect
SSL-VPN Client info
show vpn-sessiondb
show vpn-sessiondb anyconnect
show vpn-sessiondb full anyconnect
Certificate handling
Create BASE64 encoded certificate
echo "-----BEGIN PKCS12-----" > cert.pfx.base64;
base64 cert.pfx >> cert.pfx.base64;
echo "-----END PKCS12-----" >> cert.pfx.base64
Insert Cert into ASA
crypto ca import trustpoint-remote.domain.tld-2020 pkcs12 <password>
Enter the base 64 encoded pkcs12.
End with the word "quit" on a line by itself:
-----BEGIN PKCS12-----
MIIVmQIBAzCCFV8GCSqGSIb3DQEHAaCCFVAEghVMMIIVSDCCD/8GCSqGSIb3DQEHBqCCD/Awgg/s
AgEAMIIP5QYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQI72fdKN6IkNECAggAgIIPuMXN/b7v
<snip>
hTI1xlJM6sI+Axo3UwflV10Kc+KsGBfNjnlxQDElMCMGCSqGSIb3DQEJFTEWBBRrAoZRSm257M2O
mu49GEiimnYqAjAxMCEwCQYFKw4DAhoFAAQUOmTsXE2LkxjxBKjPHWA9mizi+XkECGu5W+dQgEbq
AgIIAA==
-----END PKCS12-----
quit
% The CA cert is not self-signed.
% Do you also want to create trustpoints for CAs higher in
% the hierarchy? [yes/no]: yes
INFO: Import PKCS12 operation completed successfully
Activate new trustpoint
ssl trust-point trustpoint-remote.domain.tld-2020 outside
SSL/TLS ciphers
# show ssl ciphers all
These are the ciphers for the given cipher level; not all ciphers
are supported by all versions of SSL/TLS.
These names can be used to create a custom cipher list
ECDHE-ECDSA-AES256-GCM-SHA384 (tlsv1.2)
ECDHE-RSA-AES256-GCM-SHA384 (tlsv1.2)
DHE-RSA-AES256-GCM-SHA384 (tlsv1.2)
[...]
ssl cipher default custom "AES128-SHA:AES256-SHA"
ssl cipher tlsv1 custom "AES128-SHA:AES256-SHA"
ssl cipher tlsv1.2 custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA"
ssl cipher dtlsv1 custom "AES128-SHA:AES256-SHA"
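An added Python audit (not from the cheat sheet) that reads the "ssl cipher" lines above and classifies each OpenSSL-style suite name by what it lacks: forward secrecy (no ECDHE/DHE), an AEAD mode (CBC instead of GCM/ChaCha20), or a SHA-1 MAC, plus a flag for DES/3DES/RC4/NULL. Run over the page's four lines every suite is flagged, which is the check worth doing before pasting a custom cipher list built from "show ssl ciphers all".

```python
import re
from typing import Dict, List

# Constructed input: the four "ssl cipher ... custom" lines from this page.
CONFIG = """\
ssl cipher default custom "AES128-SHA:AES256-SHA"
ssl cipher tlsv1 custom "AES128-SHA:AES256-SHA"
ssl cipher tlsv1.2 custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA"
ssl cipher dtlsv1 custom "AES128-SHA:AES256-SHA"
"""

LINE = re.compile(r'^ssl cipher (\S+) custom "([^"]*)"')
LEGACY = re.compile(r"(^|-)(DES|3DES|RC4|NULL)(-|$)")

def audit_suite(name: str) -> List[str]:
    """Weaknesses of one OpenSSL-style suite name; an empty list means
    forward secrecy plus an AEAD cipher."""
    issues = []
    if not name.startswith(("ECDHE-", "DHE-")):
        issues.append("no-forward-secrecy")      # static RSA key exchange
    if "-GCM-" not in name and "CHACHA20" not in name:
        issues.append("cbc-not-aead")            # CBC with HMAC
    if name.endswith("-SHA"):
        issues.append("sha1-mac")
    if LEGACY.search(name):
        issues.append("legacy-cipher")
    return issues

def audit_config(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Map each 'ssl cipher <version>' line to {suite: [issues]}."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            version, suites = m.groups()
            report[version] = {s: audit_suite(s) for s in suites.split(":") if s}
    return report

def clean_versions(report: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """Versions whose whole suite list passed without a finding."""
    return [v for v, suites in report.items() if not any(suites.values())]
```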