Differences

This shows you the differences between two versions of the page.

--- cisco:cisco_main [2022/11/25 15:12] – srohr
+++ cisco:cisco_main [2023/08/07 15:45] (current) – srohr
@@ Line 1: / Line 1: @@
+====== Cisco ======
+===== BOOTROM Update =====
+<code>
+Cisco ASA 5500-X ROMMON 1.1.18 Firmware Release Notes
+The ASA 5500-X ROMMON firmware is applicable to the following units:
+ASA 5506-X/ASA 5506H-X/ASA 5506W-X/ASA 5508-X/ASA 5516-X
+These are the changes based on the ASA 5500-X ROMMON firmware version 1.1.16 release: 1.1.18 Release
+- CSCvu12608: ASA5506/5508/5516 devices not booting up properly / Boot loop
+- CSCvv65674: ASA5506/5508/5516 ROMMON: ASAOS crashed when timebased key is added and reload
+Upgrade guide
+The link is the ROMMON upgrade guide:
+https://www.cisco.com/c/en/us/td/docs/security/asa/asa912/configuration/general/asa-912-general-config/admin-swconfig.html#task_90917D0EBAC2427487F6F51D21ABC235
+https://www.cisco.com/web/software/286287669/154313/Cisco-ASA-5500-release-notes-1-1-18.pdf
+Note:
+Running upgrade with firmware bundle asa5500-firmware-1118.SPA takes twice aslong comparing to the pre 1.1.15 firmware bundles.
+On average, the whole process will complete in about 15 minutes. Please do not power cyclethe unit during the upgrade.
+If the upgrade is not done within 30 minutes or fails, please contact your tech support and doNOT power cycle/reset the unit.
+ATTENTON: PLEASE VERIFY AFTER UPGRADE IS COMPLETED!!!
+To verify if your ROMMON upgrade is complete, boot into ROMMON prompt and type
+‘showmon -v’, make sure it shows running *** Golden FPGA, and Golden CPLD Ext Version : 0x00030000 (3.0.0). ROMMON version 1.1.18.***
+Below is the output for your reference:
+rommon 1 > showmon -v
+Current image running (0/1): Boot ROM1 Golden FPGA
+Cisco Systems ROMMON, Version 1.1.18, RELEASE SOFTWARE
+Copyright (c) 1994-2020 by Cisco Systems, Inc.
+Compiled Tue 09/15/2020 20:35:13.52 by wchen64
+DIMM Slot 0 : Present
+Product Identifier : ASA5506W
+Serial Number - PCA : JAD21070C5B
+Serial Number - Chassis : JMX2112Y17K
+Version Identifier : V04
+CPLD Version : 48 (MM/DD/YY): 03/07/19 (3.0)
+CPLD Ext Version : 0x00030000 (3.0.0)
+*** Golden CPLD Ext Version : 0x00030000 (3.0.0) ***
+Board Version : 3 (P2)
+PCH Version : 02 (A2)
+CPLD-ENV Version : 0000
+Hardware Anchor : F01025R16.20ba9e4792017-02-01
+Certificate : 9430BAB033968E80
+Microloader : MA0008R06.1308052016
+</code>
+===== ASA respond to traceroute =====
+<code>
+access-list OUTSIDE_IN extended permit icmp any any time-exceeded
+access-list OUTSIDE_IN extended permit icmp any any unreachable
+policy-map global_policy
+ class inspection_default
+  inspect icmp
+ class class-default
+  set connection decrement-ttl
+</code>
+===== ASA DNS Domain Filter =====
+<code>
+regex domain_logmein.com “\.logmein\.com”
+!
+class-map type regex match-any DomainBlockList
+description Blocked Domains
+match regex domain_logmein.com
+!
+policy-map type inspect dns PM-DNS-inspect
+parameters
+message-length maximum 512
+match domain-name regex class DomainBlockList
+drop-connection log
+!
+policy-map global_policy
+class inspection_default
+inspect dns PM-DNS-inspect
+!
+service-policy global_policy global
+From <https://www.booches.nl/2009/08/cisco-asa-dns-request-filtering/>
+</code>
+===== ASAv Console Configuration =====
+<code>
+Configure a Network Serial Console Port
+For a better console experience, you can configure a network serial port singly or attached to a virtual serial port concentrator (vSPC) for console access. See the VMware vSphere documentation for details about each method. On the ASAv, you must send the console output to a serial port instead of to the virtual console. This section describes how to enable the serial port console.
+Procedure
+. Configure a network serial port in VMware vSphere. See the VMware vSphere documentation.
+. On the ASAv, create a file called “use_ttyS0” in the root directory of disk0. This file does not need to have any contents; it just needs to exist at this location:
+	disk0:/use_ttyS0
+–From ASDM, you can upload an empty text file by that name using the Tools > File Managementdialog box.
+–At the vSphere console, you can copy an existing file (any file) in the file system to the new name. For example:
+ciscoasa(config)# cd coredumpinfo
+ciscoasa(config)# copy coredump.cfg disk0:/use_ttyS0
+. Reload the ASAv.
+–From ASDM, choose Tools > System Reload.
+–At the vSphere console, enter reload.
+	The ASAv stops sending to the vSphere console, and instead sends to the serial console.
+. Telnet to the vSphere host IP address and the port number you specified when you added the serial port; or Telnet to the vSPC IP address and port.
+From <http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/asav/quick-start/asav-quick/asav-vmware.html>
+</code>
+==== Private VLANs ====
+<code>
+vlan 100
+  private-vlan primary
+  private-vlan association 200,300,400,500
+!
+vlan 200
+  private-vlan isolated
+!
+vlan 300
+  private-vlan community
+!
+vlan 400
+  private-vlan community
+!
+vlan 500
+  private-vlan community
+!
+!
+!
+interface FastEthernet0/1
+ switchport private-vlan host-association 100 200
+ switchport mode private-vlan host
+ spanning-tree portfast
+!
+interface FastEthernet0/2
+ switchport private-vlan host-association 100 200
+ switchport mode private-vlan host
+ spanning-tree portfast
+!
+interface FastEthernet0/3
+ switchport private-vlan host-association 100 300
+ switchport mode private-vlan host
+ spanning-tree portfast
+!
+interface FastEthernet0/4
+ switchport private-vlan host-association 100 300
+ switchport mode private-vlan host
+ spanning-tree portfast
+!
+interface FastEthernet0/5
+ switchport private-vlan host-association 100 400
+ switchport mode private-vlan host
+ spanning-tree portfast
+!
+interface FastEthernet0/6
+ switchport private-vlan host-association 100 400
+ switchport mode private-vlan host
+ spanning-tree portfast
+!
+interface FastEthernet0/7
+ switchport private-vlan host-association 100 500
+ switchport mode private-vlan host
+ spanning-tree portfast
+!
+interface FastEthernet0/8
+ switchport private-vlan host-association 100 500
+ switchport mode private-vlan host
+ spanning-tree portfast
+!
+interface GigabitEthernet0/1
+ switchport private-vlan mapping 100 200,300,400,500
+ switchport mode private-vlan promiscuous
+!
+</code>