====== Cisco ======

===== BOOTROM Update =====

Cisco ASA 5500-X ROMMON 1.1.18 Firmware Release Notes

The ASA 5500-X ROMMON firmware is applicable to the following units: ASA 5506-X / ASA 5506H-X / ASA 5506W-X / ASA 5508-X / ASA 5516-X

These are the changes relative to the ASA 5500-X ROMMON firmware version 1.1.16 release:

1.1.18 Release
  * CSCvu12608: ASA5506/5508/5516 devices not booting up properly / boot loop
  * CSCvv65674: ASA5506/5508/5516 ROMMON: ASAOS crashed when timebased key is added and reload

Upgrade guide

The ROMMON upgrade guide and release notes:
  * https://www.cisco.com/c/en/us/td/docs/security/asa/asa912/configuration/general/asa-912-general-config/admin-swconfig.html#task_90917D0EBAC2427487F6F51D21ABC235
  * https://www.cisco.com/web/software/286287669/154313/Cisco-ASA-5500-release-notes-1-1-18.pdf

Note: Running the upgrade with the firmware bundle asa5500-firmware-1118.SPA takes twice as long as the pre-1.1.15 firmware bundles. On average, the whole process completes in about 15 minutes. Please do not power cycle the unit during the upgrade. If the upgrade is not done within 30 minutes or fails, contact your tech support and do NOT power cycle/reset the unit.

ATTENTION: PLEASE VERIFY AFTER THE UPGRADE IS COMPLETED!

To verify that your ROMMON upgrade is complete, boot into the ROMMON prompt and type 'showmon -v'. Make sure the output shows Golden FPGA as the running image, Golden CPLD Ext Version : 0x00030000 (3.0.0), and ROMMON version 1.1.18. Below is the output for your reference:

<code>
rommon 1 > showmon -v
Current image running (0/1): Boot ROM1
Golden FPGA
Cisco Systems ROMMON, Version 1.1.18, RELEASE SOFTWARE
Copyright (c) 1994-2020 by Cisco Systems, Inc.
Compiled Tue 09/15/2020 20:35:13.52 by wchen64
DIMM Slot 0 : Present
Product Identifier : ASA5506W
Serial Number - PCA : JAD21070C5B
Serial Number - Chassis : JMX2112Y17K
Version Identifier : V04
CPLD Version : 48 (MM/DD/YY): 03/07/19 (3.0)
CPLD Ext Version : 0x00030000 (3.0.0)
*** Golden CPLD Ext Version : 0x00030000 (3.0.0) ***
Board Version : 3 (P2)
PCH Version : 02 (A2)
CPLD-ENV Version : 0000
Hardware Anchor : F01025R16.20ba9e4792017-02-01
Certificate : 9430BAB033968E80
Microloader : MA0008R06.1308052016
</code>

===== ASA respond to traceroute =====

Permit the ICMP replies traceroute relies on and have the ASA decrement the TTL so it shows up as a hop:

<code>
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable
policy-map global_policy
 class inspection_default
  inspect icmp
 class class-default
  set connection decrement-ttl
</code>

===== ASA DNS Domain Filter =====

Drop and log DNS queries whose domain name matches a regex class:

<code>
regex domain_logmein.com "\.logmein\.com"
!
class-map type regex match-any DomainBlockList
 description Blocked Domains
 match regex domain_logmein.com
!
policy-map type inspect dns PM-DNS-inspect
 parameters
  message-length maximum 512
 match domain-name regex class DomainBlockList
  drop-connection log
!
policy-map global_policy
 class inspection_default
  inspect dns PM-DNS-inspect
!
service-policy global_policy global
</code>

===== ASAv Console Configuration =====

Configure a Network Serial Console Port

For a better console experience, you can configure a network serial port, either on its own or attached to a virtual serial port concentrator (vSPC), for console access. See the VMware vSphere documentation for details about each method. On the ASAv, you must send the console output to a serial port instead of to the virtual console. This section describes how to enable the serial port console.

Procedure
  - Configure a network serial port in VMware vSphere. See the VMware vSphere documentation.
  - On the ASAv, create a file called "use_ttyS0" in the root directory of disk0. This file does not need to have any contents; it just needs to exist at this location: disk0:/use_ttyS0
    * From ASDM, you can upload an empty text file by that name using the Tools > File Management dialog box.
    * At the vSphere console, you can copy an existing file (any file) in the file system to the new name. For example: ''ciscoasa(config)# cd coredumpinfo'' followed by ''ciscoasa(config)# copy coredump.cfg disk0:/use_ttyS0''
  - Reload the ASAv. From ASDM, choose Tools > System Reload; at the vSphere console, enter reload. The ASAv stops sending to the vSphere console and instead sends to the serial console.
  - Telnet to the vSphere host IP address and the port number you specified when you added the serial port, or Telnet to the vSPC IP address and port.

==== Private VLANs ====

Primary VLAN 100 carries one isolated secondary (200) and three community secondaries (300, 400, 500); host ports are bound to one secondary each and the uplink is promiscuous for all of them:

<code>
vlan 100
 private-vlan primary
 private-vlan association 200,300,400,500
!
vlan 200
 private-vlan isolated
!
vlan 300
 private-vlan community
!
vlan 400
 private-vlan community
!
vlan 500
 private-vlan community
!
interface FastEthernet0/1
 switchport private-vlan host-association 100 200
 switchport mode private-vlan host
 spanning-tree portfast
!
interface FastEthernet0/2
 switchport private-vlan host-association 100 200
 switchport mode private-vlan host
 spanning-tree portfast
!
interface FastEthernet0/3
 switchport private-vlan host-association 100 300
 switchport mode private-vlan host
 spanning-tree portfast
!
interface FastEthernet0/4
 switchport private-vlan host-association 100 300
 switchport mode private-vlan host
 spanning-tree portfast
!
interface FastEthernet0/5
 switchport private-vlan host-association 100 400
 switchport mode private-vlan host
 spanning-tree portfast
!
interface FastEthernet0/6
 switchport private-vlan host-association 100 400
 switchport mode private-vlan host
 spanning-tree portfast
!
interface FastEthernet0/7
 switchport private-vlan host-association 100 500
 switchport mode private-vlan host
 spanning-tree portfast
!
interface FastEthernet0/8
 switchport private-vlan host-association 100 500
 switchport mode private-vlan host
 spanning-tree portfast
!
interface GigabitEthernet0/1
 switchport private-vlan mapping 100 200,300,400,500
 switchport mode private-vlan promiscuous
!
</code>
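The post-upgrade verification in the BOOTROM Update section above is easy to get wrong by eye across many units. The following added example (not from the page or from Cisco) parses a captured ''showmon -v'' transcript and reports which of the three release-note checks (ROMMON version 1.1.18, Golden FPGA running, Golden CPLD Ext Version 0x00030000) fail; the two sample transcripts are constructed, the first trimmed from the output quoted on this page.

```python
import re

# Values the 1.1.18 release notes say to check after the upgrade
EXPECTED_VERSION = "1.1.18"
EXPECTED_GOLDEN_CPLD_EXT = "0x00030000"

# Constructed sample, trimmed from the showmon -v output quoted on this page
SHOWMON_OK = """rommon 1 > showmon -v
Current image running (0/1): Boot ROM1
Golden FPGA
Cisco Systems ROMMON, Version 1.1.18, RELEASE SOFTWARE
CPLD Ext Version : 0x00030000 (3.0.0)
*** Golden CPLD Ext Version : 0x00030000 (3.0.0) ***
"""

# Constructed sample of a unit still on an older image (hypothetical values)
SHOWMON_STALE = """rommon 1 > showmon -v
Current image running (0/1): Boot ROM0
Cisco Systems ROMMON, Version 1.1.15, RELEASE SOFTWARE
CPLD Ext Version : 0x00020000 (2.0.0)
"""

def parse_showmon(text):
    """Extract the three fields the release notes ask you to verify."""
    info = {"version": None, "golden_fpga": False, "golden_cpld_ext": None}
    for line in text.splitlines():
        m = re.search(r"ROMMON, Version (\S+),", line)
        if m:
            info["version"] = m.group(1)
        elif re.search(r"\bGolden FPGA\b", line):
            info["golden_fpga"] = True
        elif (m := re.search(r"Golden CPLD Ext Version\s*:\s*(0x[0-9A-Fa-f]+)", line)):
            info["golden_cpld_ext"] = m.group(1)
    return info

def upgrade_problems(text):
    """Return the list of failed checks; an empty list means the upgrade verified."""
    info = parse_showmon(text)
    problems = []
    if info["version"] != EXPECTED_VERSION:
        problems.append("ROMMON version %s, expected %s" % (info["version"], EXPECTED_VERSION))
    if not info["golden_fpga"]:
        problems.append("Golden FPGA is not the running image")
    if info["golden_cpld_ext"] != EXPECTED_GOLDEN_CPLD_EXT:
        problems.append("Golden CPLD Ext Version %s, expected %s"
                        % (info["golden_cpld_ext"], EXPECTED_GOLDEN_CPLD_EXT))
    return problems
```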
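To check that a private VLAN design actually isolates what you think it does, it helps to compute the layer-2 reachability the config implies. This added example (not from the page or from Cisco) parses a constructed subset of the configuration above and applies the PVLAN rules: isolated hosts reach only the promiscuous port, community hosts also reach their own community, and the promiscuous port reaches every secondary it maps. It generalizes beyond the page's config to any mix of isolated and community secondaries; the helper names are assumptions.

```python
import re

# Constructed sample: subset of the PVLAN config on this page (only lines the parser reads)
CONFIG = """
vlan 200
 private-vlan isolated
vlan 300
 private-vlan community
vlan 400
 private-vlan community
interface FastEthernet0/1
 switchport private-vlan host-association 100 200
interface FastEthernet0/2
 switchport private-vlan host-association 100 200
interface FastEthernet0/3
 switchport private-vlan host-association 100 300
interface FastEthernet0/4
 switchport private-vlan host-association 100 300
interface FastEthernet0/5
 switchport private-vlan host-association 100 400
interface GigabitEthernet0/1
 switchport private-vlan mapping 100 200,300,400
"""

def parse_pvlan(config):
    """Return ({secondary vlan: type}, {port: (role, set of secondary vlans)})."""
    vlan_type, ports, cur_vlan, cur_if = {}, {}, None, None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("vlan "):
            cur_vlan, cur_if = int(line.split()[1]), None
        elif line.startswith("interface "):
            cur_if, cur_vlan = line.split()[1], None
        elif cur_vlan is not None and line.startswith("private-vlan "):
            vlan_type[cur_vlan] = line.split()[1]      # isolated / community
        elif (m := re.match(r"switchport private-vlan host-association \d+ (\d+)", line)):
            ports[cur_if] = ("host", {int(m.group(1))})
        elif (m := re.match(r"switchport private-vlan mapping \d+ ([\d,]+)", line)):
            ports[cur_if] = ("promiscuous", {int(v) for v in m.group(1).split(",")})
    return vlan_type, ports

def can_talk(a, b, vlan_type, ports):
    """Layer-2 reachability between two ports under private VLAN rules."""
    role_a, sec_a = ports[a]
    role_b, sec_b = ports[b]
    if "promiscuous" in (role_a, role_b):
        # a promiscuous port reaches any host whose secondary VLAN it maps
        return role_a == role_b or bool(sec_a & sec_b)
    (sa,), (sb,) = sec_a, sec_b
    # two hosts reach each other only inside the same community VLAN
    return sa == sb and vlan_type[sa] == "community"
```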