Cisco
BOOTROM Update
Cisco ASA 5500-X ROMMON 1.1.18 Firmware Release Notes
The ASA 5500-X ROMMON firmware is applicable to the following units:
ASA 5506-X/ASA 5506H-X/ASA 5506W-X/ASA 5508-X/ASA 5516-X
Changes in the 1.1.18 release relative to ASA 5500-X ROMMON firmware version 1.1.16:
- CSCvu12608: ASA5506/5508/5516 devices not booting up properly / boot loop
- CSCvv65674: ASA5506/5508/5516 ROMMON: ASA OS crashed when a time-based key is added and the unit is reloaded
Upgrade guide
The link is the ROMMON upgrade guide:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa912/configuration/general/asa-912-general-config/admin-swconfig.html#task_90917D0EBAC2427487F6F51D21ABC235
https://www.cisco.com/web/software/286287669/154313/Cisco-ASA-5500-release-notes-1-1-18.pdf
Note:
Running the upgrade with firmware bundle asa5500-firmware-1118.SPA takes twice as long as the pre-1.1.15 firmware bundles.
On average the whole process completes in about 15 minutes. Do not power-cycle the unit during the upgrade.
If the upgrade has not finished within 30 minutes, or it fails, contact your tech support and do NOT power-cycle or reset the unit.
ATTENTION: VERIFY AFTER THE UPGRADE IS COMPLETED!
To verify that the ROMMON upgrade is complete, boot to the ROMMON prompt and type 'showmon -v'. Make sure it shows the running image as Golden FPGA, Golden CPLD Ext Version : 0x00030000 (3.0.0), and ROMMON Version 1.1.18.
Below is the output for your reference:
rommon 1 > showmon -v
Current image running (0/1): Boot ROM1 Golden FPGA
Cisco Systems ROMMON, Version 1.1.18, RELEASE SOFTWARE
Copyright (c) 1994-2020 by Cisco Systems, Inc.
Compiled Tue 09/15/2020 20:35:13.52 by wchen64
DIMM Slot 0 : Present
Product Identifier : ASA5506W
Serial Number - PCA : JAD21070C5B
Serial Number - Chassis : JMX2112Y17K
Version Identifier : V04
CPLD Version : 48 (MM/DD/YY): 03/07/19 (3.0)
CPLD Ext Version : 0x00030000 (3.0.0)
*** Golden CPLD Ext Version : 0x00030000 (3.0.0) ***
Board Version : 3 (P2)
PCH Version : 02 (A2)
CPLD-ENV Version : 0000
Hardware Anchor : F01025R16.20ba9e4792017-02-01
Certificate : 9430BAB033968E80
Microloader : MA0008R06.1308052016
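Checking the three indicators by eye is fine for one unit; for a batch of units it is easier to script. The following is an added Python example (mine, not from the release notes or from Cisco tooling) that parses a captured `showmon -v` output such as the one above and checks the running image, the ROMMON version and the Golden CPLD Ext Version. The "upgraded" capture is built from the sample output on this page; the "not upgraded" capture is constructed by editing those lines and is not a real capture.

```python
import re

# Constructed sample input: the `showmon -v` output quoted above, cut down to
# the lines the check needs (a full capture with the other fields works too).
SAMPLE_SHOWMON = """\
rommon 1 > showmon -v
Current image running (0/1): Boot ROM1 Golden FPGA
Cisco Systems ROMMON, Version 1.1.18, RELEASE SOFTWARE
Copyright (c) 1994-2020 by Cisco Systems, Inc.
Product Identifier : ASA5506W
CPLD Version : 48 (MM/DD/YY): 03/07/19 (3.0)
CPLD Ext Version : 0x00030000 (3.0.0)
*** Golden CPLD Ext Version : 0x00030000 (3.0.0) ***
Board Version : 3 (P2)
"""

# Constructed (not a real capture): a unit still on the old firmware and
# not running the Golden FPGA image, to exercise the failing path.
SAMPLE_NOT_UPGRADED = (SAMPLE_SHOWMON
                       .replace("Version 1.1.18", "Version 1.1.16")
                       .replace("Boot ROM1 Golden FPGA", "Boot ROM0"))

# Values the release notes' verification step asks for.
EXPECTED_ROMMON_VERSION = "1.1.18"
EXPECTED_GOLDEN_CPLD_EXT = "0x00030000"


def parse_showmon(text):
    """Pull the three fields the post-upgrade verification depends on."""
    info = {}
    m = re.search(r"^Current image running.*?:\s*(.+)$", text, re.M)
    if m:
        info["image"] = m.group(1).strip()
    m = re.search(r"ROMMON, Version (\d+\.\d+\.\d+)", text)
    if m:
        info["rommon_version"] = m.group(1)
    # The "Golden" prefix keeps this from matching the plain CPLD Ext line.
    m = re.search(r"Golden CPLD Ext Version\s*:\s*(0x[0-9A-Fa-f]+)", text)
    if m:
        info["golden_cpld_ext"] = m.group(1)
    return info


def verify_rommon_upgrade(text):
    """Return (ok, problems); ok is True only when every check passes."""
    info = parse_showmon(text)
    problems = []
    if "Golden FPGA" not in info.get("image", ""):
        problems.append("running image is %r, not Golden FPGA" % info.get("image"))
    if info.get("rommon_version") != EXPECTED_ROMMON_VERSION:
        problems.append("ROMMON version %r, expected %s"
                        % (info.get("rommon_version"), EXPECTED_ROMMON_VERSION))
    if info.get("golden_cpld_ext") != EXPECTED_GOLDEN_CPLD_EXT:
        problems.append("Golden CPLD Ext Version %r, expected %s"
                        % (info.get("golden_cpld_ext"), EXPECTED_GOLDEN_CPLD_EXT))
    return (not problems, problems)


if __name__ == "__main__":
    for label, capture in (("upgraded", SAMPLE_SHOWMON),
                           ("not upgraded", SAMPLE_NOT_UPGRADED)):
        ok, problems = verify_rommon_upgrade(capture)
        print(label, "PASS" if ok else "FAIL", problems)
```

Feed it the text captured from the console session; a unit that still boots the old image fails on the version and image checks while the Golden CPLD line (which the 1.1.18 bundle did not change on this sample) still passes, so the report tells you which half of the upgrade is incomplete.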
ASA responds to traceroute
! Let the ASA appear as a hop in traceroute and let the ICMP error replies back in.
! Assumes OUTSIDE_IN is the ACL applied inbound on the outside interface.
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable
!
policy-map global_policy
 class inspection_default
  inspect icmp
 class class-default
  ! Decrement the TTL of transit packets so the ASA generates a time-exceeded
  ! reply for a packet whose TTL expires on it.
  set connection decrement-ttl
ASA DNS Domain Filter
! The regex is matched unanchored against the queried name, so it matches any
! name containing ".logmein.com" but not the bare apex logmein.com.
regex domain_logmein.com "\.logmein\.com"
!
class-map type regex match-any DomainBlockList
 description Blocked Domains
 match regex domain_logmein.com
!
policy-map type inspect dns PM-DNS-inspect
 parameters
  message-length maximum 512
 match domain-name regex class DomainBlockList
  drop-connection log
!
policy-map global_policy
 class inspection_default
  inspect dns PM-DNS-inspect
!
service-policy global_policy global
From <https://www.booches.nl/2009/08/cisco-asa-dns-request-filtering/>
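To see what the regex above matches in practice, here is an added Python example (mine, not from the source post or from Cisco). It decodes the queried name from a DNS query in wire format and applies the page's regex `\.logmein\.com` next to an anchored variant, `(^|\.)logmein\.com$`, which is my suggested alternative and not on the page. The queries are constructed inline. It shows that the unanchored pattern misses the bare apex `logmein.com` and also drops `a.logmein.com.attacker.example`, which merely contains the string.

```python
import re
import struct

# The regex exactly as configured on the ASA above, and an anchored variant
# (my suggestion, not from the page) that also catches the bare apex name and
# ignores names that merely contain ".logmein.com" somewhere in the middle.
ASA_REGEX = r"\.logmein\.com"
ANCHORED_REGEX = r"(^|\.)logmein\.com$"


def build_query(qname, qtype=1):
    """Constructed test input: a minimal DNS query (wire format) for qname."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # id, RD set, QDCOUNT=1
    body = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in qname.rstrip(".").split("."))
    return header + body + b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def qname_from_query(msg):
    """Decode the first question's QNAME; a question section never uses compression."""
    if len(msg) < 12 or struct.unpack("!H", msg[4:6])[0] < 1:
        raise ValueError("no question section")
    offset, labels = 12, []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:  # 11xxxxxx would be a compression pointer: reject it
            raise ValueError("compression pointer in question name")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower()


def policy_action(msg, regex=ASA_REGEX):
    """'drop' if the queried name matches the blocklist regex, else 'allow'."""
    name = qname_from_query(msg)
    return "drop" if re.search(regex, name) else "allow"


def compare(names):
    """Per name: (action under the page's regex, action under the anchored regex)."""
    return {n: (policy_action(build_query(n)),
                policy_action(build_query(n), ANCHORED_REGEX)) for n in names}


if __name__ == "__main__":
    for name, actions in compare(["secure.logmein.com", "logmein.com",
                                  "a.logmein.com.attacker.example",
                                  "www.example.com"]).items():
        print("%-34s unanchored=%-5s anchored=%s" % (name, *actions))
```

The ASA regex engine supports `^` and `$`, so the anchored form can go straight into the `regex` command. Separately, `message-length maximum 512` drops every DNS message over 512 bytes, which includes many EDNS0 and DNSSEC responses; raise the limit if your clients use EDNS.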
ASAv Console Configuration
Configure a Network Serial Console Port
For a better console experience, you can configure a network serial port singly or attached to a virtual serial port concentrator (vSPC) for console access. See the VMware vSphere documentation for details about each method. On the ASAv, you must send the console output to a serial port instead of to the virtual console. This section describes how to enable the serial port console.
Procedure
1. Configure a network serial port in VMware vSphere. See the VMware vSphere documentation.
2. On the ASAv, create a file called "use_ttyS0" in the root directory of disk0. This file does not need to have any contents; it just needs to exist at this location:
disk0:/use_ttyS0
–From ASDM, you can upload an empty text file by that name using the Tools > File Management dialog box.
–At the vSphere console, you can copy an existing file (any file) in the file system to the new name. For example:
ciscoasa(config)# cd coredumpinfo
ciscoasa(config)# copy coredump.cfg disk0:/use_ttyS0
3. Reload the ASAv.
–From ASDM, choose Tools > System Reload.
–At the vSphere console, enter reload.
The ASAv stops sending to the vSphere console, and instead sends to the serial console.
4. Telnet to the vSphere host IP address and the port number you specified when you added the serial port, or Telnet to the vSPC IP address and port. This is plaintext Telnet to the device console, so reach it only from a dedicated management network.
From <http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/asav/quick-start/asav-quick/asav-vmware.html>
Private VLANs
! Private VLANs on IOS need VTP transparent mode (or VTP version 3).
! Primary VLAN 100 carries the promiscuous port; the secondaries hang off it.
vlan 100
 private-vlan primary
 private-vlan association 200,300,400,500
!
! Isolated: hosts in 200 reach only the promiscuous port, never each other.
vlan 200
 private-vlan isolated
!
! Community: hosts in the same community VLAN reach each other and the promiscuous port.
vlan 300
 private-vlan community
!
vlan 400
 private-vlan community
!
vlan 500
 private-vlan community
!
interface FastEthernet0/1
switchport private-vlan host-association 100 200
switchport mode private-vlan host
spanning-tree portfast
!
interface FastEthernet0/2
switchport private-vlan host-association 100 200
switchport mode private-vlan host
spanning-tree portfast
!
interface FastEthernet0/3
switchport private-vlan host-association 100 300
switchport mode private-vlan host
spanning-tree portfast
!
interface FastEthernet0/4
switchport private-vlan host-association 100 300
switchport mode private-vlan host
spanning-tree portfast
!
interface FastEthernet0/5
switchport private-vlan host-association 100 400
switchport mode private-vlan host
spanning-tree portfast
!
interface FastEthernet0/6
switchport private-vlan host-association 100 400
switchport mode private-vlan host
spanning-tree portfast
!
interface FastEthernet0/7
switchport private-vlan host-association 100 500
switchport mode private-vlan host
spanning-tree portfast
!
interface FastEthernet0/8
switchport private-vlan host-association 100 500
switchport mode private-vlan host
spanning-tree portfast
!
interface GigabitEthernet0/1
switchport private-vlan mapping 100 200,300,400,500
switchport mode private-vlan promiscuous
!
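The configuration above says which VLAN each port belongs to, but the question you actually audit is which ports can exchange frames. The following is an added Python example (mine, not from the page or from Cisco) that parses a subset of the configuration above (VLANs 100/200/300 and ports FastEthernet0/1 to 0/4 plus the promiscuous GigabitEthernet0/1; VLANs 400/500 and ports 0/5 to 0/8 are left out for brevity) and computes layer-2 reachability between ports under the isolated, community and promiscuous rules. The config text is embedded as constructed input.

```python
import re
from itertools import combinations

# Constructed input: a subset of the private-VLAN configuration on this page
# (VLANs 100/200/300, two isolated ports, two community ports, the uplink).
PVLAN_CONFIG = """\
vlan 100
 private-vlan primary
 private-vlan association 200,300
!
vlan 200
 private-vlan isolated
!
vlan 300
 private-vlan community
!
interface FastEthernet0/1
 switchport private-vlan host-association 100 200
 switchport mode private-vlan host
!
interface FastEthernet0/2
 switchport private-vlan host-association 100 200
 switchport mode private-vlan host
!
interface FastEthernet0/3
 switchport private-vlan host-association 100 300
 switchport mode private-vlan host
!
interface FastEthernet0/4
 switchport private-vlan host-association 100 300
 switchport mode private-vlan host
!
interface GigabitEthernet0/1
 switchport private-vlan mapping 100 200,300
 switchport mode private-vlan promiscuous
!
"""


def parse_pvlan_config(text):
    """Return (vlans, ports): vlan id -> role, port name -> its private-VLAN settings."""
    vlans, ports, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"vlan (\d+)$", line):
            current = ("vlan", int(m.group(1)))
        elif m := re.match(r"interface (\S+)$", line):
            current = ("port", m.group(1))
            ports[m.group(1)] = {"mode": None, "primary": None, "secondary": None, "mapped": set()}
        elif current and current[0] == "vlan":
            if m := re.match(r"private-vlan (primary|isolated|community)$", line):
                vlans[current[1]] = m.group(1)
        elif current:
            port = ports[current[1]]
            if m := re.match(r"switchport private-vlan host-association (\d+) (\d+)$", line):
                port["primary"], port["secondary"] = int(m.group(1)), int(m.group(2))
            elif m := re.match(r"switchport private-vlan mapping (\d+) ([\d,]+)$", line):
                port["primary"] = int(m.group(1))
                port["mapped"] = {int(v) for v in m.group(2).split(",")}
            elif m := re.match(r"switchport mode private-vlan (host|promiscuous)$", line):
                port["mode"] = m.group(1)
    return vlans, ports


def can_talk(vlans, ports, a, b):
    """Layer-2 reachability between two ports under private-VLAN rules."""
    pa, pb = ports[a], ports[b]
    if pa["primary"] != pb["primary"]:
        return False                                # different private-VLAN domains
    if pa["mode"] == pb["mode"] == "promiscuous":
        return True
    if pa["mode"] == "promiscuous":
        return pb["secondary"] in pa["mapped"]      # promiscuous reaches every mapped secondary
    if pb["mode"] == "promiscuous":
        return pa["secondary"] in pb["mapped"]
    if pa["secondary"] != pb["secondary"]:
        return False                                # two different secondaries never meet at L2
    return vlans[pa["secondary"]] == "community"    # same community: yes; same isolated: no


def reachable_pairs(text):
    """Every unordered port pair that can exchange frames, for a quick audit."""
    vlans, ports = parse_pvlan_config(text)
    return sorted((a, b) for a, b in combinations(sorted(ports), 2)
                  if can_talk(vlans, ports, a, b))


if __name__ == "__main__":
    for a, b in reachable_pairs(PVLAN_CONFIG):
        print(a, "<->", b)
```

This is layer-2 reachability only. Whatever sits behind the promiscuous port (normally the default gateway) can still route between secondary VLANs: a host in isolated VLAN 200 can send a frame to the router's MAC address with another isolated host's IP as the destination, and the router will forward it straight back into the VLAN. Block that with an ACL on the router interface that denies traffic both sourced from and destined to the private-VLAN subnet.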
cisco/cisco_main.txt · Last modified: 2023/08/07 15:45 by srohr
