
What is Cisco ASA Firewall – All you need to Know
Written By Harris Andrea

The ASA (Adaptive Security Appliance) is a network security product that is a part of Cisco’s Advanced Network Firewall portfolio.

A network firewall is a hardware or software device that usually sits at the edge of a network and provides security by allowing or denying traffic based upon a set of pre-configured rules.

In large corporate network environments, you can also place a network firewall within your internal LAN in order to segment private LAN IP subnets (e.g. you can isolate the servers' LAN from the users' LAN).

The Cisco ASA replaced the Cisco PIX firewall and is an advanced firewall capable of carrying out more services than the older PIX firewall could.


How Does the ASA Firewall Work

Let’s explain briefly what the core network firewall functionality is for the Cisco ASA. A network firewall is based on stateful packet inspection, which I will explain below.

A stateful network firewall, such as the Cisco ASA, typically uses stateful
packet inspection to prevent unauthorised traffic from entering the network
from the outside or prevent unauthorised traffic from being passed between
security zones internally within a network.


A stateful firewall keeps track of all the sessions that have been initiated
from user devices inside the network and allows the responding traffic from
outside the network to pass through to the initiating device.

Stateful packet inspection checks an access control list to see if the source
or destination IP address (and/or ports) of the incoming packet is allowed
access to the network or not.

The Cisco ASA has many physical interfaces which can be further divided
into “sub-interfaces” using VLANs.

Each one of these firewall interfaces is connected to a “security zone”, which is basically a Layer 3 subnet. All hosts inside this security zone (subnet) will have as gateway the IP address configured on the ASA firewall interface.

This means that all traffic from the specific security zone going out to other
networks (zones) will pass through the ASA which will impose its firewall
controls to the traffic.

A Cisco ASA is able to carry out the following services in addition to the
core Stateful Packet Inspection functionality:

Cisco ASA Main Core Security Features

Packet Filtering

Packet filtering, also known as deep packet inspection, goes much further than simply matching IP addresses to an allowed list.

Packet filtering is able to determine what protocol is being used, such as TCP, UDP, RTP etc., and which application is sending this traffic.

This enables much more complex rules to be created and instead of only
being able to block traffic based on source or destination IP addresses,
rules can now be created to block traffic based on the protocol being used
or to block a particular application.

NAT / PAT

Network Address Translation and Port Address Translation are used to translate the IP address of the source device from a private IP address range to a public IP address range.

This has a number of benefits. Firstly, the actual IP address of the sending
device is disguised because all the destination machine ever sees is the
public IP address that has been substituted at the firewall and not the
original private address.

The second benefit is that many devices can access the internet using the
single public IP address which saves on Public IP address use.

Port Address Translation (PAT) allows the firewall to assign each device a different source port number. These port mappings are recorded so that, when the destination server responds to the public IP address, the firewall knows which internal IP address originally sent the request and can forward the packet on to it.
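The stateful behaviour described in the two passages above (replies admitted only for sessions initiated from inside, and the per-device port mapping of PAT), as an added example that is not part of the article; the addresses, ports and the StatefulPat class are constructed for illustration:

```python
# Added example (not from the article): a toy model of the stateful PAT
# behaviour described above. All addresses and ports are constructed.
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class StatefulPat:
    """Translate outbound flows to one public IP and only admit matching replies."""

    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self._next_port = count(first_port)
        # public (proto, port) -> original (src_ip, src_port, dst_ip, dst_port)
        self._xlate = {}
        # original flow 5-tuple -> public port, so a flow keeps its mapping
        self._by_flow = {}

    def outbound(self, pkt):
        """Inside -> outside: create (or reuse) a translation, return the rewritten packet."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self._by_flow.get(key)
        if port is None:
            port = next(self._next_port)
            self._by_flow[key] = port
            self._xlate[(pkt.proto, port)] = key[1:]
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt):
        """Outside -> inside: return the un-translated packet, or None if it is dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self._xlate.get((pkt.proto, pkt.dst_port))
        if entry is None:
            return None  # no session initiated from inside: unsolicited, dropped
        src_ip, src_port, dst_ip, dst_port = entry
        if (pkt.src_ip, pkt.src_port) != (dst_ip, dst_port):
            return None  # reply does not come from the host/port that was contacted
        return Packet(pkt.src_ip, pkt.src_port, src_ip, src_port, pkt.proto)

    def xlate_count(self):
        """Number of active translations (the ASA would show these as xlates)."""
        return len(self._xlate)
```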


SSL / IPSec VPN

An ASA firewall is able to create an encrypted channel between the corporate network and another device located on a different network.

The Virtual Private Network (VPN) tunnel protects all the traffic that is
flowing from external devices to the corporate network over the public
internet.

This allows remote users to securely access data from outside of the
corporate network using IPSec or SSL encryption protocols.

Moreover, a site-to-site IPSec VPN can create a secured and encrypted connection between two distant private LAN networks over the Internet.

This allows for a cheap and secure connectivity solution between two or
more LAN networks without leasing expensive dedicated WAN links
between the two sites.

Cisco Firepower Main Security Features


Cisco Firepower is a separate product line that has been acquired by Cisco
to provide many additional cybersecurity services such as Intrusion
Prevention, DDOS prevention, Anti-malware, Anti-virus, mail scanning,
URL filtering and dynamic security intelligence through Cisco TALOS which
is a cybersecurity community that was created by Cisco.

A Firepower appliance is known as a Next Generation Security product and can be added to a network as a dedicated Firepower appliance or as a hardware module installed within a Cisco ASA.

An ASA with Firepower is able to provide the standard firewall services and also the enhanced security services of a Firepower device, which makes these ASAs Next Generation Firewalls.

Many of the security features offered by the Firepower module are activated by purchasing different levels of licensing, which are available as a subscription service that is renewed on a yearly basis.

Subscription You Purchase   Smart Licenses You Assign in Firepower System
T                           Threat
TC                          Threat + URL Filtering
TM                          Threat + Malware
TMC                         Threat + URL Filtering + Malware
URL                         URL Filtering (can be added to Threat or used without Threat)
AMP                         Malware (can be added to Threat or used without Threat)

An ASA device that is running Firepower services is not managed by ASDM software. A Firepower device or cluster of Firepower devices is managed by another piece of software which is called the Cisco Secure Firewall Management Centre or SFMC (formerly Firepower Management Centre or FMC).

The SFMC is a web-based security administration centre that is used for applying network security policies and configuration of the Firepower Threat Device (FTD) sensors or Firepower modules that are spread throughout a network.

Unlike ASDM, the FMC is not installed on a standard Windows or Mac OSX computer but is added to the network as a dedicated appliance or as a virtual machine on a hypervisor such as VMware ESXi.

The software can then be accessed from any device which has a web
browser by navigating to the URL of the SFMC.

The following additional services are provided by the Firepower module installed in a Cisco ASA or as a dedicated device:

Intrusion Prevention

An Intrusion Prevention System (IPS) works by scanning the incoming and outgoing traffic and comparing the traffic patterns to a baseline or against a signature database of known attack vectors.

A baseline is the normal amount of traffic that flows in and out of the
network from all the different network sources.

When there is a deviation from this normal baseline, such as an unusually large amount of data being uploaded from an internal system, then an alert can be activated in SFMC to make the security team aware of a potential network breach. Automatic action can also be taken by the ASA to block this traffic.

Content Filtering

Content filtering or URL filtering is performed by the ASA to block web content that is deemed inappropriate by the company’s security policy.

This web filtering is very CPU intensive, so it's important to ensure that an ASA model with the correct hardware specifications is chosen for filtering traffic on a large network.

Application Filtering

Many applications produce traffic signatures that can be recognized by the Firepower ASA and filtered as required.

It is even possible for the ASA to block specific parts of an application but
not the entire application. For example, it is possible to block Facebook
games but not the entire Facebook application.

Anti-Malware (AMP)

The ASA filters the incoming traffic and checks for a match to known
malware signatures. If a match is found the traffic flow can be blocked
preventing the malware from spreading throughout the network. Anti-
malware filtering can be crucial in preventing the spread of ransomware.

Anti-Virus

An anti-virus mechanism is another service that the Firepower ASA employs to prevent malicious traffic from reaching internal users.

Like the anti-malware process the traffic is filtered and matched against
known virus signatures and blocked before the virus is able to spread.

Security Intelligence

The Cisco ASA is able to use the power of the cybersecurity community to
better protect enterprise networks. The ASA is able to prevent outgoing
connections to a blacklist of known malicious domains that is constantly
updated from the intelligence gathered by Cisco Talos.

As soon as a new malicious domain is confirmed the ASA blacklist is updated, which helps to prevent zero-day attacks.

What is Adaptive Security Device Manager (ASDM)


Traditional PIX firewalls only had the ability to be configured via the
command line which meant that only Engineers experienced with command
line configuration could setup or make changes to the firewall.

The Cisco ASA can be configured by the command line or through a graphical user interface called the Adaptive Security Device Manager or ASDM.

The ASDM software is a Java based application which needs to be installed on a Windows or Mac OSX computer, which can then be used to remotely manage multiple ASA devices. The ASDM software image is also stored on the Cisco ASA flash drive.

ASDM makes the day-to-day maintenance of the firewall easier as you are able to make configuration changes, view and filter connections, view charts and statistics or perform upgrades of the operating system remotely with the click of a mouse rather than by connecting through the CLI.

Current Cisco ASA models

– ASA-5505 – End of Sale
– ASA-5510 – End of Sale
– ASA-5506-X – Desktop / Rack Mountable Unit
– ASA-5506H-X – Desktop / Rack Mountable Unit
– ASA-5508-X – 1 RU Rack Mountable Unit
– ASA-5516-X – 1 RU Rack Mountable Unit
– ASA-5525-X – 1 RU Rack Mountable Unit
– ASA-5545-X – 1 RU Rack Mountable Unit
– ASA-5555-X – 1 RU Rack Mountable Unit
– ASA-5585-X – 2 RU Rack Mountable Unit
– ASAv – Virtual machine software which is installed on a VMware server.

The standard ASA without Firepower services has now become end of sale
and the ASA is now sold with Firepower installed as standard. The X in the
model’s name denotes that this model has a Firepower Module installed.

Competitors to Cisco ASA


Cisco ASA with Firepower services is a premium security product for
Enterprise Networks and according to gartner.com there are only three
direct competitors to these Cisco products. They are Palo Alto, Fortinet and
Checkpoint.

Palo Alto

Palo Alto next generation firewalls provide similar features to Cisco ASA
firewalls through their PAN-OS operating system.

The Palo Alto firewalls, and firewall clusters can be managed by their
Firewall management system known as Panorama.

Fortinet

Fortinet has a very large range of firewall models aimed at every size of network, from entry level to cloud datacentres. These firewalls run the Fortigate operating system.

Fortinet is one of the fastest-growing security firms worldwide and they manufacture all kinds of security products, such as firewalls, antivirus, email security, SIEM, WiFi etc.

Checkpoint

Checkpoint have taken a unified approach to network security through a suite of products that include Next Generation Firewalls, known as the Infinity architecture.

This architecture is made up of five sections, which are Quantum, Cloudguard, Harmony and Infinity Vision, surrounding their security intelligence center known as Infinity Threat Cloud. Checkpoint has a large offering of 15 different firewall models.

Initial Configuration of Cisco ASA For ASDM Access
Written By Harris Andrea

In this Video Tutorial I will show you how to enable initial access to the ASA
device in order to connect with ASDM graphical interface or with SSH.

An out-of-the-box Cisco ASA device is not fully ready to be managed by the GUI interface (Adaptive Security Device Manager – ASDM). There is an initial configuration required to enable ASDM access to the firewall.

I know the above task is pretty basic but I hope it will help a few people that are just starting out with ASA firewalls.

The network topology is shown below:


First we need to have console access (with a serial console cable) to the
device in order to configure some initial settings to allow user access with
ASDM or with SSH.

We will configure interface GigabitEthernet 5 as a management interface with IP address 10.10.10.1/24.

Also, on the same subnet we have our management PC with IP address 10.10.10.10/24. The management PC is also running a TFTP server software (tftp32) which will be used to transfer the ASDM image to the ASA.

Below is the CLI configuration used in this initial setup (see also the video below for more information):

ciscoasa# sh run
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
! Configure an "enable password", which is the administrator password of the device
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
! Configure an IP address on interface GigEth5 and set a high security level (90 is good).
! Also name the interface "management".
interface GigabitEthernet5
 nameif management
 security-level 90
 ip address 10.10.10.1 255.255.255.0
!
ftp mode passive
pager lines 24
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
! Tell the appliance where the ASDM image is located.
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
! SSH access will use the LOCAL username/password database for authentication.
aaa authentication ssh console LOCAL
! Enable the HTTP server on the device so that you can connect to it for ASDM access.
http server enable
! Tell the device which IP addresses are allowed to connect for HTTP (ASDM) access, and on which interface.
http 10.10.10.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
! Tell the device which IP addresses are allowed to connect for SSH access, and on which interface.
ssh 10.10.10.0 255.255.255.0 management
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
! Configure a LOCAL username/password to be used for authentication.
username cisco password 3USUcOPFUiMCO4Jk encrypted
!
!
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:0760c72b39dd8d7a479d517a65758f33
: end
ciscoasa#


NOTE:

To enable SSH access, we also need to generate SSH keys as follows:

ciscoasa(config)# crypto key generate rsa modulus 1024
Keypair generation process begin. Please wait…
ciscoasa(config)#

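As an added example (not the author's or Cisco's code), a small audit of the management-access lines configured above; it assumes the running-config is pasted as text and that the management interface is named management, as in this setup:

```python
# Added example (not Cisco's or the author's code): audit the management-plane
# lines of a pasted 'show run' against what the tutorial above sets up:
# HTTP/ASDM and SSH limited to the management subnet, SSH using LOCAL users,
# and no Telnet. Only the standard library is used.
import ipaddress
import re

# Constructed input: the relevant lines from the tutorial's running-config.
SAMPLE_RUN = """\
interface GigabitEthernet5
 nameif management
 security-level 90
 ip address 10.10.10.1 255.255.255.0
aaa authentication ssh console LOCAL
http server enable
http 10.10.10.0 255.255.255.0 management
telnet timeout 5
ssh 10.10.10.0 255.255.255.0 management
ssh timeout 5
username cisco password 3USUcOPFUiMCO4Jk encrypted
"""

# 'http|ssh|telnet <network> <mask> <interface>' lines grant management access
ACCESS_RE = re.compile(r"^(http|ssh|telnet) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")


def audit_management(run_config, mgmt_iface="management"):
    """Return a list of findings; an empty list means access is scoped as in the tutorial."""
    findings = []
    access = []   # (service, allowed network, interface)
    ifaces = {}   # nameif -> ip_interface
    nameif = None
    ssh_aaa = False
    for raw in run_config.splitlines():
        line = raw.strip()
        m = ACCESS_RE.match(line)
        if m:
            svc, net, mask, iface = m.groups()
            access.append((svc, ipaddress.ip_network(f"{net}/{mask}"), iface))
        elif line.startswith("interface "):
            nameif = None
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            w = line.split()
            ifaces[nameif] = ipaddress.ip_interface(f"{w[2]}/{w[3]}")
        elif line.startswith("aaa authentication ssh console "):
            ssh_aaa = True
    if not ssh_aaa:
        findings.append("SSH logins are not authenticated against LOCAL or an AAA server group")
    if not any(svc == "ssh" for svc, _, _ in access):
        findings.append("no 'ssh <net> <mask> <iface>' line, so SSH is not reachable at all")
    mgmt_net = ifaces[mgmt_iface].network if mgmt_iface in ifaces else None
    for svc, net, iface in access:
        if svc == "telnet":
            findings.append(f"telnet allowed from {net} on {iface}: cleartext management")
        if net.prefixlen == 0:
            findings.append(f"{svc} allowed from any address on {iface}")
        if iface != mgmt_iface:
            findings.append(f"{svc} allowed on {iface} instead of {mgmt_iface}")
        elif mgmt_net is not None and not net.subnet_of(mgmt_net):
            findings.append(f"{svc} source {net} is outside {mgmt_net} on {mgmt_iface}")
    return findings
```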
I have created the following video on youtube and thought about
embedding the video here as well. It is about configuring the Cisco ASA in
order to install the ASDM image (Adaptive Security Device Manager) and
hence be able to manage the device with the graphical ASDM GUI.

The video shows also how to enable SSH access to the device, how to
restrict access to a management network etc.


Configuring site-to-site IPSEC VPN on ASA using IKEv2
Written By Harris Andrea

The scenario of configuring site-to-site VPN between two Cisco Adaptive Security Appliances is often used by companies that have more than one geographical location sharing the same resources, documents, servers, etc. The Cisco ASA is often used as VPN terminator, supporting a variety of VPN types and protocols.

In this tutorial, we are going to configure a site-to-site VPN using IKEv2. IKEv2 is the new standard for configuring IPSEC VPNs. Although the legacy IKEv1 is widely used in real world networks, it’s good to know how to configure IKEv2 as well, since this is usually required in high-security VPN networks (for compliance purposes).

As described in the topology scenario below, a VPN tunnel will be created between ASA1 and ASA2, connecting the two company sites, HQ and Branch1.

Behind each security appliance there is a private LAN network. After configuring the VPN tunnel, the private LAN networks in HQ and Branch1 (two geographically dispersed locations) will be able to communicate over the internet and share resources.

We will refer to the diagram below for this configuration tutorial.


We will start by configuring IP addressing. On ASA1 and ASA2, we will
configure the inside interfaces as connected to LAN and the outside
interfaces facing the VPN tunnel. In real world networks, the outside
interfaces will be on a different subnet and use public IP addressing. Here
we will use 10.10.10.0/24 for the outside network just for making things
easier.

ASA1

ASA1(config)# interface GigabitEthernet0
ASA1(config-if)# nameif inside
INFO: Security level for “inside” set to 100 by default.
ASA1(config-if)# ip address 192.168.1.2 255.255.255.0
ASA1(config-if)# no shutdown

ASA1(config-if)# interface GigabitEthernet1
ASA1(config-if)# nameif outside
INFO: Security level for “outside” set to 0 by default.
ASA1(config-if)# ip address 10.10.10.1 255.255.255.0
ASA1(config-if)# no shutdown

ASA1# show interfaces ip brief

Interface         IP-Address    OK? Method Status Protocol
GigabitEthernet0  192.168.1.2   YES manual up     up
GigabitEthernet1  10.10.10.1    YES manual up     up

ASA2

ASA2(config)# interface GigabitEthernet0
ASA2(config-if)# nameif inside
INFO: Security level for “inside” set to 100 by default.
ASA2(config-if)# ip address 192.168.2.2 255.255.255.0
ASA2(config-if)# no shutdown

ASA2(config-if)# interface GigabitEthernet1
ASA2(config-if)# nameif outside
INFO: Security level for “outside” set to 0 by default.
ASA2(config-if)# ip address 10.10.10.2 255.255.255.0
ASA2(config-if)# no shutdown

ASA2# show interfaces ip brief

Interface         IP-Address    OK? Method Status Protocol
GigabitEthernet0  192.168.2.2   YES manual up     up
GigabitEthernet1  10.10.10.2    YES manual up     up


Next, we will configure the ISAKMP policies with IKEv2. We will first use
the crypto ikev2 policy command to enter IKEv2 policy configuration mode,
where we will configure the IKEv2 parameters.

In this scenario, we used 3DES encryption with Diffie-Hellman group 2, hash function SHA-1 and an encryption key lifetime of 43200 seconds (12 hours).

ASA1

ASA1(config)# crypto ikev2 policy 1
ASA1(config-ikev2-policy)# group 2
ASA1(config-ikev2-policy)# encryption 3des
ASA1(config-ikev2-policy)# prf sha
ASA1(config-ikev2-policy)# lifetime seconds 43200

Finally, after the parameters have been set, we will enable IKEv2 on the outside interface.

ASA1(config-ikev2-policy)# crypto ikev2 enable outside

ASA2

ASA2(config)# crypto ikev2 policy 1
ASA2(config-ikev2-policy)# group 2
ASA2(config-ikev2-policy)# encryption 3des
ASA2(config-ikev2-policy)# prf sha
ASA2(config-ikev2-policy)# lifetime seconds 43200
ASA2(config-ikev2-policy)# crypto ikev2 enable outside

Next, we will configure the IKEv2 proposal. As opposed to IKEv1, where we configured a transform set that combines the encryption and authentication method, with IKEv2 we can configure multiple encryption and authentication types, and multiple integrity algorithms, for a single policy.

For this scenario, we will first enter ipsec proposal configuration mode and
there set the parameters.

ASA1

ASA1(config)# crypto ipsec ikev2 ipsec-proposal P1
ASA1(config-ipsec-proposal)# protocol esp encryption 3des aes des
ASA1(config-ipsec-proposal)# protocol esp integrity sha-1

ASA2

The same configuration is applied to ASA2.

ASA2(config)# crypto ipsec ikev2 ipsec-proposal P1
ASA2(config-ipsec-proposal)# protocol esp encryption 3des aes des
ASA2(config-ipsec-proposal)# protocol esp integrity sha-1

Next we need to identify the VPN interesting traffic with an access list.

ASA1(config)# access-list ACL1 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

The mirror ACL should be configured on ASA2.

ASA2(config)# access-list ACL2 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

The next step is to define a tunnel group. There are two default tunnel groups in the ASA: DefaultRAGroup is the default IPsec remote-access tunnel group and DefaultL2Lgroup is the default IPsec LAN-to-LAN tunnel group.

To establish a LAN-to-LAN connection, two attributes must be set:

– Connection type – IPsec LAN-to-LAN.

– Authentication method for the IP – in this scenario we will use a preshared key for IKEv2.

The name of the tunnel is the IP address of the peer. IKEv2 preshared key
is configured as 32fjsk0392fg.

NOTE: For IKEv2 you can have asymmetric pre-shared keys: you can configure a different local and a different remote pre-shared key. If you want a configuration similar to the legacy IKEv1 technology, you need to have the same local and remote pre-shared keys (as we do in our example below).


ASA1

ASA1(config)# tunnel-group 10.10.10.2 type ipsec-l2l
ASA1(config)# tunnel-group 10.10.10.2 ipsec-attributes
ASA1(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key 32fjsk0392fg
ASA1(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key 32fjsk0392fg

ASA2

ASA2(config)# tunnel-group 10.10.10.1 type ipsec-l2l
ASA2(config)# tunnel-group 10.10.10.1 ipsec-attributes
ASA2(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key 32fjsk0392fg
ASA2(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key 32fjsk0392fg

Finally, we will create a crypto map linking the access list, the peer and the IKEv2 proposal. We will apply this crypto map to the ASA outside interface.

ASA1

ASA1(config)# crypto map cmap 1 match address ACL1
ASA1(config)# crypto map cmap 1 set peer 10.10.10.2
ASA1(config)# crypto map cmap 1 set ikev2 ipsec-proposal P1
ASA1(config)# crypto map cmap interface outside

ASA2

Similar configuration will be applied to ASA2:

ASA2(config)# crypto map cmap 1 match address ACL2
ASA2(config)# crypto map cmap 1 set peer 10.10.10.1
ASA2(config)# crypto map cmap 1 set ikev2 ipsec-proposal P1
ASA2(config)# crypto map cmap interface outside

The above concludes the actual IPSEC LAN-to-LAN configuration. In real world scenarios, the two ASA devices would be connected to the Internet and access from internal users towards the Internet must be provided as well (in addition to the LAN-to-LAN traffic).

This requirement (i.e internet access for users in each site) necessitates
the configuration of NAT rules in order to translate the internal private IP
addresses to a public IP. Let’s configure this new requirement below:

Internet Access and NAT Exclusion for VPN traffic

IPSEC VPN traffic must not be NATed: if the firewall translated the packets from the local LAN before they reached the crypto map, they would no longer match the interesting-traffic ACL and would never enter the tunnel. Therefore, in addition to configuring Internet access (using NAT overload in our example here), we must also configure NAT exclusion for the VPN traffic:

1) Configure NAT Overload (PAT) for Internet Access

ASA1

object network HQ
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network Branch1
 subnet 192.168.2.0 255.255.255.0

ASA2

object network Branch1
 subnet 192.168.2.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network HQ
 subnet 192.168.1.0 255.255.255.0

2) Configure NAT Exclusion for VPN Traffic

ASA1

nat (inside,outside) source static HQ HQ destination static Branch1 Branch1 no-proxy-arp route-lookup

ASA2

nat (inside,outside) source static Branch1 Branch1 destination static HQ HQ no-proxy-arp route-lookup
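An added example, not part of the tutorial, that re-checks the finished ASA1/ASA2 configuration above for the mirror-image consistency the text relies on (tunnel-group names equal to the peer's outside IP, matching pre-shared keys, identical IKEv2 policy and proposal, mirrored crypto ACLs); parse_asa and check_pair are names chosen here:

```python
# Added example (not Cisco's or the author's code): parse the ASA1 and ASA2
# CLI snippets from the tutorial above and check that the two LAN-to-LAN peers
# mirror each other (tunnel-group/peer addresses, pre-shared keys, IKEv2 policy,
# IPsec proposal, crypto ACLs). Inputs are the tutorial's commands as strings.
import re

PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*")  # strips a pasted 'ASA1(config-if)# '
ASA1 = """
ASA1(config-if)# nameif outside
ASA1(config-if)# ip address 10.10.10.1 255.255.255.0
ASA1(config)# crypto ikev2 policy 1
ASA1(config-ikev2-policy)# group 2
ASA1(config-ikev2-policy)# encryption 3des
ASA1(config-ikev2-policy)# prf sha
ASA1(config-ikev2-policy)# crypto ikev2 enable outside
ASA1(config)# crypto ipsec ikev2 ipsec-proposal P1
ASA1(config-ipsec-proposal)# protocol esp encryption 3des aes des
ASA1(config-ipsec-proposal)# protocol esp integrity sha-1
ASA1(config)# access-list ACL1 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ASA1(config)# tunnel-group 10.10.10.2 type ipsec-l2l
ASA1(config)# tunnel-group 10.10.10.2 ipsec-attributes
ASA1(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key 32fjsk0392fg
ASA1(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key 32fjsk0392fg
ASA1(config)# crypto map cmap 1 match address ACL1
ASA1(config)# crypto map cmap 1 set peer 10.10.10.2
ASA1(config)# crypto map cmap 1 set ikev2 ipsec-proposal P1
ASA1(config)# crypto map cmap interface outside
"""
ASA2 = """
ASA2(config-if)# nameif outside
ASA2(config-if)# ip address 10.10.10.2 255.255.255.0
ASA2(config)# crypto ikev2 policy 1
ASA2(config-ikev2-policy)# group 2
ASA2(config-ikev2-policy)# encryption 3des
ASA2(config-ikev2-policy)# prf sha
ASA2(config-ikev2-policy)# crypto ikev2 enable outside
ASA2(config)# crypto ipsec ikev2 ipsec-proposal P1
ASA2(config-ipsec-proposal)# protocol esp encryption 3des aes des
ASA2(config-ipsec-proposal)# protocol esp integrity sha-1
ASA2(config)# access-list ACL2 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
ASA2(config)# tunnel-group 10.10.10.1 type ipsec-l2l
ASA2(config)# tunnel-group 10.10.10.1 ipsec-attributes
ASA2(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key 32fjsk0392fg
ASA2(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key 32fjsk0392fg
ASA2(config)# crypto map cmap 1 match address ACL2
ASA2(config)# crypto map cmap 1 set peer 10.10.10.1
ASA2(config)# crypto map cmap 1 set ikev2 ipsec-proposal P1
ASA2(config)# crypto map cmap interface outside
"""

def parse_asa(text):
    """Pull the VPN-relevant settings out of pasted ASA configuration-mode lines."""
    cfg = {"outside": None, "acls": {}, "ikev2": {}, "proposal": {}, "tg": {}, "cmap": {}}
    section = nameif = None
    for w in filter(None, (PROMPT.sub("", ln.strip()).split() for ln in text.splitlines())):
        if w[0] == "nameif":
            nameif = w[1]
        elif w[:2] == ["ip", "address"]:
            if nameif == "outside":
                cfg["outside"] = w[2]
        elif w[:3] == ["crypto", "ikev2", "policy"]:
            section = cfg["ikev2"]  # 'crypto ikev2 enable <if>' is recorded here too
        elif w[:4] == ["crypto", "ipsec", "ikev2", "ipsec-proposal"]:
            section = cfg["proposal"].setdefault(w[4], {})
        elif w[0] == "tunnel-group":
            section = cfg["tg"].setdefault(w[1], {})
            if w[2] == "type":
                section["type"] = w[3]
        elif w[0] == "access-list" and w[2:5] == ["extended", "permit", "ip"]:
            cfg["acls"].setdefault(w[1], set()).add(tuple(w[5:9]))
        elif w[:2] == ["crypto", "map"]:
            cfg["cmap"]["interface" if w[3] == "interface" else " ".join(w[4:-1])] = w[-1]
        elif w[0] == "protocol" and section is not None:
            section[" ".join(w[:3])] = frozenset(w[3:])  # cipher order is irrelevant
        elif section is not None:
            section[" ".join(w[:-1])] = w[-1]
    return cfg

PSK_LOCAL, PSK_REMOTE = "ikev2 local-authentication pre-shared-key", "ikev2 remote-authentication pre-shared-key"

def check_pair(a, b):
    """Return mismatches between two LAN-to-LAN peers; an empty list means they agree."""
    problems = []
    for name, me, peer in (("ASA1", a, b), ("ASA2", b, a)):
        if me["tg"].get(peer["outside"], {}).get("type") != "ipsec-l2l":
            problems.append(f"{name}: no ipsec-l2l tunnel-group named {peer['outside']}")
        if me["cmap"].get("set peer") != peer["outside"] or me["cmap"].get("interface") != "outside":
            problems.append(f"{name}: crypto map must peer with {peer['outside']} on outside")
    ta, tb = a["tg"].get(b["outside"], {}), b["tg"].get(a["outside"], {})
    if ta.get(PSK_LOCAL) != tb.get(PSK_REMOTE) or ta.get(PSK_REMOTE) != tb.get(PSK_LOCAL):
        problems.append("pre-shared keys do not match across the two peers")  # local <-> remote
    for key in ("ikev2", "proposal"):
        if a[key] != b[key]:
            problems.append(f"{key} parameters differ between peers")
    acl_a = a["acls"].get(a["cmap"].get("match address"), set())
    acl_b = b["acls"].get(b["cmap"].get("match address"), set())
    if {(d, dm, s, sm) for s, sm, d, dm in acl_a} != acl_b:
        problems.append("crypto ACLs are not mirror images of each other")
    return problems
```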

Cisco ASA IKEv1 and IKEv2 Support for IPSEC
Written By Harris Andrea

IETF proposed an updated Internet Key Exchange (IKE) protocol, called IKEv2, which is used to simplify and improve the legacy IKE protocol (IKEv1).

Cisco ASA introduced support for IPSEC IKEv2 in software version 8.4(1) and later. In this ASA version, IKEv2 was added to support IPsec IKEv2 connections for AnyConnect and LAN-to-LAN VPN implementations.

Of course, legacy IKEv1 is still supported and is widely used in almost all VPN configurations up to now.

In this article I will show the differences between the commands used in ASA versions prior to 8.4(1) and the commands used in versions 8.4(1) and later.

ASA version prior to 8.4(1)

Let’s start with a basic IPSEC Lan-to-Lan VPN configuration for ASA
versions prior to 8.4(1). Note that the following are just a part of the
commands required for successful Lan-to-Lan VPN.

The following are the commands which have some differences with the
commands used in version 8.4(1) and later.

crypto ipsec transform-set espSHA3DESproto esp-3des esp-sha-hmac

crypto map IPSEC 10 match address VPN-TO-REMOTE
crypto map IPSEC 10 set pfs
crypto map IPSEC 10 set peer 100.100.100.2
crypto map IPSEC 10 set transform-set espSHA3DESproto
crypto map IPSEC interface outside

crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

tunnel-group 100.100.100.2 type ipsec-l2l
tunnel-group 100.100.100.2 ipsec-attributes
 pre-shared-key *****

ASA version 8.4(1) and later


Now let’s see how the IPSEC LAN-to-LAN VPN commands have changed in ASA version 8.4(1) and later. The changed commands are the ones that now carry the ikev1 keyword:

crypto ipsec ikev1 transform-set espSHA3DESproto esp-3des esp-sha-hmac

crypto map IPSEC 10 match address VPN-TO-REMOTE
crypto map IPSEC 10 set pfs
crypto map IPSEC 10 set peer 100.100.100.2
crypto map IPSEC 10 set ikev1 transform-set espSHA3DESproto
crypto map IPSEC interface outside

crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

tunnel-group 100.100.100.2 type ipsec-l2l
tunnel-group 100.100.100.2 ipsec-attributes
 ikev1 pre-shared-key *****

The table below shows a side by side comparison of commands for even older ASA versions. The leftmost column shows commands for ASA versions lower than 7.2(1). The middle column shows the commands in versions higher than 7.2(1) and lower than 8.4(1). The right column shows the commands from 8.4(1) and higher.

Table with Cisco ASA versions and command differences regarding Site-to-
Site IPSEC VPN commands:

ASA version < 7.2(1)                  7.2(1) < ASA version < 8.4(1)         ASA version > 8.4(1)
isakmp policy [policy #]              crypto isakmp policy [policy #]       crypto ikev1 policy [policy #]
isakmp enable [interface-name]        crypto isakmp enable [interface-name] crypto ikev1 enable [interface-name]
isakmp identity address               crypto isakmp identity address        crypto isakmp identity address
crypto ipsec transform-set            crypto ipsec transform-set            crypto ipsec ikev1 transform-set
tunnel-group name ipsec-attributes    tunnel-group name ipsec-attributes    tunnel-group name ipsec-attributes
pre-shared-key xxxxxxx                pre-shared-key xxxxxxx                ikev1 pre-shared-key xxxxxxx
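An added example (not from the article) that applies the table's column-to-column mapping mechanically, converting the older commands shown above into the 8.4(1)+ syntax; RULES, modernize and changed_lines are names chosen here, and the rules cover both the pre-7.2(1) and the 7.2(1)-8.4(1) forms while leaving unchanged commands such as crypto isakmp identity address alone:

```python
# Added example (not Cisco's or the author's code): rewrite the pre-8.4(1)
# site-to-site commands shown above into the 8.4(1)+ syntax from the table,
# leaving lines such as 'crypto isakmp identity address' untouched.
import re

# (pattern, replacement) pairs, anchored at the start of the command so an
# already converted line (e.g. 'ikev1 pre-shared-key') is not rewritten twice.
RULES = [
    (r"^(crypto )?isakmp policy\b", "crypto ikev1 policy"),
    (r"^(crypto )?isakmp enable\b", "crypto ikev1 enable"),
    (r"^isakmp identity\b", "crypto isakmp identity"),            # < 7.2(1) form only
    (r"^crypto ipsec transform-set\b", "crypto ipsec ikev1 transform-set"),
    (r"^(crypto map \S+ \d+ set) transform-set\b", r"\1 ikev1 transform-set"),
    (r"^pre-shared-key\b", "ikev1 pre-shared-key"),
]

# Constructed input: the pre-8.4(1) commands from the article.
OLD = """\
crypto ipsec transform-set espSHA3DESproto esp-3des esp-sha-hmac
crypto map IPSEC 10 match address VPN-TO-REMOTE
crypto map IPSEC 10 set pfs
crypto map IPSEC 10 set peer 100.100.100.2
crypto map IPSEC 10 set transform-set espSHA3DESproto
crypto map IPSEC interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 100.100.100.2 type ipsec-l2l
tunnel-group 100.100.100.2 ipsec-attributes
 pre-shared-key *****
"""

# The article's 8.4(1)+ version of the same commands, used as the expected result.
NEW = """\
crypto ipsec ikev1 transform-set espSHA3DESproto esp-3des esp-sha-hmac
crypto map IPSEC 10 match address VPN-TO-REMOTE
crypto map IPSEC 10 set pfs
crypto map IPSEC 10 set peer 100.100.100.2
crypto map IPSEC 10 set ikev1 transform-set espSHA3DESproto
crypto map IPSEC interface outside
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 100.100.100.2 type ipsec-l2l
tunnel-group 100.100.100.2 ipsec-attributes
 ikev1 pre-shared-key *****
"""


def modernize_line(line):
    """Return the 8.4(1)+ form of one command, preserving leading indentation."""
    indent = line[: len(line) - len(line.lstrip())]
    body = line.strip()
    for pattern, repl in RULES:
        new, n = re.subn(pattern, repl, body)
        if n:
            return indent + new
    return line


def modernize(config):
    """Convert a whole configuration snippet, line by line."""
    return "\n".join(modernize_line(ln) for ln in config.splitlines())


def changed_lines(config):
    """List (old, new) for every line the conversion rewrote: the 'marked' commands."""
    return [(ln, modernize_line(ln)) for ln in config.splitlines() if modernize_line(ln) != ln]
```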

Traffic Rate and Bandwidth Limiting on Cisco ASA Firewall
Written By Harris Andrea

With the new modular policy framework (MPF) introduced in ASA versions
7.x and 8.x, the firewall administrator is now able to apply policing and rate
limiting to traffic passing through the ASA appliance.

I got a few questions from people about how this functionality works and decided to throw in a quick example below which you can easily modify to match your needs.

Scenario 1:

We want to rate limit a local internal host when accessing a specific external public server. The local host is 192.168.1.10 and the external public server is 100.100.100.1. We need to limit the traffic to 100kbps and burst size 8000.

Configuration Snippet:

ASA(config)#access-list rate-limit-acl extended permit ip host 192.168.1.10 host 100.100.100.1

ASA(config)#class-map rate-limit
ASA(config-cmap)#match access-list rate-limit-acl

ASA(config)#policy-map limit-policy
ASA(config-pmap)#class rate-limit
ASA(config-pmap-c)#police output 100000 8000

ASA(config)#service-policy limit-policy interface outside

Scenario 2:

We need to apply a bandwidth rate limit to an internal LAN computer so that it will use a maximum of 5Mbps from our Internet line.


Assume the internal LAN host is 192.168.1.1

Configuration Snippet:

ASA(config)#access-list rate-limit-host extended permit ip host 192.168.1.1 any
ASA(config)#access-list rate-limit-host extended permit ip any host 192.168.1.1

ASA(config)#class-map rate-limit
ASA(config-cmap)#match access-list rate-limit-host

ASA(config)#policy-map limit-policy
ASA(config-pmap)#class rate-limit
ASA(config-pmap-c)#police output 5000000 8000
ASA(config-pmap-c)#police input 5000000 8000

ASA(config)#service-policy limit-policy interface inside
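
The two numbers on the police command are the conforming rate in bits per second and the burst size in bytes. The following added example (not code from the article or from Cisco) models that as a single-rate token bucket, which is an assumption standing in for the ASA's actual policer, and runs the 100kbps / 8000-byte limit of Scenario 1 against constructed packet arrivals.

```python
"""Token-bucket model of the ASA 'police' command: <rate in bits/s> <burst in bytes>.

Added example, not code from the article or from Cisco. A single-rate token bucket
is assumed as the model; the ASA's actual policer implementation may differ.
"""


class Policer:
    """One direction of 'police {input|output} <rate_bps> <burst_bytes>'."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate_bytes_per_ms = rate_bps / 8000.0  # bits per second -> bytes per millisecond
        self.burst = float(burst_bytes)
        self.tokens = self.burst  # the bucket starts full, so an idle flow may burst
        self.last_ms = 0

    def offer(self, now_ms, size_bytes):
        """Return 'conform' (forwarded) or 'exceed' (dropped) for one packet."""
        elapsed = now_ms - self.last_ms
        # Refill for the time elapsed, but never beyond the configured burst size.
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate_bytes_per_ms)
        self.last_ms = now_ms
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return "conform"
        return "exceed"


def simulate(rate_bps, burst_bytes, packets):
    """packets: (arrival_ms, size_bytes) in time order. Returns (conforming, exceeding)."""
    policer = Policer(rate_bps, burst_bytes)
    counts = {"conform": 0, "exceed": 0}
    for now_ms, size in packets:
        counts[policer.offer(now_ms, size)] += 1
    return counts["conform"], counts["exceed"]


def scenario1_burst():
    """Six 1500-byte packets at once against 'police output 100000 8000':
    the first five (7500 bytes) fit in the burst, the sixth is dropped."""
    return simulate(100000, 8000, [(0, 1500)] * 6)


def scenario1_sustained():
    """1500-byte packets every 100 ms for 10 s (120 kbps offered) against 100 kbps:
    once the burst is spent, roughly one packet in six is dropped."""
    return simulate(100000, 8000, [(k * 100, 1500) for k in range(100)])


if __name__ == "__main__":
    print("burst:", scenario1_burst())          # (5, 1)
    print("sustained:", scenario1_sustained())  # (87, 13)
```

The burst result does not depend on the rate: the same six packets against the 5Mbps policer of Scenario 2 give the same 5/1 split, because 8000 bytes is what the bucket holds in either case.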


How to Block Access to Websites with a Cisco ASA Firewall (with FQDN)
Written By Harris Andrea

In this article I will show you how to deny access to specific websites
(domain names) with a normal Cisco ASA firewall.

This works on either the older 5500 models or the new 5500-X series
devices. The only pre-requisite for the firewall is to run software version
8.4.2 and later. Also, you don’t need to have any next generation firewall
features or special licenses installed.

Although the ASA can provide a simple solution for restricting web access
to specific websites, you should know that it is NOT a replacement for a
full-featured URL filtering solution.

There are a few methods to block access to websites. These methods
include regular expressions (regex) together with Modular Policy
Framework (MPF), finding the IP address of the website and blocking with
ACL, and using FQDN in an ACL.

The first method (regex with MPF) works well with HTTP websites but it will
not work at all if the website uses HTTPS.

The second method (blocking the IP with ACL) works only for simple
websites which have a static IP; it will not work well for dynamic
websites (such as Facebook, Twitter etc) which have many different IP
addresses that change all the time.


The third method (using FQDN in an ACL) is the one which we will describe
here.

From ASA version 8.4(2) and later, Access Control Lists (ACL) can contain
an object which represents a Fully Qualified Domain Name (FQDN).

So, inside an ACL you can allow or deny access to hosts using their FQDN
name instead of their IP address. You can therefore deny access to
website www.facebook.com by denying access to FQDN object
“www.facebook.com” inside the ACL.

The ASA will need to resolve all possible IP addresses of the FQDN and
will dynamically insert several “deny IP” entries for these IP addresses in
the ACL. Therefore you must specify what DNS server the ASA can use in
order to resolve IP addresses for the FQDNs.

The method above does not slow down the firewall since the device will do
the DNS lookup for the website you want to block beforehand and store all
resolved IP addresses of the website in memory.

Depending on the TTL of the DNS lookup, the firewall will keep doing DNS
requests for the specific domain name (every few hours for example) and
update the resolved IPs in memory.


In our example network below, we want to restrict access
to www.website.com which resolves to IP address 2.2.2.2. The ASA will
use the internal DNS server (or any other DNS) to resolve the IP and put a
“deny IP” entry in the inbound ACL applied on the “inside” interface.

Let’s now see the required configuration on the ASA to achieve the above
scenario:

domain-name mycompany.com

interface GigabitEthernet0
nameif outside
security-level 0
ip address 20.20.20.2 255.255.255.0

interface GigabitEthernet1
nameif inside
security-level 100
ip address 192.168.1.1

![other interface commands omitted]

!Specify which DNS server to use for resolving FQDN domains.
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.1.20
 domain-name mycompany.com

!Create FQDN objects for the website we want to block. Block both the
!www and non-www domains
object network obj-www.website.com
 fqdn www.website.com

object network obj-website.com
 fqdn website.com

!Add the FQDN objects above to an ACL applied inbound to the inside interface
access-list INSIDE-IN extended deny ip any object obj-www.website.com
access-list INSIDE-IN extended deny ip any object obj-website.com
access-list INSIDE-IN extended permit ip any any

!Apply the ACL above to the inside interface
access-group INSIDE-IN in interface inside

![other commands omitted]
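
To make the expansion described above concrete, here is an added example (not code from the article or from Cisco) that models how the ASA turns the two FQDN objects of INSIDE-IN into IP entries and re-resolves them when the TTL runs out; the DNS answers and TTLs are constructed stand-ins for the name-server configured in dns server-group.

```python
"""Model of how the ASA expands FQDN network objects into IP-based ACL entries.

Added example, not code from the article or from Cisco. DNS_ANSWERS is a
constructed stand-in for the name-server in 'dns server-group'.
"""

# Constructed DNS data: fqdn -> (A records, TTL in seconds)
DNS_ANSWERS = {
    "www.website.com": (["2.2.2.2"], 300),
    "website.com": (["2.2.2.2", "2.2.2.3"], 3600),
}


class FqdnAcl:
    """An ACL whose entries may reference FQDN objects, expanded the way the ASA does."""

    def __init__(self, resolver):
        self.resolver = resolver
        self.entries = []  # (action, target) in configured order; target is an FQDN or "any"
        self.cache = {}    # fqdn -> (resolved IPs, time the cached answer expires)

    def add(self, action, target):
        """access-list <name> extended <action> ip any object obj-<target>"""
        self.entries.append((action, target))

    def refresh(self, now):
        """Re-resolve every FQDN whose cached answer has reached its TTL."""
        for _, target in self.entries:
            if target == "any":
                continue
            _, expires = self.cache.get(target, ([], 0))
            if now >= expires:
                ips, ttl = self.resolver.get(target, ([], 0))
                self.cache[target] = (list(ips), now + ttl)

    def expanded(self, now):
        """The IP-level ACEs the ASA actually evaluates at time 'now'."""
        self.refresh(now)
        aces = []
        for action, target in self.entries:
            if target == "any":
                aces.append((action, "any"))
            else:
                aces.extend((action, ip) for ip in self.cache[target][0])
        return aces

    def lookup(self, dst_ip, now):
        """First-match evaluation with the implicit deny at the end."""
        for action, target in self.expanded(now):
            if target in ("any", dst_ip):
                return action
        return "deny"


def build_inside_in(resolver=DNS_ANSWERS):
    """The article's INSIDE-IN ACL: deny both FQDN objects, then permit everything else."""
    acl = FqdnAcl(resolver)
    acl.add("deny", "www.website.com")
    acl.add("deny", "website.com")
    acl.add("permit", "any")
    return acl


def ttl_refresh_demo():
    """A site that moves to a new address stays reachable until the ASA re-resolves it."""
    resolver = dict(DNS_ANSWERS)  # private copy so the module data stays intact
    acl = build_inside_in(resolver)
    before = (acl.lookup("2.2.2.2", now=0), acl.lookup("8.8.8.8", now=0))
    resolver["www.website.com"] = (["2.2.2.9"], 300)  # the blocked site changed its A record
    during_ttl = acl.lookup("2.2.2.9", now=100)  # old answer still cached: traffic permitted
    after_ttl = acl.lookup("2.2.2.9", now=300)   # TTL reached, re-resolved: now denied
    return before + (during_ttl, after_ttl)


if __name__ == "__main__":
    print(build_inside_in().expanded(now=0))
    print(ttl_refresh_demo())  # ('deny', 'permit', 'permit', 'deny')
```

The refresh window is the practical limit of this method: between two lookups the ACL only knows the addresses the ASA itself resolved last time.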


DNS Doctoring – Access Internal WebSite using its public URL
Written By Harris Andrea

In this post we will discuss DNS Doctoring on Cisco ASA firewalls. This is a
useful feature and although it’s very simple to configure, not many people
know about it.

DNS Doctoring is helpful in the following situation: Assume you have a
Web Server connected to a DMZ zone on a Cisco ASA firewall which hosts
the Website of your company. Suppose that the public URL of this Website
is www.mywebsite.com, which is used by external Internet users to access
the website. However, when internal company users (located on the
“inside” network of the ASA firewall) try to access this website using its
public URL domain, the ASA blocks the connection.

Let’s discuss the scenario above in more detail and explain how DNS
Doctoring can help internal users to access the DMZ website using its
public URL domain.

Scenario without DNS Doctoring


The network diagram above shows a simple network protected by a Cisco
ASA firewall, with 3 security zones (Inside Zone, DMZ Zone and Outside
Zone).

The website www.mywebsite.com is hosted on a webserver connected to the
DMZ zone and has private IP address 10.1.1.10.

In order to expose this webserver to the public Internet, we must configure
a static NAT entry on the Cisco ASA which will map the private IP of the
webserver (10.1.1.10) to a public IP address (50.1.1.10).

So we have: Static NAT on ASA maps 10.1.1.10 to 50.1.1.10


Therefore, the webserver (and hence the Website) is visible on the Internet
as 50.1.1.10. This means that the public DNS server (usually the DNS of
your ISP) will have an entry for domain www.mywebsite.com pointing to its
public IP 50.1.1.10.

Accessing the website from Internal LAN

Now, what happens when a user connected to the Internal LAN tries to
access the company’s website using its official domain name URL?

As shown on the diagram above, at Step 1 the client will perform a DNS
Request to the public DNS server in order to resolve the IP address of
domain www.mycompany.com.


At Step 2, the DNS Server will respond with the public IP of the website
(50.1.1.10).

At Step 3, the client will send an HTTP GET request to IP 50.1.1.10 trying
to access the website. However, the ASA will block this network connection
because the client is connected to the Internal LAN and can only access
the private IP of the webserver (10.1.1.10) and not the public (the ASA
does not allow packet redirection on the same interface).

A possible solution to this would be to configure an internal DNS server and
create a zone entry which will resolve the website URL to its private IP
instead of its public IP. This is not an efficient solution though, as it
requires installing and configuring an internal DNS server.

A better solution is offered by DNS Doctoring on the ASA firewall.

Scenario with DNS Doctoring on ASA


With DNS Doctoring, the ASA firewall intercepts the DNS Response from
the public DNS server and changes the IP address of the DNS response to
be the “Real” (private) IP of the webserver instead of the public IP, and
then forwards this to the client. Therefore, the client now trying to
access www.mycompany.com will receive a DNS response of
IP 10.1.1.10 and not 50.1.1.10 for the URL (which was the case without
DNS Doctoring). The ASA performs the DNS Doctoring interception only if
it has a static NAT translation entry in its NAT table.

The diagram below shows the behavior of DNS Doctoring on ASA.


At Step 1 the client will perform a DNS Request to the public DNS server
for the website www.mycompany.com.

At Step 2, the DNS Server will respond with the public IP of the website
(50.1.1.10). However, the ASA will inspect the DNS Response and check
its NAT table to see if it has an entry for this specific IP address. If it does,
it will re-write the response with the “real” (private) IP address (10.1.1.10)
before sending it to the client.


At Step 3, the client will receive a DNS Response of 10.1.1.10 and
therefore will send an HTTP GET request to IP 10.1.1.10 trying to access
the website. This communication will work fine and the client will be able to
access the DMZ webserver.

Configuration of DNS Doctoring on ASA


Let’s now see how to configure DNS Doctoring on Cisco ASA Firewall.
Only the relevant configuration of static NAT, ACL, and DNS Doctoring
specific to our scenario above is shown:

! ACL to allow access to webserver from Internet
access-list OUTSIDE extended permit tcp any host 10.1.1.10 eq www
access-group OUTSIDE in interface outside

! Dynamic NAT (PAT) to allow access of Internal LAN to Internet
object network obj-192.168.1.0
 network 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface

! Static NAT to map webserver's private IP to public IP
object network webserver
 ! 10.1.1.10 is the private IP of the webserver
 host 10.1.1.10
 ! the "dns" keyword enables DNS Doctoring on this NAT entry
 nat (dmz,outside) static 50.1.1.10 dns

! The following DNS inspection configuration is usually enabled by default
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map

Basically, the whole DNS Doctoring functionality is enabled with just a
single keyword. The keyword “dns” on the Static NAT entry (which maps
the private IP of the webserver to its public IP) enables DNS Doctoring on
the specific NAT entry.
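
An added example, not code from the article or from Cisco, of the rewrite step itself: it builds a constructed DNS reply for www.mycompany.com, walks the answer section and replaces any A record whose address is the mapped IP of a NAT entry carrying the dns keyword with the real IP, leaving other answers untouched. NAT_TABLE is a constructed stand-in for the ASA's NAT table.

```python
"""Model of DNS Doctoring: rewrite A records in a DNS reply whose address is the
mapped (public) IP of a static NAT entry configured with the 'dns' keyword.

Added example, not code from the article or from Cisco. NAT_TABLE and the reply
produced by build_reply() are constructed for the demonstration.
"""
import socket
import struct

# Constructed NAT table: mapped (public) IP -> (real IP, 'dns' keyword present)
NAT_TABLE = {
    "50.1.1.10": ("10.1.1.10", True),   # nat (dmz,outside) static 50.1.1.10 dns
    "50.1.1.20": ("10.1.1.20", False),  # a static NAT without 'dns' is left alone
}

def build_reply(qname, answer_ips, txid=0x1234):
    """Minimal DNS response: one A question plus one A answer per IP (constructed)."""
    def encode(name):
        return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answer_ips), 0, 0)
    question = encode(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    answers = b""
    for ip in answer_ips:
        # 0xC00C: compression pointer to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return header + question + answers

def skip_name(msg, off):
    """Offset just past a (possibly compressed) domain name that starts at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def a_record_offsets(msg):
    """Yield (rdata offset, dotted IP) for every A record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield off, socket.inet_ntoa(msg[off:off + 4])
        off += rdlen

def a_records(msg):
    return [ip for _, ip in a_record_offsets(msg)]

def doctor(msg, nat=NAT_TABLE):
    """Return (rewritten reply, [(public, real), ...]) as forwarded to the inside client."""
    out = bytearray(msg)
    changes = []
    for off, ip in a_record_offsets(msg):
        real, has_dns_keyword = nat.get(ip, (None, False))
        if has_dns_keyword:  # only NAT entries carrying 'dns' are doctored
            out[off:off + 4] = socket.inet_aton(real)
            changes.append((ip, real))
    return bytes(out), changes

def doctoring_demo():
    """Reply from the public DNS server before and after the ASA's rewrite."""
    reply = build_reply("www.mycompany.com", ["50.1.1.10", "50.1.1.20"])
    doctored, changes = doctor(reply)
    return a_records(reply), a_records(doctored), changes, len(doctored) == len(reply)

if __name__ == "__main__":
    print(doctoring_demo())
```

Because only the four rdata bytes change, the reply keeps its length and transaction ID, which is why the client accepts it as the answer to its own query.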

How to Block HTTP DDoS Attack with Cisco ASA Firewall
Written By Harris Andrea

Denial of Service attacks (DoS) are very common these days. Especially
Distributed DoS attacks (also called DDoS) can be executed quite easily by
attackers who control large BotNets.

Thousands of malware-infected computers (which comprise the so called
“BotNets”) are controlled by attackers and can be instructed to start attacks
at any target.

Websites are the most frequent targets. Bringing down a website can have a
negative effect on the image of the company owning the site, in addition to
any financial loss.

A DDoS attack can be purely “volumetric”, which means that the attacker
just sends high volume of packets as quickly as possible to flood the
bandwidth of the “pipe” connecting the website to the Internet.

Also, DDoS attacks can be “Application Resource Exhaustion” which
means that the attacking computers create thousands of application
requests (e.g HTTP Requests) to a server, thus consuming the application
resources.

A Cisco ASA Firewall can not help much in a “volumetric” DDoS attack. In
such an attack, a dedicated DDoS device is needed or your ISP must do
some kind of rate limiting to mitigate the attack.


However, for “Application Exhaustion” attacks a Cisco ASA can help to
some extent with HTTP inspection using the Modular Policy Framework
mechanism of the ASA. This is what we are going to describe in this article.

Usually, HTTP Application DDoS attacks have a pattern or string which
helps you distinguish the attacking HTTP requests from other legitimate
requests. For example, HTTP attacking packets might have a common
parameter or string, which can be for example the same “User-Agent” used
by the attacking script, a common POST or GET URI request, some other
HTTP header parameters etc.

With the ASA HTTP inspection feature you can match on this common
pattern in the HTTP packet and thus filter out the attacking packets and
drop them.

Recently I was engaged to help mitigate a DDoS attack on a webserver. I
observed from the Apache logs that the attacking HTTP requests were all
targeting the website on the same URL string, such
as http://www.website.com/xyz123.

The string “xyz123” was the common pattern for all malicious HTTP
requests. Thus with a policy on ASA you can match on the unique string
above and drop the packets that have this string in the HTTP URI.


Let's see a diagram and configuration below:

ASA Configuration:

!First create a regular expression with the unique attack string
regex attackstring xyz123

!Create an ACL to match the HTTP traffic towards the target server
access-list HTTPTRAFFIC extended permit tcp any host 1.1.1.1 eq www

!Create a regular L3/L4 class to match the traffic above
class-map attackingtraffic
 match access-list HTTPTRAFFIC

!Now create an HTTP inspection policy to match on the unique attacking string
policy-map type inspect http HTTPDOS
 parameters
 match request uri regex attackstring
  drop-connection
 match request args regex attackstring
  drop-connection

!The following policy-map will include the L3/L4 class which will include the
HTTP inspection policy
policy-map BLOCKDOS
class attackingtraffic
inspect http HTTPDOS

!Now attach the policy-map to the ASA outside interface to inspect Inbound
traffic.
service-policy BLOCKDOS interface outside

If you enable logging on the drop-connection command (use “drop-connection
log”), then you will start seeing logs that the ASA is dropping packets with
the matched attacking HTTP string.
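
The step before the ASA policy is finding the string that the flood has in common. The following added example (not code from the article) does that over constructed Apache access-log lines: it ranks request URIs by share of traffic and number of distinct client addresses, and escapes the winner for use in the ASA regex command.

```python
"""Find the URI that a flood of HTTP requests has in common in an Apache access
log: the observation step before writing the ASA 'regex' for HTTP inspection.

Added example, not code from the article. SAMPLE_LOG, its client addresses and
User-Agent strings are constructed.
"""
import re
from collections import Counter, defaultdict

# Constructed combined-format log: a flood to /xyz123 from several clients, plus normal browsing
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /xyz123 HTTP/1.1" 200 512 "-" "python-requests/2.0"
203.0.113.6 - - [10/Oct/2023:13:55:36 +0000] "GET /xyz123 HTTP/1.1" 200 512 "-" "python-requests/2.0"
198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /xyz123 HTTP/1.1" 200 512 "-" "python-requests/2.0"
203.0.113.8 - - [10/Oct/2023:13:55:37 +0000] "GET /xyz123 HTTP/1.1" 200 512 "-" "python-requests/2.0"
198.51.100.7 - - [10/Oct/2023:13:55:38 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:55:38 +0000] "GET /xyz123 HTTP/1.1" 200 512 "-" "python-requests/2.0"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /xyz123 HTTP/1.1" 200 512 "-" "python-requests/2.0"
198.51.100.8 - - [10/Oct/2023:13:55:39 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.6 - - [10/Oct/2023:13:55:39 +0000] "GET /xyz123 HTTP/1.1" 200 512 "-" "python-requests/2.0"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /xyz123 HTTP/1.1" 200 512 "-" "python-requests/2.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def parse(lines):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def flood_candidates(records, min_share=0.5, min_sources=3):
    """URIs taking at least min_share of all requests from at least min_sources clients."""
    by_uri = defaultdict(list)
    for r in records:
        by_uri[r["uri"]].append(r)
    found = []
    for uri, hits in by_uri.items():
        sources = {r["ip"] for r in hits}
        share = len(hits) / len(records)
        if share >= min_share and len(sources) >= min_sources:
            top_ua = Counter(r["ua"] for r in hits).most_common(1)[0][0]
            found.append({"uri": uri, "requests": len(hits), "sources": len(sources),
                          "share": round(share, 2), "top_ua": top_ua})
    return sorted(found, key=lambda c: -c["requests"])


def asa_regex_literal(uri):
    """Escape the path so ASA regex metacharacters in it match literally in 'regex <name> <string>'."""
    return re.sub(r"([.*+?()\[\]{}|^$\\])", r"\\\1", uri.lstrip("/"))


def triage_sample():
    """Run the triage over SAMPLE_LOG and return the ranked candidates."""
    return flood_candidates(parse(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for c in triage_sample():
        print(c)
        print("regex attackstring", asa_regex_literal(c["uri"]))
```

The top_ua field is worth checking against the flood's share: when one User-Agent accounts for nearly all hits on the URI it is a second candidate for the regex, which matters if the attacking script later rotates the path.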

Password Recovery for the Cisco ASA 5500 Firewall (5505,5510,5520 etc)
Written By Harris Andrea

If you have lost the administrator password to access the security
appliance you can recover the ASA password with the following steps:

Recovering your Password on Cisco ASA

Step 1: Connect to the firewall using a console cable

Step 2: Power cycle the appliance (power off and then on)

Step 3: Press the Escape key to enter ROMMON mode

Step 4: Use the confreg command to change the configuration register to 0x41

rommon #1> confreg 0x41

Step 5: Configure the security appliance to ignore the startup configuration.

rommon #2> confreg

The ASA firewall will display the current configuration register value and
boot parameters and ask you if you want to change them

Current Configuration Register: 0x00000041

Configuration Summary:

boot default image from Flash

ignore system configuration

Do you wish to change this configuration? y/n [n]: y

Step 6: At the prompt enter Y to change the parameters.

Step 7: Accept the default values for all settings (at the prompt enter Y)


Step 8: Reload the ASA appliance by entering the following command

rommon #3> boot

The firewall will reboot and load the default configuration instead of the
startup configuration.

Step 9: Enter into EXEC mode


hostname> enable
When prompted for the password, press Enter (the password is blank now).

Step 10: Access the global configuration mode and change the passwords
as required:

hostname# configure terminal
hostname(config)# password password
hostname(config)# enable password password
hostname(config)# username name password password

Step 11: Load the default configuration register value (0x1) by entering the
following command:

hostname(config)# no config-register

Step 12: Save the new passwords to the startup configuration by entering
the following command:

hostname(config)# copy running-config startup-config

The above works for all ASA 5500 models such as the 5505, 5510, 5520 etc.

Cisco ASA 5505, 5510 Base Vs Security Plus License Explained
Written By Harris Andrea



The two smallest ASA Firewall models, the 5505 and the 5510, are the only
ones that have two types of licenses.

They can be ordered either with a Base License or a Security Plus
License. Many customers of mine are always asking me what the
difference is between the two licenses (apart from the price of course), so
I thought it would be useful to summarize below the differences between
the two license types:

Quick Comparison Table (Base Vs Security Plus)

Cisco ASA 5505

Base License | Security Plus License
10,000 Maximum Firewall Connections | 25,000 Maximum Firewall Connections
10 Maximum VPN Sessions (site-to-site and remote access) | 25 Maximum VPN Sessions (site-to-site and remote access)
10 or 50 Maximum Internal Hosts | Unlimited Maximum Internal Hosts
3 Maximum VLANs (Trunking Disabled) (2 regular zones and 1 restricted zone that can only communicate with 1 other zone) | 20 Maximum VLANs (Trunking enabled) (No restrictions of traffic flow between zones)
No High Availability (failover) supported | Supports Stateless Active/Standby failover

Cisco ASA 5510

Base License | Security Plus License
50,000 Maximum Firewall Connections | 130,000 Maximum Firewall Connections
5 x 10/100 Integrated Network Interfaces | 2 x 10/100/1000 and 3 x 10/100 Integrated Network Interfaces
50 Maximum VLANs | 100 Maximum VLANs
No High Availability (failover) supported | Supports Active/Active and Active/Standby failover
No Security Contexts (Virtual Firewalls) | Supports 2 Virtual Firewalls (included) and 5 maximum
No Support for VPN Clustering and VPN Load Balancing | Supports VPN Clustering and VPN Load Balancing

Cisco ASA 5505 User License Explained


I get a lot of questions regarding the meaning of user license numbers for
the Cisco ASA 5505. This model is offered in three User License options.

- 10 users,
- 50 users and
- UL (unrestricted license).


The meaning of user license basically refers to concurrent IP addresses
that can communicate between the Internal (inside) network and the Internet
(outside) interface.

So, for 10 user license, only 10 concurrent internal hosts (IP addresses)
can access the internet. The same applies for 50 users (only 50 concurrent
IP addresses can access the Internet).

For the UL license, there is no such restriction (the Security Plus license is
also unrestricted in terms of internal hosts).

The user licensing also has an effect on the maximum number of IP
addresses that can be assigned by the DHCP server of the ASA5505 to the
internal hosts.

For a 10-user license, the max number of DHCP clients on the internal
network is 32. For 50-user license, the max number of DHCP clients is 128.

The official explanation from Cisco regarding the Cisco ASA5505 user
licensing is as follows:

“In routed mode, hosts on the inside (Business and Home VLANs) count
towards the limit only when they communicate with the outside (Internet
VLAN). Internet hosts are not counted towards the limit. Hosts that initiate
traffic between Business and Home are also not counted towards the limit.

The interface associated with the default route is considered to be the
Internet interface. If there is no default route, hosts on all interfaces are
counted toward the limit.

In transparent mode, the interface with the lowest number of hosts is
counted towards the host limit. See the show local-host command to view
host limits.”

The terms “Business” and “Home” VLANs above refer to the Internal and
DMZ network zones.

Cisco ASA 5505 Firewall License Restriction for DMZ


The Cisco ASA 5505 is a great product for small businesses (5-10
employees) or even for home network use.

However, if you need to create a DMZ zone (in addition to your Inside and
Outside zones) in order to install a publicly accessible server (e.g WEB
server, MAIL server etc), then the default basic license won’t work for you.

The basic license does not allow more than 2 security zones. You will need
to upgrade to “Security Plus” license which also enhances some other
firewall parameters (more firewall connections, more remote access VPN
sessions, trunking with 20 VLANs).

The Licensing for the ASA 5505 is as follows:

Cisco ASA 5505 10 User Firewall Edition Bundle

Includes: 10 users, 8-port Fast Ethernet switch with 2 Power over Ethernet
ports, 10 IPsec VPN peers, 2 SSL VPN peers, Triple Data Encryption
Standard/Advanced Encryption Standard (3DES/AES) license.

Cisco ASA 5505 50 User Firewall Edition Bundle

Includes: 50 users, 8-port Fast Ethernet switch with 2 Power over Ethernet
ports, 10 IPsec VPN peers, 2 SSL VPN peers, 3DES/AES license.

Cisco ASA 5505 Unlimited User Firewall Edition Bundle

Includes: Unlimited users, 8-port Fast Ethernet switch with 2 Power over
Ethernet ports, 10 IPsec VPN peers, 2 SSL VPN peers, 3DES/AES license.

Cisco ASA 5505 Security Plus Firewall Edition Bundle

Includes: Unlimited users, 8-port Fast Ethernet switch with 2 Power over
Ethernet ports, 25 IPsec VPN peers, 2 SSL VPN peers, DMZ support,
Stateless Active/Standby high availability, Dual ISP support, 3DES/AES
license.

Cisco ASA 5505 Vlans and Licensing


The eight physical network interfaces of the Cisco ASA 5505 firewall
appliance can be divided into groups that function as separate security
zone networks.

Each group is a Layer 2 Vlan. Devices in the same group (Vlan) can
communicate directly between them without passing through the security
control of the firewall.

On the other hand, devices between different Vlans can only communicate
with each other by passing the traffic through the adaptive security
appliance where relevant security policies are applied.

By default, there are two Vlans (VLAN1 and VLAN2) preconfigured on the
firewall. Port Ethernet0/0 belongs to VLAN2 and ports Ethernet0/1 to 0/7
belong to VLAN1.

For example, when a switch port on VLAN1 is communicating with a switch
port on VLAN2, the adaptive security appliance applies configured security
policies to the traffic and routes or bridges the traffic between the two
VLANs.

Usually Port Ethernet0/0 connects to the outside untrusted interface
(Internet), and ports Ethernet0/1 to 0/7 connect to the inside trusted
network zone.

The license installed on the 5505 firewall determines the number of active
VLANs allowed on the appliance as described below:

Basic ASA 5505 License VLANs:

The basic license allows only 3 active VLANs which you can use as
Inside, Outside and DMZ. However, there is a restriction here that many
people do not know about: The DMZ VLAN can access ONLY the Outside
VLAN but can not access the Inside VLAN. The other two VLANs (Inside
and Outside) can access all the other VLANs with no problems.

Security Plus ASA 5505 License VLANs:

The Security Plus license removes all limitations and allows up to 20
active VLANs to be configured. Since there are only 8 physical ports, you
can create several vlan subinterfaces on each physical port to segment
your network into different security zones (e.g Inside, Outside, DMZ1,
DMZ2, Sales, Engineering etc).

How to upgrade Cisco ASA 5500 Firewall License


To upgrade the current license of your cisco ASA firewall, you need to
order a new license key from Cisco at www.cisco.com/go/license. You will
receive a new license key in your email after a couple of hours. This license
key is a five element hexadecimal string in the form 0xffd8624e (as an
example).

To apply this new license key in your security appliance, configure the
following:

ASA5500(config)# activation-key 0xffd8624e
ASA5500(config)# exit
ASA5500# copy running startup
ASA5500# reload
