Cisco ASA General Archives

If for any reason the software image on your Cisco ASA appliance is corrupted and the device does not boot into normal operating mode, you can load a new image using ROMMON (ROM monitor mode) and TFTP. Follow the steps below to get into ROMMON mode and set the variables needed to download the new image file:

Step 1: Connect to the ASA firewall using a console cable.

Step 2: Power off the appliance and then power it on.

Step 3: When the appliance starts booting, press the Escape key when the console shows "Use BREAK or ESC to interrupt boot" to force the appliance into ROMMON mode.

Step 4: In ROMMON mode, set the variables needed to reach the TFTP server that holds the new image. Connect a PC running a TFTP server to one of the firewall ports (e.g. Ethernet0/0), then enter the following commands on the ASA, filling in the firewall's own address, the TFTP server's address and the gateway:

rommon #1> ADDRESS=
rommon #2> SERVER=
rommon #3> GATEWAY=
rommon #4> IMAGE=asa800-232-k8.bin
rommon #5> PORT=Ethernet0/0

The above configuration assigns the IP address given in ADDRESS to interface Ethernet0/0 of the firewall appliance. SERVER tells the firewall where the TFTP server is, GATEWAY is the next hop if the server is on another subnet, IMAGE names the file to load (asa800-232-k8.bin) and PORT selects the interface to use. You can review the values with the set command before continuing.

Step 5: Start the TFTP download from ROMMON using:

rommon #6> tftp

This instructs the firewall to fetch the image file from the TFTP server and boot it. Two things to keep in mind: TFTP is cleartext and unauthenticated, so run the server on a directly connected PC only for the duration of the recovery and compare the file's MD5 hash with the one published on the Cisco download page; and ROMMON loads the image into RAM only, it does not write it to flash.

After the firewall boots from the downloaded image, log in and check that the expected version is running (show version). Then copy the image into flash (copy tftp: disk0:), point the boot system command at it and save the configuration, otherwise the appliance will be back in ROMMON at the next reload.
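The TFTP server that Step 4 assumes, as an added example (it is not part of the original post and not Cisco software): a minimal read-only RFC 1350 server in Python that serves a single directory. It assumes the image file sits in the directory given on the command line, that ROMMON asks for it in octet (binary) mode, and that the PC's address is the one you put in SERVER. Because TFTP has no authentication, the directory boundary is the only access control, so the server refuses any filename that escapes its root; it also handles the end-of-transfer rule for files whose size is an exact multiple of 512 bytes and the 16-bit block-number wrap for large images.

```python
"""Minimal read-only TFTP server (RFC 1350) for serving an ASA image to ROMMON.

Added example, not part of the original post and not Cisco software.
Assumptions: the image lives in the directory passed on the command line,
the client asks for it in octet mode, and UDP port 69 on this PC is reachable
from the firewall interface named in the ROMMON PORT variable.
"""
import os
import socket
import struct
import sys

RRQ, DATA, ACK, ERROR = 1, 3, 4, 5
BLOCK_SIZE = 512          # RFC 1350 fixed block size; ROMMON does not negotiate a larger one
RETRIES = 5
TIMEOUT_SECONDS = 3.0


def parse_rrq(packet):
    """Return (filename, mode) from a read request; raise ValueError for anything else."""
    if len(packet) < 4 or struct.unpack("!H", packet[:2])[0] != RRQ:
        raise ValueError("not a read request")
    fields = packet[2:].split(b"\x00")
    if len(fields) < 3:   # filename NUL mode NUL -> two fields plus an empty tail
        raise ValueError("malformed read request")
    return fields[0].decode("ascii", "replace"), fields[1].decode("ascii", "replace").lower()


def safe_path(root, filename):
    """Resolve filename inside root; return None if it escapes root (e.g. ../../etc/passwd)."""
    root = os.path.realpath(root)
    full = os.path.realpath(os.path.join(root, filename.lstrip("/")))
    if os.path.commonpath([root, full]) != root:
        return None
    return full


def data_packets(payload):
    """Split file bytes into DATA packets.

    The receiver treats a block shorter than 512 bytes as end of transfer, so a
    file whose size is an exact multiple of 512 needs one trailing empty block.
    Block numbers are 16-bit and wrap modulo 65536 for files larger than 32 MB.
    """
    packets = []
    block = 1
    for offset in range(0, len(payload) + 1, BLOCK_SIZE):
        chunk = payload[offset:offset + BLOCK_SIZE]
        packets.append(struct.pack("!HH", DATA, block & 0xFFFF) + chunk)
        block += 1
    return packets


def error_packet(code, message):
    return struct.pack("!HH", ERROR, code) + message.encode("ascii") + b"\x00"


def send_file(payload, client):
    """Send one file from a fresh socket (the transfer ID) with stop-and-wait ACKs."""
    xfer = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    xfer.settimeout(TIMEOUT_SECONDS)
    try:
        for packet in data_packets(payload):
            expected = struct.unpack("!H", packet[2:4])[0]
            for _ in range(RETRIES):
                xfer.sendto(packet, client)
                try:
                    reply, peer = xfer.recvfrom(516)
                except socket.timeout:
                    continue   # retransmit the same block
                # Ignore stale or foreign ACKs; only the ACK for this block advances.
                if peer == client and len(reply) >= 4 and struct.unpack("!HH", reply[:4]) == (ACK, expected):
                    break
            else:
                return False   # client stopped answering
        return True
    finally:
        xfer.close()


def serve(root, bind=("0.0.0.0", 69)):
    """Answer read requests one at a time; binding to port 69 requires root privileges."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(bind)
    while True:
        request, client = listener.recvfrom(516)
        try:
            filename, mode = parse_rrq(request)
        except ValueError:
            listener.sendto(error_packet(4, "illegal TFTP operation"), client)
            continue
        path = safe_path(root, filename)
        if path is None or not os.path.isfile(path):
            listener.sendto(error_packet(1, "file not found"), client)
            continue
        if mode != "octet":   # a firmware image must be sent as raw bytes
            listener.sendto(error_packet(0, "octet mode only"), client)
            continue
        with open(path, "rb") as handle:
            payload = handle.read()
        print("%s requested %s (%d bytes)" % (client[0], filename, len(payload)))
        send_file(payload, client)


if __name__ == "__main__":
    serve(sys.argv[1] if len(sys.argv) > 1 else ".")
```

Run it as root with the image directory as its argument, then issue tftp in ROMMON. The same server serves the copy tftp disk0 step used in the software upgrade post further down this page.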

An Intrusion Detection System, as we know, can work either in inline mode (IPS) or in promiscuous mode (IDS). In inline mode all traffic passes through the sensor, so it can detect and drop attack traffic by itself. In promiscuous mode the sensor only sees a copy of the traffic (from a SPAN port or a tap), so it cannot block anything by itself and has to instruct the firewall to block the attack. This is depicted in the diagram below.

The IDS sensor in our example is connected in "parallel" (not inline) with the ASA firewall. The "Sensing Interface" of the IDS appliance is connected to the outside (Internet) network zone and continuously monitors traffic to detect attacks. The "Control Interface" of the IDS appliance is connected to the inside network zone and is used to communicate with the ASA firewall. If an attack is detected (e.g. an attacker is sending malicious traffic to a victim host behind the firewall), the IDS sensor instructs the ASA firewall, through the "Control Interface", to block the attacking source. It does this by logging in to the firewall's management interface and issuing the "shun" command. That management path deserves protection of its own: the account the sensor uses can block any address, so keep it on the dedicated control network and give it no more privilege than the shun command needs.

What is the "shun" command:

The shun command on the ASA Firewall appliance is used to block connections from an attacking host. Packets matching the values in the command are dropped and logged until the blocking function is removed manually (no shun) or by the Cisco IDS sensor. Shuns are not stored in the configuration, so they do not survive a reload; the active ones are listed with show shun.

The format of the command (entered in privileged EXEC mode) is as follows:

ASA# shun source_ip [dest_ip source_port dest_port [protocol]]

Only the source address is required. The optional destination, ports and protocol identify the connection currently in progress so that the firewall can tear it down immediately as well.

In our example scenario above, the IDS sensor instructs the firewall to shun the attacker's source address.

This blocks every new connection from the attacker, not only those to the victim, because the shun is keyed on the source address. Cisco IPS/IDS sensors have a timer with which you define how long the block stays active; when it expires, the sensor removes the shun again.
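A small added example (not part of the original post and not Cisco IPS code) of the bookkeeping the sensor does on the firewall's behalf: a table that issues shun on the first alert for a source, extends the timer on repeated alerts instead of re-issuing the command, refuses to shun addresses on a never-block list, and emits the matching no shun commands when the timer runs out. The alert values and the 300-second timer are constructed; the never-block list is there because an attacker who spoofs the source address of a host you depend on (your DNS server, the sensor's own control address) would otherwise be able to get that host blocked.

```python
"""Turn IDS alerts into ASA shun / no shun commands with a block duration.

Added example, not part of the original post and not Cisco IPS code. The alert
addresses used below are constructed; the sensor's real alert format is not modelled.
"""
import ipaddress


class ShunTable:
    """Track shunned source addresses and the time at which each block is lifted."""

    def __init__(self, block_seconds, never_block=()):
        self.block_seconds = block_seconds
        # Networks that must never be shunned (firewall interfaces, DNS servers,
        # the IDS control network). A spoofed source address in an attack could
        # otherwise trick the sensor into blocking a host you depend on.
        self.never_block = [ipaddress.ip_network(n) for n in never_block]
        self.active = {}   # source address -> time at which to issue "no shun"

    def on_alert(self, source, now):
        """Return the command to send to the ASA for one alert, or None.

        Only the source address is used: a shun drops every new connection from
        that address regardless of destination. The optional destination and
        port arguments of the command merely identify the connection in
        progress so it can be torn down, so they are not needed for the block.
        """
        src = ipaddress.ip_address(source)
        if any(src in net for net in self.never_block):
            return None
        already_blocked = src in self.active
        self.active[src] = now + self.block_seconds   # new block or extend an existing one
        return None if already_blocked else "shun %s" % src

    def expire(self, now):
        """Return the commands that lift blocks whose timer has run out."""
        due = sorted((src for src, until in self.active.items() if until <= now), key=int)
        for src in due:
            del self.active[src]
        return ["no shun %s" % src for src in due]


if __name__ == "__main__":
    # Constructed walk-through: one attacker seen twice, one spoofed internal source.
    table = ShunTable(block_seconds=300, never_block=["10.0.0.0/8"])
    for command in (table.on_alert("203.0.113.5", now=1000),
                    table.on_alert("203.0.113.5", now=1100),
                    table.on_alert("10.1.1.1", now=1100)):
        print(command)
    print(table.expire(now=1400))
```

The first alert yields shun 203.0.113.5, the repeat and the spoofed 10.1.1.1 alert yield nothing, and the block is lifted with no shun 203.0.113.5 once the extended timer (1100 + 300) has passed.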

ASA 5505,5510 Base Vs Security Plus License


The two smallest ASA Firewall models, the 5505 and the 5510, are the only ones that come in two license types. They can be ordered either with a Base License or a Security Plus License. Many of my customers ask what the difference is between the two licenses (apart from the price, of course), so I thought it would be useful to summarize the differences between the two license types below:

Cisco ASA 5505: Base License vs Security Plus License

• Maximum firewall connections: 10,000 vs 25,000
• Maximum VPN sessions (site-to-site and remote access): 10 vs 25
• Maximum VLANs: 3, trunking disabled (2 regular zones and 1 restricted zone that can only communicate with 1 other zone) vs 20, trunking enabled (no restrictions on traffic flow between zones)
• High availability (failover): not supported vs stateless Active/Standby failover

Cisco ASA 5510: Base License vs Security Plus License

• Maximum firewall connections: 50,000 vs 130,000
• Integrated network interfaces: 5 × 10/100 vs 2 × 10/100/1000 and 3 × 10/100
• Maximum VLANs: 50 vs 100
• High availability (failover): not supported vs Active/Active and Active/Standby failover
• Security contexts (virtual firewalls): not supported vs 2 included, 5 maximum
• VPN clustering and VPN load balancing: not supported vs supported

License Upgrade on Cisco ASA 5505 (or 5500)

There are several license options for the Cisco ASA 5505 firewall, listed below. Performance is the same for all of them: 150 Mbps firewall throughput and 100 Mbps IPsec VPN throughput.

• Cisco ASA 5505 10 User Firewall Edition Bundle: 10 users, 8-port Fast Ethernet switch with 2 Power over Ethernet ports, 10 IPsec VPN peers, 2 SSL VPN peers, Triple Data Encryption Standard/Advanced Encryption Standard (3DES/AES) license
• Cisco ASA 5505 10 User Firewall Edition Bundle (DES): 10 users, 8-port Fast Ethernet switch with 2 Power over Ethernet ports, 10 IPsec VPN peers, 2 SSL VPN peers, Data Encryption Standard (DES) license
• Cisco ASA 5505 50 User Firewall Edition Bundle: 50 users, 8-port Fast Ethernet switch with 2 Power over Ethernet ports, 10 IPsec VPN peers, 2 SSL VPN peers, 3DES/AES license
• Cisco ASA 5505 Unlimited User Firewall Edition Bundle: unlimited users, 8-port Fast Ethernet switch with 2 Power over Ethernet ports, 10 IPsec VPN peers, 2 SSL VPN peers, 3DES/AES license
• Cisco ASA 5505 Security Plus Firewall Edition Bundle: unlimited users, 8-port Fast Ethernet switch with 2 Power over Ethernet ports, 25 IPsec VPN peers, 2 SSL VPN peers, DMZ support, stateless Active/Standby high availability, dual ISP support, 3DES/AES license

A very common scenario for a small business is to initially order a 10 user license and then upgrade to 50 users as the company expands. You order a 10-to-50 user license upgrade through your local Cisco representative. The Cisco reseller will ask for the serial number of your ASA 5505, which you can find by executing the "show version" command; the activation key is generated for that serial number and will not work on another unit. After that, the reseller will provide you with a license key, a long hexadecimal string (e.g. e02888da 4ba7bed6 f1c123ae ffd8624e). To configure the new license key use the following commands:

Cisco-ASA(config)# activation-key Hex-activation-key
Cisco-ASA(config)# exit
Cisco-ASA# wr mem
Cisco-ASA# reload

After the firewall reboots, run the "show version" command (or "show activation-key") to verify that the license features have been upgraded. The same procedure works for the other Cisco ASA models as well.

How to upgrade the Cisco ASA 5505 software

The Cisco ASA 5500 series came out with software version 7.0, following the successful 6.x software of the older PIX firewall models. At the time of writing the latest ASA software version is 8.x, with 7.1 and 7.2 as intermediate versions. In this post I will show you how to upgrade a Cisco ASA 5505 firewall from version 7.2(3) to version 8.0(2). The same approach can be used for any appliance in the 5500 series. To download the latest ASA software you must have a valid SMARTnet agreement, which is basically a maintenance contract for your Cisco product.



Step 1:

Connect to the appliance (console or SSH) and verify the current running software version using the show ver command:

ASA5505# sh ver

Cisco Adaptive Security Appliance Software Version 7.2(3)
Device Manager Version 5.2(3)

Compiled on Wed 15-Aug-07 16:08 by builders
System image file is "disk0:/asa723-k8.bin"
Config file at boot was "startup-config"

ASA5505 up 34 mins 42 secs

Hardware: ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CNlite-MC-Boot-Cisco-1.2
SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Int: Internal-Data0/0 : address is 001e.7a86.1ea8, irq 11
1: Ext: Ethernet0/0 : address is 001e.7a86.1ea0, irq 255
2: Ext: Ethernet0/1 : address is 001e.7a86.1ea1, irq 255
3: Ext: Ethernet0/2 : address is 001e.7a86.1ea2, irq 255
4: Ext: Ethernet0/3 : address is 001e.7a86.1ea3, irq 255
5: Ext: Ethernet0/4 : address is 001e.7a86.1ea4, irq 255
6: Ext: Ethernet0/5 : address is 001e.7a86.1ea5, irq 255
7: Ext: Ethernet0/6 : address is 001e.7a86.1ea6, irq 255
8: Ext: Ethernet0/7 : address is 001e.7a86.1ea7, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255

Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 50
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0

This platform has a Base license.

From the above output you can see that we are running version 7.2(3), booted from disk0 (disk0:/asa723-k8.bin). The GUI device manager (ASDM) version is 5.2(3), and the license section shows which features the Base license enables. Now, let's upgrade to version 8.0(2).
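Reading show version by eye is fine for one firewall, but the check is worth scripting when you verify a license upgrade (previous post) or an image upgrade (this one) on several units. The following Python is an added example, not part of the original post: it parses the version, ASDM version, image path, license type and the licensed-feature table, compares versions numerically, and reports which features changed between two captures. SAMPLE_SHOW_VERSION is abridged from the output above; the modified copy used in the walk-through is constructed to show a license change.

```python
"""Parse ASA 'show version' output to confirm image version and licensed features.

Added example, not part of the original post. SAMPLE_SHOW_VERSION is abridged
from the show version output reproduced on this page; the "after" text built in
the walk-through is constructed.
"""
import re

SAMPLE_SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 7.2(3)
Device Manager Version 5.2(3)

Compiled on Wed 15-Aug-07 16:08 by builders
System image file is "disk0:/asa723-k8.bin"
Config file at boot was "startup-config"

ASA5505 up 34 mins 42 secs

Hardware: ASA5505, 256 MB RAM, CPU Geode 500 MHz

Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs                       : 3, DMZ Restricted
Inside Hosts                : 50
Failover                    : Disabled
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
VPN Peers                   : 10
WebVPN Peers                : 2
Dual ISPs                   : Disabled
VLAN Trunk Ports            : 0

This platform has a Base license.
"""

VERSION_RE = re.compile(r"Software Version (\S+)")
ASDM_RE = re.compile(r"Device Manager Version (\S+)")
IMAGE_RE = re.compile(r'System image file is "([^"]+)"')
LICENSE_RE = re.compile(r"This platform has an? (.+?) license\.")
FEATURE_RE = re.compile(r"^([A-Za-z0-9 /-]+?)\s*:\s*(.+?)\s*$")


def parse_show_version(text):
    """Return version, ASDM version, image path, license type and the feature table."""
    info = {"features": {}}
    in_features = False
    for line in text.splitlines():
        for key, regex in (("version", VERSION_RE), ("asdm", ASDM_RE),
                           ("image", IMAGE_RE), ("license", LICENSE_RE)):
            match = regex.search(line)
            if match:
                info[key] = match.group(1)
        if line.startswith("Licensed features for this platform"):
            in_features = True
            continue
        if in_features:
            if not line.strip():   # a blank line closes the feature table
                in_features = False
                continue
            match = FEATURE_RE.match(line)
            if match:
                info["features"][match.group(1).strip()] = match.group(2)
    return info


def version_tuple(version):
    """'8.0(2)' -> (8, 0, 2) so that versions compare numerically, not as strings."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def running_at_least(info, expected_version):
    """True when the running image is at least the version the upgrade should have installed."""
    return version_tuple(info.get("version", "0")) >= version_tuple(expected_version)


def changed_features(before, after):
    """Map feature name -> (old, new) for every licensed feature whose value changed."""
    names = set(before["features"]) | set(after["features"])
    return {name: (before["features"].get(name), after["features"].get(name))
            for name in sorted(names)
            if before["features"].get(name) != after["features"].get(name)}


if __name__ == "__main__":
    current = parse_show_version(SAMPLE_SHOW_VERSION)
    print(current["version"], current["image"], current["license"])
    print("8.0(2) running:", running_at_least(current, "8.0(2)"))
    # Constructed "after license upgrade" capture: only the Inside Hosts line differs.
    upgraded = parse_show_version(SAMPLE_SHOW_VERSION.replace(": 50\n", ": Unlimited\n"))
    print(changed_features(current, upgraded))
```

Capture show version before and after the change, feed both captures to parse_show_version, and the diff from changed_features is the evidence that the activation key (or the new image) did what the reseller or release note promised.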

Step 2:

Assume that a TFTP server (you can use the free tftpd32) is running on a PC on the internal network. First back up the current running software image from the firewall to the TFTP PC:

ASA5505# copy disk0 tftp

Source filename []?asa723-k8.bin
Address or name of remote host []?

Also save the current running configuration: issue the show run command and copy all configuration output from your terminal window into a text file, or send it straight to the TFTP PC with copy running-config tftp:.

Step 3:

Now it is time to upload the new software image file to the flash disk of the firewall. Assume that we have already downloaded the file asa802-k8.bin from Cisco, checked its MD5 hash against the one shown on the download page, and placed it on our TFTP PC. Once the copy below completes, confirm the hash on the firewall as well (verify /md5 disk0:/asa802-k8.bin), since TFTP provides no integrity protection of its own.

ASA5505# copy tftp disk0

Address or name of remote host []?
Source filename []? asa802-k8.bin
Destination filename [disk0]? disk0:asa802-k8.bin

Accessing tftp://…!!!!!! (truncated)
Writing file disk0:/asa802-k8.bin… !!!!! (truncated)
14524416 bytes copied in 118.210 secs (123088 bytes/sec)

Step 4:

Since we will now have two image files on the firewall disk (the old 7.2 and the new 8.0 image), we need to tell the firewall explicitly which image file to use when booting. Without a boot system command the ASA boots the first valid image it finds in internal flash, and boot system entries are tried in the order they were configured, so remove any stale entry (no boot system ...) before adding the new one.

ASA5505# conf t
ASA5505(config)# boot system disk0:/asa802-k8.bin
ASA5505(config)# wr mem

Step 5:

Reboot the firewall with the reload command so that it loads the new software image, then confirm with show version that 8.0(2) is running. If everything works fine with the new image, you can delete the old one from disk0 (delete disk0:/asa723-k8.bin); until then, keeping it gives you a known-good image to fall back to by changing the boot system command.

Step 6 (Optional):

ASA version 8.x uses the newer Device Manager (ASDM) version 6.x. You can download the new ASDM image from Cisco and copy it to disk0 with the same copy tftp disk0 steps as above; then point the firewall at it with the asdm image command (asdm image disk0:/<new ASDM file>) and save the configuration.

The Cisco Adaptive Security Appliance (ASA) is not just a hardware firewall, as many people think. The firewall mechanism is certainly the main functionality of the device, but the hardware modules you can add transform the appliance into a content security device, an intrusion prevention system, an SSL/IPsec VPN concentrator and so on.


 Firewall

 This is the main functionality, and it is based on the proven PIX appliance technology. The Cisco ASA 5500 provides advanced application-aware firewall services with identity-based access control, denial of service (DoS) attack protection, and much more.

 Unified Communications Security

 The Cisco ASA 5500 delivers unified communication security services with intelligent application inspection for voice/video over IP and IP Telephony traffic protecting against denial of service (DoS), rogue phone callers, and much more.


 VPN

 This is a built-in functionality of the appliance that needs no extra hardware module. The Cisco VPN solution on the ASA appliance offers clientless SSL VPN and IPsec VPN (LAN-to-LAN and remote access).

 Intrusion Prevention

 This is a signature based full-featured Intrusion Prevention module that can be added in one of the device’s SSM slots (AIP-SSM = Advanced Inspection and Prevention – Security Services Module), thus transforming the device into an integrated firewall and IPS appliance. The IPS module incorporates powerful, high-performance zero-day protection against threats including application and operating system vulnerabilities, directed attacks, worms, and other forms of malware.

 Content Security

 Again this is an add-on module (CSC-SSM = Content Security and Control – Security Services Module) which delivers powerful content security services including URL filtering, anti-phishing, anti-spam, antivirus, anti-spyware, and content filtering.
