Archive

Archive for the ‘Cisco Networking’ Category

Boot Image Recovery on a Cisco ASA Firewall

August 27, 2010 8 comments

I was performing some basic maintenance on a Cisco ASA5510 firewall. When I was finished performing the maintenance I proceeded to reload the device. Next thing you know the firewall went into a boot loop, not good! So I hooked up a console cable to figure out what was going on. It appears that somehow my software image had become corrupted and the ASA would not boot.

I was getting the following error message:

Error 15: File not found

Unable to boot an image

So I fired up the WiFi hotspot on my Motorola Droid and proceeded to download the appropriate software image from the Cisco Support website.

Here are the required steps to recover from a missing or corrupt boot image:

  • Connect a console cable from the ASA to your computer and open up a serial connection using Putty
  • Disable any software firewall on your computer
  • Install TFTP server software on your computer – I used Solarwinds TFTP server
  • Place the Cisco software image in the TFTP-Root folder (asa821-k8.bin) and start the TFTP service
  • Assign a static IP address to your computer – I used 192.168.20.1 (an address outside of my existing subnet)
  • Connect an Ethernet cable between your computer and port 0/0 on the ASA
  • Power off the ASA then power it back on
  • Press the escape key to boot into ROMMON mode
  • Enter the following commands in the ASA (the first part of these commands must be in caps)

    rommon #1> ADDRESS=192.168.20.10
    rommon #2> SERVER=192.168.20.1
    rommon #3> GATEWAY=192.168.20.1
    rommon #4> IMAGE=asa821-k8.bin
    rommon #5> PORT=Ethernet0/0

  • These commands assign an IP address of 192.168.20.10 to port 0/0 on the ASA and tell it to look at your TFTP server 192.168.20.1 and to select the ASA software image.
  • Next, execute the command to transfer the image from the TFTP server to the ASA

    rommon #6> tftp

Once the file transfer completes reboot the ASA and cross your fingers. If everything works the device should successfully reload and your existing configuration should remain intact.

Advertisements

Guest Wireless Access Using a Cisco ASA 5505 with VLAN Configuration

July 22, 2010 3 comments

In my last post here I showed the procedure on how to enable guest internet access by creating a vlan with a Cisco ASA 5510 firewall. To accomplish the same setup using a Cisco ASA 5505 there are some differences in how the guest interface and vlan are created within the Cisco firewall. Also, there is a very important prerequisite; you must have the Security Plus License for the ASA 5505 to enable vlan trunking. All other aspects of the procedure are the same.

To create the Guest-VLAN interface in the ASA 5505 you need to use the command line interface (CLI). The first step is to establish a connection to the ASA 5505 using a Cisco RJ-45 to DB9 console cable or IP telnet session. Using a program such as PUTTY, open a serial or telnet connection to the ASA 5505. Enter enable mode by typing “en”, you will be prompted for the enable password.

Here are the necessary commands with comments:

# enter configuration mode

conf t

#create the new vlan

int vlan3

#give the interface a name

nameif Guest-VLAN

#assign a security level lower than that of your internal LAN

security-level 10

#assign the interface an ip address

ip address 10.0.1.0 255.255.255.0

#enable the interface

no shutdown

#exit interface configuration

exit

#access the physical interface that your LAN is connected

int Ethernet0/1

#define the vlans that the interface will allow (vlans 1 & 3 in this case)

switchport trunk allowed vlan 1 3

#define the native vlan

switchport trunk native vlan 1

#change the interface from access mode to trunk mode (this allows multiple vlans (security plus license required))

switchport mode trunk

#enable the interface

no shutdown

 

That’s it for the configuration on the ASA 5505! The rest of the procedure is the same as this post Guest Wireless Access Using a Cisco ASA 5510 with VLAN Configuration

 

Guest Wireless Access Using a Cisco ASA 5510 with VLAN Configuration

July 21, 2010 6 comments

I wanted to setup a guest wireless network at my work so that guests had internet access, but no access to our internal LAN. This was accomplished using our Cisco ASA 5510 firewall, HP Procurve switch, Netgear wireless access points, and the creation of a vlan.

 

Here are the steps that I took to make this work:

First, login to the Cisco ASA firewall using ASDM. Go into the configuration, under device setup drill down to Interfaces. Add a new interface, give it a name, assign it a VLAN ID, security level lower than that of our internal LAN, and assign an ip address. Setting the VLAN ID to 3, identifies or “tags” the vlan using the 802.1Q protocol.

 

Next, go to Firewall configuration and drill down to NAT Rules. Create a dynamic NAT rule for the Guest-VLAN interface to use the ip address of the outside interface. Without this dynamic NAT rule, users will not be able to get to the internet.

 

Next, go to Device Management and drill down to DHCP Server. I enabled the DHCP server on the Guest-VLAN interface and created an ip address pool, assigned Google Public DNS servers for DNS Servers 1 and 2. Then I setup the lease length for 1 day (86400 seconds).

 

That is it for the configuration on the Cisco ASA. Next, I logged into our Layer 3 HP switch and created the Guest VLAN, assigned it with VLAN ID 3 to match the VLAN ID of the Cisco ASA. I tagged all ports with the newly created Guest VLAN.

 

Next you have to assign the HP Switch an ip address to match the subnet of the newly created VLAN.

 

Finally, I logged into our Netgear wireless access points, created a Guest wireless SSID, applied WPA2 security and configured the VLAN ID to 3

 

Now when guests logon to the RES-GUEST SSID they receive an ip address from the Cisco ASA DHCP server on the Guest-VLAN interface and can browse the internet, but can’t access our internal LAN.


Mission accomplished!

%d bloggers like this: