Boot Image Recovery on a Cisco ASA Firewall

August 27, 2010 8 comments

I was performing some basic maintenance on a Cisco ASA 5510 firewall. When I was finished with the maintenance, I proceeded to reload the device. Next thing you know, the firewall went into a boot loop, not good! So I hooked up a console cable to figure out what was going on. It appears that somehow my software image had become corrupted and the ASA would not boot.

I was getting the following error message:

Error 15: File not found

Unable to boot an image

So I fired up the WiFi hotspot on my Motorola Droid and proceeded to download the appropriate software image from the Cisco Support website.

Here are the required steps to recover from a missing or corrupt boot image:

  • Connect a console cable from the ASA to your computer and open up a serial connection using PuTTY
  • Disable any software firewall on your computer
  • Install TFTP server software on your computer – I used SolarWinds TFTP server
  • Place the Cisco software image in the TFTP-Root folder (asa821-k8.bin) and start the TFTP service
  • Assign a static IP address to your computer – I used 192.168.20.1 (an address outside of my existing subnet)
  • Connect an Ethernet cable between your computer and port 0/0 on the ASA
  • Power off the ASA then power it back on
  • Press the escape key to boot into ROMMON mode
  • Enter the following commands at the ROMMON prompt (the variable names before the = must be in capitals)

    rommon #1> ADDRESS=192.168.20.10
    rommon #2> SERVER=192.168.20.1
    rommon #3> GATEWAY=192.168.20.1
    rommon #4> IMAGE=asa821-k8.bin
    rommon #5> PORT=Ethernet0/0

  • These commands assign the IP address 192.168.20.10 to port 0/0 on the ASA, point it at your TFTP server at 192.168.20.1, and select the ASA software image to download.
  • Next, execute the command that transfers the image from the TFTP server to the ASA and boots it

    rommon #6> tftp

Once the file transfer completes, reboot the ASA and cross your fingers. If everything works, the device should successfully reload and your existing configuration should remain intact.
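Two things are worth checking before you power-cycle the ASA: that the image you put in the TFTP root is the one Cisco published (a corrupt image is what caused the boot loop in the first place), and that the TFTP server will actually hand it out. The following added example (my code, not part of the original post and not SolarWinds' software) implements a minimal TFTP read exchange per RFC 1350 with both client and server in memory, so the DATA/ACK sequence and the "File not found" error are visible, and wraps it in an MD5 pre-flight check. The image bytes, the 1024-byte and empty files, and the MAC-free in-memory server are constructed for the example; the MD5 you would compare against in practice is the one listed on Cisco's download page for asa821-k8.bin.

```python
# Added example (not from the original post): minimal TFTP (RFC 1350) read
# exchange run in memory, plus an MD5 pre-flight check of the image to serve.
# SAMPLE_IMAGE and the file names below are constructed stand-ins.
import hashlib
import struct
from typing import Dict, Optional

OP_RRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 3, 4, 5
BLOCK_SIZE = 512                  # RFC 1350 fixed block size
ERR_FILE_NOT_FOUND, ERR_ILLEGAL_OP = 1, 4

# Constructed stand-in for a firmware image: 1540 bytes = 3 full blocks + 1 short block.
SAMPLE_IMAGE = bytes(range(256)) * 6 + b"tail"


class TftpError(Exception):
    """Raised by the client when the server answers with an ERROR packet."""


def build_rrq(filename: str, mode: str = "octet") -> bytes:
    """Read request: opcode 1, filename, NUL, transfer mode, NUL."""
    return struct.pack("!H", OP_RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def build_error(code: int, message: str) -> bytes:
    return struct.pack("!HH", OP_ERROR, code) + message.encode() + b"\0"


class TftpServer:
    """Serves files from a dict, one read session at a time (all ROMMON needs)."""

    def __init__(self, files: Dict[str, bytes]):
        self.files = files
        self.data: Optional[bytes] = None
        self.block = 0            # number of the DATA block most recently sent

    def handle(self, packet: bytes) -> Optional[bytes]:
        """Take one client packet and return the reply (None once the transfer is done)."""
        opcode = struct.unpack("!H", packet[:2])[0]
        if opcode == OP_RRQ:
            name, _, rest = packet[2:].partition(b"\0")
            mode, _, _ = rest.partition(b"\0")
            filename = name.decode(errors="replace")
            if mode.lower() != b"octet" or filename not in self.files:
                return build_error(ERR_FILE_NOT_FOUND, "File not found")
            self.data, self.block = self.files[filename], 1
            return self._data_packet()
        if opcode == OP_ACK and self.data is not None:
            acked = struct.unpack("!H", packet[2:4])[0]
            if acked != self.block & 0xFFFF:
                return None       # stale or duplicate ACK: nothing new to send
            if len(self._chunk()) < BLOCK_SIZE:
                self.data = None  # the short final block was acknowledged: done
                return None
            self.block += 1
            return self._data_packet()
        return build_error(ERR_ILLEGAL_OP, "Illegal TFTP operation")

    def _chunk(self) -> bytes:
        start = (self.block - 1) * BLOCK_SIZE
        return self.data[start:start + BLOCK_SIZE]

    def _data_packet(self) -> bytes:
        # Block numbers are 16-bit on the wire and wrap around for large images.
        return struct.pack("!HH", OP_DATA, self.block & 0xFFFF) + self._chunk()


def tftp_get(server: TftpServer, filename: str) -> bytes:
    """Client side: send RRQ, ACK every DATA block, stop after a short block."""
    received = bytearray()
    expected = 1
    packet = server.handle(build_rrq(filename))
    while True:
        if packet is None:
            raise ValueError("server went silent mid-transfer")
        opcode = struct.unpack("!H", packet[:2])[0]
        if opcode == OP_ERROR:
            code = struct.unpack("!H", packet[2:4])[0]
            raise TftpError(f"TFTP error {code}: {packet[4:-1].decode()}")
        if opcode != OP_DATA:
            raise ValueError(f"unexpected opcode {opcode}")
        block = struct.unpack("!H", packet[2:4])[0]
        if block != expected & 0xFFFF:
            raise ValueError(f"out-of-order block {block}")
        payload = packet[4:]
        received += payload
        packet = server.handle(struct.pack("!HH", OP_ACK, block))
        expected += 1
        if len(payload) < BLOCK_SIZE:   # a short (possibly empty) block ends the transfer
            return bytes(received)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def check_served_image(server: TftpServer, filename: str, expected_md5: str) -> bool:
    """Pre-flight: fetch the image the way ROMMON will and compare its MD5."""
    try:
        return md5_hex(tftp_get(server, filename)) == expected_md5.lower()
    except TftpError:
        return False


if __name__ == "__main__":
    tftp_root = {"asa821-k8.bin": SAMPLE_IMAGE}
    ok = check_served_image(TftpServer(tftp_root), "asa821-k8.bin", md5_hex(SAMPLE_IMAGE))
    print("image served and MD5 matches" if ok else "image missing or corrupt")
```

The server deliberately handles the two edge cases that trip up hand-rolled TFTP code: a file whose size is an exact multiple of 512 bytes (the transfer must end with an empty DATA block) and block numbers wrapping at 65535 on images larger than 32 MB. One caveat for the procedure itself: an image booted from ROMMON this way runs from RAM only, so once the ASA is up, copy the file to flash (`copy tftp: disk0:`) and point `boot system` at it, or the next reload will hit the same error.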

Guest Wireless Access Using a Cisco ASA 5510 with VLAN Configuration

July 21, 2010 6 comments

I wanted to set up a guest wireless network at my work so that guests had internet access, but no access to our internal LAN. This was accomplished using our Cisco ASA 5510 firewall, HP ProCurve switch, Netgear wireless access points, and the creation of a VLAN.

Here are the steps that I took to make this work:

First, log in to the Cisco ASA firewall using ASDM. Go into the configuration, and under Device Setup drill down to Interfaces. Add a new interface, give it a name, assign it a VLAN ID and a security level lower than that of our internal LAN, and assign an IP address. Setting the VLAN ID to 3 identifies or “tags” the VLAN using the 802.1Q protocol.

Next, go to Firewall configuration and drill down to NAT Rules. Create a dynamic NAT rule for the Guest-VLAN interface to use the IP address of the outside interface. Without this dynamic NAT rule, users will not be able to get to the internet.

Next, go to Device Management and drill down to DHCP Server. I enabled the DHCP server on the Guest-VLAN interface, created an IP address pool, and assigned Google Public DNS servers for DNS Servers 1 and 2. Then I set the lease length to 1 day (86400 seconds).

That is it for the configuration on the Cisco ASA. Next, I logged into our Layer 3 HP switch and created the Guest VLAN, assigning it VLAN ID 3 to match the VLAN ID on the Cisco ASA. I tagged all ports with the newly created Guest VLAN.

Next, you have to assign the HP switch an IP address in the subnet of the newly created VLAN.

Finally, I logged into our Netgear wireless access points, created a Guest wireless SSID, applied WPA2 security and configured the VLAN ID to 3.

Now when guests log on to the RES-GUEST SSID they receive an IP address from the Cisco ASA DHCP server on the Guest-VLAN interface and can browse the internet, but can’t access our internal LAN.


Mission accomplished!
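The isolation above rests on two things: the switch and APs tagging guest traffic with 802.1Q VLAN 3, and the ASA's lower security level on Guest-VLAN dropping guest-to-inside traffic by default. A way to verify both from a capture on the switch-to-ASA trunk is to parse the tags and look for guest-tagged frames that involve internal LAN addresses. The following is an added example of mine, not code from the post or from Cisco, HP or Netgear: it builds and parses 802.1Q-tagged Ethernet/IPv4 frames and classifies guest-VLAN traffic into attempts (guest hosts addressing the LAN, which the ASA is expected to drop) and leaks (LAN hosts answering on the guest VLAN, which means something is bridging or routing between them). The MAC addresses, the guest subnet 192.168.30.0/24, the internal subnet 10.0.0.0/24 and the sample frames are all constructed for the example; only VLAN ID 3 comes from the post.

```python
# Added example (not from the original post): parse 802.1Q-tagged
# Ethernet/IPv4 frames and flag guest-VLAN traffic that involves the internal
# LAN. MACs, subnets and SAMPLE_FRAMES are constructed; VLAN 3 is the post's.
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


@dataclass
class ParsedFrame:
    vlan_id: Optional[int]        # None when the frame carries no 802.1Q tag
    src_ip: str
    dst_ip: str


def _mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst_mac: str, src_mac: str, vlan_id: Optional[int],
                src_ip: str, dst_ip: str) -> bytes:
    """Ethernet header, optional 802.1Q tag (PCP 0, DEI 0), minimal IPv4 header."""
    frame = _mac(dst_mac) + _mac(src_mac)
    if vlan_id is not None:
        frame += struct.pack("!HH", TPID_8021Q, vlan_id & 0x0FFF)  # TCI: VID in the low 12 bits
    frame += struct.pack("!H", ETHERTYPE_IPV4)
    # version/IHL, DSCP, total length, id, flags/frag, TTL, protocol (UDP), checksum 0, src, dst
    frame += struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    return frame


def parse_frame(raw: bytes) -> Optional[ParsedFrame]:
    """Return the VID and IPv4 endpoints, or None for non-IPv4 frames."""
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", raw[12:14])[0]
    offset, vlan_id = 14, None
    if ethertype == TPID_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        vlan_id, offset = tci & 0x0FFF, 18
    if ethertype != ETHERTYPE_IPV4:
        return None
    if len(raw) < offset + 20 or raw[offset] >> 4 != 4:
        raise ValueError("truncated or non-IPv4 header")
    src = str(ipaddress.IPv4Address(raw[offset + 12:offset + 16]))
    dst = str(ipaddress.IPv4Address(raw[offset + 16:offset + 20]))
    return ParsedFrame(vlan_id, src, dst)


def classify_guest_traffic(raw_frames: List[bytes], guest_vid: int,
                           internal_net: str) -> Dict[str, List[Tuple[str, str]]]:
    """Split guest-tagged frames into LAN-bound attempts and LAN-sourced leaks.

    attempts: guest host -> internal address (the ASA should drop these)
    leaks:    internal address -> guest host on the guest VLAN (isolation failed)
    """
    lan = ipaddress.ip_network(internal_net)
    result: Dict[str, List[Tuple[str, str]]] = {"attempts": [], "leaks": []}
    for raw in raw_frames:
        frame = parse_frame(raw)
        if frame is None or frame.vlan_id != guest_vid:
            continue
        if ipaddress.IPv4Address(frame.dst_ip) in lan:
            result["attempts"].append((frame.src_ip, frame.dst_ip))
        if ipaddress.IPv4Address(frame.src_ip) in lan:
            result["leaks"].append((frame.src_ip, frame.dst_ip))
    return result


# Constructed trunk capture: guest to internet, guest to a LAN host, a LAN host
# answering on the guest VLAN, normal LAN traffic on VLAN 1, and an untagged ARP frame.
AP_MAC, ASA_MAC = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
SAMPLE_FRAMES = [
    build_frame(ASA_MAC, AP_MAC, 3, "192.168.30.20", "8.8.8.8"),
    build_frame(ASA_MAC, AP_MAC, 3, "192.168.30.21", "10.0.0.5"),
    build_frame(AP_MAC, ASA_MAC, 3, "10.0.0.5", "192.168.30.21"),
    build_frame(ASA_MAC, AP_MAC, 1, "10.0.0.7", "10.0.0.1"),
    _mac(ASA_MAC) + _mac(AP_MAC) + struct.pack("!H", ETHERTYPE_ARP) + b"\0" * 28,
]

if __name__ == "__main__":
    report = classify_guest_traffic(SAMPLE_FRAMES, guest_vid=3, internal_net="10.0.0.0/24")
    for src, dst in report["attempts"]:
        print(f"guest host {src} tried to reach LAN address {dst}")
    for src, dst in report["leaks"]:
        print(f"LAN address {src} answered on the guest VLAN to {dst}: isolation broken")
```

Attempts are expected noise (a guest device probing 10.0.0.0/24 is exactly what the lower security level exists to block); a non-empty leaks list is the finding, because a LAN host should never be reachable from VLAN 3 unless the ASA has an ACL permitting it or the switch is leaking between VLANs.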
