Cisco ASA Code Upgrade and Recommended Versions

People often ask what Cisco ASA code version one should be running. The answer varies based on your specific environment, ASA models and license level. I created this document to track the latest Cisco ASA code upgrade and recommended versions that are feasible for most environments. The recommendation also takes the Cisco Security Advisories into consideration: any “high” and “critical” bugs and vulnerabilities shall be patched in the code versions recommended. Please note that the recommendations made here are solely from my experience working with Cisco products and best judgement. You are encouraged to confirm with Cisco TAC and evaluate based on your specific situation.

“Critical” security advisory released: “Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability”, February 10th 2016.
“High” security advisory released: “Multiple Vulnerabilities in OpenSSL”, January 29th 2016.

Per platform recommendations
ASA5505: 9.2(4.5). The ASA 5505 cannot go beyond 9.2(4.5).
ASA non-X models: 9.1(7). These ASAs cannot go beyond 9.1(7).
ASA X models: these models should move to a new version depending on their current version.

Here is the excerpt from the advisory page listing the code versions with the “high” and “critical” vulnerability fixes.

The ASAs are single-core devices while the ASA-Xs are multi-core devices. From 9.2 onward, the ASA code was written to be primarily multi-core threaded, which is why support was dropped on the single-core platforms. Why can the smallest ASA5505 run 9.2(4.5) code while the beefier models (5510, 5520, 55) cannot? The ASA5505 has massive distribution – it is in many homes, small businesses, etc. Because of the number of ASA5505s in production, Cisco development made an exception and created a special version of the 9.2 image for it. Both 9.1(7) and 9.2(4.5) contain the fixes from the Cisco Security Advisory. You can technically move any ASA5505 to 9.1(7) if you prefer the code release to be consistent across your network.

Validated Certified
According to Cisco, “the fixed builds are extremely recent. None of them have been officially submitted for FIPS validation yet (most versions are not tested for full validation). FIPS validation is a lengthy process as the code is handed off to the government for elaborate testing. However, all of the versions listed are FIPS compliant in that they are built to meet the requirements of FIPS.”

Memory Requirements
All code from 8.3 onward (8.3, 8.4, 9.0, 9.1, 9.2 and 9.5) carries a RAM requirement of 512M. I have personally had issues trying to run these code versions on ASA5505s with 256M of RAM. Here is a reference table.

I had a remote site with two Cisco ASA 5525-X firewalls deployed as an Active/Standby failover pair. I've posted a blog a couple of years back regarding this setup in a GNS3 environment, but now I'm deploying it in the real world. Before its deployment, I upgraded both ASAs to the latest code, 9.4(2)11, and applied and configured the 10-security-context license (multiple mode).

Cisco Adaptive Security Appliance Software Version 9.4(2)11
Compiled on Mon 22-Feb-16 22:54 PST by builders
System image file is "disk0:/asa942-11-smp-k8.bin"
Hardware: ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz, 1 CPU (4 cores)
BIOS Flash MX25L6445E 0xffbb0000, 8192KB
Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
SSL/IKE microcode : CNPx-MC-SSL-SB-PLUS-0005

According to the Cisco ASA 5500-X Configuration Guide, starting with ASA 8.3(1) you don't need to install identical licenses (with some exceptions) on both firewall units. You just buy and install the license for the Primary/Active firewall unit only. The Secondary/Standby unit will inherit the Primary license when it becomes Active. I also confirmed with Cisco TAC that a 20-Security Context license ASA5500-SC-20 (vs L-ASA-SC-20) will work on a Cisco ASA 5500-X platform.

ASA01/pri/act(config-if)# ip address 202.78.4.6 255.255.255.128
WARNING: Failover is enabled but standby IP address is not configured for this interface.

You can optionally skip the standby IP address under the context configuration and failover (and routing) would still work. For example, if you've got a limited public IP address range, you can just configure the 'outside' interface with a single public IP address. The standby keyword is normally used in Active/Active failover, where each context monitors its interfaces and triggers failover if multiple failed interfaces are detected. I explicitly configure the standby IP address on the 'inside' interface since we're doing HSRP and allocate a /29 subnet.
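As an added example that is not part of the original post: a small Python audit of an ASA context configuration that lists the named interfaces carrying an ip address without a standby address, which are exactly the interfaces the ASA warns about ("Failover is enabled but standby IP address is not configured for this interface") when the command is entered. Running it over saved context configurations keeps that warning visible after the fact. The configuration text is constructed for the example using RFC 5737 documentation addresses; the interface names and the check itself are assumptions, not the post's configuration.

```python
import re
from typing import Dict, List, Optional

# Constructed context configuration (RFC 5737 documentation addresses);
# not the real configuration from the post.
CONTEXT_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.248 standby 192.0.2.2
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 198.51.100.1 255.255.255.0 standby 198.51.100.2
!
"""

# ASA syntax: ip address <addr> <mask> [standby <addr>]
IP_ADDR_RE = re.compile(r"^\s*ip address (\S+) (\S+)(?: standby (\S+))?\s*$")


def parse_interfaces(config: str) -> List[Dict[str, Optional[str]]]:
    """Walk the 'interface ...' blocks and collect nameif, address, mask and standby."""
    interfaces: List[Dict[str, Optional[str]]] = []
    current: Optional[Dict[str, Optional[str]]] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = {"interface": line.split(None, 1)[1], "nameif": None,
                       "ip": None, "mask": None, "standby": None}
            interfaces.append(current)
        elif current is None or not line.startswith(" "):
            # '!' or any other top-level line closes the interface block
            current = None
        elif line.strip().startswith("nameif "):
            current["nameif"] = line.split()[1]
        else:
            m = IP_ADDR_RE.match(line)
            if m:
                current["ip"], current["mask"], current["standby"] = m.groups()
    return interfaces


def missing_standby(config: str) -> List[str]:
    """Named interfaces that have an IP address but no standby address."""
    return [i["nameif"] or i["interface"] for i in parse_interfaces(config)
            if i["ip"] and not i["standby"]]


def report(config: str) -> List[str]:
    """Human-readable findings; empty when every addressed interface has a standby."""
    return [f"{name}: no standby IP; the standby unit has no address on this "
            f"interface, so it cannot be managed through it until it becomes active"
            for name in missing_standby(config)]


if __name__ == "__main__":
    for line in report(CONTEXT_CONFIG) or ["all addressed interfaces have a standby IP"]:
        print(line)
```

In multiple-context mode the ip address lines live in each context's configuration while the failover statements live in the system configuration, so the function is meant to be run once per context file.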
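Also added here, not from the original post: a Python check that reads 'show version' output and compares the reported platform, software version and RAM against the per-platform floors given in the Cisco ASA Code Upgrade and Recommended Versions section above (ASA5505: 9.2(4.5); non-X models: 9.1(7); 512 MB of RAM for 8.3 and later). The X-series floor is a caller-supplied parameter because the post gives no single value for those models, and the family membership lists beyond the models the post names (5505, 5510, 5520) are assumptions. The 5525 sample is the 'show version' output quoted in the post; the 5505 sample is constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Per-platform floors from the post's recommendations.
FLOOR_ASA5505 = "9.2(4.5)"      # the 5505 can go no further than this
FLOOR_NON_X = "9.1(7)"          # 5510/5520/... can go no further than this
MIN_RAM_MB_83_PLUS = 512        # RAM requirement for 8.3 and later (from the post)

# Platform families. The post names the 5505, 5510 and 5520; the remaining
# members of each set are the usual model lists and are an assumption here.
NON_X_MODELS = {"ASA5510", "ASA5520", "ASA5540", "ASA5550", "ASA5580"}
X_MODELS = {"ASA5512", "ASA5515", "ASA5525", "ASA5545", "ASA5555", "ASA5585"}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)(\d+)?")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '9.4(2)11', '9.2(4.5)' or '9.1(7)' into a comparable tuple.

    The '(x.y)' sub-release digit and the trailing interim number share the
    last slot; that is sufficient for comparing against the floors used here."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised ASA version string: {text!r}")
    major, minor, maint, sub, interim = m.groups()
    return (int(major), int(minor), int(maint), int(sub or interim or 0))


def parse_show_version(output: str) -> Dict[str, object]:
    """Pull platform, software version and RAM out of 'show version' output."""
    ver = re.search(r"Software Version (\S+)", output)
    hw = re.search(r"Hardware:\s+(ASA\d+)[^\n]*?(\d+)\s*MB RAM", output)
    if not ver or not hw:
        raise ValueError("version or hardware line not found")
    return {"model": hw.group(1), "version": ver.group(1), "ram_mb": int(hw.group(2))}


def assess(info: Dict[str, object], x_floor: Optional[str] = None) -> List[str]:
    """Return the findings for one unit; an empty list means nothing to report."""
    findings: List[str] = []
    model, version, ram = str(info["model"]), str(info["version"]), int(info["ram_mb"])
    running = parse_version(version)

    floor: Optional[str]
    if model == "ASA5505":
        floor = FLOOR_ASA5505
    elif model in NON_X_MODELS:
        floor = FLOOR_NON_X
    elif model in X_MODELS:
        floor = x_floor          # no single X-series floor in the post; caller decides
        if floor is None:
            findings.append(f"{model}: X-series, no floor supplied; running {version}")
    else:
        floor = None
        findings.append(f"{model}: unknown platform, review manually")

    if floor is not None and running < parse_version(floor):
        findings.append(f"{model}: {version} is below the recommended {floor}")
    if running >= (8, 3, 0, 0) and ram < MIN_RAM_MB_83_PLUS:
        findings.append(f"{model}: {ram} MB RAM is below the {MIN_RAM_MB_83_PLUS} MB "
                        f"needed for 8.3 and later")
    return findings


# 'show version' lines as quoted in the post (ASA 5525-X on 9.4(2)11).
SHOW_VERSION_5525 = """\
Cisco Adaptive Security Appliance Software Version 9.4(2)11
Compiled on Mon 22-Feb-16 22:54 PST by builders
System image file is "disk0:/asa942-11-smp-k8.bin"
Hardware: ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz, 1 CPU (4 cores)
"""

# Constructed sample (not from the post): a 256 MB ASA 5505 still on 9.1(5).
SHOW_VERSION_5505 = """\
Cisco Adaptive Security Appliance Software Version 9.1(5)
Hardware: ASA5505, 256 MB RAM, CPU Geode 500 MHz
"""

if __name__ == "__main__":
    for sample in (SHOW_VERSION_5525, SHOW_VERSION_5505):
        info = parse_show_version(sample)
        print(info["model"], info["version"], assess(info) or ["ok"])
```

The version tuple deliberately collapses the sub-release digit of 9.2(4.5) and the interim number of 9.4(2)11 into one slot; that is enough to rank a unit against the floors in this post, but not to order two interim builds of the same maintenance release against a sub-release.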