Category Archives: Security

ASA License Upgrade

There may be a time when you need to upgrade the license on a Cisco Adaptive Security Appliance (ASA). The license determines which feature set is available on the firewall, and a comparison of licenses can be found here (v9.1).

The first step is to register your PAK key on the Cisco website.  The PAK key can be activated here and will require the device’s serial number to complete.  Follow the activation wizard and you will receive an email from Cisco with the activation key. https://www.cisco.com/go/license

The process itself is quite straightforward, but before we get started it’s highly recommended to take a copy of the activation key the ASA is currently running with, a backup of the running configuration and a copy of the version properties.

To view the current activation key and version properties, use the following commands:

giantsandrunts#show activation-key
giantsandrunts#show version

Great, we’ve now got everything backed up. Next, we need to go into configuration mode and issue the command below:

giantsandrunts(config)#activation-key xxxxxxxx yyyyyyyy zzzzzzzz xxxxxxxx yyyyyyyy

At this point there is no verification we can do, as the new key will not show in the version properties or the activation key properties until the firewall has been reloaded. Proceed to reload the firewall, which should take anywhere between 5 and 20 minutes. It’s good practice to provide a reason for the reload.

giantsandrunts#reload reason license upgrade

The final steps are to verify the activation key and the features which are available in the version properties.  
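One way to carry out that verification, as an added example that is not part of the original post: a Python script that compares the licensed-features block of the `show version` output saved before the upgrade with the output taken after the reload. The two sample outputs are constructed for illustration, and the function names are hypothetical.

```python
import re

# Constructed "show version" excerpts (sample data, not from a real device).
BEFORE = """\
Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
VLANs                             : 50             perpetual
Failover                          : Disabled       perpetual
Security Contexts                 : 0              perpetual

This platform has a Base license.
"""
AFTER = """\
Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
VLANs                             : 100            perpetual
Failover                          : Active/Active  perpetual
Security Contexts                 : 2              perpetual

This platform has a Security Plus license.
"""

# "<feature name> : <value> <term>", e.g. "VLANs : 100 perpetual"
FEATURE = re.compile(r"^(?P<name>[^:]+?)\s*:\s*(?P<value>\S+)\s+(?P<term>\S.*)$")

def licensed_features(show_version):
    """Return {feature: (value, term)} parsed from the licensed-features block."""
    features, in_block = {}, False
    for line in show_version.splitlines():
        if line.startswith("Licensed features for this platform"):
            in_block = True
        elif in_block:
            match = FEATURE.match(line.strip())
            if match:
                features[match["name"]] = (match["value"], match["term"])
            elif features:
                break  # first non-feature line after the block ends it
    return features

def license_diff(before, after):
    """Return {feature: (old, new)} for every feature that changed."""
    old, new = licensed_features(before), licensed_features(after)
    return {name: (old.get(name), new.get(name))
            for name in sorted(old.keys() | new.keys())
            if old.get(name) != new.get(name)}

if __name__ == "__main__":
    for name, (was, now) in license_diff(BEFORE, AFTER).items():
        print(f"{name}: {was} -> {now}")
```

An empty result after the reload means the licensed features did not change, which is the cue to re-check the activation key that was entered.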

To conclude, this article has walked you through a license upgrade on an Adaptive Security Appliance and shown you how to verify the result once the upgrade is complete.

ASA – Dynamic FQDN Filtering

In today’s IT world, we are relying more and more on public cloud services such as Amazon Web Services (AWS), Azure and Google Cloud which typically have large IP address allocations. These cloud providers have the right to change the IP address of your hosted environment at any point in time and it is important that as network engineers, we can configure our equipment to dynamically adapt to applications changing IP addresses.  

Although some environments use proxy servers for web traffic, there are some applications and websites which simply don’t work via a proxy, meaning traffic must bypass a firewall, typically at your internet edge.

Cisco Adaptive Security Appliance (ASA)