New Member

Updates to Cisco ASA

What are the steps to allow Qualys to do an IDS/IPS scan of an ASA5505?

What are the steps to apply the update to an ASA5505 for the "Cisco PIX Invalid TCP Checksum DoS Vulnerability"?

What about the patch for CVE-2014-8730?

5 REPLIES
Hall of Fame Super Silver

1. Do you have the IPS module on your ASA? If not then the question is moot. If so, then exempt the Qualys scanner from the class-map that's associated with the IPS policy-map.

2. The first vulnerability you asked about is like 11 years old and any recent software will have it fixed.

3. The second one is POODLE so go with 9.1(6) or later.

New Member

1) Not sure. I took over this LAN and know little about Cisco ASAs.

2) & 3) - Any insights on possible gotchas for updating the software? Never done updates on an ASA.

Hall of Fame Super Silver

1. Log into the ASA via ssh, switch to enable mode and share the output of the command "show module"

2&3. Please also run "show version".

How easy it is to upgrade depends on where you are now. You generally need a current Smartnet support contract to be entitled to download the new software image needed to upgrade.

New Member

No support owned.  I suppose I can get ahold of Cisco.

1)

Result of the command: "show module"

Mod Card Type                                    Model              Serial No.
--- -------------------------------------------- ------------------ -----------
0   ASA 5505 Adaptive Security Appliance         ASA5505            <serial-redacted>

Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
--- --------------------------------- ------------ ------------ ---------------
0   001e.4a81.4459 to 001e.4a81.4463  1.0          1.0(12)6     8.0(3)

Mod SSC Application Name           Status           SSC Application Version
--- ------------------------------ ---------------- --------------------------

Mod Status             Data Plane Status     Compatibility
--- ------------------ --------------------- -------------
0   Up Sys             Not Applicable

======================================================

2) 

Result of the command: "show version"

Cisco Adaptive Security Appliance Software Version 8.0(3)
Device Manager Version 6.0(3)

Compiled on Tue 06-Nov-07 22:59 by builders
System image file is "disk0:/asa803-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 316 days 1 hour

Hardware: ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.01
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Int: Internal-Data0/0 : address is <address>
1: Ext: Ethernet0/0 : address is <address>
.

.

.
10: Int: Not used : irq 255
11: Int: Not used : irq 255

Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 50
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled

This platform has a Base license.

.

.

Hall of Fame Super Silver

Your ASA has no IPS module so there's no need to do anything special to allow a Qualys IDS/IPS scan.

Your ASA software is very old - like 8-1/2 years old. The currently recommended version for that model is 9.1(7).

You would first need to upgrade to 8.4(6) and then to 9.1(7). This is outlined in the Release Notes which have a further link to a detailed guide.

Smartnet support for a single ASA 5505 is only US$71 for a year. That includes hardware, software and TAC support. Part number "CON-SNT-AS5K8" applies and can be purchased via any authorized Cisco distributor or partner.
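
Added example, not part of any reply in this thread and not Cisco code: a Python check that reads "show version" output like the one posted above and applies the version thresholds given in the replies (9.1(6) for the CVE-2014-8730 fix, 8.4(6) as the interim hop, 9.1(7) as the target). The function names are hypothetical, and treating every release older than 8.4(6) as needing the interim hop is an assumption generalized from this one case; the Release Notes remain the authority on upgrade paths.

```python
import re

# Thresholds taken from the replies in this thread.
POODLE_FIXED = (9, 1, 6, 0)   # "go with 9.1(6) or later"
INTERIM = (8, 4, 6, 0)        # "first need to upgrade to 8.4(6)"
RECOMMENDED = (9, 1, 7, 0)    # "recommended version for that model is 9.1(7)"

# Matches e.g. "8.0(3)" and interim builds such as "9.1(7)4".
VERSION_RE = re.compile(
    r"Adaptive Security Appliance Software Version (\d+)\.(\d+)\((\d+)\)(\d*)")

def parse_asa_version(show_version):
    """Return (major, minor, maintenance, interim) from 'show version' text."""
    m = VERSION_RE.search(show_version)
    if m is None:
        raise ValueError("no ASA software version line found")
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))

def fmt(v):
    """Render a version tuple back into ASA notation."""
    return "%d.%d(%d)%s" % (v[0], v[1], v[2], v[3] or "")

def assess(show_version):
    """Summarise patch status and remaining upgrade hops for one device."""
    v = parse_asa_version(show_version)
    hops = []
    # Assumption: any release older than 8.4(6) takes the interim hop first.
    if v < INTERIM:
        hops.append(fmt(INTERIM))
    if v < RECOMMENDED:
        hops.append(fmt(RECOMMENDED))
    return {"running": fmt(v),
            "poodle_fixed": v >= POODLE_FIXED,
            "upgrade_path": hops}

# Constructed sample: the relevant lines of the 'show version' output above.
SAMPLE = """Cisco Adaptive Security Appliance Software Version 8.0(3)
Device Manager Version 6.0(3)
System image file is "disk0:/asa803-k8.bin"
"""

if __name__ == "__main__":
    print(assess(SAMPLE))
```
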
