Cisco Security Appliance Command Line Configuration Guide, Version 7.0
Managing Software, Licenses, and Configurations
Downloads: This chapterpdf (PDF - 261.0KB) The complete bookPDF (PDF - 15.34MB) | Feedback

Managing Software, Licenses, and Configurations

Table Of Contents

Managing Software, Licenses, and Configurations

Managing Licenses

Obtaining an Activation Key

Entering a New Activation Key

Viewing Files in Flash Memory

Retrieving Files from Flash Memory

Downloading Files to Flash Memory from a Server

Ensure Network Access to the Server

Downloading Files

Configuring the Application Image and ASDM Image to Boot

Performing Zero Downtime Upgrades for Failover Pairs

Upgrading an Active/Standby Failover Configuration

Upgrading and Active/Active Failover Configuration

Downloading and Backing Up Configuration Files

Downloading a Text File to the Startup or Running Configuration

Configuring the File to Boot as the Startup Configuration

Copying the Startup Configuration to the Running Configuration

Backing Up the Configuration

Backing up the Single Mode or Multiple Mode System Configuration

Backing up a Context Configuration within the Context

Copying the Configuration from the Terminal Display

Configuring Auto Update Support

Configuring Communication with an Auto Update Server

Viewing Auto Update Status


Managing Software, Licenses, and Configurations


This chapter contains information about managing the security appliance software, licenses, and configurations, and includes the following sections:

Managing Licenses

Viewing Files in Flash Memory

Retrieving Files from Flash Memory

Downloading Files to Flash Memory from a Server

Configuring the Application Image and ASDM Image to Boot

Performing Zero Downtime Upgrades for Failover Pairs

Downloading and Backing Up Configuration Files

Configuring Auto Update Support

Managing Licenses

When you install the software, the existing activation key is extracted from the original image and stored in a file in the security appliance file system.

Obtaining an Activation Key

To obtain an activation key, you will need a Product Authorization Key, which you can purchase from your Cisco account representative. After obtaining the Product Authorization Key, register it on the Web to obtain an activation key by performing the following steps:


Step 1 Obtain the serial number for your security appliance by entering the following command:

hostname> show version | include Number

Enter the pipe character (|) as part of the command.


Step 2 Connect a web browser to one of the following websites (the URLs are case-sensitive):

Use the following website if you are a registered user of Cisco.com:

http://www.cisco.com/go/license

Use the following website if you are not a registered user of Cisco.com:

http://www.cisco.com/go/license/public

Step 3 Enter the following information, when prompted:

Your Product Authorization Key.

The serial number of your security appliance.

Your email address.

The activation key will be automatically generated and sent to the email address that you provide.


Entering a New Activation Key

To enter the activation key, enter the following command:

hostname(config)# activation-key key

The key is a four or five-element hexadecimal string with one space between each element. For example, a key in the correct form might look like the following key:

0xe02888da 0x4ba7bed6 0xf1c123ae 0xffd8624e

The leading 0x specifier is optional; all values are assumed to be hexadecimal.

If you are already in multiple context mode, enter this command in the system execution space.

Before entering the activation key, ensure that the image in Flash memory and the running image are the same. You can do this by rebooting the security appliance before entering the new activation key.


Note The activation key is not stored in your configuration file. The key is tied to the serial number of the device.

You must reboot the security appliance after entering the new activation key for the change to take effect in the running image.


This example shows how to change the activation key on the security appliance:

hostname(config)# activation-key 0xe02888da 0x4ba7bed6 0xf1c123ae 0xffd8624e

Viewing Files in Flash Memory

You can view files in Flash memory and see information about the files.

To view the files in Flash memory, enter the following command:

hostname# dir [flash: | disk0: | disk1:]

The flash: keyword represents the internal Flash memory on the PIX 500 series security appliance. You can enter flash: or disk0: for the internal Flash memory on the ASA 5500 series adaptive security appliance. The disk1: keyword represents the external Flash memory on the ASA. The internal Flash memory is the default.

For example:

hostname# dir

Directory of disk0:/
500    -rw-  4958208     22:56:20 Nov 29 2004  cdisk.bin
2513   -rw-  4634        19:32:48 Sep 17 2004  first-backup
2788   -rw-  21601       20:51:46 Nov 23 2004  backup.cfg
2927   -rw-  8670632     20:42:48 Dec 08 2004  asdmfile.bin

To view extended information about a specific file, enter the following command:

hostname# show file information [path:/]filename

The default path is the root directory of the internal Flash memory (flash:/ or disk0:/).

For example:

hostname# show file information cdisk.bin

disk0:/cdisk.bin:
  type is image (XXX) []
  file size is 4976640 bytes version 7.0(1)

The file size listed is for example only.

Retrieving Files from Flash Memory

You can retrieve files directly from the Flash disk by using an HTTPS connection with the following URL, in which you supply values for the ASA IP address and the filename:

https://ASA_IP/disk0/filename

This option is useful for customers who wish to do the following:

Copyfrom the ASA binary image (as a backup).

Copy from WebVPN capture files.

Copy any other Flash files to a secure desktop.

Downloading Files to Flash Memory from a Server

You can download application images, ASDM images, and configuration files to the internal Flash memory or, for the ASA 5500 series adaptive security appliance, to the external Flash memory from a TFTP, FTP, HTTP, or HTTPS server.

To copy configuration files to the startup or running configuration, see the "Downloading and Backing Up Configuration Files" section.

To configure the security appliance to use a specific application image or ASDM image if you have more than one installed, or have installed them in external Flash memory see the "Configuring the Application Image and ASDM Image to Boot" section.

This section includes the following topics:

"Ensure Network Access to the Server" section

"Downloading Files" section

Ensure Network Access to the Server

Make sure you have network access to the server:

For single context mode, configure any interface, its IP address, and any static routes required to reach the server. See the "Configuring Interfaces" section on page 28-2 and then Chapter 8, "Configuring IP Routing and DHCP Services."

For multiple context mode, you must first add the admin context and configure interfaces, IP addresses, and routing to provide network access. See the "Configuring a Security Context" section on page 5-1, and then the "Configuring Interfaces" section on page 28-2 and Chapter 8, "Configuring IP Routing and DHCP Services."

To check connectivity, use the ping command.

Downloading Files

For multiple context mode, you must be in the system execution space.

To download a file to Flash memory, see the following commands for each download server type:

To copy from a TFTP server, enter the following command:

hostname# copy tftp://server[/path]/filename {flash:/ | disk0:/ | 
disk1:/}[path/]filename

The flash:/ keyword represents the internal Flash memory on the PIX 500 series security appliance. You can enter flash:/ or disk0:/ for the internal Flash memory on the ASA 5500 series adaptive security appliance. The disk1:/ keyword represents the external Flash memory on the ASA.

To copy from an FTP server, enter the following command:

hostname# copy ftp://[user[:password]@]server[/path]/filename[;type=xx] {flash:/ | 
disk0:/ | disk1:/}[path/]filename

The type can be one of the following keywords:

ap—ASCII passive mode

an—ASCII normal mode

ip—(Default) Binary passive mode

in—Binary normal mode

Use binary for image files.

To copy from an HTTP or HTTPS server, enter the following command:

hostname# copy http[s]:// 
[user[:password]@]server[:port][/path]/filename {flash:/ | disk0:/ | 
disk1:/}[path/]filename

To use secure copy, first enable SSH, then enter the following command:

hostname# ssh scopy enable

Then from a Linux client enter the following command:

scp -v -pw password filename username@asa_address

The -v is for verbose, and if -pw is not specified you will be prompted for a password.

Configuring the Application Image and ASDM Image to Boot

By default, the security appliance boots the first application image it finds in internal Flash memory. It also boots the first ASDM image it finds in internal Flash memory, or of none exists there, then in external Flash memory. If you have more than one image, you should specify the image you want to boot. In the case of the ASDM image, if you do not specify the image to boot, even if you have only one image installed, then the security appliance inserts the asdm image command into the running configuration. To avoid problems with Auto Update (if configured), and to avoid the image search at each startup, you should specify the ASDM image you want to boot in the startup configuration.

To configure the application image to boot, enter the following command:

hostname(config)# boot system url

where url is one of the following:

{flash:/ | disk0:/ | disk1:/}[path/]filename

The flash:/ keyword represents the internal Flash memory on the PIX 500 series security appliance. You can enter flash:/ or disk0:/ for the internal Flash memory on the ASA 5500 series adaptive security appliance. The disk1:/ keyword represents the external Flash memory on the ASA.

tftp://[user[:password]@]server[:port]/[path/]filename

This option is only supported for the ASA 5500 series adaptive security appliance.

You can enter up to four boot system command entries, to specify different images to boot from in order; the security appliance boots the first image it finds. Only one boot system tftp: command can be configured, and it must be the first one configured.

To configure the ASDM image to boot, enter the following command:

hostname(config)# asdm image {flash:/ | disk0:/ | disk1:/}[path/]filename

Performing Zero Downtime Upgrades for Failover Pairs

The two units in a failover configuration should have the same major (first number) and minor (second number) software version. However, you do not need to maintain version parity on the units during the upgrade process; you can have different versions on the software running on each unit and still maintain failover support. To ensure long-term compatibility and stability, we recommend upgrading both units to the same version as soon as possible.

Table 32-1 shows the supported scenarios for performing zero-downtime upgrades on a failover pair.

Table 32-1 Zero-Downtime Upgrade Support

Type of Upgrade
Support

Maintenance Release

You can upgrade from any maintenance release to any other maintenance release within a minor release.

For example, you can upgrade from 7.0(1) to 7.0(4) without first installing the maintenance releases in between.

Minor Release

You can upgrade from a minor release to the next minor release. You cannot skip a minor release.

For example, you can upgrade from 7.0 to 7.1. Upgrading from 7.0 directly to 7.2 is not supported for zero-downtime upgrades; you must first upgrade to 7.1.

Major Release

You can upgrade from the last minor release of the previous version to the next major release.

For example, you can upgrade from 7.9 to 8.0, assuming that 7.9 is the last minor version in the 7.x release.


For more details about upgrading the software on a failover pair, refer to the following topics:

Upgrading an Active/Standby Failover Configuration

Upgrading and Active/Active Failover Configuration

Upgrading an Active/Standby Failover Configuration

To upgrade two units in an Active/Standby failover configuration, perform the following steps:


Step 1 Download the new software to both units, and specify the new image to load with the boot system command (see the "Configuring the Application Image and ASDM Image to Boot" section).

Step 2 Reload the standby unit to boot the new image by entering the following command on the active unit:

active# failover reload-standby

Step 3 When the standby unit has finished reloading, and is in the Standby Ready state, force the active unit to fail over to the standby unit by entering the following command on the active unit.


Note Use the show failover command to verify that the standby unit is in the Standby Ready state.


active# no failover active

Step 4 Reload the former active unit (now the new standby unit) by entering the following command:

newstandby# reload

Step 5 When the new standby unit has finished reloading, and is in the Standby Ready state, return the original active unit to active status by entering the following command:

newstandby# failover active


Upgrading and Active/Active Failover Configuration

To upgrade two units in an Active/Active failover configuration, perform the following steps:


Step 1 Download the new software to both units, and specify the new image to load with the boot system command (see the "Configuring the Application Image and ASDM Image to Boot" section).

Step 2 Make both failover groups active on the primary unit by entering the following command in the system execution space of the primary unit:

primary# failover active

Step 3 Reload the secondary unit to boot the new image by entering the following command in the system execution space of the primary unit:

primary# failover reload-standby

Step 4 When the secondary unit has finished reloading, and both failover groups are in the Standby Ready state on that unit, make both failover groups active on the secondary unit using the following command in the system execution space of the primary unit:


Note Use the show failover command to verify that both failover groups are in the Standby Ready state on the secondary unit.


primary# no failover active

Step 5 Make sure both failover groups are in the Standby Ready state on the primary unit, and then reload the primary unit using the following command:

primary# reload

Step 6 If the failover groups are configured with the preempt command, they will automatically become active on their designated unit after the preempt delay has passed. If the failover groups are not configured with the preempt command, you can return them to active status on their designated units using the failover active group command.


Downloading and Backing Up Configuration Files

This section describes how to download and back up the startup and running configuration files, and also how to back up context configuration files. This section includes the following topics:

Downloading a Text File to the Startup or Running Configuration

Configuring the File to Boot as the Startup Configuration

Copying the Startup Configuration to the Running Configuration

Backing Up the Configuration

Downloading a Text File to the Startup or Running Configuration

You can download a text file from the following server types:

TFTP

FTP

HTTP

HTTPS

Make sure you have network access to the server:

For single context mode, configure any interface, its IP address, and any static routes required to reach the server. See the "Configuring Interfaces" section on page 28-2 and then Chapter 8, "Configuring IP Routing and DHCP Services."

For multiple context mode, add the admin context and configure interfaces, IP addresses, and routing to provide network access. See the "Configuring a Security Context" section on page 5-1, and then the "Configuring Interfaces" section on page 28-2 and Chapter 8, "Configuring IP Routing and DHCP Services."

To check connectivity, use the ping command.

To copy the startup configuration or running configuration from the server to the security appliance, enter one of the following commands for the appropriate download server.


Note When you copy a configuration to the running configuration, you merge the two configurations. A merge adds any new commands from the new configuration to the running configuration. If the configurations are the same, no changes occur. If commands conflict or if commands affect the running of the context, then the effect of the merge depends on the command. You might get errors, or you might have unexpected results.


To copy from a TFTP server, enter the following command:

hostname# copy tftp://server[/path]/filename {startup-config | running-config}

To copy from an FTP server, enter the following command:

hostname# copy ftp://[user[:password]@]server[/path]/filename[;type=xx] 
{startup-config | running-config}

The type can be one of the following keywords:

ap—ASCII passive mode

an—ASCII normal mode

ip—(Default) Binary passive mode

in—Binary normal mode

You can use ASCII or binary for configuration files.

To copy from an HTTP or HTTPS server, enter the following command:

hostname# copy http[s]://[user[:password]@]server[:port][/path]/filename 
{startup-config | running-config}

For example, to copy the configuration from a TFTP server, enter the following command:

hostname# copy tftp://209.165.200.226/configs/startup.cfg startup-config

To copy the configuration from an FTP server, enter the following command:

hostname# copy ftp://admin:letmein@209.165.200.227/configs/startup.cfg;type=an 
startup-config

To copy the configuration from an HTTP server, enter the following command:

hostname# copy http://209.165.200.228/configs/startup.cfg startup-config

Configuring the File to Boot as the Startup Configuration

By default, the security appliance boots from a startup configuration that is a hidden file. You can alternatively set any configuration to be the startup configuration by entering the following command:

hostname(config)# boot config {flash:/ | disk0:/ | disk1:/}[path/]filename

The flash:/ keyword represents the internal Flash memory on the PIX 500 series security appliance. You can enter flash:/ or disk0:/ for the internal Flash memory on the ASA 5500 series adaptive security appliance. The disk1:/ keyword represents the external Flash memory on the ASA.

Copying the Startup Configuration to the Running Configuration

Copy a new startup configuration to the running configuration using one of these options:

To merge the startup configuration with the current running configuration, enter the following command:

hostname(config)# copy startup-config running-config

To load the startup configuration and discard the running configuration, restart the security appliance by entering the following command:

hostname# reload

Alternatively, you can use the following commands to load the startup configuration and discard the running configuration without requiring a reboot:

hostname/contexta(config)# clear configure all
hostname/contexta(config)# copy startup-config running-config

Backing Up the Configuration

To back up your configuration, copy it to an external server. Use one of the following methods:

Backing up the Single Mode or Multiple Mode System Configuration

Backing up a Context Configuration within the Context

Copying the Configuration from the Terminal Display

Backing up the Single Mode or Multiple Mode System Configuration

In single context mode, or from the system configuration in multiple mode, you can copy the startup configuration, running configuration, or any configuration file in Flash memory.

Enter one of the following commands for the appropriate backup server:

To copy to a TFTP server, enter the following command:

hostname# copy {startup-config | running-config | flashmem:/[path/]filename} 
tftp://server[/path]/filename

where flashmem is flash, disk0, or disk1. The flash keyword represents the internal Flash memory on the PIX 500 series security appliance. You can enter flash or disk0 for the internal Flash memory on the ASA 5500 series adaptive security appliance. The disk1 keyword represents the external Flash memory on the ASA.

To copy to an FTP server, enter the following command:

hostname# copy {startup-config | running-config | flashmem:/[path/]filename} 
ftp://[user[:password]@]server[/path]/filename[;type=xx]

The type can be one of the following keywords:

ap—ASCII passive mode

an—ASCII normal mode

ip—(Default) Binary passive mode

in—Binary normal mode

Use ASCII or binary for configuration files (as in this case), and binary only for image files.

Backing up a Context Configuration within the Context

In multiple context mode, from within a context, you can perform the following backups:

To copy the running configuration to the startup configuration server (connected to the admin context), enter the following command:

hostname/contexta# copy running-config startup-config

To copy the running configuration to a TFTP server connected to the context network, enter the following command:

hostname/contexta# copy running-config tftp:/server[/path]/filename

Copying the Configuration from the Terminal Display

To print the configuration to the terminal, enter the following command:

hostname# show running-config

Copy the output from this command, then paste the configuration into a text file.

Configuring Auto Update Support

Auto Update is a protocol specification that allows an Auto Update Server to download configurations and software images to a many security appliances, and can provide basic monitoring of the security appliances from a central location. The security appliance periodically polls the Auto Update Server for updates to software images and configuration files.


Note Auto Update is supported in single context mode only.


This section includes the following topics:

Configuring Communication with an Auto Update Server

Viewing Auto Update Status

Configuring Communication with an Auto Update Server

To configure Auto Update, perform the following steps:


Step 1 To specify the URL of the AUS, use the following command:

hostname(config)# auto-update server url [source interface] [verify-certificate]

Where url has the following syntax:

http[s]://[user:password@]server_ip[:port]/pathname

You can configure only one server. SSL is used when https is specified. The user and password arguments of the URL are used for Basic Authentication when logging in to the server. If you use the write terminal, show configuration or show tech-support commands to view the configuration, the user and password are replaced with `********'.

The default port is 80 for HTTP and 443 for HTTPS.

The source interface argument specifies which interface to use when sending requests to the AUS. If you specify the same interface specified by the management-access command, the Auto Update requests travel over the same IPSec VPN tunnel used for management access.

The verify-certificate keyword verifies the certificate returned by the AUS.

Step 2 (Optional) To identify the device ID to send when communicating with the AUS, enter the following command:

hostname(config)# auto-update device-id {hardware-serial | hostname | ipaddress [if-name] 
| mac-address [if-name] | string text}

The identifier used is determined by using one of the following parameters:

hardware-serial—Use the security appliance serial number.

hostname—Use the security appliance hostname.

ipaddress—Use the IP address of the specified interface. If the interface name is not specified, it uses the IP address of the interface used to communicate with the AUS.

mac-address—Use the MAC address of the specified interface. If the interface name is not specified, it uses the MAC address of the interface used to communicate with the AUS.

string—Use the specified text identifier, which cannot contain white space or the characters `, ", , >, & and ?.

Step 3 (Optional) To specify how often to poll the AUS for configuration or image updates, enter the following command:

hostname(config)# auto-update poll-period poll-period [retry-count [retry-period]]

The poll-period argument specifies how often (in minutes) to check for an update. The default is 720 minutes (12 hours).

The retry-count argument specifies how many times to try reconnecting to the server if the first attempt fails. The default is 0.

The retry-period argument specifies how long to wait (in minutes) between retries. The default is 5.

Step 4 (Optional) If the Auto Update Server has not been contacted for a certain period of time, the following command will cause it to cease passing traffic:

hostname(config)# auto-update timeout period

Where period specifies the timeout period in minutes between 1 and 35791. The default is to never time out (0). To restore the default, enter the no form of this command.

Use this command to ensure that the security appliance has the most recent image and configuration. This condition is reported with system log message 201008.


In the following example, a security appliance is configured to poll an AUS with IP address 209.165.200.224, at port number 1742, from the outside interface, with certificate verification.

It is also configured to use the hostname of the security appliance as the device ID, and the polling period has been decreased from the default of 720 minutes to 600 minutes. On a failed polling attempt, it will try to reconnect to the AUS 10 times, and wait 3 minutes between attempts at reconnecting.

hostname(config)# auto-update server 
https://jcrichton:farscape@209.165.200.224:1742/management source outside 
verify-certificate
hostname(config)# auto-update device-id hostname
hostname(config)# auto-update poll-period 600 10 3

Viewing Auto Update Status

To view the Auto Update status, enter the following command:

hostname(config)# show auto-update

The following is sample output from the show auto-update command:

hostname(config)# show auto-update
Server: https://********@209.165.200.224:1742/management.cgi?1276
Certificate will be verified
Poll period: 720 minutes, retry count: 2, retry period: 5 minutes
Timeout: none
Device ID: host name [corporate]
Next poll in 4.93 minutes
Last poll: 11:36:46 PST Tue Nov 13 2004
Last PDM update: 23:36:46 PST Tue Nov 12 2004