
Oct 4, 2010

Copy ASA5520 firewall IOS flash into computer

I'm using my laptop as the TFTP server and copying the software image from the ASA's flash onto it. (Strictly, the ASA runs its own software image rather than Cisco IOS, but the copy procedure is the same as on an IOS device, so the file is called the IOS here.)

To do this, you must configure your laptop as a TFTP server. I'm using PumpKIN, a free TFTP server application, for this. Install and run it on your laptop, and check the download path in its options: that is the directory the image will be written to.

Then, on the ASA firewall console, run the commands below to transfer the image to your laptop (the text after -- explains each step and is not typed):

ASA>en
ASA#sh flash: --Display the current flash
-#- --length-- -----date/time------ path
6 2844 Jul 27 2010 15:10:54 admin.cfg
7 1868412 Jan 01 2003 08:07:00 securedesktop-asa-3.1.1.29-k9.pkg
8 398305 Jan 01 2003 08:07:16 sslclient-win-1.1.0.154.pkg
9 0 Nov 02 2007 15:51:50 crypto_archive
10 6287244 Nov 02 2007 15:54:10 asdm-523.bin
13 8515584 Apr 22 2008 08:06:38 asa724-k8.bin
14 6514852 Apr 22 2008 08:07:46 asdm-524.bin
15 4401 Jul 27 2010 15:10:54 old_running.cfg

231735296 bytes available (23691264 bytes used)

ASA#copy flash: tftp: --begin the transfer of the image using TFTP

Source filename []? asa724-k8.bin --type the image file name
Address or name of remote host []? 172.17.8.55 --enter your laptop's IP address
Destination filename [asa724-k8.bin]? --press ENTER to begin the transfer

On your laptop, PumpKIN prompts you to accept the incoming write request; click Accept to begin the transfer.


On the ASA console, the transfer begins:

Writing file tftp://172.17.8.55/asa724-k8.bin... !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
<<<<<<<<<<<<<<<<<<<<<<<output omitted>>>>>>>>>>>>>>>>>>>>>>>>>>

The transfer takes longer for a large image and depends on your connection. Use a wired connection rather than wireless: wireless is slower, and a dropped connection aborts the transfer. Two further points. TFTP has no authentication or encryption, so do this over a directly connected or otherwise isolated link; the Accept prompt in PumpKIN is effectively the only gate on what gets written to your laptop. After the copy, check that the file on the laptop has exactly the size shown by show flash: (8515584 bytes for asa724-k8.bin above); the ASA can also print the image checksum with verify /md5 flash:/asa724-k8.bin for comparison with md5sum on the laptop.
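What PumpKIN is doing while the ASA prints those exclamation marks is a TFTP write request (RFC 1350): the ASA sends a WRQ, the server acknowledges block 0 from a freshly chosen port, and the image then flows as 512-byte DATA blocks, each acknowledged, until a short (or empty) block ends the transfer. The Python below is an added example, not code from the original post or from PumpKIN: it implements both sides of that exchange over the loopback interface, with the server accepting only expected filenames (the role the Accept prompt plays) and ignoring packets from any peer other than the one that sent the WRQ. The filename asa724-k8.bin is from the post; the payload and the allowed-name set are constructed for the demo.

```python
"""Both sides of a TFTP write (RFC 1350) over UDP loopback: the ASA's 'copy flash: tftp:'
on one side, a PumpKIN-like receiving server on the other. Added example, not PumpKIN code."""
import hashlib
import socket
import struct
import threading

OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 2, 3, 4, 5
BLOCK = 512                      # RFC 1350 fixed data block size
TIMEOUT = 2.0


def build_wrq(filename, mode="octet"):
    """WRQ: opcode 2, filename, NUL, mode, NUL."""
    return struct.pack("!H", OP_WRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def serve_one_write(listen_sock, allowed_names):
    """Receive one file. Returns (filename, data), or (None, b'') if the WRQ was refused."""
    pkt, client = listen_sock.recvfrom(1024)
    parts = pkt[2:].split(b"\0")
    if struct.unpack("!H", pkt[:2])[0] != OP_WRQ or len(parts) < 2:
        return None, b""
    name, mode = parts[0].decode(errors="replace"), parts[1].lower()
    # PumpKIN's Accept/Deny prompt is the only gate TFTP gives you; here it is a whitelist.
    if name not in allowed_names or mode != b"octet":
        listen_sock.sendto(struct.pack("!HH", OP_ERROR, 2) + b"access violation\0", client)
        return None, b""
    tid = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)   # server picks a fresh TID (port)
    tid.settimeout(TIMEOUT)
    tid.bind(("127.0.0.1", 0))
    tid.sendto(struct.pack("!HH", OP_ACK, 0), client)
    data, expected = bytearray(), 1
    while True:
        pkt, peer = tid.recvfrom(4 + BLOCK)
        if peer != client:                     # wrong TID: not our transfer, ignore it
            continue
        op, blk = struct.unpack("!HH", pkt[:4])
        if op != OP_DATA:
            break
        if blk == expected:                    # in-order block; duplicates are only re-ACKed
            data += pkt[4:]
            expected = (expected + 1) & 0xFFFF
        tid.sendto(struct.pack("!HH", OP_ACK, blk), peer)
        if len(pkt) - 4 < BLOCK:               # a short block terminates the transfer
            break
    tid.close()
    return name, bytes(data)


def send_file(server_addr, filename, payload):
    """Client side (the ASA's role). Returns the number of DATA blocks sent."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(TIMEOUT)
    try:
        s.sendto(build_wrq(filename), server_addr)
        reply, tid = s.recvfrom(4 + BLOCK)    # ACK 0 arrives from the server's new TID
        if struct.unpack("!H", reply[:2])[0] == OP_ERROR:
            raise RuntimeError(reply[4:].rstrip(b"\0").decode(errors="replace"))
        # A payload that is an exact multiple of 512 still needs a final empty DATA block.
        n_blocks = len(payload) // BLOCK + 1
        for i in range(n_blocks):
            blkno = (i + 1) & 0xFFFF
            s.sendto(struct.pack("!HH", OP_DATA, blkno) + payload[i * BLOCK:(i + 1) * BLOCK], tid)
            ack, _ = s.recvfrom(4 + BLOCK)
            if struct.unpack("!HH", ack[:4]) != (OP_ACK, blkno):
                raise RuntimeError("unexpected reply to block %d" % blkno)
        return n_blocks
    finally:
        s.close()


def loopback_transfer(filename, payload, allowed_names):
    """Run server and client on 127.0.0.1; return (name, data, sha256 hex, blocks sent or -1)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.settimeout(TIMEOUT)
    srv.bind(("127.0.0.1", 0))
    result = {}

    def run_server():
        result["name"], result["data"] = serve_one_write(srv, allowed_names)

    t = threading.Thread(target=run_server)
    t.start()
    try:
        blocks = send_file(srv.getsockname(), filename, payload)
    except RuntimeError:
        blocks = -1
    t.join()
    srv.close()
    data = result.get("data", b"")
    return result.get("name"), data, hashlib.sha256(data).hexdigest(), blocks


if __name__ == "__main__":
    # Constructed stand-in for asa724-k8.bin: not a real image, just 1300 bytes of data.
    image = b"\x7fELF" + bytes(range(256)) * 5 + b"\0" * 16
    name, data, digest, blocks = loopback_transfer("asa724-k8.bin", image, {"asa724-k8.bin"})
    print(name, len(data), blocks, digest)
```

Note the exact-multiple case handled in send_file: a 1024-byte payload still needs a third, empty DATA block, otherwise the receiver keeps waiting for more data. The returned hash is what you would compare against the image checksum taken on the ASA.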

Sep 21, 2010

Radius Server Installation Guide

I'm using freeradius as the radius server and installed it on CentOS; the commands differ slightly depending on the OS used.

Installing freeradius

To install freeradius on Red Hat Enterprise Linux or CentOS, type this command in the terminal as root:

# yum install freeradius

Type 'y' at the 'Is this ok [y/N]:' prompt. Below is the example output of the command:

[root@radius01 ~]# yum install freeradius
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * addons: mirror.nus.edu.sg
 * base: mirror.nus.edu.sg
 * extras: mirror.nus.edu.sg
 * updates: mirror.nus.edu.sg
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package freeradius.i386 0:1.1.3-1.5.el5_4 set to be updated
--> Processing Dependency: net-snmp-utils for package: freeradius
--> Processing Dependency: net-snmp for package: freeradius
--> Processing Dependency: perl(DBI) for package: freeradius
--> Running transaction check
---> Package net-snmp.i386 1:5.3.2.2-7.el5_4.2 set to be updated
--> Processing Dependency: libsensors.so.3 for package: net-snmp
---> Package net-snmp-utils.i386 1:5.3.2.2-7.el5_4.2 set to be updated
---> Package perl-DBI.i386 0:1.52-2.el5 set to be updated
--> Running transaction check
---> Package lm_sensors.i386 0:2.10.7-4.el5 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package              Arch       Version                    Repository     Size
================================================================================
Installing:
 freeradius           i386       1.1.3-1.5.el5_4            updates       1.1 M
Installing for dependencies:
 lm_sensors           i386       2.10.7-4.el5               base          513 k
 net-snmp             i386       1:5.3.2.2-7.el5_4.2        updates       696 k
 net-snmp-utils       i386       1:5.3.2.2-7.el5_4.2        updates       185 k
 perl-DBI             i386       1.52-2.el5                 base          600 k

Transaction Summary
================================================================================
Install      5 Package(s)
Update       0 Package(s)
Remove       0 Package(s)

 Total download size: 3.1 M
Is this ok [y/N]: y
Downloading Packages:
(1/5): net-snmp-utils-5.3.2.2-7.el5_4.2.i386.rpm         | 176 kB     00:00
http://mirror.nus.edu.sg/centos/5.4/updates/i386/RPMS/net-snmp-utils-5.3.2.2-7.el5_4.2.i386.rpm: [Errno 4] Socket Error: timed out
Trying other mirror.
(1/5): net-snmp-utils-5.3.2.2-7.el5_4.2.i386.rpm         | 185 kB     00:00
(2/5): lm_sensors-2.10.7-4.el5.i386.rpm                  | 513 kB     00:00
(3/5): perl-DBI-1.52-2.el5.i386.rpm                      | 576 kB     00:00
http://mirror.nus.edu.sg/centos/5.4/os/i386/CentOS/perl-DBI-1.52-2.el5.i386.rpm: [Errno 4] Socket Error: timed out
Trying other mirror.
(3/5): perl-DBI-1.52-2.el5.i386.rpm                      | 600 kB     00:00
(4/5): net-snmp-5.3.2.2-7.el5_4.2.i386.rpm               | 696 kB     00:00
(5/5): freeradius-1.1.3-1.5.el5_4.i386.rpm               | 1.1 MB     00:24
--------------------------------------------------------------------------------
Total                                            27 kB/s | 3.1 MB     01:56
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : perl-DBI                                                 1/5
  Installing     : lm_sensors                                               2/5
  Installing     : net-snmp                                                 3/5
  Installing     : net-snmp-utils                                           4/5
  Installing     : freeradius                                               5/5

Installed:
  freeradius.i386 0:1.1.3-1.5.el5_4

Dependency Installed:
  lm_sensors.i386 0:2.10.7-4.el5            net-snmp.i386 1:5.3.2.2-7.el5_4.2
  net-snmp-utils.i386 1:5.3.2.2-7.el5_4.2   perl-DBI.i386 0:1.52-2.el5

Complete!
 
At this point you have installed the radius server; next, verify which version was installed.

Check the Server Radius System Version

To check the version of the Radius Server that has been installed, use this command:
# rpm -qa freeradius

Below is the example output of the command entered:
[root@radius01 ~]# rpm -qa freeradius
freeradius-1.1.3-1.5.el5_4


radiusd.conf configuration 

Next, configure the radiusd.conf file for your network. The example below shows the details of my network (LDAP server 192.168.4.41, users under ou=people,o=mydomain.gov.my,o=gov), so substitute your own.

Using the vi text editor, open radiusd.conf from the terminal console:
vi /etc/raddb/radiusd.conf

Then set the ldap module (it lives inside the modules section), add ldap to the authorize section and enable the LDAP Auth-Type in the authenticate section. Only the lines relevant to LDAP are shown; leave the rest of each section as shipped:

ldap {
        server = "192.168.4.41"
        # identity = "cn=admin,o=My Org,c=UA"
        # password = secret
        basedn = "ou=people,o=mydomain.gov.my,o=gov"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        # base_filter = "(objectclass=radiusprofile)"
        password_attribute = "userPassword"
        #access_attr = "dialupAccess"
}

authorize {
        #
        #  The preprocess module takes care of sanitizing some bizarre
        #  attributes in the request, and turning them into attributes
        #  which are more standard.
        #
        #  The ldap module will set Auth-Type to LDAP if it has not
        #  already been set
        ldap
}

#     $INCLUDE  ${confdir}/sql.conf

authenticate {
        #
        # PAP authentication, when a back-end database listed
        # in the 'authorize' section supplies a password.  The
        # password can be clear-text, or encrypted.
        # Uncomment it if you want to use ldap for authentication
        # Note that this means "check plain-text password against
        # the ldap database", which means that EAP won't work,
        # as it does not supply a plain-text password.
        Auth-Type LDAP {
                ldap
        }
}

Two things to note before using this on a production server. With identity and password commented out, the module binds to the directory anonymously, so the directory must allow an anonymous client to search ou=people and (because of password_attribute) to read userPassword, which is rarely what you want; set identity and password to a dedicated service account and restrict its rights to exactly that. And because nothing here enables TLS, the bind credentials, the searches and the attribute values travel to 192.168.4.41 in cleartext; enable TLS to the directory, or keep that traffic on an isolated network.

Save the configuration before exiting by typing ':wq' and pressing Enter.

Users configuration

Edit the users file (/etc/raddb/users; the file name is lower-case) with the vi text editor. To open it, enter this command in the terminal console:
vi /etc/raddb/users

Below is the users configuration. The first DEFAULT entry sets Auth-Type = System only if nothing has set it yet; the second forces (:=) Auth-Type LDAP for every user, so LDAP is what actually decides authentication here:

DEFAULT Auth-Type = System
        Fall-Through = 1

DEFAULT Auth-Type := LDAP
        Fall-Through = 1


Save the configuration before exit by typing ‘:wq’ and enter.

clients.conf configuration

Edit the clients.conf file (/etc/raddb/clients.conf) with the vi text editor. To open it, enter the following command in the terminal console:
vi /etc/raddb/clients.conf

Below is the clients.conf entry that lets the NAS devices on my network talk to the server:

client 192.168.0.0/16 {
       secret          = test
       shortname       = private-network-2
}

The shared secret is the only credential a NAS presents, and it is also what hides the PAP password in each request and signs every reply, so this entry deserves more care than the example gives it: a /16 lets any host on that network that can reach UDP port 1812 send requests, and a secret like test is guessable. Use one client entry per NAS (or the smallest range you can), give each a long random secret, and never leave an example value such as test in place.

Save the configuration before exit by typing ‘:wq’ and enter.

Start radius server.

To start the radius server, use the following command in the terminal console:
# /etc/init.d/radiusd start

Stop radius server.

To stop the radius server, use the following command in the terminal console:
# /etc/init.d/radiusd stop

Restart radius server.

To restart the radius server, use the following command in the terminal console:
# /etc/init.d/radiusd restart
Below is the example of the output of restart command entered:
[root@radius01 raddb]# /etc/init.d/radiusd restart
Stopping RADIUS server:                                    [  OK  ]
Starting RADIUS server: Tue Apr 13 11:00:48 2010 : Info: Starting - reading configuration files ...
                                                           [  OK  ]
 
Note that the radius server does not start automatically after the operating system reboots unless you enable it (on CentOS, run chkconfig radiusd on); otherwise you have to enter the start or restart command manually after each reboot.

Test The radius Configuration

To check that the radius server is working, use the following command:

  radtest {username} {password} {hostname} 10 {radius_secret}

The host you run radtest from must match a client entry in clients.conf, and {radius_secret} must be that entry's secret; the 10 is the NAS-Port value sent in the request. If authentication fails, an Access-Reject message is displayed; Access-Accept is displayed if authentication succeeds.
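What radtest puts on the wire, and what the shared secret from clients.conf is doing in that exchange, is easier to see in code. The Python below is an added example, not radtest or FreeRADIUS source: it builds an Access-Request with the PAP User-Password hiding of RFC 2865, answers it from an in-process server that checks a constructed user table (standing in for the LDAP lookup), and verifies the Response Authenticator on the reply. The user alice/s3cret, the NAS address 192.168.4.10 and the secrets are constructed for the demo; the NAS-Port 10 mirrors radtest's fourth argument.

```python
"""RADIUS PAP Access-Request/Access-Accept exchange (RFC 2865), i.e. what
'radtest user pass host 10 secret' and radiusd do with the shared secret.
Added example with an in-process server; not radtest or FreeRADIUS code."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5


def _attr(attr_type, value):
    """One attribute: Type(1) Length(1, header included) Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _packet(code, ident, authenticator, attrs):
    """Header: Code(1) Identifier(1) Length(2) Authenticator(16), then attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attrs(body):
    attrs, i = {}, 0
    while i + 2 <= len(body):
        t, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("malformed attribute")
        attrs[t] = body[i + 2:i + length]
        i += length
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: NUL-pad to a multiple of 16, then c1 = p1 ^ MD5(S+RA), cN = pN ^ MD5(S+cN-1)."""
    pw = password.encode()
    pw += b"\0" * (16 if not pw else (-len(pw)) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(pw), 16):
        chunk = bytes(p ^ b for p, b in zip(pw[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += chunk
        prev = chunk
    return out


def reveal_password(hidden, secret, request_auth):
    """Server side of the same scheme; anyone holding the secret can undo it."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(chunk, hashlib.md5(secret + prev).digest()))
        prev = chunk
    return out.rstrip(b"\0").decode(errors="replace")


def build_access_request(ident, username, password, secret, nas_ip, nas_port):
    request_auth = os.urandom(16)   # must be unpredictable: it keys the password hiding
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, hide_password(password, secret, request_auth))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + _attr(NAS_PORT, struct.pack("!I", nas_port)))
    return _packet(ACCESS_REQUEST, ident, request_auth, attrs)


def response_authenticator(code, ident, request_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def handle_access_request(pkt, secret, users):
    """Server (radiusd's job): users maps name -> cleartext password, as the LDAP lookup would."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_REQUEST or length != len(pkt) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    request_auth, attrs = pkt[4:20], parse_attrs(pkt[20:length])
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    given = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    ok = user in users and hmac.compare_digest(users[user].encode(), given.encode())
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return _packet(code, ident, response_authenticator(code, ident, request_auth, b"", secret), b"")


def check_response(request, response, secret):
    """Client (radtest's job): trust the reply only if its authenticator was made with our secret."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return None
    expected = response_authenticator(code, ident, request[4:20], response[20:length], secret)
    if not hmac.compare_digest(expected, response[4:20]):
        return None
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(code)


def radtest(username, password, secret, users, server_secret=None):
    """Emulate 'radtest username password host 10 secret' against the in-process server.
    server_secret lets you show what happens when clients.conf and the NAS disagree."""
    req = build_access_request(7, username, password, secret, "192.168.4.10", 10)
    resp = handle_access_request(req, secret if server_secret is None else server_secret, users)
    return check_response(req, resp, secret)


if __name__ == "__main__":
    users = {"alice": "s3cret"}                                    # constructed directory contents
    print(radtest("alice", "s3cret", b"test", users))              # Access-Accept
    print(radtest("alice", "wrong", b"test", users))               # Access-Reject
    print(radtest("alice", "s3cret", b"test", users, b"other"))    # None: reply cannot be verified
```

The third call shows the failure mode a wrong secret produces: the server recovers a garbage password and sends Access-Reject, but that reply is signed with its own secret, so the client cannot verify it and gets neither Accept nor Reject. It also shows why the secret in clients.conf matters: hide_password is reversible by anyone who holds it, so a short guessable value such as test gives the passwords it carries little protection.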

