Cisco ASA 9.2 on Cisco ASA 5505 with Unsupported Memory Configuration Fail

EDIT: 16/11/2015 – It looks like it now works. I am currently running asa924-2-k8.bin on my 5505s, with my 1GB sticks of RAM, and it hasn’t complained! 🙂

The Cisco ASA 5505 officially supports a maximum of 512MB RAM.

Last year I wrote a post detailing a small experiment I did, where I upgraded both my Cisco ASA 5505s to use 1GB sticks of RAM, double the officially supported value.

Since then, it has worked great and both boxes have been chilling out in my rack, but recently Cisco released ASA 9.2.

The full list of new features and changes can be read in the release notes, but the feature I was most excited about was BGP support being added.

The ASA has had OSPF support for some time, but it was lacking BGP, which I always thought was a feature it should have. Now that it has been added, I was quite excited to play with it!

So I grabbed the latest 9.2 image (asa921-k8.bin) and dropped it on both my ASAs, then switched the bootloader configuration to load the new image. Next I reloaded the secondary device and waited for it to come back up. Half an hour later, nothing. So I connected a serial cable to see what was up, and to my surprise found that it was not doing anything. It was just stuck saying:

Loading disk0:/asa921-k8.bin...

Initially I wasn’t really sure what was causing this, so I tried switching out the RAM and putting back the stock 512MB stick that I got with the box, and magic! It worked.

I’m quite disappointed that my 1GB sticks won’t work with 9.2, but it’s not a huge loss. According to my Cacti graphs, I only use around 300MB anyway!

Memory Usage on my Cisco ASA 5505s

I’m going to have to buy a 512MB stick for my secondary ASA, as now they refuse to be in a failover configuration due to having different software versions and different memory sizes.

Alternatively, I’m thinking of just replacing these boxes with something else. My ISP (Virgin Media) will be upgrading my line to 152Mbit/s later this year. The ASA 5505 only has 100Mbit ports so I will be losing 52Mbits! I don’t want that, so I’ll have to get something faster. I’ll probably either go with just a custom Linux box with IPtables, or maybe a virtual ASA now that Cisco offers that! 🙂

Home Lab: Added a Cisco 3845 ISR

Why? Well, I wanted more ISRs in my home lab.

That, plus my ISP (Virgin Media) will be upgrading my line from 120mbit to 152mbit in the second half of 2014. Looking at the Cisco docs, the 2851 ISR I am using can only do up to around 112mbit/s.

Although it is a long time until my ISP goes ahead with this upgrade, I saw the 3845 going reasonably cheap on eBay, cheaper than I expect it will be next year when my ISP WILL have upgraded my line. So, I decided to just buy it now. 🙂

I am really starting to have a problem with space for my home lab. My rack is already pretty much fully populated, so I now have equipment on top of and surrounding my rack. I don’t really have space for a second rack at the moment, so it looks like I can’t expand my lab any more for a while. Oh well. 🙁

Home Lab Network Redesign Part 2: The Edge Routers

As I have never used a Mikrotik router before, there was quite a big learning curve.

I’ve only really used Cisco/Juniper-like interfaces to configure routers, and I’m a fan of them. Even though I have gotten a little more used to the RouterOS command line, I must say I’m not a huge fan of it. Most of the reasons are quite minor, but some of the reasons I don’t really like it are:

  • I find it silly how the menus are structured. For example, I have to first configure an interface in the “/interface” context, then switch context to “/ip address” to add an IP address. The same goes for getting an IP from a DHCP server: you can’t do it from the “/ip address” context, but rather from the “/ip dhcp-client” context. There are many other cases of this, and while none of it is really a big deal, I find it quite inconvenient. I want to configure the options for a single interface in one place.
  • There are a lot of little things I think ROS is lacking. For example, when creating a GRE tunnel from the “/interface gre” context, you have to provide a local-address to source the packets from. This is a pain because if you are on a dynamic IP address, it involves an extra step of editing the address every time your address changes. On Cisco routers, you can just do “tunnel source $INTERFACE” and it’ll automagically use the correct source address. The same applies to adding routes via the DHCP-provided default gateway. On IOS, I can just do “ip route 8.8.8.8 255.255.255.255 dhcp” to route some packets explicitly via the DHCP-assigned default gateway. This is useful because in order to reach my dedicated server, I need a single route via my DHCP-assigned default gateway before BGP from my dedicated server pushes down a new default route. In ROS you can’t do this, and have to add a static route manually yourself and edit it each time your address changes. Again, these are minor things, but I’m sure there are some bigger things which I cannot remember at the moment.

To be fair, these reasons are quite minor, and considering the price difference between a Mikrotik router, and a Cisco/Juniper router, I guess it is acceptable.

In terms of setting up the RB2011UAS-RM, I wanted to keep the config as simple as possible:

  • Make the DHCP client add the default route with a distance of 250. This allows the default route pushed from my dedicated server to have priority and be the active route.
  • Add a static route to my dedicated server via the DHCP-assigned default gateway.
  • Set up VRRP on the “inside” interfaces of both edge routers.
  • Set up GRE tunnels back to my dedicated server.
  • Configure BGP from both edge routers to the dedicated server, and BGP peering to each other via the point-to-point connection.
  • Add static routes to my internal network behind my ASAs.

I didn’t want to add any masquerading/NAT rules on the edge routers, because I felt it would add extra CPU load for no reason: the default route will be via the dedicated server, and NAT will be done there. However, I decided it might be better to add a rule to NAT any traffic going straight out to the internet (not via the GRE tunnels), just in case, for whatever reason, the BGP sessions on both routers were down and traffic was no longer going via my dedicated server.

That’s pretty much it for the edge routers. It’s simple, and it’s working well so far!

Again, I can share config files if anyone wants to look at them!

Home Lab Network Redesign Part 1: The Remote Dedicated Server

Home Lab Diagram
As promised, here is a very, very basic diagram of my home lab. This is quite a high-level overview of it, and the layer 2 information is not present as I suck at Visio, and all the connectors were getting messy in Visio with the layer 2 stuff present! What is not shown in the diagram:

  1. There are two back-to-back links between the edge routers which are in an active-passive bond.
  2. Each edge router has two links going into two switches (one link per switch), both these links are in an active-passive bonded interface.
  3. The two edge firewalls only have two links going to each of those switches. One port is in the “inside” VLAN, and the other is on the “outside” VLAN. I wanted to have two links per VLAN, going to both switches, but the Cisco ASAs don’t do STP or Port-Channels, so having two links would have made a loop.
  4. The link between the two ASAs is actually going through a single switch on a dedicated failover VLAN. From reading around, the ASAs go a little crazy sometimes if you use a crossover cable, as the secondary will see its own port go down as well in the event the primary fails. It seems that this can cause some funny things to happen. Using a switch between them means that if the primary goes down, the secondary ASA’s port will still stay up, avoiding any funny business.
  5. The core gateway only has two interfaces, each going to a different switch. One port is on the “inside” VLAN that the firewalls are connected to, and the other port is a trunk port with all my other VLANs. This isn’t very redundant, but I’m hoping to put in a second router when I have some more rack space and use HSRP to allow high availability.

As I mentioned in my previous post, I have a dedicated server hosted with Rapid Switch, through which I wanted to route all my connections. There were a few reasons I wanted to do this:

  1. Without routing through the dedicated server, if one of my internet connections went down, and I failed over to the other, then my IP would be different from my primary line. This will mess up some sessions, and create a problem for DNS as I can only really point records at one line or the other.
  2. My ISP only provides dynamic IP addresses. Although the DHCP lease is long enough to not make the IP addresses change often, it’s a pain updating DNS everywhere on the occasions that it does change. Routing via my dedicated server allows me to effectively have a static IP address, I only really need to change the end point IPs for the GRE tunnels should my Virgin Media provided IP change.
  3. I also get the benefit of being able to order more IPs if needed; Virgin Media do not offer more than one!
  4. Routing via my dedicated server at Rapid Switch also has the benefit of keeping my IP even if I change my home ISP.

The basic setup of the dedicated server is as follows:

  1. There is a GRE tunnel going from the dedicated server (diamond) to each of my edge routers. Both GRE tunnels have a private IPv4 address, and an IPv6 address. The actual GRE tunnel is transported over IPv4.
  2. I used Quagga to add the IPv6 address to the GRE tunnels as the native RedHat ifup scripts for tunnels don’t allow you to add an IPv6 address through them.
  3. I used Quagga’s BGPd to create an iBGP peering over the GRE tunnels to each of the Mikrotik routers, and push down a default route to them. The edge routers also announce my internal networks back to the dedicated server.
  4. I originally wanted to use eBGP between the dedicated servers and the edge routers, but I was having some issues where the BGP session wouldn’t establish if I used different ASNs. I’m still looking into that.
  5. There are some basic iptables rules just forwarding ports, doing NAT, and cleaning up some packets before passing them over the GRE tunnel, but that’s all really.

Other than that, there isn’t much to see on the dedicated server. It’s quite a simple setup on there. If anyone would like to see more, I can post any relevant config.

Home Lab Network Redesign with Mikrotik Routers

I have two cable connections from Virgin Media coming into my house due to some annoying contract problems.

I originally had one line on the 60Mbit package, and the other on 100mbit, but when Virgin Media upgraded me to 120mbit I downgraded the 60mbit line to 30mbit to reduce costs.

Since I got into this strange arrangement with Virgin Media, I have been using a Cisco 1841 Integrated Services Router on the 30mbit line, and a Cisco 2821 Integrated Services Router on the 120mbit line, but I found that I wasn’t able to max out the faster line using the Cisco 2821 ISR. Looking at Cisco’s performance sheet, the Cisco 2821 ISR is only really designed to support lines of up to around 87 mbit.

So naturally, it was time to upgrade! Initially I wanted to get a faster Cisco router, but looking at the second generation ISRs, it’ll be a bit pricey!

I did actually upgrade all my 7204 VXRs to have NPE-400 modules, which according to the performance sheet should do around 215 mbits, but the 7204s are extremely loud, and I only switch them on when I am using them.

Michael and Jamie have always been talking about Mikrotik routers so I figured since Cisco is a no go, I’ll give Mikrotik a chance. I ended up buying two RouterBOARD 2011UAS-RM from WiFi Stock.

To put the RB-2011UAS-RM boxes in, I decided I was going to restructure my network a bit. I will be making a series of posts discussing my re-designed network.

My goals for the redesign were as follows:

  • The RB-2011UAS-RM boxes will only function as edge routers, encapsulating traffic in GRE tunnels, and that’s all.
  • There will be a link between both edge routers, with a BGP peering for redirecting traffic should one of my lines go down.
  • They will have GRE tunnels to all my dedicated servers/VPSs.
  • I will use Quagga on all dedicated servers, and VPSs outside my network to create BGP peerings with my edge routers.
  • I wanted to route all my internet out of a server I currently have hosted with Rapid Switch, so BGP on the RapidSwitch box (called diamond) will have to push down a default route.
  • I wanted to use my Cisco ASA 5505 Adaptive Security Appliance as firewalls between the edge routers and the core.
  • I recently bought a Cisco 2851 Integrated Services Router, which I will use as a “core” router.
  • I wanted as much redundancy as possible.

In my next post I will create a diagram of what I will be doing, and discussing the setup of the server I have hosted at RapidSwitch.

As I have never used Mikrotik routers before, I will also attempt to discuss my experiences of RouterOS so far as I go along.

Open vSwitch 1.9.0 on Red Hat Enterprise Linux (RHEL) 6.4

I’ve been using Open vSwitch as a replacement for the stock bridge module in Linux for a few months now.

Open vSwitch is basically an open source virtual switch for Linux. It gives you much greater flexibility than the stock bridge module, effectively turning it into a managed, virtual layer 2 switch.

Open vSwitch has a very long list of features, but I chose to use it instead of the stock bridging module because Open vSwitch offers much greater flexibility with VLANing on Virtual Machines than what is possible with the stock Linux bridge module.

As my KVM servers are running an older version of Open vSwitch (1.4.6), I decided to upgrade to the latest version, which is 1.9.0 at time of writing this post.

RedHat actually provide RPMs for Open vSwitch as part of a tech preview in the Red Hat OpenStack Folsom Preview repository. They also include the Open vSwitch kernel module in their kernel, but they are using version 1.7.1; I wanted 1.9.0, so I decided to write this blog post.

EDIT: 10/04/2013 – Looking closer, it looks like RedHat also have an RPM for 1.9.0, but they do not include the brcompat module. If you need this module, then you’ll have to build your own RPMs.

RedHat have actually back-ported a number of functions from newer kernels into the kernel provided with RHEL. This causes a problem when compiling the Open vSwitch kernel module as the OVS guys have also back-ported those functions and were using kernel version checks to apply those backports.

The OVS guys have pushed a patch into the OVS git repo which fixes this problem, so I won’t be using the tarball provided on the OVS site, but rather building from the OVS 1.9 branch of the git repository.

When using the git version of Open vSwitch, we need to run the bootstrap script to create the configure script etc., but this requires a newer version of autoconf. You can either compile autoconf yourself, or I’m sure someone has created a RHEL6 RPM for a newer version of autoconf somewhere, but I just did this part on a Fedora machine instead as it was easier:

git clone git://openvswitch.org/openvswitch
cd openvswitch
git checkout -b branch-1.9 origin/branch-1.9
./boot.sh
./configure
make dist

Now you’ll have a shiny new tarball: openvswitch-1.9.1.tar.gz

I moved this over to my dedicated RPM building virtual machine and extracted it:
tar -xf openvswitch-1.9.1.tar.gz
cd openvswitch-1.9.1

I got a compilation error when trying to build the Open vSwitch tools inside mock, as openssl-devel isn’t listed as a requirement in the spec file, so mock doesn’t pull it in. It’s an easy fix: I edited the spec file and added openssl/openssl-devel to it:
--- openvswitch.spec.orig 2013-04-01 18:43:50.337000000 +0100
+++ openvswitch.spec 2013-04-01 18:44:10.612000000 +0100
@@ -19,7 +19,8 @@ License: ASL 2.0
Release: 1
Source: openvswitch-%{version}.tar.gz
Buildroot: /tmp/openvswitch-rpm
-Requires: openvswitch-kmod, logrotate, python
+Requires: openvswitch-kmod, logrotate, python, openssl
+BuildRequires: openssl-devel

%description
Open vSwitch provides standard network bridging functions and
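Review bot: the hunk will not apply with patch as pasted, because the unchanged context lines (Release:, Source:, Buildroot:, the blank line, %description and the line after it) have lost the leading space that unified diff requires; either re-paste the diff with that prefix or, as the text says, make the two-line edit by hand. Of the two added lines, `BuildRequires: openssl-devel` is the one that fixes the mock failure; `Requires: openssl` is harmless but redundant, since rpmbuild automatically records a dependency on the libssl/libcrypto shared libraries the built binaries link against.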

Next, I created the SRPMs using mock:

mock -r epel-6-x86_64 --sources ../ --spec rhel/openvswitch.spec --buildsrpm
mv /var/lib/mock/epel-6-x86_64/result/*.rpm ./

mock -r epel-6-x86_64 --sources ../ --spec rhel/openvswitch-kmod-rhel6.spec --buildsrpm
mv /var/lib/mock/epel-6-x86_64/result/*.rpm ./

Then, actually build the RPMs:

mkdir ~/openvswitch-rpms/

mock -r epel-6-x86_64 --rebuild openvswitch-1.9.1-1.src.rpm
mv /var/lib/mock/epel-6-x86_64/result/*.rpm ~/openvswitch-rpms/

mock -r epel-6-x86_64 --rebuild openvswitch-kmod-1.9.1-1.el6.src.rpm
mv /var/lib/mock/epel-6-x86_64/result/*.rpm ~/openvswitch-rpms/

All done! Next, either sign the freshly built RPMs from ~/openvswitch-rpms/ and dump them into your yum repository, or scp them over to each host you will be installing them on, and use yum to install:

yum localinstall openvswitch-1.9.1-1.x86_64.rpm kmod-openvswitch-1.9.1-1.el6.x86_64.rpm
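
The steps from unpacking the tarball through to the finished RPMs, collected into an added shell script (this is my example, not part of the post or of the Open vSwitch project) so the build can be repeated on each new tarball without editing the spec by hand every time. add_openssl_deps() applies the same change as the diff above and is idempotent, so re-running it on an already patched spec changes nothing; mock_build() runs the --buildsrpm and --rebuild steps exactly as they appear in the post. It assumes it is run from inside the unpacked openvswitch-<version> directory with the tarball one level up; the MOCK_CFG and RESULT_DIR variable names and the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the original post or the Open vSwitch project:
# scripts the RHEL6 mock build described above. add_openssl_deps() makes the
# spec edit from the post idempotently; build_rpms() runs the mock steps.
# Assumptions: run inside the unpacked openvswitch-<version> directory, the
# tarball sits one level up (hence --sources ../), and finished RPMs go to
# RESULT_DIR.
set -eu

MOCK_CFG="${MOCK_CFG:-epel-6-x86_64}"
MOCK_RESULT="/var/lib/mock/$MOCK_CFG/result"
RESULT_DIR="${RESULT_DIR:-$HOME/openvswitch-rpms}"

# Append "openssl" to the main package's Requires: line (the first one in the
# spec) and put "BuildRequires: openssl-devel" right after it. Running this
# twice leaves the file unchanged.
add_openssl_deps() {
    spec="$1"
    tmp="$spec.tmp"
    awk '
        /^Requires:/ && !seen {
            if ($0 !~ /(^|[ ,])openssl([ ,]|$)/) $0 = $0 ", openssl"
            print
            print "BuildRequires: openssl-devel"
            seen = 1
            next
        }
        /^BuildRequires: openssl-devel$/ { next }  # drop a copy left by an earlier run
        { print }
    ' "$spec" > "$tmp" && mv "$tmp" "$spec"
}

# True when the spec carries both dependencies.
has_openssl_deps() {
    grep -q '^Requires:.*openssl' "$1" && grep -q '^BuildRequires: openssl-devel$' "$1"
}

# Source RPM first, then the binary RPMs, for one spec file. The SRPM is moved
# out of mock's result directory before the rebuild, as in the post, because
# mock clears that directory when the next build starts.
mock_build() {
    spec="$1"
    work=$(mktemp -d)
    mock -r "$MOCK_CFG" --sources ../ --spec "$spec" --buildsrpm
    mv "$MOCK_RESULT"/*.src.rpm "$work/"
    mock -r "$MOCK_CFG" --rebuild "$work"/*.src.rpm
    mv "$MOCK_RESULT"/*.rpm "$RESULT_DIR/"
    rm -rf "$work"
}

build_rpms() {
    mkdir -p "$RESULT_DIR"
    add_openssl_deps rhel/openvswitch.spec
    mock_build rhel/openvswitch.spec
    mock_build rhel/openvswitch-kmod-rhel6.spec
}

# Only build when asked to, so the file can also be sourced for its functions.
if [ "${1:-}" = "build" ]; then build_rpms; fi
```

Run it as `sh build-ovs-rpms.sh build` from the openvswitch-1.9.1 directory; afterwards ~/openvswitch-rpms/ holds the same openvswitch and kmod-openvswitch packages the manual steps produce.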

I won’t go into configuration of Open vSwitch in this post, but it’s not too difficult, and there are many posts elsewhere that go into this.

Connecting to Usenet via Two Internet Connections

As I mentioned in an earlier post, I have two connections from Virgin Media at home and I wanted to use them both to grab content from usenet.

My Usenet provider is Supernews, I’ve used them for a couple of months, and from what I understand they are actually just a product of Giganews.

Supernews only actually allow you to connect to their servers from one IP per account, so even if I had set up load balancing to split connections over both my lines, it would not have worked very well for usenet as I would be going out via two IP addresses! So for this reason I decided to take another route.

I have a dedicated server with OVH which has a 100mbit line, my two lines with Virgin Media are 60mbit and 30mbit, so I figured if I route my traffic out via my dedicated server, I should be able to saturate my line when usenetting. 🙂

The way I did this was to create two tunnels on my Cisco 2821 Integrated Services Router going to my dedicated server, one tunnel per WAN connection, and basically “port forward” ports 119 and 443 coming over the tunnels to go to Supernews. It’s working great so far and saturating both lines fully!

Here is how I did it. First I set up the tunnels on my trusty Cisco 2821 ISR:

interface Tunnel1
description Tunnel to Dedi via WAN1
ip address 10.42.42.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip tcp adjust-mss 1420
tunnel source GigabitEthernet0/0.10
tunnel mode ipip
tunnel destination 123.123.123.123

interface Tunnel2
description Tunnel to Dedi via WAN2
ip address 10.42.42.5 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip tcp adjust-mss 1420
tunnel source GigabitEthernet0/1.11
tunnel mode ipip
tunnel destination 123.123.123.123

That isn’t the complete configuration, I also decided to NAT my home network to the IPs of the two tunnels. This was just in order to do it quickly. If I had not used NAT on the two tunnels, I would have to put a route on my dedicated server for my home network’s private IP range. Although this is easy, I was mainly doing this out of curiosity to see if it would work, and to do it without NAT on the tunnels I would have had to figure out how to do policy based routing in order to overcome asymmetric routing on Linux. That can be a project for another day. 🙂

My dedicated server is running RHEL6, so to set up the tunnels on it I created the relevant ifcfg-tunl* files:

[root@moka ~]# cat /etc/sysconfig/network-scripts/ifcfg-tunl1
DEVICE="tunl1"
BOOTPROTO="none"
ONBOOT="yes"
TYPE="IPIP"
PEER_OUTER_IPADDR="IP_OF_WAN_1"
PEER_INNER_IPADDR="10.42.42.1"
MY_OUTER_IPADDR="123.123.123.123"
MY_INNER_IPADDR="10.42.42.2"

[root@moka ~]# cat /etc/sysconfig/network-scripts/ifcfg-tunl2
DEVICE="tunl2"
BOOTPROTO="none"
ONBOOT="yes"
TYPE="IPIP"
PEER_OUTER_IPADDR="IP_OF_WAN_2"
PEER_INNER_IPADDR="10.42.42.5"
MY_OUTER_IPADDR="123.123.123.123"
MY_INNER_IPADDR="10.42.42.6"

I don’t really want to go into detail on how to configure netfilter rules using IPtables, so I will only paste the relevant lines of my firewall script:

# This rule masquerades all packets going out of eth0 to the IP of eth0
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Forward packets coming in from tunl1 with the destination IP of 10.42.42.2 and a destination port of either 119 or 443 (Supernews use 443 for the NNTP SSL port) to Supernews' server IP
iptables -t nat -A PREROUTING -p tcp -i tunl1 -d 10.42.42.2 --dport 119 -j DNAT --to 138.199.67.30
iptables -t nat -A PREROUTING -p tcp -i tunl1 -d 10.42.42.2 --dport 443 -j DNAT --to 138.199.67.30

# Forward packets coming in from tunl2 with the destination IP of 10.42.42.6 and a destination port of either 119 or 443 (Supernews use 443 for the NNTP SSL port) to Supernews' server IP
iptables -t nat -A PREROUTING -p tcp -i tunl2 -d 10.42.42.6 --dport 119 -j DNAT --to 138.199.67.30
iptables -t nat -A PREROUTING -p tcp -i tunl2 -d 10.42.42.6 --dport 443 -j DNAT --to 138.199.67.30

That’s all there is to it really! Of course I have a more complete rule set, but I don’t really want to go into that in this post!
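The rules above, rewritten as an added POSIX shell script (my example, not the post’s firewall script). It keeps the post’s MASQUERADE and DNAT rules and generates them for any number of tunnels, and it goes one step beyond the excerpt by adding FORWARD-chain rules so that traffic arriving over a tunnel can only be forwarded to the Supernews address on ports 119 and 443. Without that, a permissive FORWARD chain plus the DNAT and MASQUERADE rules turns the dedicated server into a general NAT gateway for anything sent down the tunnels, since the router NATs the whole home network to the tunnel addresses. The tunnel names, inner addresses, the eth0 WAN interface and the Supernews IP are taken from the post; DRY_RUN, the ipt wrapper and the function names are my own.

```shell
#!/bin/sh
# Added example, not the post's own firewall script: generates the netfilter
# rules for the two-tunnel Usenet forwarding described above, plus FORWARD
# rules that limit what tunnel traffic may reach. Tunnel names, inner
# addresses, the eth0 WAN interface and the Supernews address come from the
# post; DRY_RUN and the ipt wrapper are additions. With DRY_RUN=1 the rules
# are printed instead of applied (applying needs root).

WAN_IF="${WAN_IF:-eth0}"
NNTP_SERVER="${NNTP_SERVER:-138.199.67.30}"               # Supernews IP from the post
NNTP_PORTS="119 443"                                       # NNTP and NNTP over SSL
TUNNELS="${TUNNELS:-tunl1:10.42.42.2 tunl2:10.42.42.6}"   # iface:inner-address pairs

ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "iptables $*"; else iptables "$@"; fi
}

# Rules for one tunnel: DNAT each NNTP port to the server, and let only that
# rewritten traffic through FORWARD towards the WAN interface.
tunnel_rules() {
    iface="$1" inner="$2"
    for port in $NNTP_PORTS; do
        ipt -t nat -A PREROUTING -p tcp -i "$iface" -d "$inner" --dport "$port" \
            -j DNAT --to-destination "$NNTP_SERVER"
        ipt -A FORWARD -p tcp -i "$iface" -o "$WAN_IF" -d "$NNTP_SERVER" --dport "$port" \
            -m conntrack --ctstate NEW -j ACCEPT
    done
}

apply_rules() {
    # Masquerade everything leaving the WAN interface, as in the post.
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
    # Replies for flows that were already accepted.
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for pair in $TUNNELS; do
        tunnel_rules "${pair%%:*}" "${pair##*:}"
    done
    # Anything else arriving over a tunnel is not forwarded anywhere.
    for pair in $TUNNELS; do
        ipt -A FORWARD -i "${pair%%:*}" -j DROP
    done
}

# Print the rule set without touching the kernel; handy for review and checks.
print_rules() { ( DRY_RUN=1; apply_rules ); }
rule_count() { print_rules | wc -l | tr -d ' '; }

case "${1:-}" in
    print) print_rules ;;
    apply) apply_rules ;;
esac
```

Run `sh usenet-rules.sh print` to review the twelve rules it would load, and `sh usenet-rules.sh apply` as root to install them; the DROP rules go last so they only catch tunnel traffic that matched neither the DNAT targets nor an established flow.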

Next, I just added two servers in my usenet client, one pointing at 10.42.42.2 and the other at 10.42.42.6. And magic! Now both lines will be used when my usenet client is doing its thing!

Note: If you got to the end of this post, I apologize if I made no sense; I was pretty tired while writing it and really just wanted to go to sleep. If you have any questions or suggestions on how to do this better, I’d be very interested in hearing them. :~)

Dead Cisco Catalyst 3560

I’ve been trying to acquire a Cisco Catalyst 3560 as it provides features which are not supported by my Catalyst 3550s, such as Private VLANs. I believe the QoS features differ on 3560 as well.

So, as I was browsing eBay (one of my favourite pastimes! :P), I found an auction for a WS-C3560-8PC-S which had been labelled “untested”. From past experiences, I have found that listings that state that they haven’t been tested are usually faulty devices, but I thought I would take the risk anyway. I was hoping it would be some small issue which I could either work around or repair, such as a bad port, or screwed up IOS image which I could just reload myself (hey! I’ve seen devices sell on eBay for pretty cheap due to non-techy people assuming it was broken because the IOS image was missing!). But I guess my luck was bad, and two days after the end of the auction, I received a large green paperweight. 🙁

After plugging the power in, the LEDs on the front of the Catalyst 3560 go on, but they just stay on in a solid state, whereas they should be blinking during the boot process. I plugged the console cable in, only to find that there is no output whatsoever, not even from ROMMON, which is the first step before even loading IOS.

I have pretty little knowledge of electronics, but I did test the basic things that I knew how to, such as checking if the PSU was giving out the correct voltages, which it was, but that’s pretty much all I know how to check!

From my limited knowledge of electronics, I assume that something must be wrong with the Boot ROM chip since not even ROMMON is able to start. None of the parts on a Catalyst 3560 are field replaceable, so I don’t think I can test any parts by switching them around either.

I am quite disappointed that this Catalyst 3560 is dead, but I tried my luck, and it turned out bad, no biggie. 🙂

Hopefully I will be able to find a working Catalyst 3560 soon!

If anyone has any ideas I can try in order to fix this device, I would be quite eager to make an attempt! 🙂

Two more Cisco 7204 VXRs Added to My Home Lab!

Cisco 7204 VXRs

Last week, I was browsing eBay (as you do!), and noticed two Cisco 7204 VXR router auctions which were about to end pretty soon. The price was £0.99, and there were no bids! So, I figured I would go ahead and bid. To my surprise, I won both!

I managed to win one of them for £20, and the other for £0.99! £20.99 for two 7204 VXRs isn’t bad at all; a quick search on eBay shows that the NPE-300s, which came with both routers, are generally selling for £30 each, so I’m quite pleased.

The I/O controllers (C7200-I/O) are a bit old, and use a DB-25 connector for the console port rather than the normal RJ-45 that most Cisco devices use. The I/O controllers don’t have any Ethernet ports either, but I did get some FastEthernet modules with both routers. I will probably upgrade the I/O controllers to C7200-I/O-2FE/E some time this year, but for now, it’ll do. 🙂

I now have three 7204 VXRs in my rack, the first one I bought last year some time.

In the picture:

  • Top 7204 VXR has: NPE-225, 128MB RAM, C7200-I/O, Dual FastEthernet Module and an Enhanced ATM module (ATM PA-A3).
  • Middle 7204 VXR has: NPE-300 with 256MB RAM (if I remember correctly), C7200-I/O, Single Ethernet Module, and an Enhanced ATM module (ATM PA-A3).
  • Bottom 7204 VXR has: NPE-300 with 256MB RAM (if I remember correctly), C7200-I/O-2FE/E, and an Enhanced ATM module (ATM PA-A3).

I’m not really sure if the Enhanced ATM modules will be of any use to me, as I don’t think it is possible to use them back-to-back (please correct me if I am wrong!). I do want to get a few Cisco PA-4T+ 4 Port Serial modules but that’s for later on.

Cisco ASA 5505 RAM Upgrade

Edit: 3rd June 2014 – If you are reading this post, you should check out my follow up post: Cisco ASA 9.2 on Cisco ASA 5505 with Unsupported Memory Configuration Fail.

I have two Cisco ASA 5505s in my home lab which I acquired almost two years ago from eBay. I was pretty lucky, as I paid under £70 for each because the seller wasn’t too sure what they were! Looking on eBay now, they are selling for around £120! 🙂

Pretty much straight away, I wanted to upgrade to the ASA 8.3 code, which required a RAM upgrade, so I upgraded it.

Starting from ASA 8.3, the minimum RAM needed to run 8.3 code and newer on a 5505 is 512MB. This is also the maximum officially supported amount of RAM.

Buying official Cisco RAM is, as always, quite expensive, but since the ASA 5505 uses standard DDR RAM, it is actually possible to use third-party RAM in the ASA 5505.

When I originally performed this upgrade, I found that on various forums many people had actually upgraded past the official supported amount of RAM, and upgraded their ASA 5505s to 1GB RAM.

Intrigued by this, and due to needing the extra RAM for the 8.3 code, I decided to upgrade both my ASAs to 1GB as well!

There aren’t any ground breaking advantages to upgrading to 1GB as far as I know. I’m guessing the ASA will be able to hold a lot more entries in the NAT table, but I don’t really push my ASAs to their limits anyway.

I ended up buying two CT12864Z40B sticks from Crucial, which have worked flawlessly for the past year.

Almost 14 months later, I needed to crack open the case of the ASAs again to get to the CompactFlash. I thought I’d make a quick post about the RAM upgrade process while I’m at it.

The upgrade is very easy, anyone could do it, but I was bored, and wanted to write a blog post! 🙂

  1. Place the ASA upside down, and unscrew the three screws at the bottom.
    Cisco ASA 5505 Screws
  2. Remove the cover
    Cisco ASA 5505 Internals
  3. Take out the old RAM, and put in the new RAM.
    Cisco ASA 5505 RAM
  4. You can optionally also upgrade the CompactFlash at this time. I’m using the stock 128MB that came with the ASAs at the moment, but I will probably upgrade sometime soon. 🙂
    Cisco ASA 5505 CompactFlash
  5. Close everything up, and plug-in the power!
    Cisco ASA 5505 Failover Pair

All done! I haven’t got a screenshot of it booting at the moment, but I will probably update this post tomorrow with one.

I plan to upgrade the CompactFlash to 4GB as well so I have more working space when I am using the “packet sniffer” built into the ASA. This is a very easy process as well, but you have to be careful to copy over your licence files as well. I will be making a post about this as well when I have done the upgrade.