Cisco ASA firewall management via serial USB

Had a bit of fun recently with a problematic Cisco 5510 and needed to connect to it locally in the data centre. Figured I’d make a post about the exact steps needed to connect to it.

You’ll likely need a serial to USB adapter first and foremost. Then you’ll also need an RJ to serial cable.

Then, connect the RJ to the console port on the firewall.

Now, you can either use minicom or tio to connect. I prefer tio but I’ll go through both as the setup is essentially the same.

The most important thing to know before starting is what the USB device name is. The simplest way to find out is to check with dmesg.

dmesg | grep tty

You’ll then get output along the lines of this:

maisy@cerberus ~ $ sudo dmesg | grep tty
[    0.000000] console [tty0] enabled
[15982.172287] usb 1-1: pl2303 converter now attached to ttyUSB0

Now that we know what the device is called, we can try using tio or minicom to connect. From everything I’ve read, a baud rate of 9600 is the most commonly working rate, though I didn’t actually have any issues with the default of 115200. The stopbits / databits are more important, and I found only a value of 8 for databits worked, but this seems to be the default anyway.

Both tio and minicom need to be run as root or with sudo privileges.

tio can be completely configured from the command line:

tio /dev/ttyUSB0 -b 9600 -d 8 -s 1
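
The dmesg lookup and the tio invocation above can be scripted so that a replugged adapter, which may come back under a different ttyUSB number, is picked up correctly and an ambiguous setup is refused. This is an added example, not part of the original post: the function names and the sample log are constructed, and the disconnect message wording is assumed to match what the usb-serial driver normally logs.

```shell
#!/bin/sh
# Constructed sample kernel log (not from a real host): the adapter is
# attached, unplugged, then plugged back in and reappears as ttyUSB1.
SAMPLE_LOG='[    0.000000] console [tty0] enabled
[15982.172287] usb 1-1: pl2303 converter now attached to ttyUSB0
[16010.001000] pl2303 ttyUSB0: pl2303 converter now disconnected from ttyUSB0
[16015.500000] usb 1-1: pl2303 converter now attached to ttyUSB1'

# Read kernel log lines on stdin and print the /dev path of every
# ttyUSB device that is still attached, in order of first attachment.
attached_usb_serial() {
    awk '
        / now attached to ttyUSB[0-9]+$/ {
            dev = $NF
            if (!(dev in seen)) { seen[dev] = 1; order[++n] = dev }
            live[dev] = 1
        }
        / now disconnected from ttyUSB[0-9]+$/ { live[$NF] = 0 }
        END {
            for (i = 1; i <= n; i++)
                if (live[order[i]]) print "/dev/" order[i]
        }
    '
}

# Read kernel log lines on stdin and print the tio command with the
# settings used in this post (9600 baud, 8 data bits, 1 stop bit).
# Returns non-zero unless exactly one adapter is attached, so the
# wrong serial port is never opened by guesswork.
console_command() {
    devs=$(attached_usb_serial)
    count=$(printf '%s\n' "$devs" | awk '/^\/dev\//{c++} END{print c+0}')
    if [ "$count" -ne 1 ]; then
        echo "expected exactly 1 USB serial adapter, found $count" >&2
        return 1
    fi
    printf 'tio %s -b 9600 -d 8 -s 1\n' "$devs"
}

# Demo on the constructed sample; on a real host: sudo dmesg | console_command
printf '%s\n' "$SAMPLE_LOG" | console_command
```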

It may be possible to configure minicom entirely from the command line, but I wasn’t sure about some of the switches. Assuming the databits / stopbits are correct, you can just set the baud rate and device:

minicom -D /dev/ttyUSB0 -b 9600

However, you may want to check directly in the minicom settings:

minicom -s

You then want to go to “Serial port setup”, then “Bps/Par/Bits”, and change stopbits to 1 and databits to 8, which minicom shows as 8-N-1 (8 data bits, no parity, 1 stop bit). Once done, press Escape until you are back at the menu and choose “Save setup as dfl”. You can then run the previous command again.

Once you’ve connected, you can administer the firewall as you would via SSH.

I might make a follow-up post on the actual admin side of the firewall, but I’m not that well versed in it right now.