pfSense (or OPNsense) on a Cisco ASA 5512-X

Deslok (Well-Known Member, Jul 15, 2015)
I recently decommissioned a pair of 5512-X units at the office because they couldn't keep up with our incoming connection anymore. To my surprise, when I took a peek inside one of them I found a fairly conventional layout with a Pentium G6590 in it: USB boot, socketed DDR3, SATA storage and the NICs attached via PCIe. What caught my attention is that this is actually more CPU than I use to route a gigabit connection at my house (2 cores of an E5-2470 V2). Does anyone have any idea if there's a way to load something else on it (maybe by flashing the USB boot device?) to try and make them useful again?

WANg (Well-Known Member, Jun 10, 2018)
Probably not; I don’t think they are engineered to allow normal borg standard Linux / BSD installs. I mean, install Linux on another SATA SSD and swap it into the ASA, then look at the serial console and see if it attempts to boot.

Evan (Well-Known Member, Jan 6, 2016)
Couldn’t keep up routing traffic, or being a VPN endpoint?
Didn’t think the 5512-X would be so bad, unless it’s VPN, then it’s garbage.

Deslok (Well-Known Member, Jul 15, 2015)
> Couldn’t keep up routing traffic, or being a VPN endpoint?
> Didn’t think the 5512-X would be so bad, unless it’s VPN, then it’s garbage.

The 5512-X is limited to 200 Mbps of traffic for anything considered "multi protocol", which seemed odd but meant we were capped at 200 on our new 500 Mbps line (after we had just replaced our ISR units with MikroTik CCR1036 units to go above 100, and they were literally just doing BGP). So now I have a 1036 running BGP and a 1036 as the firewall, likely to eventually be a pair of 1009 units (or maybe 2004) running BGP (since the 1036 is at 0 load and about 500 MB of RAM used) and then the 1036 units as active/passive firewalls (all on our dual symmetric 500 Mbps links).

Evan (Well-Known Member, Jan 6, 2016)
Oh yeah, if you're using the UTM functions and doing traffic inspection, also garbage performance. A Meraki MX67 outperforms it for far, far less money, or, as you discovered, better options.
I thought you were just using it as a straight basic ASA ruleset.

rocketpanda40 (Member, Dec 12, 2019)
The Cisco C170 and S170 are the same hardware but with fewer NICs, two drive bays instead of one, and the C170 doesn't have the PCIe socket soldered on (just the pins on the mobo). Both of these can have whatever OS installed on them, and from when I was looking at it, the best processor would be an i5-660 for speed and AES-NI support.

All I've seen on the web is that the ASAs are different in terms of validating the installed image and only booting the actual ASA image, but I haven't had first-hand experience with one.

Deslok (Well-Known Member, Jul 15, 2015)
> Oh yeah, if you're using the UTM functions and doing traffic inspection, also garbage performance. A Meraki MX67 outperforms it for far, far less money, or, as you discovered, better options.
> I thought you were just using it as a straight basic ASA ruleset.

I thought we were using a fairly simple ruleset myself, mostly a handful of NAT stuff and then the VPN, no inspection or anything like that, but apparently forwarding UDP and TCP traffic counted as "multiprotocol" (or at least that's what the vendor that sold it to us came back with). I had already had my eye on the 1036/1016 as a BGP replacement for the ISR units we had (because those were limited to 100 Mb without a software upgrade that cost more than a new CCR unit) and got lucky that I could do all the BGP in one 1036 and all the firewall stuff in the second, until I get a pair of something to handle the BGP traffic (something much smaller, based on how little resources it seems to actually use).

Deslok (Well-Known Member, Jul 15, 2015)
> The Cisco C170 and S170 are the same hardware but with fewer NICs, two drive bays instead of one, and the C170 doesn't have the PCIe socket soldered on (just the pins on the mobo). Both of these can have whatever OS installed on them, and from when I was looking at it, the best processor would be an i5-660 for speed and AES-NI support.
>
> All I've seen on the web is that the ASAs are different in terms of validating the installed image and only booting the actual ASA image, but I haven't had first-hand experience with one.

I had a hunch the board got recycled into other hardware, since it had pads for more memory modules and an unused SATA port (physically there, just no bay) as well as a PCIe slot that wasn't doing anything. The fact that those systems can run different software gives me a bit of hope; I'll order an IDC cable and see what I can do!

Deslok (Well-Known Member, Jul 15, 2015)
First step: had to make a custom cable to access the internal USB boot device, but it's just a 4 GB FAT32 drive. I had expected at least some variant of ext.
(attached image: 1603231015164.png)

eabeukes (New Member, Jul 28, 2017)
I may have done some work on this going the other way, as the ASA is essentially a standard BusyBox system running LINA as a loadable module.
Have a look here to see how to get the Firepower Linux OS boot environment installed.
There is also a really good presentation on the JETPLOW exploit by zeroknights which shows how to build a custom image to inject whatever you want to boot or run.
You could also simply download something like the x86 version of OpenWRT and try to boot it. If I had ready access to the hardware I'd attempt that first.

t4thfavor (New Member, Mar 9, 2021)
I know it's a year-old thread, but I just acquired an ASA5512-X for free. Is the IDC cable just a USB board header? Anyone want to share some more details? I'd like to get OPNsense or maybe MikroTik RouterOS running on this little guy. Maybe even standard Debian, just to play around with, as I have absolutely zero use for an ASA appliance.

t4thfavor (New Member, Mar 9, 2021)
> I know it's a year-old thread, but I just acquired an ASA5512-X for free. Is the IDC cable just a USB board header? Anyone want to share some more details? I'd like to get OPNsense or maybe MikroTik RouterOS running on this little guy. Maybe even standard Debian, just to play around with, as I have absolutely zero use for an ASA appliance.

Will reply to my own self since I figured it out... Sort of.

I used a VGA-to-board-header cable that I bought (found a thread on Reddit for the IronPort C170, which is apparently the same board), entered the BIOS using F2 and changed the boot order to USB-HDD first, and that's it.

I also got RouterOS to run by loading a Linux SSD in the SSD bay and running a VM with the onboard USB disk passed through to the guest OS. Booted from the RouterOS ISO and did the install to the USB disk. Changed the BIOS to boot from the USB chip again, and it was good to go.

It's worth noting that this 100% destroys your IOS image, so what I did was take an image backup of the USB disk using dd if=/dev/sdc | bzip2 --best > Cisco.img.bz2

/dev/sdc was my drive, obviously.
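A more careful version of the backup step in the post above, as an added example that is not from the thread or from anyone in it: it images the boot device with dd and compresses it with bzip2 --best as the post does (falling back to gzip if bzip2 is not installed), records a SHA-256 of the raw bytes, and verifies that the archive decompresses back to the same hash before anything is written over the original. The function names, the Cisco output prefix and the usage wrapper are assumptions; the real device node (the post's /dev/sdc) depends on the host.

```shell
#!/bin/sh
# Added example, not from the thread: back up a boot device before it is
# overwritten, keep a SHA-256 of the raw bytes, and prove the archive
# round-trips. Assumes POSIX sh with dd, sha256sum, awk and bzip2
# (gzip is used if bzip2 is absent). Function names are assumptions.

# Compressor choice: bzip2 --best as in the post, else gzip -9.
pick_compressor() {
    if command -v bzip2 >/dev/null 2>&1; then echo bzip2; else echo gzip; fi
}

# backup_image SRC PREFIX
#   Reads SRC (a device node such as /dev/sdc, or a file), writes
#   PREFIX.sha256 with the SHA-256 of the raw bytes, then PREFIX.img.bz2
#   (or PREFIX.img.gz). Prints the archive path.
backup_image() {
    src="$1"; prefix="$2"
    [ -r "$src" ] || { echo "backup_image: cannot read $src" >&2; return 1; }
    # Hash pass first: the stored hash is what every later check is made against.
    sha256sum "$src" | awk '{print $1}' > "$prefix.sha256" || return 1
    case "$(pick_compressor)" in
        bzip2) out="$prefix.img.bz2"; compress="bzip2 --best" ;;
        *)     out="$prefix.img.gz";  compress="gzip -9" ;;
    esac
    # Raw copy pass: 4 MiB blocks, dd's stderr silenced so only the path is printed.
    dd if="$src" bs=4194304 2>/dev/null | $compress > "$out" || return 1
    echo "$out"
}

# decompress_image PREFIX -> raw bytes on stdout from whichever archive exists
decompress_image() {
    prefix="$1"
    if   [ -f "$prefix.img.bz2" ]; then bzip2 -dc "$prefix.img.bz2"
    elif [ -f "$prefix.img.gz"  ]; then gzip  -dc "$prefix.img.gz"
    else echo "decompress_image: no archive for $prefix" >&2; return 1
    fi
}

# verify_image PREFIX
#   Succeeds only if the archive decompresses to the recorded hash, i.e. the
#   device did not change between the two passes and the archive is intact.
verify_image() {
    prefix="$1"
    expected=$(cat "$prefix.sha256") || return 1
    actual=$(decompress_image "$prefix" | sha256sum | awk '{print $1}') || return 1
    [ "$actual" = "$expected" ]
}

# restore_image PREFIX DEST
#   Writes the archived bytes to DEST (a device node or file), but only after
#   the archive has been verified against the stored hash.
restore_image() {
    prefix="$1"; dest="$2"
    verify_image "$prefix" || { echo "restore_image: archive failed verification" >&2; return 1; }
    decompress_image "$prefix" | dd of="$dest" bs=4194304 2>/dev/null || return 1
    sync
}

# Command-line usage (assumed script name):
#   backup_asa.sh backup  /dev/sdX ./Cisco     -> Cisco.img.bz2 + Cisco.sha256
#   backup_asa.sh restore ./Cisco  /dev/sdX
case "${1:-}" in
    backup)  backup_image "$2" "$3" && verify_image "$3" && echo "verified" ;;
    restore) restore_image "$2" "$3" && echo "restored" ;;
esac
```

The hash is taken in a separate pass before the copy on purpose: a match on verification then proves both that the compressed archive is intact and that the device read identically twice, which is the failure a worn USB boot chip is most likely to produce silently.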