How to Upgrade the License on a Cisco ASA

The different licensing levels on a Cisco Adaptive Security Appliance allow organizations to buy only what they need. Cisco ASA devices will typically have limits on hosts and this can be troublesome if you need to NAT more hosts than the typical 10 or 25 limit. You can see the licensing information using the command below:

ciscoasa# show activation-key
Serial Number:  JMX1316M41H
Running Activation Key: 0x2174cf47 0x945b4c3a 0x74159120 0xba2ca848 0x8f602feb

Licensed features for this platform:
Maximum Physical Interfaces  : 8
VLANs                        : 3, DMZ Restricted
Inside Hosts                 : 10
Failover                     : Disabled
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
VPN Peers                    : 10
WebVPN Peers                 : 2
Dual ISPs                    : Disabled
VLAN Trunk Ports             : 0
AnyConnect for Mobile        : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions            : 2

This platform has a Base license.

The flash activation key is the SAME as the running key.

To activate a new license, you must go into the global configuration command and then use the activation-key command.

ciscoasa# configure terminal
ciscoasa(config)# activation-key 0x32841048 0x4a497a37 0xa09392c0 0xb7090030 0x053bcbc8
Failover is different.
   flash activation key: Restricted(R)
   new activation key: Unrestricted(UR)
Proceed with update flash activation key? [confirm]

The new activation key was accepted. The output above shows that the activation key saved in flash memory is ‘Restricted’ while the new one we’ve supplied is ‘Unrestricted’. The ASA will prompt us to update the key- Press Enter.

Failover is different.
   running activation key: Restricted(R)
   new activation key: Unrestricted(UR)
WARNING: The running activation key was not updated with the requested key.
The flash activation key was updated with the requested key, and will
become active after the next reload.
ciscoasa(config)#

The ASA will prompt us that the key stored in the flash memory was updated. To reload for all the new features to take effect, you must reload the router.

ciscoasa(config)# end
ciscoasa# reload
Proceed with reload? [confirm]

Once the ASA finishes reloading, log back in and verify the license information.

ciscoasa# show activation-key
Serial Number:  JMX1316M41H
Running Activation Key: 0x32841048 0x4a497a37 0xa09392c0 0xb7090030 0x053bcbc8

Licensed features for this platform:
Maximum Physical Interfaces  : 8
VLANs                        : 20, DMZ Unrestricted
Inside Hosts                 : Unlimited
Failover                     : Active/Standby
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
VPN Peers                    : 25
WebVPN Peers                 : 2
Dual ISPs                    : Enabled
VLAN Trunk Ports             : 8
AnyConnect for Mobile        : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions            : 2         

This platform has an ASA 5505 Security Plus license.

The flash activation key is the SAME as the running key.

That’s all there is to it. You can start using all the new features on the new license.

Leave a Reply

Your email address will not be published. Required fields are marked *