Remove FTD KB ID 0001496
Problem
A few weeks ago I posted an article about re-imaging your Cisco ASA to FTD (FirePOWER Threat Defence). Now you may find that the FTD is not as ‘feature rich’ as your old firewall, or that there’s a ‘lack of feature parity’, which are two polite ways of saying that it’s crap, (sorry, it’s just awful; as usual Cisco should’ve spent a LOT longer developing this product before they released it!)
So now you want to remove the FTD image and go back to good old fashioned ASA code, so you can use the ASDM to manage it, or (of course) the command line.
Prerequisites : Remove FTD
You will need a few things to perform the re-image:
- A copy of the Cisco ASA operating system downloaded from Cisco (requires an in-date support contract)
- A copy of the Cisco ASDM image downloaded from Cisco (requires an in-date support contract)
- The activation key for your firewall (which, if you followed my previous article, you kept safe). If you don’t have it you need to get the firewall serial number and go to Cisco licensing, start an online chat, and be polite!
- A TFTP server (you can set this up on your laptop). I used a Mac, so TFTP is built in; if you are a Windows user then go here.
- A rollover/serial cable and some terminal software, see this post for details.
Re-Image Cisco ASA5500-X to Remove FTD
Connect to the firewall via console cable and log in, then reboot the firewall.
[box]
PNL-FirePOWER login: admin
Password: {Enter your password}
Last login: Thu Dec 13 20:18:35 UTC 2018 from 10.254.254.49 on pts/0
Copyright 2004-2018, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.
Cisco Fire Linux OS v6.2.3 (build 13)
Cisco ASA5506-X Threat Defense v6.2.3.6 (build 37)
> reboot
This command will reboot the system. Continue?
Please enter 'YES' or 'NO': YES
Broadcast message from root@PNL-
Stopping Cisco ASA5506-X Threat Defense...
[/box]
When the ASA reboots, press ‘Break’ to interrupt the startup and boot into ROMMON mode.
[box]
Cisco Systems ROMMON, Version 1.1.8, RELEASE SOFTWARE
Copyright (c) 1994-2015 by Cisco Systems, Inc.
Compiled Thu 06/18/2015 12:15:56.43 by builders
Current image running: Boot ROM0
Last reset cause: PowerCycleRequest
DIMM Slot 0 : Present
Platform ASA5506 with 4096 Mbytes of main memory
MAC Address: 6c:b2:ae:de:01:06
Use BREAK or ESC to interrupt boot. {Break}
Use SPACE to begin boot immediately.
Boot interrupted.
rommon 1 >
[/box]
You need to erase the contents of the built-in flash drive:
[box]
rommon 1 > erase disk0:
erase: Erasing 7515 MBytes ...................................................
..............................................................................
..............................................................................
..............................................................................
rommon 2 >
[/box]
I’m re-imaging an ASA5506-X, so I don’t need to specify an interface (it will use the management interface, so MAKE SURE that is connected to the same network as your TFTP server). Note: If you are not re-imaging a 5506, 5508 or 5516, then you can specify which interface to use with an ‘interface gigabitethernet0/1‘ command.
Give the ASA some IP details, tell it where the TFTP server is and what the image file is called. You can then view the settings with a ‘set‘ command:
[box]
rommon 2 > address 10.254.254.253
rommon 3 > server 10.254.254.106
rommon 4 > gateway 10.254.254.106
rommon 5 > file asa992-36-lfbff-k8.SPA
rommon 6 > set
ADDRESS=10.254.254.253
NETMASK=255.255.255.0
GATEWAY=10.254.254.106
SERVER=10.254.254.106
IMAGE=asa992-36-lfbff-k8.SPA
CONFIG=
PS1="rommon ! > "
rommon 7 >
[/box]
Note: I set the default gateway to the same IP as the TFTP server (that’s fine).
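Two things are worth checking before you type tftpdnld. The ‘CHECKSUM: Yes’ line in the download output only validates the file after it has arrived, and the later ASDM copy reports ‘INFO: No digital signature found’, so neither step tells you whether the file you staged on the TFTP server is the one Cisco published; and ROMMON has no routing beyond the single GATEWAY, so a gateway that is not on the ADDRESS/NETMASK subnet cannot be reached. The Python script below is an added example, not from the original article or from Cisco: it compares the staged image against the SHA512 checksum shown on the Cisco download page (EXPECTED_SHA512 is a placeholder you replace) and sanity-checks the ROMMON network parameters, using the values from the ‘set’ output above as its defaults.

```python
#!/usr/bin/env python3
"""Pre-flight checks before serving an ASA image to ROMMON tftpdnld over TFTP.

Added example (not from the original article or from Cisco). It assumes the
image is already downloaded to the machine that will run the TFTP server.
"""
import hashlib
import hmac
import ipaddress
import sys

# Values copied from the article's ROMMON 'set' output.
ARTICLE_ROMMON = {
    "ADDRESS": "10.254.254.253",
    "NETMASK": "255.255.255.0",
    "GATEWAY": "10.254.254.106",
    "SERVER": "10.254.254.106",
    "IMAGE": "asa992-36-lfbff-k8.SPA",
}

# Placeholder: replace with the SHA512 checksum shown on the Cisco download page.
EXPECTED_SHA512 = "<sha512-from-cisco-download-page>"


def sha512_hex(source, chunk_size=1 << 20):
    """SHA-512 hex digest of a file path (streamed, so a 100+ MB image never
    sits in RAM) or of a bytes object (used for small constructed inputs)."""
    digest = hashlib.sha512()
    if isinstance(source, (bytes, bytearray)):
        digest.update(source)
    else:
        with open(source, "rb") as fh:
            for chunk in iter(lambda: fh.read(chunk_size), b""):
                digest.update(chunk)
    return digest.hexdigest()


def verify_image(source, expected_sha512):
    """True only if the staged image hashes to the vendor-published SHA-512.

    Compared case-insensitively (download pages differ in hex casing) and in
    constant time via hmac.compare_digest.
    """
    actual = sha512_hex(source)
    return hmac.compare_digest(actual.lower(), expected_sha512.strip().lower())


def check_rommon_params(address, netmask, gateway, server):
    """Return a list of problems with ADDRESS/NETMASK/GATEWAY/SERVER (empty == OK).

    ROMMON can only ARP for hosts on its own subnet and forwards everything
    else to GATEWAY, so the gateway must be on the ADDRESS/NETMASK network.
    The article also keeps the TFTP SERVER on that same network (and uses it
    as the gateway), so an off-subnet server is flagged too.
    """
    problems = []
    try:
        net = ipaddress.ip_network(f"{address}/{netmask}", strict=False)
        addr = ipaddress.ip_address(address)
    except ValueError as exc:
        return [f"invalid ADDRESS/NETMASK: {exc}"]
    for name, value in (("GATEWAY", gateway), ("SERVER", server)):
        try:
            ip = ipaddress.ip_address(value)
        except ValueError:
            problems.append(f"{name} {value!r} is not a valid IP address")
            continue
        if ip == addr:
            problems.append(f"{name} {value} is the same as ADDRESS")
        elif ip not in net:
            problems.append(f"{name} {value} is not on {net}")
    return problems


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} <path-to-asa-image>")
        return 2
    rc = 0
    p = ARTICLE_ROMMON
    for problem in check_rommon_params(p["ADDRESS"], p["NETMASK"], p["GATEWAY"], p["SERVER"]):
        print("ROMMON:", problem)
        rc = 1
    if verify_image(argv[1], EXPECTED_SHA512):
        print("image OK: SHA-512 matches the published checksum")
    else:
        print("image MISMATCH: do not serve this file via TFTP")
        rc = 1
    return rc


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 preflight.py asa992-36-lfbff-k8.SPA` from the TFTP root after editing EXPECTED_SHA512 (and the ROMMON values if yours differ); a non-zero exit means fix the problem before touching the firewall. The same check applies to the ASDM image copied later, which the ASA itself cannot verify.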
To initiate the download you need to execute a ‘tftpdnld‘ command:
[box]
rommon 7 > tftpdnld
ADDRESS: 10.254.254.253
NETMASK: 255.255.255.0
GATEWAY: 10.254.254.106
SERVER: 10.254.254.106
IMAGE: asa992-36-lfbff-k8.SPA
MACADDR: 6c:b2:ae:de:01:06
VERBOSITY: Progress
RETRY: 40
PKTTIMEOUT: 7200
BLKSIZE: 1460
CHECKSUM: Yes
PORT: GbE/1
PHYMODE: Auto Detect
..
Receiving asa992-36-lfbff-k8.SPA from 10.254.254.106!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!
File reception completed.
[/box]
The firewall will start up running the correct ASA code. WARNING: At this point the operating system is NOT in the flash, and the firewall is running the factory default config, so don’t reboot it before you have carried out the following procedures.
Once started, go to enable mode (the password will be blank), enter configure terminal mode, and format the flash drive (don’t worry, the OS is running in memory at this point, it won’t break).
[box]
ciscoasa> enable {Enter}
ciscoasa(config)# format disk0:
Format operation may take a while. Continue? [confirm] {Enter}
Format operation will destroy all data in "disk0:". Continue? [confirm] {Enter}
Initializing partition - done!
Creating FAT32 filesystem
mkdosfs 2.11 (12 Mar 2005)
System tables written to disk
Format of disk0 complete
[/box]
Now you need to copy in the operating system (this time to flash memory), and set it as the boot image.
[box]
ciscoasa(config)# copy tftp disk0:
Address or name of remote host []? 10.254.254.106
Source filename []? asa992-36-lfbff-k8.SPA
Destination filename [asa992-36-lfbff-k8.SPA]? {Enter}
Accessing tftp://10.254.254.106/asa992-36-lfbff-k8.SPA...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!
Verifying file disk0:/asa992-36-lfbff-k8.SPA...
Writing file disk0:/asa992-36-lfbff-k8.SPA...
111503184 bytes copied in 338.80 secs (329891 bytes/sec)
ciscoasa(config)# boot system disk0:/asa992-36-lfbff-k8.SPA
[/box]
Then repeat the procedure, but this time copy over the ASDM image and set it as the default.
[box]
ciscoasa(config)# copy tftp disk0:
Address or name of remote host [10.254.254.106]? {Enter}
Source filename [asa992-36-lfbff-k8.SPA]? asdm-7101.bin
Destination filename [asdm-7101.bin]? {Enter}
Accessing tftp://10.254.254.106/asdm-7101.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Verifying file disk0:/asdm-7101.bin...
Writing file disk0:/asdm-7101.bin...
INFO: No digital signature found
34143680 bytes copied in 118.250 secs (289353 bytes/sec)
ciscoasa(config)# asdm image disk0:/asdm-7101.bin
[/box]
You now need to enter your activation key again, to unlock any licensed features you have.
[box]
ciscoasa(config)# activation-key 3602fa77 540a5abc 50c13234 a378e777 c839300a
Validating activation key. This may take a few minutes...
Failed to retrieve permanent activation key.
Both Running and Flash permanent activation key was updated with the requested key.
ciscoasa(config)#
[/box]
Then either configure the firewall manually, or restore from a backup, and save the changes!
Backup and Restore a Cisco Firewall
Backup and Restore a Cisco Router with TFTP
[box]
ciscoasa(config)# write memory
Building configuration...
Cryptochecksum: 849a4713 61a6532b 0eb6d7a5 92ff32c3
3879 bytes copied in 0.280 secs
[OK]
ciscoasa(config)#
[/box]
hehe 🙂 it's crap, true.