Cisco ASA: Remove FTD and Return to ASA and ASDM

Remove FTD KB ID 0001496

Problem

A few weeks ago I posted an article about re-imaging your Cisco ASA to FTD (FirePOWER Threat Defence). Now you may find that the FTD is not as ‘feature rich’ as your old firewall, or that there’s a ‘lack of feature parity’, which are two polite ways of saying that it’s crap (sorry, it’s just awful; as usual Cisco should’ve spent a LOT longer developing this product before they released it!)

So now you want to remove the FTD image and go back to good old fashioned ASA code, so you can use the ASDM to manage it, or (of course) command line.

Prerequisites : Remove FTD

You will need a few things to perform the re-image;

  • A copy of the Cisco ASA operating system downloaded from Cisco (requires an in-date support contract)
  • A copy of the Cisco ASDM image downloaded from Cisco (requires an in-date support contract)
  • The activation key for your firewall (which, if you followed my previous article, you kept safe). If you don’t have it you need to get the firewall serial number and go to Cisco licensing, start an online chat, and be polite!
  • A TFTP server, (you can set this up on your laptop) I used a mac so TFTP is built in, if you are a Windows user then go here.
  • A rollover/serial cable and some terminal software, see this post for details.

Re-Image Cisco ASA5500-X to Remove FTD

Connect to the firewall via console cable and login, then reboot the firewall.

[box]

PNL-FirePOWER login: admin
Password: {Enter your password}
Last login: Thu Dec 13 20:18:35 UTC 2018 from 10.254.254.49 on pts/0

Copyright 2004-2018, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.

Cisco Fire Linux OS v6.2.3 (build 13)
Cisco ASA5506-X Threat Defense v6.2.3.6 (build 37)

> reboot
This command will reboot the system.  Continue?
Please enter 'YES' or 'NO': YES

Broadcast message from root@PNL-Stopping Cisco ASA5506-X Threat Defense...

[/box]

When the ASA reboots, press ‘Break’ to interrupt the startup and boot into ROMMON mode.

[box]

Cisco Systems ROMMON, Version 1.1.8, RELEASE SOFTWARE
Copyright (c) 1994-2015  by Cisco Systems, Inc.
Compiled Thu 06/18/2015 12:15:56.43 by builders

Current image running: Boot ROM0
Last reset cause: PowerCycleRequest
DIMM Slot 0 : Present

Platform ASA5506 with 4096 Mbytes of main memory
MAC Address: 6c:b2:ae:de:01:06

Use BREAK or ESC to interrupt boot. {Break}
Use SPACE to begin boot immediately.
Boot interrupted.

rommon 1 >

[/box]

You need to erase the contents of the built-in flash drive;

[box]

rommon 1 > erase disk0:
erase: Erasing 7515 MBytes ...................................................
..............................................................................
..............................................................................
..............................................................................
rommon 2 >

[/box]

I’m re-imaging an ASA5506-X, so I don’t need to specify an interface (it will use the management interface, so MAKE SURE that is connected to the same network as your TFTP server). Note: If you are not re-imaging a 5506, 5508 or 5516, then you can specify which interface to use with an ‘interface gigabitethernet0/1‘ command.

Give the ASA some IP details, tell it where the TFTP server is and what the image file is called. You can then view the settings with a ‘set‘ command;

[box]

rommon 2 > address 10.254.254.253
rommon 3 > server 10.254.254.106
rommon 4 > gateway 10.254.254.106
rommon 5 > file asa992-36-lfbff-k8.SPA
rommon 6 > set
    ADDRESS=10.254.254.253
    NETMASK=255.255.255.0
    GATEWAY=10.254.254.106
    SERVER=10.254.254.106
    IMAGE=asa992-36-lfbff-k8.SPA
    CONFIG=
    PS1="rommon ! > "

rommon 7 >

[/box]

Note: I set the default gateway to the same IP as the TFTP server, (that’s fine).
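Because a wrong ROMMON parameter only shows up as a hung ‘tftpdnld‘, here is an added pre-flight check (my own example, not from the original article or from Cisco) that parses the ‘set‘ output above, constructed inline, and flags the things that would stop the download: a SERVER outside the ASA’s subnet with no usable GATEWAY, a missing IMAGE, and so on. A GATEWAY equal to the SERVER passes, as the note says it should.

```python
import ipaddress
import re

# Constructed sample: the ROMMON 'set' output captured in the procedure above.
ROMMON_SET_OUTPUT = """\
    ADDRESS=10.254.254.253
    NETMASK=255.255.255.0
    GATEWAY=10.254.254.106
    SERVER=10.254.254.106
    IMAGE=asa992-36-lfbff-k8.SPA
    CONFIG=
    PS1="rommon ! > "
"""


def parse_rommon_set(output):
    """Turn the KEY=value lines printed by ROMMON's 'set' into a dict."""
    settings = {}
    for line in output.splitlines():
        m = re.match(r"\s*([A-Z0-9]+)=(.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip().strip('"')
    return settings


def check_tftpdnld_settings(settings):
    """Return a list of problems that would make 'tftpdnld' fail or hang.
    An empty list means the parameters are consistent."""
    problems = [f"{k} is not set" for k in ("ADDRESS", "NETMASK", "SERVER", "IMAGE")
                if not settings.get(k)]
    if problems:
        return problems
    try:
        iface = ipaddress.ip_interface(f"{settings['ADDRESS']}/{settings['NETMASK']}")
        server = ipaddress.ip_address(settings["SERVER"])
        gateway = settings.get("GATEWAY") or None
        gateway = ipaddress.ip_address(gateway) if gateway else None
    except ValueError as exc:
        return [f"invalid address: {exc}"]
    # ROMMON talks to the TFTP server straight out of the (management) port,
    # so an off-subnet server needs a gateway that is itself on the subnet.
    if server not in iface.network:
        if gateway is None:
            problems.append(f"SERVER {server} is outside {iface.network} and no GATEWAY is set")
        elif gateway not in iface.network:
            problems.append(f"GATEWAY {gateway} is outside {iface.network}")
    if server == iface.ip:
        problems.append("SERVER is the same as ADDRESS")
    if not settings["IMAGE"].lower().endswith(".spa"):
        problems.append(f"IMAGE {settings['IMAGE']} does not look like an ASA .SPA image")
    return problems
```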

To initiate the download you need to execute a ‘tftpdnld‘ command;

[box]

rommon 7 > tftpdnld
             ADDRESS: 10.254.254.253
             NETMASK: 255.255.255.0
             GATEWAY: 10.254.254.106
              SERVER: 10.254.254.106
               IMAGE: asa992-36-lfbff-k8.SPA
             MACADDR: 6c:b2:ae:de:01:06
           VERBOSITY: Progress
               RETRY: 40
          PKTTIMEOUT: 7200
             BLKSIZE: 1460
            CHECKSUM: Yes
                PORT: GbE/1
             PHYMODE: Auto Detect
..
Receiving asa992-36-lfbff-k8.SPA from 10.254.254.106!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!
File reception completed.

[/box]

The firewall will start up running the correct ASA code. WARNING: At this point the operating system is NOT in the flash, and the firewall is running the factory default config, so don’t reboot it before you have carried out the following procedures.

Once started, go to enable mode (the password will be blank), then configure terminal mode, and format the flash drive (don’t worry, the OS is running in memory at this point, it won’t break).

[box]

ciscoasa> enable
Password: {Enter}
ciscoasa# configure terminal
ciscoasa(config)# format disk0:

Format operation may take a while. Continue? [confirm] {Enter}

Format operation will destroy all data in "disk0:".  Continue? [confirm] {Enter}
Initializing partition - done!
Creating FAT32 filesystem
mkdosfs 2.11 (12 Mar 2005)

System tables written to disk

Format of disk0 complete

[/box]

Now you need to copy in the operating system (this time to flash memory), and set it as the boot image.

[box]

ciscoasa(config)# copy tftp disk0:

Address or name of remote host []? 10.254.254.106

Source filename []? asa992-36-lfbff-k8.SPA

Destination filename [asa992-36-lfbff-k8.SPA]? {Enter}

Accessing tftp://10.254.254.106/asa992-36-lfbff-k8.SPA...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!
Verifying file disk0:/asa992-36-lfbff-k8.SPA...

Writing file disk0:/asa992-36-lfbff-k8.SPA...

111503184 bytes copied in 338.80 secs (329891 bytes/sec)
ciscoasa(config)# boot system disk0:/asa992-36-lfbff-k8.SPA

[/box]

Then repeat the procedure, this time copying over the ASDM image, and set it as the default ASDM image.

[box]

ciscoasa(config)# copy tftp disk0:

Address or name of remote host [10.254.254.106]? {Enter}

Source filename [asa992-36-lfbff-k8.SPA]? asdm-7101.bin

Destination filename [asdm-7101.bin]? {Enter}

Accessing tftp://10.254.254.106/asdm-7101.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Verifying file disk0:/asdm-7101.bin...

Writing file disk0:/asdm-7101.bin...

INFO: No digital signature found
34143680 bytes copied in 118.250 secs (289353 bytes/sec)
ciscoasa(config)# asdm image disk0:/asdm-7101.bin

[/box]

You now need to enter your activation key again, to unlock any licensed features you have.

[box]

ciscoasa(config)# activation-key 3602fa77 540a5abc 50c13234 a378e777 c839300a
Validating activation key. This may take a few minutes...
Failed to retrieve permanent activation key.
Both Running and Flash permanent activation key was updated with the requested key.
ciscoasa(config)#

[/box]

Then either configure the firewall manually, or restore from a backup, and save the changes!

Backup and Restore a Cisco Firewall

Backup and Restore a Cisco Router with TFTP

[box]

ciscoasa(config)# write memory
Building configuration...
Cryptochecksum: 849a4713 61a6532b 0eb6d7a5 92ff32c3

3879 bytes copied in 0.280 secs
[OK]
ciscoasa(config)#

[/box]


Related Articles, References, Credits, or External Links

Convert ASA 5500-X To FirePOWER Threat Defence
