Cisco FPR – Re-image from FTD to ASA Code

KB ID 0001766

Problem

Note: This procedure is to re-image a Cisco Firepower device from FTD to ASA code, (in this example a Cisco FPR 1010). 

Why would you want to do this? Well to be frank FTD is bobbins, so if you have a device running FTD code you might want to ‘convert’ it to ASA code. If you tried to do this with an older firewall (ASA 5500-X) then you needed to go to Cisco TAC and try and get them to give you an activation code for the ASA. But if you are using an FPR device then YOU DON’T NEED TO DO THAT.

You might also want to do this because, (at time of writing) buying a Cisco FPR device running ASA code, the lead times in the UK are eye wateringly long (200-300 days!) But you can buy a chassis running FTD code and then convert that to ASA code with the following procedure.

Solution

Connect to your FPR device with a console cable, and log on as admin (the default password is Admin123, unless you have changed it of course!) Download the latest version of ASA code for your device from Cisco, in my case (at time of writing) that’s cisco-asa-fp1k.9.14.3.15.SPA. Copy that onto a USB drive (WARNING: The drive needs to be formatted with FAT32, the firewall will not recognise or mount the drive unless it is!) Finally insert the USB drive into the firewall, and issue the following commands.

[box]

FTD-1# scope firmware
FTD-1 /firmware # download image usbA:/cisco-asa-fp1k.9.14.3.15.SPA
Please use the command 'show download-task' or 'show download-task detail' to check download progress.
FTD-1 /firmware # show download-task

Download task:
    File Name Protocol Server          Port       Userid          State
    --------- -------- --------------- ---------- --------------- -----
    cisco-asa-fp1k.9.14.3.15.SPA
              Usb A                             0                 Downloading

% Download-task cisco-asa-fp1k.9.14.3.15.SPA : completed successfully.

[/box]

Note: If it says, ‘failed. Download failure – USB drive is not mounted‘ the drive is probably formatted incorrectly. If it says ‘Download-task failed. Failed signature validation‘, then the image is probably corrupt, try again, or use a different version.

Verify the file has downloaded correctly.

[box]

show download-task

Download task:
    File Name Protocol Server          Port       Userid          State
    --------- -------- --------------- ---------- --------------- -----
    cisco-asa-fp1k.9.14.3.15.SPA
              Usb A                             0                 Downloaded

[/box]

Then make sure the package is listed with a show package command.

[box]

FTD-1 /firmware # show package
Name                                          Package-Vers
--------------------------------------------- ------------
cisco-asa-fp1k.9.13.1.2.SPA                   9.13.1.2
cisco-asa-fp1k.9.14.3.15.SPA                  9.14.3.15
cisco-ftd-fp1k.6.6.0-90.SPA                   6.6.0-90

[/box]

Note: You can see (above) there’s an ASA code version from a previous install and it shows the current running FTD code also. To re-image the firewall execute the following commands. (Note: you enter the VERSION NOT THE FILENAME!)

[box]

FTD-1 /firmware # scope auto-install
FTD-1 /firmware/auto-install # install security-pack version 9.14.3.15

The system is currently installed with security software package 6.6.0-90, which has:
   - The platform version: 2.8.1.105
   - The CSP (ftd) version: 6.6.0.90
If you proceed with the upgrade 9.14.3.15, it will do the following:
   - upgrade to the new platform version 2.8.1.172
During the upgrade, the system will be reboot

Do you want to proceed ? (yes/no):yes {Enter}

This operation upgrades firmware and software on Security Platform Components
Here is the checklist of things that are recommended before starting Auto-Install
(1) Review current critical/major faults
(2) Initiate a configuration backup

Do you want to proceed? (yes/no):yes {Enter}

Triggered the install of software package version 9.14.3.15
Install started. This will take several minutes.
For monitoring the upgrade progress, please enter 'show' or 'show detail' command.
FTD-1 /firmware/auto-install #

[/box]

Now go and have a coffee, it will take 20 minutes, and a few reboots before it’s finished. When completed you should see a login prompt, login with admin/Admin123 and reset the password. 

[box]

firepower-1010 login: admin
Password: Admin123
Successful login attempts for user 'admin' : 1
Last failed login: Sun Nov 21 16:55:16 UCT 2021 on ttyS0
There was 1 failed login attempt since the last successful login.
Hello admin. You must change your password.
Enter new password: password123
Confirm new password: password123
Your password was updated successfully.

[/box]

Then connect to the ASA CLI with the connect asa command. Go to enable mode, and set the enable password. Finally, save the config.

[box]

firepower-1010# connect asa
firepower-1010# Verifying signature for cisco-asa.9.14.3.15 ...
Verifying signature for cisco-asa.9.14.3.15 ... success
ciscoasa>
ciscoasa> enable
The enable password is not set.  Please set it now.
Enter  Password: password123
Repeat Password: password123
Note: Save your configuration so that the password can be used for FXOS failsafe access and persists across reboots
("write memory" or "copy running-config startup-config").
ciscoasa# write memory
Building configuration...
Cryptochecksum: a607255a a64f2898 97bb6b40 9a8ff25c

[/box]

You will now be running ASA code with the factory settings (Inside 192.168.1.1/24, Management 192.168.45.1/24 (with DHCP enabled), Outside set to get IP dynamically, and all traffic allowed out).

Remember if you’re a ‘light weight’ and cant use command line, then you will need to install and configure the ASDM 🙂 

Related Articles, References, Credits, or External Links

Reimage Cisco 1010 ASA to FTD

Convert ASA 5500-X To FirePOWER Threat Defence

Replacing Cisco Firewalls with Fortinet Firewalls

KB ID 0001741

Replacing Cisco

If you’ve been following articles on the site you will know that the focus of the firewall related output is shifting from Cisco ASA / Cisco FirePOWER to Fortinet (FortiGate) firewalls.

This article is so you can make an informed choice about what you want to replace your Cisco firewall with.

Note: I’m starting with SOHO and Small Business sized firewalls, but I will extend this to ‘Enterprise sized’ firewalls as I have the time.

Replacing Cisco SOHO Small Business Firewalls with FortiGate

If ever there was something that was incorrectly sold it was likely a SOHO Cisco firewall. The problem was, back in the day of the ASA5505 the only alternative was a ASA5510 and that was four times the price, plus the 5505 had a built in switch which saved you having to buy one of those as well. Even now (in 2021) these things are ubiquitous, I see them balanced in wall mounted comms cabinets, and sat in data centres and popped under peoples desks.

To make matters worse it’s replacement the ASA5506-X was a decent firewall but it wasn’t also a switch! (Cisco half heartedly tried to fix this and made it worse). To add insult to injury if you paid for the NGFW Firepower option Cisco just disabled it without warning in version 9.10.(1)

Then we got the FPR1010 this comes in two flavours, the ASA Code version which I deploy, and the FDM version which is bobbins! (I get 10 questions a day on the site to help people set them up). This (at time of writing) is a relatively new firewall but I’ll include it for completeness, (and article longevity).

High Availability: Seriously? I see this more often than I should! Don’t be deploying home sized firewalls and wanting Enterprise solutions! Stop it now. On a serous note, all the little ASA/FPR support it, but they all need additional licensing to do so. 

Stats: Remember when comparing the stats, we are comparing (mostly) old hardware against brand new (purpose built) hardware so the FortiGates will always look better on paper.

Cisco ASA5505, 5506-X and FPR1010 Specifications

Fortigate 40F, 60F, and 80F Specifications

Replacing Cisco SOHO Firewalls Conclusion

  • Unless you need 10Gb connectivity (on your WAN) then go for the 60F, if you need all those 1Gb ports and you want it to function as a switch.
  • If you don’t need so many LAN ports then go for the 40F (Note: even with 1x WAN port you can deploy SDWAN by using another interface!)

Replacing Cisco Medium Business / Small enterprise Firewalls with FortiGate

This is a difficult one to call, you can’t really say FortiGate model X is a direct comparison for Cisco model Y. To size a FortiGate firewall you need to 

First: Decide what throughput you need (remember to factor in NGFW/IDS/ATP and possibly HTTPS Throughput this will be LOWER than the max throughput!)

Second: Decide what connectivity you want.

FortiGate throughput for these classes of firewalls falls into roughly three different categories;

  1. 10Gbps Throughput (1Gbps HTTPS Inspection throughput) to 27Gbps Throughput (4Gbps HTTPS throughput) = 100 and 200 Series.
  2. 32Gbps Throughput (3.9Gbps HTTPS Inspection throughput) to 36Gbps Throughput (5.7Gbps HTTPS throughput) = 300, 400 and 500 Series.
  3. 36Gbps Throughput (8Gbps HTTPS Inspection throughput) to 52Gbps Throughput (3.9Gbps HTTPS throughput) = 600, 800 and 900 Series.

Note: If the figures dont overlap neatly, thats because these are a mixture of D, E and F Releases.

Cisco ASA5500 and 5500-X  Specifications

Cisco Firepower 1100 to 2100 Series Specifications

Fortigate 100 to 900 Series Specifications

Replacing Cisco Bonuses

  • Remote VPN: You don’t need to buy additional remote VPN (AnyConnect) licences any more. With FortiGate remote SSL VPN is built in, and the client numbers are impressive.
  • Failover: Is supported even for Active / Active and good old Active / Passive. and Clustering.
  • SDWAN: You now have this capability if you require it.
  • Redundant Power Supply: Is on all FortiGate models in this class.

If anyone wants to add any real world experiences or comments, please do so below.

Related Articles, References, Credits, or External Links

NA

Which Firepower To Replace Your ASA 5500-X?

KB ID 0001705

Problem

Well  the ASA5516-X was the last one to go end of sale. You may be able to get stock of the remainder of the ASA5500-X series as people clear their shelves, or they may be available as ‘refurb’ stock but they are disappearing.

So you would think that the replacements would be better documented? Well it’s sketchy at best, and when you look a the data sheets for the new FPR range the links on Cisco website go to the wrong place, or give you little or no guidance 🙁

Solution

I’ve put together the following to help, it’s not sanctioned by Cisco, (though I did engage Cisco Partner GVE to assist me. The following table shows FPR models that run ASA code, (not FTD code). I’m not a fan personally of the FTD solution, and I wont be deploying it anywhere for a client. But Standard Asa code keeps my support and network techs happy.

If you disagree with any of my recommendations, please post below, and (providing your objection is valid,) and I’ll update it accordingly.

Related Articles, References, Credits, or External Links

NA

Cisco Firepower 1010 (FTD) Initial Setup

KB ID 0001678

 

If you’re here you’ve either purchased a new Cisco Firepower device running FTD (FirePower Threat Defence) or have re-imaged your Firepower device from ASA to FTD code.

On its factory defaults, the unit will have the following settings.

  • Inside IP address (VLAN 1) 192.168.1.1 (on all interfaces from 2 to 8).
  • Outside IP Address set to DHCP in interface 1.
  • Management IP address 192.168.45.1 on the Management Interface.
  • DHCP Scopes on both the inside and management interfaces (192.168.1.x and 192.168.45.x respectively).

  1. Power Connector.
  2. 8 x Gigabit Ethernet ports: Normally GigabitEthernet 1/1 will be for the WAN, GigabitEthernet 1/2 though 1/8 will be for the LAN (with 1/7 and 1/8 being PoE).
  3. Management Port.
  4. Console Port (RJ45).
  5. Console Port (Mini USB).
  6. USB Port (useful for upgrades, and backups).
  7. Kensington Lock: Seriously? I’ve not seen one of these since about 2005, does anyone still use them?
  8. Reset Button: Depress for 3 seconds reverts the firewall to its factory settings, (and preserves the config apparently).
  9. Status Lights, (another reason not to put things on top of it!) Though you will notice there’s some on the back also. Note: When all lights are solid the firewall is operational, when the centre light is blinking, it’s still booting).

FirePower 1010 Setup

I will be deploying this as a stand alone FTD firewall, that will be managed locally on the device itself via FDM (Firepower Device Manager) and not via an FMC (Firepower Management Center) appliance.

Smart Licensing: If you’re not already familiar with Cisco Smart Licensing, I’ve covered it in more depth here. Set yourself up a free Smart License Account, and generate a token, copy it to the clipboard, (we will need it in a minute).

Connect to the firewall via a LAN port on https://192.168.1.1, or via the Management port on https://192.168.45.1 (unless you have ran though the FTD setup at command line, and have already changed the management IP).

Default usernames, (you will be asked to change them) are;

  • Username: admin
  • Password: Admin 123

Scroll down.

Here I’m accepting the default Outside/Public Interface settings of DHCP enabled, with IPv6 disabled, if yours has a static IP, or you want to user IPv6 then change the settings accordingly > Next.

I’ll accept the defaults here, be advised those NTP servers may take a little while to ‘go-green’ (you will see what I mean later) > Next.

I’m going to do this manually in a minute, so we can skip this > Next.

Note: The unit will have a default policy of let everything out (sourced from inside), and nothing in (sourced from outside) we will leave that as it is, as a decent start point.

Stanalone device > Configure Interfaces.

Note: Below I’m going to REMOVE the DHCP Scope, then change the ‘inside’ IP address (to avoid errors). Then later I will add the new DHCP scope back in again.

VLANs > Vlan1 > Edit. > DHCP section > Edit > Remove.

You can now set the inside IP address accordingly. (Don’t panic you wont lose connectivity yet!) > OK.

Now you need to Save/Commit the changes, and Deploy them. Now you will lose connectivity, if you have changed the inside IP address, so manually give yourself an IP address on the new network, and reconnect to the firewall.

Note: Update: Pleas ensure tha management is allowed in VLAN1 before proceeding (System Settings -> Management Access -> Data Interfaces.)

Cisco Firepower Setup DHCP

Create a new DHCP Scope: Should you require the firewall to be a DHCP server, log back in to the new internal IP address > System Settings > DHCP Server.

Create DHCP Server > Enable DHCP Server > Enter the new scope > OK.

Remember to commit the changes, and deploy them again!

Cisco Firepower FTD Licensing

Thankfully this is MUCH easier than doing the same thing while running ASA Code (on the same hardware!) > Smart Licence > View Configuration.

Register Device.

Paste in your token, (from above) > Set your location > Register Device. Go and have a coffee, it will look like it’s broken/not worked for a few minutes.

After a while you should see this;

There will be some outstanding changes to save and deploy also, now the unit is registered.

Back in the Cisco Smart Licence portal, it should look a bit like this;

Once fully complete and operational, all connected interfaces should have all the options ‘go-green’. For me the NTP servers took a while!

Note: Obviously the interfaces in orange are not in use!

 

Related Articles, References, Credits, or External Links

NA

Reimage Cisco 1010 ASA to FTD

KB ID 0001677

Problem

Sorry it’s taken me a while to get round to this, every time I do some work on the firewall I need to kill the internet at home, and I’ve got a wife and two daughters, who live online! So if you follow the site you will know I’ve got a Cisco Firepower 1010 device, and I’ve been looking at it running the ASA code.

Now here’s how to ‘re-image’ the device with the FTD (Firepower Threat Defence) operating system.

Warning this can take a while, if you are performing this in production equipment, plan in at least a couple of hours downtime.

Solution

Firstly this is a lot easier than it was on the old ASA 5500-x platform, If you have ever updated the OS on a Cisco ASA, then the process is pretty much the same.

Before proceeding, you need to unregister the firewall from its Smart Licence (assuming it’s registered correctly). You can do this with the following command;

[box]

licence smart deregister

[/box]

Or from the ASDM;

Then connect the firewall via console cable, I’m going to copy the operating system in from a TFTP server on my mac, (you can use FTP or HTTP if you prefer).

[box]

Petes-ASA# copy tftp flash

Address or name of remote host []? 192.168.1.20

Source filename []? cisco-ftd-fp1k.6.6.0-90.SPA

Destination filename [cisco-ftd-fp1k.6.6.0-90.SPA]? {Enter}
Accessing tftp://192.168.1.20/cisco-ftd-fp1k.6.6.0-90.SPA...!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Verifying file disk0:/cisco-ftd-fp1k.6.6.0-90.SPA...

Writing file disk0:/cisco-ftd-fp1k.6.6.0-90.SPA...

1097176240 bytes copied in 331.300 secs (3314731 bytes/sec)
Petes-ASA#

[/box]

Now we simply need to set the image as the primary boot OS.

[box]

Petes-ASA# configure terminal
ciscoasa(config)# boot system disk0:/cisco-ftd-fp1k.6.6.0-90.SPA

The system is currently installed with security software package 9.13.1.2, which has:
   - The platform version:  2.7.1.107
   - The CSP (asa) version: 9.13.1.2
Preparing new image for install...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Image download complete (Successful unpack the image).
Attention:
   If you proceed, the system will be re-imaged and then reboot automatically.
   All existing configuration will be lost and the default configuration will be applied.
Installation of version 6.6.0-90 will do the following:
   - upgrade to the new platform version 2.8.1.105
   - upgrade to the CSP FTD version 6.6.0-90
Do you want to proceed? [confirm] {Enter}

[/box]

The firewall will install the new OS then reboot itself, it will take a while, be patient! Once rebooted the FTD software will ask you to login, the default username and password is admin and Admin123, upon logging in, you are asked to change the password.

[box]

firepower login: admin
Password: Admin123
Successful login attempts for user 'admin' : 1

Copyright 2004-2020, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.

Cisco Fire Linux OS v6.6.0 (build 37)
Cisco Firepower 1010 Threat Defense v6.6.0 (build 90)

Hello admin. You must change your password.
Enter new password: {new-password}
Confirm new password: {new-password}
Your password was updated successfully.

Cisco Firepower Extensible Operating System (FX-OS) Software
TAC support: http://www.cisco.com/tac
Copyright (c) 2009-2019, Cisco Systems, Inc. All rights reserved.

The copyrights to certain works contained in this software are
owned by other third parties and used and distributed under
license.

[/box]

Now you can carry out an initial configuration of the Firepower. 

[box]

firepower# connect ftd

[/box]

Here I set the basic IPv4 settings, and tell the firewall it will be managed locally via FDM (Firepower Device Manager), that’s the web management interface on the device, rather than FMC (Firepower Management Center) a separate management appliance.

[box]

You must accept the EULA to continue.
Press  to display the EULA:
End User License Agreement

Effective: May 22, 2017

This is an agreement between You and Cisco Systems, Inc. or its affiliates
("Cisco") and governs your Use of Cisco Software. "You" and "Your" means the
individual or legal entity licensing the Software under this EULA. "Use" or
"Using" means to download, install, activate, access or otherwise use the
Software. "Software" means the Cisco computer programs and any Upgrades made

PRESS THE SPACE BAR A LOT!
---------------Output removed for the sake of Brevity---------------------
mentioned are the property of their respective owners. The use of the word
partner does not imply a partnership relationship between Cisco and any other
company. (1110R)

Please enter 'YES' or press Enter to AGREE to the EULA: YES

System initialization in progress.  Please stand by.
You must configure the network to continue.
You must configure at least one of IPv4 or IPv6.
Do you want to configure IPv4? (y/n) [y]: y
Do you want to configure IPv6? (y/n) [y]: n
Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]: {Enter}
Enter an IPv4 address for the management interface []: 10.254.254.254
Enter an IPv4 netmask for the management interface []: 255.255.255.0
Enter the IPv4 default gateway for the management interface [data-interfaces]: 10.254.254.1
Enter a fully qualified hostname for this system [firepower]: FTD-1
Enter a comma-separated list of DNS servers or 'none' [208.67.222.222,208.67.220.220]: 8.8.8.8,8.8.4.4,194.168.4.100
Enter a comma-separated list of search domains or 'none' []: {Enter}
If your networking information has changed, you will need to reconnect.
Setting DNS servers: 8.8.8.8 8.8.4.4 194.168.4.100
No domain name specified to configure.
Setting hostname as FTD-1
Setting static IPv4: 10.254.254.254 netmask: 255.255.255.0 gateway: 10.254.254.1 on management0
Updating routing tables, please wait...
All configurations applied to the system. Took 3 Seconds.
Saving a copy of running network configuration to local disk.
For HTTP Proxy configuration, run 'configure network http-proxy'

Manage the device locally? (yes/no) [yes]: {Enter}
Configuring firewall mode to routed


Update policy deployment information
    - add device configuration
Successfully performed firstboot initial configuration steps for Firepower Device Manager for Firepower Threat Defense.

>

[/box]

At this point I reboot the unit, but be prepared, it can take a LONG time before it comes back online, (wait at least 40 minutes). 

IMPORTANT you have configured the IP address on the MANAGEMENT interface (1) , to configure further, and complete the Firepower 1010 initial setup, connect to any one of the LAN interfaces (2), and navigate to https://192.168.1.1 (you should get an DHCP address, if you don’t, then you’ve not waited long enough!)

Related Articles, References, Credits, or External Links

Cisco FPR – Re-image from FTD to ASA Code

Cisco Firepower 1010 Configuration

KB ID 0001673

Background

This page will be used as a central repository and ‘index’ for configuration on the Cisco Firepower 1010 series firewall. I intend to add to it as I test the capabilities and work out any problems whilst trialing/deploying and operating this platform.

Config Documents

VPN Firepower 1000 series running ASA Code.

General

Cisco Firepower 1010 Licensing

Reimage Cisco 1010 ASA to FTD

VPN

EZVPN

Is not supported on this platform, it cannot be configured as an EZVPN client.

Site to Site VPN (as per older 5500-x and 5500 series)

Cisco ASA Site To Site VPN IKEv2 “Using CLI”

Cisco ASA Site To Site VPN IKEv1 “Using CLI” (Only normally required, if the other end does not support IKEv2)

Cisco ASA Site to Site VPN ‘Using ASDM’

Remote Access VPN

Cisco ASA AnyConnect VPN ‘Using CLI’

Cisco ASA AnyConnect VPN ‘Using ASDM’

Cisco ASA – L2TP over IPSEC VPN ‘Using CLI or ASDM’ (Using Windows 10 Built in VPN client)

Port Forwarding and NAT

Cisco ASA Port Forwarding ‘Using CLI or ASDM’

Cisco ASA Port Forwarding To A Different Port

Cisco ASA Port Forwarding a ‘Range of Ports’

Cisco ASA Static (One to One) NAT Translation

 

VPN Firepower 1000 series running FTD Code.

General

Cisco Firepower 1010 (FTD) Initial Setup

Cisco FTD: AMP/URL Filtering/Threat Detection and AVC

VPN

Site to Site VPN 

Cisco FTD Site to Site VPN

Remote Access VPN 

Cisco FTD Remote Access VPN (AnyConnect)

Cisco FTD (and ASA) Creating AnyConnect Profiles

 

 

I will continue to add to this page but please be patient. (I’m juggling two jobs, and have a personal life!)

Related Articles, References, Credits, or External Links

NA

macOS: ASDM Developer Cannot Be Verified

KB ID 0001667

Problem

When trying to connect to a Firepower 1010 ASDM I was met with this;

“Cisco ASDM-IDM.app” cannot be opened because the developer cannot be verified.
macOS cannot verify that this ap is free from malware

Solution

If you’ve spent much time using macOS then this is quite common, Open System Preferences > Security and Privacy > General tab > You will see a warning about the Cisco ASDM-IDM > Click ‘Open Anyway‘.

If you are prompted again simply click ‘Open‘.

Related Articles, References, Credits, or External Links

NA

Firepower 1010 Review

KB ID 0001666

What Is It?

I’ve been trying to get my hands on one of these for a while. So thanks to my employer for sending me one to take a look at. The Firepower 1010 appliance is aimed at Small Office / Home Office, and possibly Small Remote Branch offices. But like its predecessors it will probably get put in EVERYWHERE because it’s ‘cheap’, (Note: for cheap, read possibly under-specced* and the wrong size!)

*Seriously, I’ve deployed a LOT of 5506-X (and 5508-X) firewalls, and then clients enabled every inspection, IDS/AMP/Web Filtering etc. Then complained that their internet connection was then terrible, ‘Why is my new firewall slower than the old one!’ So look at the throughput for these things, with inspection enabled before deciding to buy the cheapest one!

A Brief History

The Firepower 1010, will end up being the replacement for the ASA5506-X, which in turn was the replacements for the ASA5505

Left to Right: ASA 5505, ASA 5506-X, Firepower 1010

The 5505, was brilliant, I still see them everywhere, tucked in the bottom of comms cabinets, and balanced on top of other things in Data Centers. I know of 5505s that I installed new over 15 years ago that are still chugging away. It had built in PoE, a 7 port switch, (you need one port for the WAN.) The only thing that ever let the 5505 down, was, the earlier versions didn’t have enough RAM to update past version 8.3. It replaced the earlier PIX 501 and the PIX506E (I do have both of these models also tucked away somewhere, I was just too lazy to dig them out).

The 5506-X was, (to be honest), a massive let down,  it shipped with 8 Ports on it, but those ports were independent, so you needed to buy a switch as well, and it didn’t have PoE. Cisco tried to ‘Fix’ the switch problem by introducing the BVI interface with version 9.7. the problem with that was, it was ‘horrifically terrible in the extreme‘. If you wanted to do anything even vaguely ‘firewall-ish’ with your firewall, the config would extend in size with a ratio like it was getting multiplied by the Fibonacci numbers. 🙁 The final nail in its coffin was, if you updated it past version 9.10 the FirePOWER module was disabled, (Regardless of the fact you had bought licences for it or not).

So Now the Firepower 1010

Is it FirePOWER or Firepower? : Good question, the rule was, if it was in an ASA it was FirePOWER if it was a dedicated device it was Firepower. But as the Firepower 1010 can run ASA code, it breaks the rules! So I’ll stick with Firepower for the new ones.

It runs ASA Code? : Yes Cisco firewall techs of the world rejoice! The Firepower 1010 model comes in two flavours;

  • FPR1010-ASA-K9: Good old Cisco ASA code, with an ASDM!
  • FPR1010-NGFW-K9: Runs the FTD (Firepower Threat Management) code.

I’ve written briefly about FTD on the Cisco ASA, I wasn’t really a fan, but I know we live in a ‘point and click’ society now, so maybe this version will win out in the end, but I hope not.

Oh Bugger! I’ve Ordered the wrong one! No problem, you can swap between versions, but you will need to ‘re-image’ the device completely (losing all settings).

What Do You Get With the Firepower 1010?

Out of the box you get the unit itself, a ‘Power Brick’ (with an annoying ‘Clover Leaf’ / ‘Mickey Mouse Ears’ / ‘IEC C5’ connector.) So if like me you get one with a Euro (2 pin) plug in the box and you live in the UK unless you have one spare you will have a problem. Luckily I’ve got most things at home, but if you unbox this in a Data Centre at 11 o’clock at night, good luck finding one of those Power Cables! You also get a USB console cable. There’s a quick setup card, mine was in French and Spanish, but the picture was self explanatory. Theres a licence envelope in there as well, on inspection, it’s just instructions on how to setup a ‘Smart’ License account.

It’s Fan-less: Like the 5506-X it’s fan-less (that’s why its covered in holes). So IT”S NOT SUPPOSED TO GO IN A RACK! If you want a rack mountable firewall buy a Firepower 1120.

But You Can Get Rack Mounting Kits For It? : I know, but then the world is full of people who sell the wrong stuff. If you put this thing in a rack, and impede airflow though it, it’s more likely to break, (lecture over).

It’s a Proper Switch! Yep even better than the 5505, it’s got proper switchports with proper switch commands! By default all Ports from GigabitEthernet 1/2 to 1/8 are in VLAN 1. Gigabit Ethernet 1/1 is a routed (no switchport) port.

PoE:  The unit has PoE on ports GigabitEthernet 1/7 and GigabitEthernet 1/8 (only).

Throughput: Cisco state with NGFW inspection ‘or’ IDS turned on 650Mbps (notice they don’t say ‘and’!)

AnyConnect: Comes with 75 ‘Premium’ Licences, (without extra licensing!)

Licensing: Smart License model only, so no more ‘classic’ licences, and activation-keys any more.

Failover? here’s a GOTCHA for failover you need to add an additional licence to BOTH units, (on the 1010 only) and they are not cheap! But if you want enterprise solutions, then buy enterprise class firewalls guys!

  1. Power:  Much better than the 5506-x and the terrible 5505 power connector, you could probably swing on this and it wont come out. Just a pity about the IEC C5  connector on the power brick.
  2. 8 x Gigabit Ethernet ports: Normally GigabitEthernet 1/1 will be for the WAN, GigabitEthernet 1/2 though 1/8 will be for the LAN (with 1/7 and 1/8 being PoE).
  3. Management Port.
  4. Console Port (RJ45).
  5. Console Port (Mini USB).
  6. USB port (useful for upgrades, and backups).
  7. Kensington Lock: Seriously? I’ve not seen one of these since about 2005, does anyone still use them?
  8. Reset Button: Depress for 3 seconds reverts the firewall to its factory settings, (and preserves the config apparently).
  9. Status Lights, (another reason not to put things on top of it!) Though you will notice there’s some on the back also.

Firepower 1010 Initial Setup (ASA Version)

It takes ages to boot! Like its predecessors the WAN Port will be set to get an IP address via DHCP, and the internal ports have DHCP enabled (192.168.1.0/24). The  Management Port also has DHCP enabled 192.168.45.0/24) So be careful before connecting it to a live network. ASDM is enabled to the entire inside and management networks. 

The only thing I can see different from its predecessor, (apart form the fact its got a working switch setup that isn’t terrible,) is the DNS servers are set to Ciscos, I’m assuming this is so that licensing and updates will ‘just work’ though some people will want to change this.

Annoyingly ICMP inspection is still disabled by default, and ESMTP inspection is enabled by default (If you have an Exchange server turn that off!)

All traffic is set to translate to the outside interfaces IP address (This is actually PAT translation, that’s why I didn’t say NATTED to the outside interfaces IP address).

Next Step: Cisco Firepower 1010 Licensing

Related Articles, References, Credits, or External Links

NA

Cisco SFR Cant Ping its Default Gateway?

KB ID 0001575

Problem

This is a strange one? I was deploying FirePOWER to a pair of ASA 5550-8-X firewalls in Active / Standby failover last week. After each SFR was updated (via ASDM.) I could no longer ‘ping it’, the SFR itself could ping everything on the same VLAN, APART from its own default gateway, (which was an SVI on the Cisco 3750 switch it was connected to).

This happened every time I updated the SFR, (or re-imaged it.) Then after an hour or so it was fine?

Solution

If I connected to the switch that the SFR, (and firewall) was connected to, I could NOT ping the SFR. The interface was up/up on the switch, and the firewalls Management interface was also up/up.

[box]

Petes-3750#ping 10.2.1.252

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.1.252, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

[/box]

I did notice it was in the ARP table though, (with the correct MAC address), So I manually removed it;

[box]

Petes-3750#clear ip arp 10.2.1.252

[/box]

Then it was fine?

[box]

Petes-3750#ping 10.2.1.252

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.1.252, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

[/box]

Now the ASDM would connect fine without complaining about the FirePOWER module.

Related Articles, References, Credits, or External Links

NA