Convert ASA 5500-X To FirePOWER Threat Defence

KB ID 0001490

Problem

I’m seeing more and more people asking questions in forums about FTD, so I thought it was about time I looked at it. Cisco ASA 5500-X firewalls can now be re-imaged to run the FTD software. The thinking is that the FTD will merge the Cisco ASA product and the FirePOWER product into one unified operating system. Then that is managed by FDM (FirePOWER Device Manager), basically a web management GUI.

Solution

Warning; Take a full backup of the ASA config, and save a copy of the activation key! (If you ever want to re-image it back to normal ASA code you will need these!)

The re-imaging is done in ROMMON, so before you start you need to ensure your ROMMON is 1.1.8 or newer. You can get that information with a show module command;

[box]

Petes-ASA# show module

Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
   1 ASA 5506-X with FirePOWER services, 8GE, AC, ASA5506            JAD2143XXXX
 sfr FirePOWER Services Software Module           ASA5506            JAD2143XXXX

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
   1 6cb2.aede.0106 to 6cb2.aede.010f  2.0          1.1.8        9.8(1)
 sfr 6cb2.aede.0105 to 6cb2.aede.0105  N/A          N/A          6.2.0-362

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 sfr ASA FirePOWER                  Up               6.2.0-362

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   1 Up Sys             Not Applicable
 sfr Up                 Up

Petes-ASA#

[/box]

What if yours isn’t?

Don’t panic! Download the firmware upgrade from Cisco, pop it in a TFTP server, and load it into the firewall, then run the upgrade, with the following two commands;

[box]

copy tftp://{IP-Of-TFTP-Server}/asa5500-firmware-1108.SPA disk0:asa5500-firmware-1108.SPA 
upgrade rommon disk0:/asa5500-firmware-1108.SPA

[/box]

Download FTD Software

You need two pieces of software, a boot image (.pkg), and an install package. (.lbff).

Note: You can install the boot image via TFTP but the main package needs to be deployed to the firewall via HTTP, FTP, or HTTPS

Boot the ASA into ROMMON

Power cycle the firewall and with a console cable attached press Esc when prompted, this will drop you into ROMMON mode.

[box]

Cisco Systems ROMMON, Version 1.1.8, RELEASE SOFTWARE
Copyright (c) 1994-2015  by Cisco Systems, Inc.
Compiled Thu 06/18/2015 12:15:56.43 by builders


Current image running: Boot ROM0
Last reset cause: PowerOn
DIMM Slot 0 : Present

Platform ASA5506 with 4096 Mbytes of main memory
MAC Address: 6c:b2:ae:de:01:06


Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Boot interrupted.

rommon 1 >

[/box]

Set the ASA FTD Boot Image

As mentioned above I’m doing this via TFTP, on the Asa 5506-x (all variants), 5508-X, and 5526-X you need to connect the Management interface to the network with the TFTP server. For the target ASA firewalls you can specify which interface you are using like so (“rommon #1> interface gigabitethernet0/0″).

Set the basic networking requirements, specify the boot file, then use the ‘set‘ command to view the settings, and ‘sync‘ to commit that to memory. It’s also a good idea to make are you can ping the TFTP server, (Windows firewall off first though!)

[box]

rommon 1 > address 10.254.254.99
rommon 2 > netmask 255.255.255.0
rommon 3 > server 10.254.254.112
rommon 4 > gateway 10.254.254.112
rommon 5 > file ftd-boot-9.9.2.0.lfbff
rommon 6 > set
    ADDRESS=10.254.254.99
    NETMASK=255.255.255.0
    GATEWAY=10.254.254.112
    SERVER=10.254.254.112
    IMAGE=ftd-boot-9.9.2.0.lfbff
    CONFIG=
    PS1="rommon ! > "

rommon 6 > sync
rommon 7 > ping 10.254.254.112
Sending 10, 32-byte ICMP Echoes to 10.254.254.112 timeout is 4 seconds
!!!!!!!!!!
Success rate is 100 percent (10/10)

[/box]

Execute the download/install of the boot image, (tftpdnld command);

[box]

rommon 12 > tftpdnld
             ADDRESS: 10.254.254.99
             NETMASK: 255.255.255.0
             GATEWAY: 10.254.254.112
              SERVER: 10.254.254.112
               IMAGE: ftd-boot-9.9.2.0.lfbff
             MACADDR: 6c:b2:ae:de:01:06
           VERBOSITY: Progress
               RETRY: 40
          PKTTIMEOUT: 7200
             BLKSIZE: 1460
            CHECKSUM: Yes
                PORT: GbE/1
             PHYMODE: Auto Detect

Receiving ftd-boot-9.9.2.0.lfbff from 10.254.254.112!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
File reception completed.
Boot buffer bigbuf=348bd018
Boot image size = 103582240 (0x62c8a20) bytes
[image size]      103582240
[MD5 signaure]    ea7d29ce6fb200a9a9be486e37c78136
LFBFF signature verified.
INIT: version 2.88 booting
Starting udev
Configuring network interfaces... done.
Populating dev cache
Detected PID ASA5506.
Found device serial number JAD2143XXXX.
Found USB flash drive /dev/sdb
Found hard drive(s):  /dev/sda
fsck from util-linux 2.23.2
dosfsck 2.11, 12 Mar 2005, FAT32, LFN
There are differences between boot sector and its backup.
Differences: (offset:original/backup)
  65:01/00
  Not automatically fixing this.
/dev/sdb1: 53 files, 819023/1919830 clusters
Launching boot CLI ...
Configuring network interface using DHCP
Bringing up network interface.
Depending on your network, this might take a couple of minutes when using DHCP...
ifup: interface lo already configured
Using IPv4 address: 10.254.254.114
Using IPv6 address: fe80::6eb2:aeff:fede:105
Using DNS server: 8.8.8.8
Using DNS server: 8.8.4.4
Using default gateway: 10.254.254.1
INIT: Starting system message bus: dbus.
Starting OpenBSD Secure Shell server: sshd
  generating ssh RSA key...
  generating ssh ECDSA key...
  generating ssh DSA key...
done.
Starting Advanced Configuration and Power Interface daemon: acpid.
acpid: starting up

acpid: 1 rule loaded

acpid: waiting for events: event logging is off

Starting ntpd: done
Starting syslog-ng:.
Starting crond: OK



            Cisco FTD Boot 6.0.0 (9.9.2.)
              Type ? for list of commands
ciscoasa-boot>

[/box]

Now give the FTD some basic settings, you don’t actually have to give it an IP at this point. Obviously in a production environment, you would use your internal DNS and domain details .

[box]

ciscoasa-boot>setup


                Welcome to Cisco FTD Setup
                  [hit Ctrl-C to abort]
                Default values are inside []

Enter a hostname [ciscoasa]: Petes-ASA
Do you want to configure IPv4 address on management interface?(y/n) [Y]: N
Do you want to configure static IPv6 address on management interface?(y/n) [N]: N
Enter the primary DNS server IP address [8.8.8.8]: {Enter}
Do you want to configure Secondary DNS Server? (y/n) [y]: Y
Enter the secondary DNS server IP address [8.8.4.4]:{Enter}
Do you want to configure Local Domain Name? (y/n) [n]: N
Do you want to configure Search domains? (y/n) [n]:N
Do you want to enable the NTP service? [Y]:Y
Enter the NTP servers separated by commas: 194.35.252.7,130.88.202.49,93.93.131.118

Please review the final configuration:
Hostname:               Petes-ASA
Management Interface Configuration

IPv6 Configuration:     Stateless autoconfiguration

DNS Configuration:
        DNS Server:
                        8.8.8.8
                        8.8.4.4

NTP configuration:
        194.35.252.7    130.88.202.49   93.93.131.118
CAUTION:
You have selected IPv6 stateless autoconfiguration, which assigns a global address
based on network prefix and a device identifier. Although this address is unlikely
to change, if it does change, the system will stop functioning correctly.
We suggest you use static addressing instead.

Apply the changes?(y,n) [Y]: Y
Configuration saved successfully!
Applying...
Restarting network services...
Done.
Press ENTER to continue...

[/box]

This is the point where you need the main package file on either an http, https, or ftp site. I have a web server so that’s what I use. Note: This takes a while, best go get a coffee!

[box]

ciscoasa-boot>system install http://{IP-OF-SERVER}/ftd-6.2.3-83.pkg

######################## WARNING ############################
# The content of disk0: will be erased during installation! #
#############################################################

Do you want to continue? [y/N] Y
Erasing disk0 ...
Extracting   ...
Verifying
Downloading
Extracting
Package Detail
        Description:                    Cisco ASA-FTD 6.2.3-83 System Install
        Requires reboot:                Yes

Do you want to continue with upgrade? [y]: Y
Warning: Please do not interrupt the process or turn off the system.
Doing so might leave system in unusable state.

Starting upgrade process ...
Populating new system image

Reboot is required to complete the upgrade. Press 'Enter' to reboot the system.

[/box]

Well, it’s telling us to reboot so let’s do so! After its backup you can login and specify the correct settings for the FTD/Management Interface. (Note the FTD Default username and password!)

[box]

Cisco ASA5506-X Threat Defense v6.2.3 (build 83)
firepower login: admin
Password: Admin123


Copyright 2004-2018, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.

Cisco Fire Linux OS v6.2.3 (build 13)
Cisco ASA5506-X Threat Defense v6.2.3 (build 83)

You must accept the EULA to continue.
Press  to display the EULA: {Enter}
End User License Agreement

Effective: May 22, 2017

This is an agreement between You and Cisco Systems, Inc. or its affiliates
("Cisco") and governs your Use of Cisco Software. "You" and "Your" means the
<-------Output omitted - For the sake of Brevity -------->
partner does not imply a partnership relationship between Cisco and any other
company. (1110R)

Please enter 'YES' or press  to AGREE to the EULA: {Enter}

System initialization in progress.  Please stand by.
You must change the password for 'admin' to continue.
Enter new password: Password123
Confirm new password: Password123
You must configure the network to continue.
You must configure at least one of IPv4 or IPv6.
Do you want to configure IPv4? (y/n) [y]: Y
Do you want to configure IPv6? (y/n) [n]: N
Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]:{Enter}
Enter an IPv4 address for the management interface [192.168.45.45]: 10.254.254.253
Enter an IPv4 netmask for the management interface [255.255.255.0]:{Enter}
Enter the IPv4 default gateway for the management interface [data-interfaces]: 10.254.254.254
Enter a fully qualified hostname for this system [firepower]: PNL-FirePOWER
Enter a comma-separated list of DNS servers or 'none' [208.67.222.222,208.67.220.220]: 8.8.8.8,8.8.4.4
Enter a comma-separated list of search domains or 'none' []:{Enter}
If your networking information has changed, you will need to reconnect.
DHCP Server Disabled
The DHCP server has been disabled. You may re-enable with configure network ipv4 dhcp-server-enable
For HTTP Proxy configuration, run 'configure network http-proxy'

Manage the device locally? (yes/no) [yes]: yes
Configuring firewall mode to routed


Update policy deployment information
    - add device configuration
Successfully performed firstboot initial configuration steps for Firepower Device Manager for Firepower Threat Defense.

[/box]

That’s us done for the conversion! You can now connect the the firewall with a web browser, (remember you just changed the password!)

Related Articles, References, Credits, or External Links

NA

WDS Deploying Windows Part 1: Install and Configure WDS

KB ID 0000735 

Problem

You want to deploy the Windows 8 Client Operating System, to a number of clients using WDS. In this part we will configure the WDS Server, then we will move onto taking an image of your reference Windows 8 machine. Finally we will cover taking that image, and deploying it out to many target systems.

Solution

Add the WDS Role

1. From Server Manager (ServerManager.exe) > Local Server.

2. Manage > Add Roles and Features.

3. Next.

4. Next.

5. Next.

6. Select ‘Windows Deployment services’ > Next > It will ask to install some other features let it do so.

7. Next.

8. Next.

9. Accept the default (both roles) > Next.

10. Install.

Configure the WDS Server

11. From the Start menu > Launch the Windows Deployment Services management console.

12. Expand servers > Right click the server name > Configure Server.

13. Read the prerequisites > Next.

14. Next.

15. Select the location where you want to store your images and keep the WDS files.

16. Note: In this case it’s warning me NOT to use the C: drive, as this is just a test server I will accept the warning and leave it as it is. In production environments make sure you are using a different drive/volume.

17. This particular server IS a DHCP server, but we will address the DHCP requirements when we are finished > Next.

18. I’m going to choose ‘Respond to all (known and unknown)’ > Next.

19. WDS should configure and the service SHOULD start.

20. Here we can see the service has not started (the server will have a small stop symbol on it).

21. So I need to manually start the service.

Adding Image Groups and Images

22. Firstly I’m going to create an group that will hold all my Windows 8 Client machine images. Right click Install Images > Add Image Group.

23. Give it a name > OK.

Adding a boot image (To send an image to a remote machine)

24. Now I need to add a boot image, so I can boot my remote clients from the WDS server and use this image to load WindowsPE on them, so they can be imaged. Right click Boot Images > Add Boot Image.

25. You can use either a Windows 8 DVD or a Windows Server 2012 DVD, you will need to navigate to the sources directory, and locate Boot.wim > Open.

26. Next.

27. Rename the image ‘Install an Image’ > Enter a description > Next.

28. Next.

29. The Image will be imported.

30. Finish.

Adding a Capture Image (To take an image from a remote machine)

31. Right click the image we have just added > Create Capture Image.

32. Call this one ‘Capture an Image’ > Give it a description > Save the image (with a .wim extension). Note: It does not matter where you save the image, but I would suggest somewhere in the ‘Remote Install’ folder > Next.

33. The image will be created.

34. Finish

35. Now even through we have created the capture image, we still need to import it. Right click > Add Boot Image.

36. Select the capture image you created earlier > Next.

37. Make sure it’s called ‘Capture and Image’ > Next.

38. Next.

39. Now the capture image will be imported into WDS.

40. Finish.

Configure DHCP with WDS Options

41. Launch the DHCP management console.

42. Open the active scope > IPv4 > Server Options > Configure Options.

43. Tick Option 66 > Set its value to the IP address of the WDS server > Apply > OK.

44. Tick Option 67 > Set its value to;

[box] bootx64wdsnbp.com [/box]

Apply OK

45. Now you are ready to capture an image of your reference Windows 8 machine.

 

Related Articles, References, Credits, or External Links

2012 – WDS Deploying Windows 8 Part 2: Prepare Windows 8, and Capture to WDS

WDS 2003 Deploying Windows XP

WDS 2008 R2 Deploying Windows 7

Using Windows Deployment Services with Symantec Ghost

 

ASA Upgrading and Imaging a Hardware CX Module

KB ID 0001025

Problem

Last time I had to do one of these the process was very straight forward, one command and the ASA got its new image from FTP, extracted it, and then installed it.

I had a CX module fail last week, and Cisco shipped me out a replacement. After installing it and running the setup, I needed to upgrade it (it will be managed by PRSM). It was running version 9.0.2 (probably been on the shelf a while!). And every time I tried to run a system upgrade it told me this, (regardless of what version I tried to install).

[box]This package is not applicable to release 9.0.2.[/box]

If I tried to set a boot image in the ASA, I got the following errors;

[box] Module 1 cannot be recovered.

OR

ERROR: Module in slot 1 does not support recovery

[/box]

Well there is a boot image especially for the 5585-X CX module, so how do you use it?

Solution

Remember the ASA-SSP-CX unit is basically the same hardware as the ASA, you need to boot that card to ROMMON, then install the boot image via TFTP. Once that’s loaded you can run setup and install the new software package.

1. As you can see this one’s running a very old OS.

[box] Petes-CX>show version

Cisco ASA CX Platform 9.0.2 (103)

Cisco Prime Security Manager 9.0.2 (103) for Petes-CX firewall

Petes-CX>

[/box]

2. Reload the module and as it starts to boot, send a ‘break’ keystroke.

[box] Petes-CX>system reload
Are you sure you want to reload the system? [N]: y
Broadcast message from root (console) (Mon Jan 19 14:47:09 2015):
The system is going down for reboot NOW!
INIT: SwitchingStopping OpenBSD Secure Shell server: sshdstopped /usr/sbin/sshd (pid 3862)
.
Stopping Advanced Configuration and Power Interface daemon: no /usr/sbin/acpid found; none killed
stopping Busybox inetd: inetd… stopped inetd (pid 3875)
done.
Stopping Vixie-cron.
Stopping ntpd: stopped process in pidfile ‘/var/run/ntp.pid’ (pid 3880)
done
Stopping syslogd/klogd: done
Deconfiguring network interfaces… done.
Stopping CGroup Rules Engine Daemon…stopped /usr/sbin/cgrulesengd (pid 3865)

Success
CGRE[3865]: Stopped CGroup Rules Engine Daemon at Mon Jan 19 14:47:13 2015
Stopping cgconfig service: Success
Sending all processes the TERM signal…
Sending all processes the KILL signal…
Unmounting remote filesystems…
Deactivating swap…
Unmounting local filesystems…
umount2: Device or resource busy

——————————————
–Output Removed for the Sake of Brevity–
——————————————

The system is restarting…

CISCO SYSTEMS

Embedded BIOS Version 2.0(13)0 20:40:45 10/21/11

USB storage device found … SMART eUSB USB Device

Total memory : 12 GB

Total number of CPU cores : 8

CPLD revision 0008h
Cisco Systems ROMMON Version (2.0(13)0) #0: Fri Oct 21 20:01:34 CDT 2011

Use BREAK or ESC to interrupt boot.Use SPACE to begin boot immediately.Boot in 10 seconds.

Boot interrupted.

Management0/0
Link is UP
MAC Address: 6c20.5658.928c

Use ? for help.
rommon #0>

[/box]

3. Remember in ROMMON mode you need to set up all the network settings to copy in the boot image (where 192.168.1.10 will be the CX,and .101 is the TFTP server).

Note: This is the BOOT image, it will have a .img file extension.

[box] rommon #0> ADDRESS=192.168.1.10
rommon #1> SERVER=192.168.1.101
rommon #2> GATEWAY=192.168.1.1
rommon #3> IMAGE=asacx-boot-9.3.2.1-9.img
rommon #4> [/box]

4. Make sure you can ping the TFTP server.

[box]rommon #4> ping 192.168.1.101
Sending 20, 100-byte ICMP Echoes to 192.168.1.101, timeout is 4 seconds:
!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (20/20)[/box]

5. Issue a sync command, then start the transfer.

[box]

rommon #5> sync

Updating NVRAM Parameters…

rommon #6> tftp
ROMMON Variable Settings:
ADDRESS=192.168.1.10
SERVER=192.168.1.101
GATEWAY=192.168.1.1
PORT=Management0/0
VLAN=untagged
IMAGE=asacx-boot-9.3.2.1-9.img
CONFIG=
LINKTIMEOUT=20
PKTTIMEOUT=4
RETRY=20

tftp asacx-boot-9.3.2.1-9.img@192.168.1.010 via 192.168.1.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

——————————————
–Output Removed for the Sake of Brevity–
——————————————

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Received 65605385 bytes

Launching TFTP Image…

Execute image at 0x14000
[STUB]
Boot protocol version 0x209

——————————————
–Output Removed for the Sake of Brevity–
——————————————

Starting syslogd/klogd: done
Cisco ASA CX Boot Image 9.3.2.1

Petes-CX login: admin
Password: ************

Cisco ASA CX Boot 9.3.2.1 (9)
Type ? for list of commands
Petes-CX-boot>

[/box]

WARNING the following procedure will erase all the settings from your CX module

6. Partition the CX module drive. (This takes a long time, good time to put the kettle on!)

[box]

Petes-CX-boot>partition
WARNING: You are about to erase all policy configurations and data.
You cannot undo this action.
Are you sure you want to proceed? [y/n]:y
Logical volume “data” successfully removed
Logical volume “var” successfully removed
Logical volume “packages” successfully removed

——————————————
–Output Removed for the Sake of Brevity–
——————————————

Persistent partition is there so create symbolic link /etc/ntp.conf
Persistent partition is there so create symbolic link /etc/hosts
Petes-CX-boot>

[/box]

7. Run the basic setup.

[box]

Petes-CX-boot>setup

Welcome to Cisco Prime Security Manager Setup
[hit Ctrl-C to abort]
Default values are inside []

Enter a hostname [asacx]: Petes-CX
Do you want to configure IPv4 address on management interface?(y/n) [Y]: Y
Do you want to enable DHCP for IPv4 address assignment on management interface?(y/n) [N]: N
Enter an IPv4 address [192.168.8.8]: 192.168.1.10
Enter the netmask [255.255.255.0]: 255.255.255.0
Enter the gateway [192.168.8.1]: 192.168.1.1
Do you want to configure static IPv6 address on management interface?(y/n) [N]: N
Stateless autoconfiguration will be enabled for IPv6 addresses.
Enter the primary DNS server IP address: 192.168.1.20
Do you want to configure Secondary DNS Server? (y/n) [n]: Y
Enter the secondary DNS server IP address: 192.168.1.21
Do you want to configure Local Domain Name? (y/n) [n]: Y
Enter the local domain name: petenetlive.com
Do you want to configure Search domains? (y/n) [n]: Y
Enter the comma separated list for search domains: petenetlive.com
Do you want to enable the NTP service? [Y]: Y
Enter the NTP servers separated by commas: 192.168.1.31,192.168.1.32
Do you want to enable the NTP symmetric key authentication? [N]: N
Please review the final configuration:
Hostname:Petes-CX
Management Interface Configuration

IPv4 Configuration:static
IP Address:192.168.1.10
Netmask:255.255.255.0
Gateway:192.168.1.1

IPv6 Configuration:Stateless autoconfiguration

DNS Configuration:
Domain:petenetlive.com
Search:
petenetlive.com
DNS Server:
192.168.1.20
192.168.1.21

NTP configuration:
192.168.1.31,192.168.1.32
CAUTION:
You have selected IPv6 stateless autoconfiguration, which assigns a global address based on network prefix and a device identifier. Although this address is unlikely to change, if it does change, the system will stop functioning correctly.
We suggest you use static addressing instead.

Apply the changes?(y,n) [Y]: Y
Configuration saved successfully!
Applying…
Restarting network services…
Restarting NTP service…
Done.
Press ENTER to continue…
Petes-CX-boot>

[/box]

8. You can now upgrade the CX module from FTP.

Note: This is the SYSTEM image, it will have a .pkg extension.

[box]

Petes-CX-boot>system install ftp://192.168.1.101/asacx-sys-9.3.2.1-9.pkg
Verifying..
Downloading..
Extracting..
Package Detail
Description:Cisco ASA-CX 9.3.2.1-9 System Upgrade
Requires reboot:Yes

Do you want to continue with upgrade? [y]: y

Warning: Please do not interrupt the process or turn off the system.
Doing so might leave system in unusable state.

Upgrading..
Starting upgrade process ..
Populating new system image..
Copying over new application components..
Cleaning up old application components..
Reboot is required to complete the upgrade. Press ‘Enter’ to reboot the system.

PRESS ENTER

Broadcast message from root (consoStopping OpenBSD Secure Shell server: sshdstopped /usr/sbin/sshd (pid 2883)

[/box]

9. After the module has reloaded, log in and make sure every thing is working.

[box]

Petes-CX login: admin
Password:***********


    Cisco Prime Security Manager 9.3.2.1 (9) for Petes-CX firewall
  Type ? for list of commands

Petes-CX>show services status
============================================================
Process           | PID   | Up    | Up Time
============================================================
HTTP Server       | 6139  | True  | 00:02:00
Data Plane        | 6665  | True  | 00:01:35
Opdata Helper     | 6299  | True  | 00:01:59
AD Interface      | 6674  | True  | 00:01:35
HW Regex Server   | 6572  | True  | 00:01:43
Message Nameserver| 6279  | True  | 00:01:59
HTTP Auth Daemon  | 6469  | True  | 00:01:57
Management Plane  | 6481  | True  | 00:01:57
signup            | 6347  | True  | 00:01:59
PDTS              | 6442  | True  | 00:01:59
Predictive Defense| 6679  | True  | 00:01:35
HTTP Inspector    | 6689  | True  | 00:01:35
HPM Monitor       | 6684  | True  | 00:01:35
Updater           | 7772  | True  | 00:00:19
Card Manager      | 6071  | True  | 00:02:00
ARP Daemon        | 6458  | True  | 00:01:58
Event Server      | 6512  | True  | 00:01:52
TLS Proxy         | 6719  | True  | 00:01:35
============================================================
Petes-CX>

[/box]

 

Related Articles, References, Credits, or External Links

Special thanks to Veronika Klauzova from Cisco TAC