While working out how to create a VPN on the Cisco FTD (Firepower 1010), I thought I might as well set it up to the Cisco ASA that I have in the Data Center on my test network. This is what I’m connecting;
Create Site to Site VPN On Cisco FTD (using FDM)
Using a web browser connect to the device's FDM > Site to Site VPN > View Configuration.
Create Site-to-site-connection.
Connection profile name: Something sensible like VPN-To-HQ or VPN-To-Datacentre.
Local VPN Access Interface: outside.
Local Network: Create new network.
Name: This will be your local LAN so give it a recognisable name.
Type: Network
Network: Your local (behind the FTD) network, e.g. 10.254.254.0/24
OK.
Remote IP Address: The public IP address of the other device (in my case the Cisco ASA).
Remote Network: Add
Create new network
Name: This will be the remote site's LAN, so give it a recognisable name.
Type: Network
Network: The remote (behind the ASA) network, e.g. 192.168.100.0/24
OK.
Check the settings are correct > Next.
I’m using IKEv2 (if your ASA is older than version 8.4 you will need to use IKEv1) > IKE Version 2 Globally Applied > Edit.
Create new IKE Policy.
Priority: 1
Name: S2S-IKEv2-Policy
Encryption: DES. Really! (Why is that the default?) Remove DES and replace it with AES256.
I leave the rest of the settings as they are. Some people might not like SHA1; if you want to change it to SHA256, for example, then do so, but remember to change it in the IKEv2 policy on the ASA as well. Also, DON'T CONFUSE PRF with PFS; we will get the chance to set PFS later. > OK.
Enter (and confirm) the local and remote Pre-Shared Key (I usually set these the same, but they don’t have to be). Scroll down.
Nat Exempt: inside
Diffie-Hellman Group for Perfect Forward Secrecy (PFS): Leave disabled.
Next
Review the settings > Finish.
FTD VPN One Way VPN Traffic Warning!
At this point, if you configure the ASA, the tunnel will come up, and if you're behind the FTD everything will work. But if you're behind the ASA and you want to talk to anything behind the FTD, it won't work. This confused me for a while: I could ping from my house to my servers at the DC, but they could not ping me!
Resolution: What you need to do is (on the FTD) ALLOW traffic 'inbound' on the outside interface for the subnet behind the ASA. (Yes, that's bobbins I know; it should do that for you, but at the moment it does not.)
Policies > Access Control > Add.
Title: Allow-VPN-Traffic
Source Zone: outside_zone
Source Networks: The Network behind the ASA
Source Ports: ANY
Destination Zone: inside_zone
Destination Networks: ANY
Destination Ports/Protocols: ANY
OK
Pending changes > Deploy Now.
It can take a while to deploy; I recheck pending changes and wait until it says it's finished.
Create ASA Config for VPN to Cisco FTD
I've covered Cisco ASA IKEv2 VPN configs elsewhere, so I'll just post the config here; change the details (in red) and copy and paste it into your ASA.
All the traditional command line tools we used to use for VPN troubleshooting are available to you, though you will need to SSH into the 'Management Port' before you can use them! Or you can simply do the debugging and troubleshooting on the ASA!
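As an added example (this is not the author's posted config), here is an ASA IKEv2 site-to-site configuration that mirrors the FTD settings chosen above: AES-256 with SHA-1 for both IKEv2 and IPsec, pre-shared-key authentication, PFS left off, 192.168.100.0/24 behind the ASA and 10.254.254.0/24 behind the FTD. The FTD public IP and the pre-shared key are placeholders, the interface names assume the usual inside/outside, and DH group 14 is an assumption that must match the DH group in the FTD IKEv2 policy.

```cisco
! Added example, not the author's config. Placeholders: {FTD-PUBLIC-IP}, {PRE-SHARED-KEY}.
! DH group 14 is an assumption: it must match the group in the FTD IKEv2 policy.
crypto ikev2 policy 10
 encryption aes-256
 integrity sha
 group 14
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
!
! Phase 2 (IPsec) proposal: AES-256 / SHA-1, matching the FTD defaults after DES is removed.
crypto ipsec ikev2 ipsec-proposal AES256-SHA1
 protocol esp encryption aes-256
 protocol esp integrity sha-1
!
! Networks: local LAN behind the ASA and remote LAN behind the FTD (subnets from the article).
object network LAN-BEHIND-ASA
 subnet 192.168.100.0 255.255.255.0
object network LAN-BEHIND-FTD
 subnet 10.254.254.0 255.255.255.0
!
! Interesting traffic: the mirror image of the FTD's local/remote networks.
access-list ACL-VPN-TO-FTD extended permit ip object LAN-BEHIND-ASA object LAN-BEHIND-FTD
!
! NAT exemption so tunnel traffic is not translated (the ASA side of "Nat Exempt: inside").
nat (inside,outside) source static LAN-BEHIND-ASA LAN-BEHIND-ASA destination static LAN-BEHIND-FTD LAN-BEHIND-FTD no-proxy-arp route-lookup
!
! Crypto map: deliberately no "set pfs" line, because PFS was left disabled on the FTD.
crypto map CRYPTO-MAP 10 match address ACL-VPN-TO-FTD
crypto map CRYPTO-MAP 10 set peer {FTD-PUBLIC-IP}
crypto map CRYPTO-MAP 10 set ikev2 ipsec-proposal AES256-SHA1
crypto map CRYPTO-MAP interface outside
!
! Restrict the tunnel to IKEv2 only.
group-policy GP-VPN-TO-FTD internal
group-policy GP-VPN-TO-FTD attributes
 vpn-tunnel-protocol ikev2
!
tunnel-group {FTD-PUBLIC-IP} type ipsec-l2l
tunnel-group {FTD-PUBLIC-IP} general-attributes
 default-group-policy GP-VPN-TO-FTD
tunnel-group {FTD-PUBLIC-IP} ipsec-attributes
 ikev2 remote-authentication pre-shared-key {PRE-SHARED-KEY}
 ikev2 local-authentication pre-shared-key {PRE-SHARED-KEY}
```

The FTD's "local" pre-shared key is the ASA's remote-authentication key and vice versa; the article sets both the same, so the two lines above use one placeholder.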
Troubleshoot phase 1 (IKE)
[box]
show crypto isa
debug crypto ikev2 protocol
[/box]
Troubleshoot phase 2 (IPSec)
[box]
show crypto ipsec sa
debug crypto ipsec 255
[/box]
Related Articles, References, Credits, or External Links
You have a Cisco FTD device that you manage via FDM, and you would like to set up port forwarding. In the example below I will forward TCP Port 80 (HTTP) traffic from the outside interface of my FTD Device (Firepower 1010) to an internal web server on 10.254.254.212
Solution (Step 1: Create an FTD NAT Policy)
Using a web browser connect to the FDM > Policies > NAT > Add.
Set the following options;
Title: Give the NAT rule a title e.g. Webserver-01
Create Rule for: Manual NAT
Status: Enable
Placement: Above a Specific Rule
Rule: InsideOutsideNATRule
Type: Static
Original Packet: Source Interface: inside
Original Packet: Source Address: Select ‘Create New Network’
In the Add new Network Object Window;
Name: Name of the server/object you are port forwarding to e.g. Webserver-01
Host: IP address of the server/object you are port forwarding to
OK
Back At the NAT Rule Window;
Source Address: Ensure it’s set to the object you just created
Original Packet: Source Port: HTTP (or whatever port you wish to forward)
Translated Packet: Destination Interface: outside
Translated Packet: Source Address: Interface
Translated Packet: Source Port: HTTP (or whatever port you wish to forward)
OK.
Solution (Step 2: Create an FTD Access Control Policy Rule)
Policies > Access Control > Add.
Set the access rule as follows;
Title: Give the access rule a title e.g. Webserver-Access
Source Zone: outside_zone
Source Networks: any-ipv4
Source Ports: ANY
Destination Zone: inside_zone
Destination Networks: The Object you created (above)
Destination Ports/Protocols: HTTP
OK
You can expand the rule, and see a diagram version if you wish.
Pending Changes > Deploy Now.
Wait! The changes probably haven't deployed yet; you can check progress by clicking the pending changes button again.
Sorry it’s taken me a while to get round to this, every time I do some work on the firewall I need to kill the internet at home, and I’ve got a wife and two daughters, who live online! So if you follow the site you will know I’ve got a Cisco Firepower 1010 device, and I’ve been looking at it running the ASA code.
Now here’s how to ‘re-image’ the device with the FTD (Firepower Threat Defence) operating system.
Warning: this can take a while; if you are performing this on production equipment, plan in at least a couple of hours of downtime.
Before proceeding, you need to unregister the firewall from its Smart Licence (assuming it’s registered correctly). You can do this with the following command;
Now we simply need to set the image as the primary boot OS.
[box]
Petes-ASA# configure terminal
ciscoasa(config)# boot system disk0:/cisco-ftd-fp1k.6.6.0-90.SPA
The system is currently installed with security software package 9.13.1.2, which has:
- The platform version: 2.7.1.107
- The CSP (asa) version: 9.13.1.2
Preparing new image for install...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Image download complete (Successful unpack the image).
Attention:
If you proceed, the system will be re-imaged and then reboot automatically.
All existing configuration will be lost and the default configuration will be applied.
Installation of version 6.6.0-90 will do the following:
- upgrade to the new platform version 2.8.1.105
- upgrade to the CSP FTD version 6.6.0-90
Do you want to proceed? [confirm] {Enter}
[/box]
The firewall will install the new OS and then reboot itself; it will take a while, be patient! Once rebooted, the FTD software will ask you to log in. The default username and password are admin and Admin123; upon logging in, you are asked to change the password.
[box]
firepower login: admin
Password: Admin123
Successful login attempts for user 'admin' : 1
Copyright 2004-2020, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.
Cisco Fire Linux OS v6.6.0 (build 37)
Cisco Firepower 1010 Threat Defense v6.6.0 (build 90)
Hello admin. You must change your password.
Enter new password: {new-password}
Confirm new password: {new-password}
Your password was updated successfully.
Cisco Firepower Extensible Operating System (FX-OS) Software
TAC support: http://www.cisco.com/tac
Copyright (c) 2009-2019, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained in this software are
owned by other third parties and used and distributed under
license.
[/box]
Now you can carry out an initial configuration of the Firepower.
[box]
firepower# connect ftd
[/box]
Here I set the basic IPv4 settings, and tell the firewall it will be managed locally via FDM (Firepower Device Manager), that’s the web management interface on the device, rather than FMC (Firepower Management Center) a separate management appliance.
[box]
You must accept the EULA to continue.
Press <ENTER> to display the EULA:
End User License Agreement
Effective: May 22, 2017
This is an agreement between You and Cisco Systems, Inc. or its affiliates
("Cisco") and governs your Use of Cisco Software. "You" and "Your" means the
individual or legal entity licensing the Software under this EULA. "Use" or
"Using" means to download, install, activate, access or otherwise use the
Software. "Software" means the Cisco computer programs and any Upgrades made
PRESS THE SPACE BAR A LOT!---------------Output removed for the sake of Brevity---------------------
mentioned are the property of their respective owners. The use of the word
partner does not imply a partnership relationship between Cisco and any other
company. (1110R)
Please enter 'YES' or press Enter to AGREE to the EULA: YES
System initialization in progress. Please stand by.
You must configure the network to continue.
You must configure at least one of IPv4 or IPv6.
Do you want to configure IPv4? (y/n) [y]: y
Do you want to configure IPv6? (y/n) [y]: n
Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]: {Enter}
Enter an IPv4 address for the management interface []: 10.254.254.254
Enter an IPv4 netmask for the management interface []: 255.255.255.0
Enter the IPv4 default gateway for the management interface [data-interfaces]: 10.254.254.1
Enter a fully qualified hostname for this system [firepower]: FTD-1
Enter a comma-separated list of DNS servers or 'none' [208.67.222.222,208.67.220.220]: 8.8.8.8,8.8.4.4,194.168.4.100
Enter a comma-separated list of search domains or 'none' []: {Enter}
If your networking information has changed, you will need to reconnect.
Setting DNS servers: 8.8.8.8 8.8.4.4 194.168.4.100
No domain name specified to configure.
Setting hostname as FTD-1
Setting static IPv4: 10.254.254.254 netmask: 255.255.255.0 gateway: 10.254.254.1 on management0
Updating routing tables, please wait...
All configurations applied to the system. Took 3 Seconds.
Saving a copy of running network configuration to local disk.
For HTTP Proxy configuration, run 'configure network http-proxy'
Manage the device locally? (yes/no) [yes]: {Enter}
Configuring firewall mode to routed
Update policy deployment information
- add device configuration
Successfully performed firstboot initial configuration steps for Firepower Device Manager for Firepower Threat Defense.
>
[/box]
At this point I reboot the unit, but be prepared, it can take a LONG time before it comes back online, (wait at least 40 minutes).
IMPORTANT: you have configured the IP address on the MANAGEMENT interface (1). To configure further, and complete the Firepower 1010 initial setup, connect to any one of the LAN interfaces (2) and navigate to https://192.168.1.1 (you should get a DHCP address; if you don't, then you've not waited long enough!)
I’m seeing more and more people asking questions in forums about FTD, so I thought it was about time I looked at it. Cisco ASA 5500-X firewalls can now be re-imaged to run the FTD software. The thinking is that the FTD will merge the Cisco ASA product and the FirePOWER product into one unified operating system. Then that is managed by FDM (FirePOWER Device Manager), basically a web management GUI.
Solution
Warning; Take a full backup of the ASA config, and save a copy of the activation key! (If you ever want to re-image it back to normal ASA code you will need these!)
The re-imaging is done in ROMMON, so before you start you need to ensure your ROMMON is 1.1.8 or newer. You can get that information with a show module command;
[box]
Petes-ASA# show module
Mod Card Type Model Serial No.
---- -------------------------------------------- ------------------ -----------
1 ASA 5506-X with FirePOWER services, 8GE, AC, ASA5506 JAD2143XXXX
sfr FirePOWER Services Software Module ASA5506 JAD2143XXXX
Mod MAC Address Range Hw Version Fw Version Sw Version
---- --------------------------------- ------------ ------------ ---------------
1 6cb2.aede.0106 to 6cb2.aede.010f 2.0 1.1.8 9.8(1)
sfr 6cb2.aede.0105 to 6cb2.aede.0105 N/A N/A 6.2.0-362
Mod SSM Application Name Status SSM Application Version
---- ------------------------------ ---------------- --------------------------
sfr ASA FirePOWER Up 6.2.0-362
Mod Status Data Plane Status Compatibility
---- ------------------ --------------------- -------------
1 Up Sys Not Applicable
sfr Up Up
Petes-ASA#
[/box]
What if yours isn’t?
Don’t panic! Download the firmware upgrade from Cisco, pop it in a TFTP server, and load it into the firewall, then run the upgrade, with the following two commands;
You need two pieces of software: a boot image (.lfbff) and an install package (.pkg).
Note: You can install the boot image via TFTP but the main package needs to be deployed to the firewall via HTTP, FTP, or HTTPS
Boot the ASA into ROMMON
Power cycle the firewall and with a console cable attached press Esc when prompted, this will drop you into ROMMON mode.
[box]
Cisco Systems ROMMON, Version 1.1.8, RELEASE SOFTWARE
Copyright (c) 1994-2015 by Cisco Systems, Inc.
Compiled Thu 06/18/2015 12:15:56.43 by builders
Current image running: Boot ROM0
Last reset cause: PowerOn
DIMM Slot 0 : Present
Platform ASA5506 with 4096 Mbytes of main memory
MAC Address: 6c:b2:ae:de:01:06
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Boot interrupted.
rommon 1 >
[/box]
Set the ASA FTD Boot Image
As mentioned above, I'm doing this via TFTP. On the ASA 5506-X (all variants), 5508-X, and 5526-X you need to connect the Management interface to the network with the TFTP server. For the target ASA firewalls you can specify which interface you are using like so ("rommon #1> interface gigabitethernet0/0").
Set the basic networking requirements, specify the boot file, then use the 'set' command to view the settings and 'sync' to commit them to memory. It's also a good idea to make sure you can ping the TFTP server (Windows firewall off first though!)
Execute the download/install of the boot image, (tftpdnld command);
[box]
rommon 12 > tftpdnld
ADDRESS: 10.254.254.99
NETMASK: 255.255.255.0
GATEWAY: 10.254.254.112
SERVER: 10.254.254.112
IMAGE: ftd-boot-9.9.2.0.lfbff
MACADDR: 6c:b2:ae:de:01:06
VERBOSITY: Progress
RETRY: 40
PKTTIMEOUT: 7200
BLKSIZE: 1460
CHECKSUM: Yes
PORT: GbE/1
PHYMODE: Auto Detect
Receiving ftd-boot-9.9.2.0.lfbff from 10.254.254.112!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
File reception completed.
Boot buffer bigbuf=348bd018
Boot image size = 103582240 (0x62c8a20) bytes
[image size] 103582240
[MD5 signaure] ea7d29ce6fb200a9a9be486e37c78136
LFBFF signature verified.
INIT: version 2.88 booting
Starting udev
Configuring network interfaces... done.
Populating dev cache
Detected PID ASA5506.
Found device serial number JAD2143XXXX.
Found USB flash drive /dev/sdb
Found hard drive(s): /dev/sda
fsck from util-linux 2.23.2
dosfsck 2.11, 12 Mar 2005, FAT32, LFN
There are differences between boot sector and its backup.
Differences: (offset:original/backup)
65:01/00
Not automatically fixing this.
/dev/sdb1: 53 files, 819023/1919830 clusters
Launching boot CLI ...
Configuring network interface using DHCP
Bringing up network interface.
Depending on your network, this might take a couple of minutes when using DHCP...
ifup: interface lo already configured
Using IPv4 address: 10.254.254.114
Using IPv6 address: fe80::6eb2:aeff:fede:105
Using DNS server: 8.8.8.8
Using DNS server: 8.8.4.4
Using default gateway: 10.254.254.1
INIT: Starting system message bus: dbus.
Starting OpenBSD Secure Shell server: sshd
generating ssh RSA key...
generating ssh ECDSA key...
generating ssh DSA key...
done.
Starting Advanced Configuration and Power Interface daemon: acpid.
acpid: starting up
acpid: 1 rule loaded
acpid: waiting for events: event logging is off
Starting ntpd: done
Starting syslog-ng:.
Starting crond: OK
Cisco FTD Boot 6.0.0 (9.9.2.)
Type ? for list of commands
ciscoasa-boot>
[/box]
Now give the FTD some basic settings; you don't actually have to give it an IP at this point. Obviously, in a production environment you would use your internal DNS and domain details.
[box]
ciscoasa-boot>setup
Welcome to Cisco FTD Setup
[hit Ctrl-C to abort]
Default values are inside []
Enter a hostname [ciscoasa]: Petes-ASA
Do you want to configure IPv4 address on management interface?(y/n) [Y]: N
Do you want to configure static IPv6 address on management interface?(y/n) [N]: N
Enter the primary DNS server IP address [8.8.8.8]: {Enter}
Do you want to configure Secondary DNS Server? (y/n) [y]: Y
Enter the secondary DNS server IP address [8.8.4.4]:{Enter}
Do you want to configure Local Domain Name? (y/n) [n]: N
Do you want to configure Search domains? (y/n) [n]:N
Do you want to enable the NTP service? [Y]:Y
Enter the NTP servers separated by commas: 194.35.252.7,130.88.202.49,93.93.131.118
Please review the final configuration:
Hostname: Petes-ASA
Management Interface Configuration
IPv6 Configuration: Stateless autoconfiguration
DNS Configuration:
DNS Server:
8.8.8.8
8.8.4.4
NTP configuration:
194.35.252.7 130.88.202.49 93.93.131.118
CAUTION:
You have selected IPv6 stateless autoconfiguration, which assigns a global address
based on network prefix and a device identifier. Although this address is unlikely
to change, if it does change, the system will stop functioning correctly.
We suggest you use static addressing instead.
Apply the changes?(y,n) [Y]: Y
Configuration saved successfully!
Applying...
Restarting network services...
Done.
Press ENTER to continue...
[/box]
This is the point where you need the main package file on either an http, https, or ftp site. I have a web server so that’s what I use. Note: This takes a while, best go get a coffee!
[box]
ciscoasa-boot>system install http://{IP-OF-SERVER}/ftd-6.2.3-83.pkg
######################## WARNING ############################
# The content of disk0: will be erased during installation! #
#############################################################
Do you want to continue? [y/N] Y
Erasing disk0 ...
Extracting ...
Verifying
Downloading
Extracting
Package Detail
Description: Cisco ASA-FTD 6.2.3-83 System Install
Requires reboot: Yes
Do you want to continue with upgrade? [y]: Y
Warning: Please do not interrupt the process or turn off the system.
Doing so might leave system in unusable state.
Starting upgrade process ...
Populating new system image
Reboot is required to complete the upgrade. Press 'Enter' to reboot the system.
[/box]
Well, it's telling us to reboot, so let's do so! After it's back up you can log in and specify the correct settings for the FTD/Management Interface. (Note the FTD default username and password!)
[box]
Cisco ASA5506-X Threat Defense v6.2.3 (build 83)
firepower login: admin
Password: Admin123
Copyright 2004-2018, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.
Cisco Fire Linux OS v6.2.3 (build 13)
Cisco ASA5506-X Threat Defense v6.2.3 (build 83)
You must accept the EULA to continue.
Press <ENTER> to display the EULA: {Enter}
End User License Agreement
Effective: May 22, 2017
This is an agreement between You and Cisco Systems, Inc. or its affiliates
("Cisco") and governs your Use of Cisco Software. "You" and "Your" means the
<-------Output omitted - For the sake of Brevity -------->
partner does not imply a partnership relationship between Cisco and any other
company. (1110R)
Please enter 'YES' or press <ENTER> to AGREE to the EULA: {Enter}
System initialization in progress. Please stand by.
You must change the password for 'admin' to continue.
Enter new password: Password123
Confirm new password: Password123
You must configure the network to continue.
You must configure at least one of IPv4 or IPv6.
Do you want to configure IPv4? (y/n) [y]: Y
Do you want to configure IPv6? (y/n) [n]: N
Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]:{Enter}
Enter an IPv4 address for the management interface [192.168.45.45]: 10.254.254.253
Enter an IPv4 netmask for the management interface [255.255.255.0]:{Enter}
Enter the IPv4 default gateway for the management interface [data-interfaces]: 10.254.254.254
Enter a fully qualified hostname for this system [firepower]: PNL-FirePOWER
Enter a comma-separated list of DNS servers or 'none' [208.67.222.222,208.67.220.220]: 8.8.8.8,8.8.4.4
Enter a comma-separated list of search domains or 'none' []:{Enter}
If your networking information has changed, you will need to reconnect.
DHCP Server Disabled
The DHCP server has been disabled. You may re-enable with configure network ipv4 dhcp-server-enable
For HTTP Proxy configuration, run 'configure network http-proxy'
Manage the device locally? (yes/no) [yes]: yes
Configuring firewall mode to routed
Update policy deployment information
- add device configuration
Successfully performed firstboot initial configuration steps for Firepower Device Manager for Firepower Threat Defense.
[/box]
That's us done for the conversion! You can now connect to the firewall with a web browser (remember you just changed the password!)