Cisco FPR – Re-image from FTD to ASA Code

KB ID 0001766

Problem

Note: This procedure is to re-image a Cisco Firepower device from FTD to ASA code, (in this example a Cisco FPR 1010). 

Why would you want to do this? Well to be frank FTD is bobbins, so if you have a device running FTD code you might want to ‘convert’ it to ASA code. If you tried to do this with an older firewall (ASA 5500-X) then you needed to go to Cisco TAC and try and get them to give you an activation code for the ASA. But if you are using an FPR device then YOU DON’T NEED TO DO THAT.

You might also want to do this because (at time of writing) the lead times in the UK for a Cisco FPR device running ASA code are eye-wateringly long (200-300 days!). But you can buy a chassis running FTD code and then convert that to ASA code with the following procedure.

Solution

Connect to your FPR device with a console cable, and log on as admin (the default password is Admin123, unless you have changed it of course!) Download the latest version of ASA code for your device from Cisco, in my case (at time of writing) that’s cisco-asa-fp1k.9.14.3.15.SPA. Copy that onto a USB drive (WARNING: The drive needs to be formatted with FAT32, the firewall will not recognise or mount the drive unless it is!) Finally insert the USB drive into the firewall, and issue the following commands.

[box]

FTD-1# scope firmware
FTD-1 /firmware # download image usbA:/cisco-asa-fp1k.9.14.3.15.SPA
Please use the command 'show download-task' or 'show download-task detail' to check download progress.
FTD-1 /firmware # show download-task

Download task:
    File Name Protocol Server          Port       Userid          State
    --------- -------- --------------- ---------- --------------- -----
    cisco-asa-fp1k.9.14.3.15.SPA
              Usb A                             0                 Downloading

% Download-task cisco-asa-fp1k.9.14.3.15.SPA : completed successfully.

[/box]

Note: If it says, ‘failed. Download failure – USB drive is not mounted‘ the drive is probably formatted incorrectly. If it says ‘Download-task failed. Failed signature validation‘, then the image is probably corrupt, try again, or use a different version.

Verify the file has downloaded correctly.

[box]

show download-task

Download task:
    File Name Protocol Server          Port       Userid          State
    --------- -------- --------------- ---------- --------------- -----
    cisco-asa-fp1k.9.14.3.15.SPA
              Usb A                             0                 Downloaded

[/box]

Then make sure the package is listed with a show package command.

[box]

FTD-1 /firmware # show package
Name                                          Package-Vers
--------------------------------------------- ------------
cisco-asa-fp1k.9.13.1.2.SPA                   9.13.1.2
cisco-asa-fp1k.9.14.3.15.SPA                  9.14.3.15
cisco-ftd-fp1k.6.6.0-90.SPA                   6.6.0-90

[/box]

Note: You can see (above) there’s an ASA code version from a previous install and it shows the current running FTD code also. To re-image the firewall execute the following commands. (Note: you enter the VERSION NOT THE FILENAME!)

[box]

FTD-1 /firmware # scope auto-install
FTD-1 /firmware/auto-install # install security-pack version 9.14.3.15

The system is currently installed with security software package 6.6.0-90, which has:
   - The platform version: 2.8.1.105
   - The CSP (ftd) version: 6.6.0.90
If you proceed with the upgrade 9.14.3.15, it will do the following:
   - upgrade to the new platform version 2.8.1.172
During the upgrade, the system will be reboot

Do you want to proceed ? (yes/no):yes {Enter}

This operation upgrades firmware and software on Security Platform Components
Here is the checklist of things that are recommended before starting Auto-Install
(1) Review current critical/major faults
(2) Initiate a configuration backup

Do you want to proceed? (yes/no):yes {Enter}

Triggered the install of software package version 9.14.3.15
Install started. This will take several minutes.
For monitoring the upgrade progress, please enter 'show' or 'show detail' command.
FTD-1 /firmware/auto-install #

[/box]

Now go and have a coffee, it will take 20 minutes, and a few reboots before it’s finished. When completed you should see a login prompt, login with admin/Admin123 and reset the password. 

[box]

firepower-1010 login: admin
Password: Admin123
Successful login attempts for user 'admin' : 1
Last failed login: Sun Nov 21 16:55:16 UCT 2021 on ttyS0
There was 1 failed login attempt since the last successful login.
Hello admin. You must change your password.
Enter new password: password123
Confirm new password: password123
Your password was updated successfully.

[/box]

Then connect to the ASA CLI with the connect asa command. Go to enable mode, and set the enable password. Finally, save the config.

[box]

firepower-1010# connect asa
firepower-1010# Verifying signature for cisco-asa.9.14.3.15 ...
Verifying signature for cisco-asa.9.14.3.15 ... success
ciscoasa>
ciscoasa> enable
The enable password is not set.  Please set it now.
Enter  Password: password123
Repeat Password: password123
Note: Save your configuration so that the password can be used for FXOS failsafe access and persists across reboots
("write memory" or "copy running-config startup-config").
ciscoasa# write memory
Building configuration...
Cryptochecksum: a607255a a64f2898 97bb6b40 9a8ff25c

[/box]

You will now be running ASA code with the factory settings (Inside 192.168.1.1/24, Management 192.168.45.1/24 (with DHCP enabled), Outside set to get IP dynamically, and all traffic allowed out).

Remember, if you’re a ‘lightweight’ and can’t use the command line, then you will need to install and configure the ASDM 🙂
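A pre-flight check to run on your workstation before copying the image to the USB drive (an added example, not part of the original article). It compares the image's SHA-512 with the checksum shown on Cisco's download page and derives the version string that the install security-pack command expects from the filename, following the naming seen in the show package output above. The function names are illustrative, and the expected hash is something you supply yourself.

```shell
#!/bin/sh
# Added example: workstation pre-flight before copying an FPR 1000 image to USB.
# Function names are illustrative; EXPECTED_SHA512 is the checksum shown on
# Cisco's download page for the file (not reproduced here).

# verify_image FILE EXPECTED_SHA512 -> returns 0 only if the hashes match.
verify_image() {
    file=$1
    # Normalise pasted hashes: lower-case, no stray whitespace.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f' | tr -d '[:space:]')
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    actual=$(sha512sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "SHA-512 mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# pack_version FILENAME -> prints the VERSION (not the filename), e.g.
# cisco-asa-fp1k.9.14.3.15.SPA -> 9.14.3.15, as listed by 'show package'.
pack_version() {
    name=$(basename "$1")
    case $name in
        cisco-*-fp1k.*.SPA) ;;
        *) echo "unexpected image name: $name" >&2; return 1 ;;
    esac
    version=${name#cisco-*-fp1k.}
    printf '%s\n' "${version%.SPA}"
}

# preflight FILE EXPECTED_SHA512 -> verifies, then prints the FXOS commands.
preflight() {
    verify_image "$1" "$2" || return 1
    ver=$(pack_version "$1") || return 1
    echo "download image usbA:/$(basename "$1")"
    echo "install security-pack version $ver"
}

# Runs only when called with arguments: preflight.sh IMAGE EXPECTED_SHA512
if [ "$#" -ge 2 ]; then
    preflight "$1" "$2"
fi
```

A mismatch here means the download is damaged or not the file Cisco published, which is cheaper to find out now than at the 'Failed signature validation' stage on the firewall.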

Related Articles, References, Credits, or External Links

Reimage Cisco 1010 ASA to FTD

Convert ASA 5500-X To FirePOWER Threat Defence

DrayTek Vigor – Reset To Factory Settings

KB ID 0000573

Problem

If you cannot get access to your router (or you have bought, found, or been given one and cannot access it), the simplest thing to do is to reset it to factory settings. Once the router has been reset its settings will be as follows:

DrayTek Default Username and Passwords

Model            Username   Password
---------------  ---------  --------
Vigor Rev. ALL   admin      admin
Vigor 2600       admin      {blank}
Vigor 2800       {blank}    {blank}
Vigor 2900+      admin      admin
Vigor 3300       draytek    1234

Note: The router will set itself up with a static IP address (http://192.168.1.1) and will act as a DHCP server (make sure your network card is set to get its address automatically).

 

Solution

Warning: Make sure you have all your router’s settings before you start, especially your ADSL username and password (ring your ISP and confirm), as all these settings will be WIPED when you reset the router!

Factory Reset DrayTek Vigor: Option 1 (If you do not know the password)

Note: Model shown is a DrayTek Vigor 2800

1. With the router powered on in normal operation, the power light should be blinking (slowly).

2. Use a pen, to depress the factory reset button on the rear of the device.

3. The power light will blink rapidly.

4. Release the factory reset button.

Factory Reset DrayTek Vigor: Option 2 (If you know the password)

If you can log in but just want to wipe the settings, and revert to factory defaults.

1. Connect to the web management console and navigate to, System Maintenance > Reboot system > Tick “Using factory default configuration”.

Factory Reset DrayTek Vigor: Option 3 (If you know the password)

If you can log in but just want to wipe the settings, and revert to factory defaults.

1. Familiarise yourself with the DrayTek Vigor firmware upgrade procedure. But use the firmware that ends in .RST NOT the firmware that ends in .ALL. (Note: The .all firmware just updates the firmware but keeps the settings).

 

Related Articles, References, Credits, or External Links

Draytek Router – Firmware Update

Draytek Vigor Router Port Forwarding

 

Cisco ASA5500 Update System and ASDM (From CLI)

Do the same from the ASDM

KB ID 0000074

Problem

Below is a walkthrough for upgrading the OS image and ASDM using the CLI. You will need a TFTP server up and running, with the files sat in the TFTP server’s upload directory. NOTE: For updated ASA and ASDM software you need a valid Cisco CCO login and support contract.

For information on Installing and using a TFTP Server CLICK HERE

Warning:

Before upgrading/updating the ASA to version 8.3 (or Higher) Check to see if you have the correct amount of RAM in the firewall (“show version” command will tell you). This is VERY IMPORTANT if your ASA was shipped before February 2010. See the link below for more information.

ASA – Memory Error (Post upgrade to version 8.3)

Warning 2:

Be aware: if you are upgrading to an OS of 8.4(2) or newer, you can no longer access the device via SSH using the default username of “pix”. You need to enable AAA authentication for SSH; do this before you reboot/reload the firewall or you may lock yourself out.

ASA Enable AAA LOCAL Authentication for SSH

Solution

1. Login to the firewall via Telnet, Console Cable or SSH, then go to enable mode, type in the enable password.

[box]

ciscoasa> enable
Password:*********
ciscoasa#

[/box]

2. Copy the ASA software file from your TFTP server (in this case at IP ADDRESS 10.1.0.212) you will need to give it the name of the file (In this case asa722-k8.bin)

[box]

ciscoasa# copy tftp disk0

Address or name of remote host []? 10.1.0.212

Source filename []? asa722-k8.bin

Destination filename [disk0]? asa722-k8.bin

Accessing tftp://10.1.0.212/asa722-k8.bin..
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
<<<<Removed lots for the sake of Space>>>>
Writing file disk0:asa722-k8.bin...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
<<<<Removed lots for the sake of Space>>>>
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
8312832 bytes copied in 70.230 secs (118754 bytes/sec)

[/box]

3. Now, using the same commands, copy the new ASDM image to the firewall (in this case asdm-522.bin).

[box]

ciscoasa# copy tftp disk0

Address or name of remote host [10.1.0.212]?{Enter}

Source filename [asa722-k8.bin]? asdm-522.bin

Destination filename [disk0]? asdm-522.bin

Accessing tftp://10.1.0.212/asdm-522.bin..
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
<<<<Removed lots for the sake of Space>>>>
Writing file disk0:asdm-522.bin...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
<<<<Removed lots for the sake of Space>>>>
!!!!!!!!!!!!!
5623108 bytes copied in 47.880 secs (119640 bytes/sec)

[/box]

4. NOTE: If it fails due to lack of space, see step 9 below to see how to delete things from flash.

5. Make sure they are actually in there by issuing a show flash command.

[box]

 

ciscoasa(config)# show flash
Initializing disk0: cache, please wait....Done.
-#- --length-- -----date/time------ path
  6 6764544    Jan 01 2003 00:05:22 asa712-k8.bin
  7 1868412    Jan 01 2003 00:05:48 securedesktop-asa-3.1.1.29-k9.pkg
  8 398305     Jan 01 2003 00:06:04 sslclient-win-1.1.0.154.pkg
  9 7495680    Apr 25 2007 14:41:54 asdm512-k8.bin
 12 8312832    May 21 2007 13:29:08 asa722-k8.bin
 13 5623108    May 21 2007 13:31:26 asdm-522.bin

224886784 bytes available (30539776 bytes used)

[/box]

6. Now set the ASA to use the new OS when it Starts.

[box]

ciscoasa(config)# boot system disk0:/asa722-k8.bin

[/box]

7. Note: Sometimes it will keep the old one as well. To remove it you can issue a “no boot system” command.

[box]

ciscoasa(config)# no boot system disk0:/asa712-k8.bin 

[/box]

8. You will now need to tell the ASA to use the NEW ASDM image. Then DON’T FORGET to save the changes with a “write mem” command.

[box]

ciscoasa(config)# asdm image disk0:/asdm-522.bin
ciscoasa(config)# write mem
Building configuration...
Cryptochecksum: 6a88d6fc fef680b3 b86e1ae8 d768560f 

1515 bytes copied in 3.700 secs (505 bytes/sec)
[OK]
ciscoasa(config)#

[/box]

9. I will usually issue a “reload” command now and make sure the Firewall reboots OK, you can then delete the old image and ASDM with the following commands.

[box]

 

ciscoasa(config)# delete disk0:/asa712-k8.bin

Delete filename [asa712-k8.bin]?{Enter}

Delete disk0:/asa712-k8.bin? [confirm]{Enter}

ciscoasa(config)# delete disk0:/asdm512-k8.bin

Delete filename [asdm512-k8.bin]?{Enter}

Delete disk0:/asdm512-k8.bin? [confirm]{Enter}

[/box]  

Related Articles, References, Credits, or External Links

Update Cisco ASA – Directly from Cisco (via ASDM)

Originally written 09/11/09

Cisco ASA5500 Update System and ASDM (From ASDM)

Do the same from command line

KB ID 0000073

Problem

Below is a walkthrough for upgrading the OS image and ASDM using the ASDM, this method does not require access to a TFTP server.

Warning:

Before upgrading/updating the ASA to version 8.3 (or Higher) Check to see if you have the correct amount of RAM in the firewall (“show version” command will tell you). This is VERY IMPORTANT if your ASA was shipped before February 2010. See the link below for more information.

ASA – Memory Error (Post upgrade to version 8.3)

Warning 2:

Be aware: if you are upgrading to an OS of 8.4(2) or newer, you can no longer access the device via SSH using the default username of “pix”. You need to enable AAA authentication for SSH; do this before you reboot/reload the firewall or you may lock yourself out.

ASA Enable AAA LOCAL Authentication for SSH

Solution

1. Firstly make sure you have the latest system and ASDM images on your PC, you will need a valid service agreement and a CCO login with Cisco to download them.

 

2. Connect to the ASDM either via the client software or a web page pointed to https://IP_OF_THE_ASA (NOTE: you need to be on an IP that’s allowed to connect to the ASA).

3. Tools > Upgrade software from Local Computer, or Upload Image on Local PC, on older versions.

4. Select “ASA Image” > Browse Local.

5. The image will upload. If it complains there is not enough space, then go to Tools > File Management and delete the old image (yes, it’s safe to do that, as long as you don’t reboot the firewall or have a power cut).

6. ‘Yes’ to use the new image.

Note: On older versions of the ASDM you have to set this manually (Configuration > Device Administration > Boot Image > Boot Config File Path Section > Browse Flash).

Note: On even older ASDMs this is on the Properties Page.

 

7. OK.

 

Update ASDM from the ASDM

8. Tools > Upgrade software from Local Computer, or Upload Image on Local PC, on older versions.

 

9. This time select ASDM > Browse to the ASDM image > Upload Image.

 

10. The new image will be uploaded to the firewall.

 

11. Yes.

Note: On older versions this needs to be set on Configuration > Device Administration > Boot Image > ASDM Image File Path Section > Browse Flash.

Note: On even older versions this is on the Properties Page.

 

12. OK > Save.

 

13. Tools > System Reload.

 

14. Select ASDM Image > Browse Local.

 

 

Related Articles, References, Credits, or External Links

Cisco ASA5500 Update System and ASDM (From CLI)