Cisco FPR – Re-image from FTD to ASA Code

KB ID 0001766

Problem

Note: This procedure is to re-image a Cisco Firepower device from FTD to ASA code (in this example a Cisco FPR 1010).

Why would you want to do this? Well, to be frank, FTD is bobbins, so if you have a device running FTD code you might want to ‘convert’ it to ASA code. If you tried to do this with an older firewall (ASA 5500-X) then you needed to go to Cisco TAC and try and get them to give you an activation code for the ASA. But if you are using an FPR device then YOU DON’T NEED TO DO THAT.

You might also want to do this because (at time of writing) the UK lead times for a Cisco FPR device running ASA code are eye-wateringly long (200-300 days!). But you can buy a chassis running FTD code and then convert that to ASA code with the following procedure.

Solution

Connect to your FPR device with a console cable and log on as admin (the default password is Admin123, unless you have changed it of course!). Download the latest version of ASA code for your device from Cisco; in my case (at time of writing) that’s cisco-asa-fp1k.9.14.3.15.SPA. Copy that onto a USB drive (WARNING: the drive needs to be formatted with FAT32; the firewall will not recognise or mount the drive unless it is!). Finally, insert the USB drive into the firewall and issue the following commands.

[box]

FTD-1# scope firmware
FTD-1 /firmware # download image usbA:/cisco-asa-fp1k.9.14.3.15.SPA
Please use the command 'show download-task' or 'show download-task detail' to check download progress.
FTD-1 /firmware # show download-task

Download task:
    File Name Protocol Server          Port       Userid          State
    --------- -------- --------------- ---------- --------------- -----
    cisco-asa-fp1k.9.14.3.15.SPA
              Usb A                             0                 Downloading

% Download-task cisco-asa-fp1k.9.14.3.15.SPA : completed successfully.

[/box]

Note: If it says ‘failed. Download failure – USB drive is not mounted’, the drive is probably formatted incorrectly. If it says ‘Download-task failed. Failed signature validation’, then the image is probably corrupt: try again, or use a different version.

Verify the file has downloaded correctly.

[box]

show download-task

Download task:
    File Name Protocol Server          Port       Userid          State
    --------- -------- --------------- ---------- --------------- -----
    cisco-asa-fp1k.9.14.3.15.SPA
              Usb A                             0                 Downloaded

[/box]

Then make sure the package is listed with a show package command.

[box]

FTD-1 /firmware # show package
Name                                          Package-Vers
--------------------------------------------- ------------
cisco-asa-fp1k.9.13.1.2.SPA                   9.13.1.2
cisco-asa-fp1k.9.14.3.15.SPA                  9.14.3.15
cisco-ftd-fp1k.6.6.0-90.SPA                   6.6.0-90

[/box]

Note: You can see (above) there’s an ASA code version from a previous install, and it also shows the currently running FTD code. To re-image the firewall execute the following commands. (Note: you enter the VERSION, NOT THE FILENAME!)

[box]

FTD-1 /firmware # scope auto-install
FTD-1 /firmware/auto-install # install security-pack version 9.14.3.15

The system is currently installed with security software package 6.6.0-90, which has:
   - The platform version: 2.8.1.105
   - The CSP (ftd) version: 6.6.0.90
If you proceed with the upgrade 9.14.3.15, it will do the following:
   - upgrade to the new platform version 2.8.1.172
During the upgrade, the system will be reboot

Do you want to proceed ? (yes/no):yes {Enter}

This operation upgrades firmware and software on Security Platform Components
Here is the checklist of things that are recommended before starting Auto-Install
(1) Review current critical/major faults
(2) Initiate a configuration backup

Do you want to proceed? (yes/no):yes {Enter}

Triggered the install of software package version 9.14.3.15
Install started. This will take several minutes.
For monitoring the upgrade progress, please enter 'show' or 'show detail' command.
FTD-1 /firmware/auto-install #

[/box]
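As an added example (not from the article, and not Cisco tooling), a small Python pre-flight check that applies the two verifications above to captured CLI output: it confirms the image shows as Downloaded, confirms it is listed by show package, and hands back the bare version string that install security-pack version wants rather than the filename. The sample output is constructed from the sessions shown on this page.

```python
"""
Pre-flight check for the FXOS FTD-to-ASA re-image steps shown above.

Added example, not part of the original article or of Cisco's tooling.
It parses (constructed) output of 'show download-task' and 'show package',
confirms the chosen image has finished downloading and is listed, and
returns the version string that 'install security-pack version' expects
(the article's point: the VERSION, not the filename).
"""
import re

# Constructed sample output, modelled on the article's own sessions.
SHOW_DOWNLOAD_TASK = """\
Download task:
    File Name Protocol Server          Port       Userid          State
    --------- -------- --------------- ---------- --------------- -----
    cisco-asa-fp1k.9.14.3.15.SPA
              Usb A                             0                 Downloaded
"""

SHOW_PACKAGE = """\
Name                                          Package-Vers
--------------------------------------------- ------------
cisco-asa-fp1k.9.13.1.2.SPA                   9.13.1.2
cisco-asa-fp1k.9.14.3.15.SPA                  9.14.3.15
cisco-ftd-fp1k.6.6.0-90.SPA                   6.6.0-90
"""


def parse_download_tasks(text):
    """Return {filename: state} from 'show download-task' output.

    FXOS prints the filename on one line and the protocol/server/port/
    state columns on the next, so pair each filename with the last
    word of the line that follows it.
    """
    tasks = {}
    lines = [line.rstrip() for line in text.splitlines()]
    for i, line in enumerate(lines):
        name = line.strip()
        if name.endswith(".SPA") and i + 1 < len(lines):
            tasks[name] = lines[i + 1].split()[-1]
    return tasks


def parse_packages(text):
    """Return {filename: version} from 'show package' output."""
    pkgs = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+\.SPA)\s+(\S+)\s*$", line)
        if m:
            pkgs[m.group(1)] = m.group(2)
    return pkgs


def security_pack_version(filename, download_output, package_output):
    """Version to pass to 'install security-pack version', or raise ValueError."""
    if not filename.startswith("cisco-asa-"):
        raise ValueError(f"{filename}: not an ASA image")
    state = parse_download_tasks(download_output).get(filename)
    if state != "Downloaded":
        raise ValueError(f"{filename}: download state is {state!r}, expected 'Downloaded'")
    version = parse_packages(package_output).get(filename)
    if version is None:
        raise ValueError(f"{filename}: not listed by 'show package'")
    return version


if __name__ == "__main__":
    v = security_pack_version("cisco-asa-fp1k.9.14.3.15.SPA", SHOW_DOWNLOAD_TASK, SHOW_PACKAGE)
    print(f"install security-pack version {v}")
```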

Now go and have a coffee; it will take 20 minutes and a few reboots before it’s finished. When completed you should see a login prompt; log in with admin/Admin123 and reset the password.

[box]

firepower-1010 login: admin
Password: Admin123
Successful login attempts for user 'admin' : 1
Last failed login: Sun Nov 21 16:55:16 UCT 2021 on ttyS0
There was 1 failed login attempt since the last successful login.
Hello admin. You must change your password.
Enter new password: password123
Confirm new password: password123
Your password was updated successfully.

[/box]

Then connect to the ASA CLI with the connect asa command. Go to enable mode and set the enable password. Finally, save the config.

[box]

firepower-1010# connect asa
firepower-1010# Verifying signature for cisco-asa.9.14.3.15 ...
Verifying signature for cisco-asa.9.14.3.15 ... success
ciscoasa>
ciscoasa> enable
The enable password is not set.  Please set it now.
Enter  Password: password123
Repeat Password: password123
Note: Save your configuration so that the password can be used for FXOS failsafe access and persists across reboots
("write memory" or "copy running-config startup-config").
ciscoasa# write memory
Building configuration...
Cryptochecksum: a607255a a64f2898 97bb6b40 9a8ff25c

[/box]

You will now be running ASA code with the factory settings (Inside 192.168.1.1/24, Management 192.168.45.1/24 (with DHCP enabled), Outside set to get IP dynamically, and all traffic allowed out).

Remember, if you’re a ‘light weight’ and can’t use the command line, then you will need to install and configure the ASDM 🙂

Related Articles, References, Credits, or External Links

Reimage Cisco 1010 ASA to FTD

Convert ASA 5500-X To FirePOWER Threat Defence

Cisco ASA: Remove FTD and Return to ASA and ASDM

Remove FTD

KB ID 0001496

Problem

A few weeks ago I posted an article about re-imaging your Cisco ASA to FTD (FirePOWER Threat Defence). Now you may find the FTD is not as ‘feature rich’ as your old firewall, or that there’s a ‘lack of feature parity’, which are two polite ways of saying that it’s crap (sorry, it’s just awful; as usual Cisco should’ve spent a LOT longer developing this product before they released it!)

So now you want to remove the FTD image and go back to good old fashioned ASA code, so you can use the ASDM to manage it, or (of course) command line.

Prerequisites : Remove FTD

You will need a few things to perform the re-image;

  • A copy of the Cisco ASA operating system downloaded from Cisco (requires an in-date support contract)
  • A copy of the Cisco ASDM image downloaded from Cisco (requires an in-date support contract)
  • The activation code for your firewall (which, if you followed my previous article, you kept safe). If you don’t have it you need to get the firewall serial number, go to Cisco licensing, start an online chat, and be polite!
  • A TFTP server (you can set this up on your laptop). I used a Mac, so TFTP is built in; if you are a Windows user then go here.
  • A rollover/serial cable and some terminal software, see this post for details.

Re-Image Cisco ASA5500-X to Remove FTD

Connect to the firewall via console cable and login, then reboot the firewall.

[box]

PNL-FirePOWER login: admin
Password: {Enter your password}
Last login: Thu Dec 13 20:18:35 UTC 2018 from 10.254.254.49 on pts/0

Copyright 2004-2018, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.

Cisco Fire Linux OS v6.2.3 (build 13)
Cisco ASA5506-X Threat Defense v6.2.3.6 (build 37)

> reboot
This command will reboot the system.  Continue?
Please enter 'YES' or 'NO': YES

Broadcast message from root@PNL-Stopping Cisco ASA5506-X Threat Defense...

[/box]

When the ASA reboots, press ‘Break’ to interrupt the startup and boot into ROMMON mode.

[box]

Cisco Systems ROMMON, Version 1.1.8, RELEASE SOFTWARE
Copyright (c) 1994-2015  by Cisco Systems, Inc.
Compiled Thu 06/18/2015 12:15:56.43 by builders

Current image running: Boot ROM0
Last reset cause: PowerCycleRequest
DIMM Slot 0 : Present

Platform ASA5506 with 4096 Mbytes of main memory
MAC Address: 6c:b2:ae:de:01:06

Use BREAK or ESC to interrupt boot. {Break}
Use SPACE to begin boot immediately.
Boot interrupted.

rommon 1 >

[/box]

You need to erase the contents of the built-in flash drive;

[box]

rommon 1 > erase disk0:
erase: Erasing 7515 MBytes ...................................................
..............................................................................
..............................................................................
..............................................................................
rommon 2 >

[/box]

I’m re-imaging an ASA5506-X, so I don’t need to specify an interface (it will use the management interface, so MAKE SURE that is connected to the same network as your TFTP server). Note: If you are not re-imaging a 5506, 5508 or 5516, then you can specify which interface to use with an ‘interface gigabitethernet0/1’ command.

Give the ASA some IP details, tell it where the TFTP server is and what the image file is called. You can then view the settings with a ‘set’ command;

[box]

rommon 2 > address 10.254.254.253
rommon 3 > server 10.254.254.106
rommon 4 > gateway 10.254.254.106
rommon 5 > file asa992-36-lfbff-k8.SPA
rommon 6 > set
    ADDRESS=10.254.254.253
    NETMASK=255.255.255.0
    GATEWAY=10.254.254.106
    SERVER=10.254.254.106
    IMAGE=asa992-36-lfbff-k8.SPA
    CONFIG=
    PS1="rommon ! > "

rommon 7 >

[/box]

Note: I set the default gateway to the same IP as the TFTP server, (that’s fine).

To initiate the download you need to execute a ‘tftpdnld’ command;

[box]

rommon 7 > tftpdnld
             ADDRESS: 10.254.254.253
             NETMASK: 255.255.255.0
             GATEWAY: 10.254.254.106
              SERVER: 10.254.254.106
               IMAGE: asa992-36-lfbff-k8.SPA
             MACADDR: 6c:b2:ae:de:01:06
           VERBOSITY: Progress
               RETRY: 40
          PKTTIMEOUT: 7200
             BLKSIZE: 1460
            CHECKSUM: Yes
                PORT: GbE/1
             PHYMODE: Auto Detect
..
Receiving asa992-36-lfbff-k8.SPA from 10.254.254.106!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!
File reception completed.

[/box]

The firewall will start up running the correct ASA code. WARNING: At this point the operating system is NOT in the flash, and the firewall is running the factory default config, so don’t reboot it before you have carried out the following procedures.

Once started, go to enable mode (the password will be blank), enter configure terminal mode, and format the flash drive (don’t worry, the OS is running in memory at this point, it won’t break).

[box]

ciscoasa> enable
Password: {Enter}
ciscoasa# configure terminal
ciscoasa(config)# format disk0:

Format operation may take a while. Continue? [confirm] {Enter}

Format operation will destroy all data in "disk0:".  Continue? [confirm] {Enter}
Initializing partition - done!
Creating FAT32 filesystem
mkdosfs 2.11 (12 Mar 2005)

System tables written to disk

Format of disk0 complete

[/box]

Now you need to copy in the operating system (this time to flash memory), and set it as the boot image.

[box]

ciscoasa(config)# copy tftp disk0:

Address or name of remote host []? 10.254.254.106

Source filename []? asa992-36-lfbff-k8.SPA

Destination filename [asa992-36-lfbff-k8.SPA]? {Enter}

Accessing tftp://10.254.254.106/asa992-36-lfbff-k8.SPA...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!
Verifying file disk0:/asa992-36-lfbff-k8.SPA...

Writing file disk0:/asa992-36-lfbff-k8.SPA...

111503184 bytes copied in 338.80 secs (329891 bytes/sec)
ciscoasa(config)# boot system disk0:/asa992-36-lfbff-k8.SPA

[/box]

Then repeat the procedure, but this time copy over the ASDM image and set it as the default.

[box]

ciscoasa(config)# copy tftp disk0:

Address or name of remote host [10.254.254.106]? {Enter}

Source filename [asa992-36-lfbff-k8.SPA]? asdm-7101.bin

Destination filename [asdm-7101.bin]? {Enter}

Accessing tftp://10.254.254.106/asdm-7101.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Verifying file disk0:/asdm-7101.bin...

Writing file disk0:/asdm-7101.bin...

INFO: No digital signature found
34143680 bytes copied in 118.250 secs (289353 bytes/sec)
ciscoasa(config)# asdm image disk0:/asdm-7101.bin

[/box]

You now need to enter your activation key again, to unlock any licensed features you have.

[box]

ciscoasa(config)# activation-key 3602fa77 540a5abc 50c13234 a378e777 c839300a
Validating activation key. This may take a few minutes...
Failed to retrieve permanent activation key.
Both Running and Flash permanent activation key was updated with the requested key.
ciscoasa(config)#

[/box]

Then either configure the firewall manually, or restore from a backup, and save the changes!

Backup and Restore a Cisco Firewall

Backup and Restore a Cisco Router with TFTP

[box]

ciscoasa(config)# write memory
Building configuration...
Cryptochecksum: 849a4713 61a6532b 0eb6d7a5 92ff32c3

3879 bytes copied in 0.280 secs
[OK]
ciscoasa(config)#

[/box]


Related Articles, References, Credits, or External Links

Convert ASA 5500-X To FirePOWER Threat Defence

Convert ASA 5500-X To FirePOWER Threat Defence

KB ID 0001490

Problem

I’m seeing more and more people asking questions in forums about FTD, so I thought it was about time I looked at it. Cisco ASA 5500-X firewalls can now be re-imaged to run the FTD software. The thinking is that the FTD will merge the Cisco ASA product and the FirePOWER product into one unified operating system. That is then managed by FDM (FirePOWER Device Manager), basically a web management GUI.

Solution

Warning: Take a full backup of the ASA config, and save a copy of the activation key! (If you ever want to re-image it back to normal ASA code you will need these!)

The re-imaging is done in ROMMON, so before you start you need to ensure your ROMMON is 1.1.8 or newer. You can get that information with a show module command;

[box]

Petes-ASA# show module

Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
   1 ASA 5506-X with FirePOWER services, 8GE, AC, ASA5506            JAD2143XXXX
 sfr FirePOWER Services Software Module           ASA5506            JAD2143XXXX

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
   1 6cb2.aede.0106 to 6cb2.aede.010f  2.0          1.1.8        9.8(1)
 sfr 6cb2.aede.0105 to 6cb2.aede.0105  N/A          N/A          6.2.0-362

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 sfr ASA FirePOWER                  Up               6.2.0-362

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   1 Up Sys             Not Applicable
 sfr Up                 Up

Petes-ASA#

[/box]

What if yours isn’t?

Don’t panic! Download the firmware upgrade from Cisco, put it on a TFTP server, copy it onto the firewall, then run the upgrade with the following two commands;

[box]

copy tftp://{IP-Of-TFTP-Server}/asa5500-firmware-1108.SPA disk0:asa5500-firmware-1108.SPA 
upgrade rommon disk0:/asa5500-firmware-1108.SPA

[/box]

Download FTD Software

You need two pieces of software: a boot image (.lfbff) and an install package (.pkg).

Note: You can install the boot image via TFTP but the main package needs to be deployed to the firewall via HTTP, FTP, or HTTPS

Boot the ASA into ROMMON

Power cycle the firewall and, with a console cable attached, press Esc when prompted; this will drop you into ROMMON mode.

[box]

Cisco Systems ROMMON, Version 1.1.8, RELEASE SOFTWARE
Copyright (c) 1994-2015  by Cisco Systems, Inc.
Compiled Thu 06/18/2015 12:15:56.43 by builders


Current image running: Boot ROM0
Last reset cause: PowerOn
DIMM Slot 0 : Present

Platform ASA5506 with 4096 Mbytes of main memory
MAC Address: 6c:b2:ae:de:01:06


Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Boot interrupted.

rommon 1 >

[/box]

Set the ASA FTD Boot Image

As mentioned above I’m doing this via TFTP. On the ASA 5506-X (all variants), 5508-X and 5516-X you need to connect the Management interface to the network with the TFTP server. On other ASA firewalls you can specify which interface you are using like so (“rommon #1> interface gigabitethernet0/0″).

Set the basic networking requirements, specify the boot file, then use the ‘set’ command to view the settings, and ‘sync’ to commit that to memory. It’s also a good idea to make sure you can ping the TFTP server (Windows firewall off first though!)

[box]

rommon 1 > address 10.254.254.99
rommon 2 > netmask 255.255.255.0
rommon 3 > server 10.254.254.112
rommon 4 > gateway 10.254.254.112
rommon 5 > file ftd-boot-9.9.2.0.lfbff
rommon 6 > set
    ADDRESS=10.254.254.99
    NETMASK=255.255.255.0
    GATEWAY=10.254.254.112
    SERVER=10.254.254.112
    IMAGE=ftd-boot-9.9.2.0.lfbff
    CONFIG=
    PS1="rommon ! > "

rommon 6 > sync
rommon 7 > ping 10.254.254.112
Sending 10, 32-byte ICMP Echoes to 10.254.254.112 timeout is 4 seconds
!!!!!!!!!!
Success rate is 100 percent (10/10)

[/box]

Execute the download/install of the boot image, (tftpdnld command);

[box]

rommon 12 > tftpdnld
             ADDRESS: 10.254.254.99
             NETMASK: 255.255.255.0
             GATEWAY: 10.254.254.112
              SERVER: 10.254.254.112
               IMAGE: ftd-boot-9.9.2.0.lfbff
             MACADDR: 6c:b2:ae:de:01:06
           VERBOSITY: Progress
               RETRY: 40
          PKTTIMEOUT: 7200
             BLKSIZE: 1460
            CHECKSUM: Yes
                PORT: GbE/1
             PHYMODE: Auto Detect

Receiving ftd-boot-9.9.2.0.lfbff from 10.254.254.112!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
File reception completed.
Boot buffer bigbuf=348bd018
Boot image size = 103582240 (0x62c8a20) bytes
[image size]      103582240
[MD5 signaure]    ea7d29ce6fb200a9a9be486e37c78136
LFBFF signature verified.
INIT: version 2.88 booting
Starting udev
Configuring network interfaces... done.
Populating dev cache
Detected PID ASA5506.
Found device serial number JAD2143XXXX.
Found USB flash drive /dev/sdb
Found hard drive(s):  /dev/sda
fsck from util-linux 2.23.2
dosfsck 2.11, 12 Mar 2005, FAT32, LFN
There are differences between boot sector and its backup.
Differences: (offset:original/backup)
  65:01/00
  Not automatically fixing this.
/dev/sdb1: 53 files, 819023/1919830 clusters
Launching boot CLI ...
Configuring network interface using DHCP
Bringing up network interface.
Depending on your network, this might take a couple of minutes when using DHCP...
ifup: interface lo already configured
Using IPv4 address: 10.254.254.114
Using IPv6 address: fe80::6eb2:aeff:fede:105
Using DNS server: 8.8.8.8
Using DNS server: 8.8.4.4
Using default gateway: 10.254.254.1
INIT: Starting system message bus: dbus.
Starting OpenBSD Secure Shell server: sshd
  generating ssh RSA key...
  generating ssh ECDSA key...
  generating ssh DSA key...
done.
Starting Advanced Configuration and Power Interface daemon: acpid.
acpid: starting up

acpid: 1 rule loaded

acpid: waiting for events: event logging is off

Starting ntpd: done
Starting syslog-ng:.
Starting crond: OK



            Cisco FTD Boot 6.0.0 (9.9.2.)
              Type ? for list of commands
ciscoasa-boot>

[/box]

Now give the FTD some basic settings; you don’t actually have to give it an IP at this point. Obviously in a production environment you would use your internal DNS and domain details.

[box]

ciscoasa-boot>setup


                Welcome to Cisco FTD Setup
                  [hit Ctrl-C to abort]
                Default values are inside []

Enter a hostname [ciscoasa]: Petes-ASA
Do you want to configure IPv4 address on management interface?(y/n) [Y]: N
Do you want to configure static IPv6 address on management interface?(y/n) [N]: N
Enter the primary DNS server IP address [8.8.8.8]: {Enter}
Do you want to configure Secondary DNS Server? (y/n) [y]: Y
Enter the secondary DNS server IP address [8.8.4.4]:{Enter}
Do you want to configure Local Domain Name? (y/n) [n]: N
Do you want to configure Search domains? (y/n) [n]:N
Do you want to enable the NTP service? [Y]:Y
Enter the NTP servers separated by commas: 194.35.252.7,130.88.202.49,93.93.131.118

Please review the final configuration:
Hostname:               Petes-ASA
Management Interface Configuration

IPv6 Configuration:     Stateless autoconfiguration

DNS Configuration:
        DNS Server:
                        8.8.8.8
                        8.8.4.4

NTP configuration:
        194.35.252.7    130.88.202.49   93.93.131.118
CAUTION:
You have selected IPv6 stateless autoconfiguration, which assigns a global address
based on network prefix and a device identifier. Although this address is unlikely
to change, if it does change, the system will stop functioning correctly.
We suggest you use static addressing instead.

Apply the changes?(y,n) [Y]: Y
Configuration saved successfully!
Applying...
Restarting network services...
Done.
Press ENTER to continue...

[/box]

This is the point where you need the main package file on either an HTTP, HTTPS, or FTP site. I have a web server, so that’s what I use. Note: This takes a while, best go get a coffee!

[box]

ciscoasa-boot>system install http://{IP-OF-SERVER}/ftd-6.2.3-83.pkg

######################## WARNING ############################
# The content of disk0: will be erased during installation! #
#############################################################

Do you want to continue? [y/N] Y
Erasing disk0 ...
Extracting   ...
Verifying
Downloading
Extracting
Package Detail
        Description:                    Cisco ASA-FTD 6.2.3-83 System Install
        Requires reboot:                Yes

Do you want to continue with upgrade? [y]: Y
Warning: Please do not interrupt the process or turn off the system.
Doing so might leave system in unusable state.

Starting upgrade process ...
Populating new system image

Reboot is required to complete the upgrade. Press 'Enter' to reboot the system.

[/box]

Well, it’s telling us to reboot so let’s do so! After it’s back up you can log in and specify the correct settings for the FTD/Management interface. (Note the FTD default username and password!)

[box]

Cisco ASA5506-X Threat Defense v6.2.3 (build 83)
firepower login: admin
Password: Admin123


Copyright 2004-2018, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.

Cisco Fire Linux OS v6.2.3 (build 13)
Cisco ASA5506-X Threat Defense v6.2.3 (build 83)

You must accept the EULA to continue.
Press  to display the EULA: {Enter}
End User License Agreement

Effective: May 22, 2017

This is an agreement between You and Cisco Systems, Inc. or its affiliates
("Cisco") and governs your Use of Cisco Software. "You" and "Your" means the
<-------Output omitted - For the sake of Brevity -------->
partner does not imply a partnership relationship between Cisco and any other
company. (1110R)

Please enter 'YES' or press  to AGREE to the EULA: {Enter}

System initialization in progress.  Please stand by.
You must change the password for 'admin' to continue.
Enter new password: Password123
Confirm new password: Password123
You must configure the network to continue.
You must configure at least one of IPv4 or IPv6.
Do you want to configure IPv4? (y/n) [y]: Y
Do you want to configure IPv6? (y/n) [n]: N
Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]:{Enter}
Enter an IPv4 address for the management interface [192.168.45.45]: 10.254.254.253
Enter an IPv4 netmask for the management interface [255.255.255.0]:{Enter}
Enter the IPv4 default gateway for the management interface [data-interfaces]: 10.254.254.254
Enter a fully qualified hostname for this system [firepower]: PNL-FirePOWER
Enter a comma-separated list of DNS servers or 'none' [208.67.222.222,208.67.220.220]: 8.8.8.8,8.8.4.4
Enter a comma-separated list of search domains or 'none' []:{Enter}
If your networking information has changed, you will need to reconnect.
DHCP Server Disabled
The DHCP server has been disabled. You may re-enable with configure network ipv4 dhcp-server-enable
For HTTP Proxy configuration, run 'configure network http-proxy'

Manage the device locally? (yes/no) [yes]: yes
Configuring firewall mode to routed


Update policy deployment information
    - add device configuration
Successfully performed firstboot initial configuration steps for Firepower Device Manager for Firepower Threat Defense.

[/box]

That’s us done for the conversion! You can now connect to the firewall with a web browser (remember you just changed the password!)

Related Articles, References, Credits, or External Links

NA

ASA Upgrading and Imaging a Hardware CX Module

KB ID 0001025

Problem

Last time I had to do one of these the process was very straightforward: one command and the ASA got its new image from FTP, extracted it, and then installed it.

I had a CX module fail last week, and Cisco shipped me out a replacement. After installing it and running the setup, I needed to upgrade it (it will be managed by PRSM). It was running version 9.0.2 (probably been on the shelf a while!). And every time I tried to run a system upgrade it told me this, (regardless of what version I tried to install).

[box]

This package is not applicable to release 9.0.2.

[/box]

If I tried to set a boot image in the ASA, I got the following errors;

[box]

Module 1 cannot be recovered.

OR

ERROR: Module in slot 1 does not support recovery

[/box]

Well there is a boot image especially for the 5585-X CX module, so how do you use it?

Solution

Remember the ASA-SSP-CX unit is basically the same hardware as the ASA: you need to boot that card to ROMMON, then install the boot image via TFTP. Once that’s loaded you can run setup and install the new software package.

1. As you can see this one’s running a very old OS.

[box]

Petes-CX>show version

Cisco ASA CX Platform 9.0.2 (103)

Cisco Prime Security Manager 9.0.2 (103) for Petes-CX firewall

Petes-CX>

[/box]

2. Reload the module and as it starts to boot, send a ‘break’ keystroke.

[box]

Petes-CX>system reload
Are you sure you want to reload the system? [N]: y
Broadcast message from root (console) (Mon Jan 19 14:47:09 2015):
The system is going down for reboot NOW!
INIT: SwitchingStopping OpenBSD Secure Shell server: sshdstopped /usr/sbin/sshd (pid 3862)
.
Stopping Advanced Configuration and Power Interface daemon: no /usr/sbin/acpid found; none killed
stopping Busybox inetd: inetd… stopped inetd (pid 3875)
done.
Stopping Vixie-cron.
Stopping ntpd: stopped process in pidfile ‘/var/run/ntp.pid’ (pid 3880)
done
Stopping syslogd/klogd: done
Deconfiguring network interfaces… done.
Stopping CGroup Rules Engine Daemon…stopped /usr/sbin/cgrulesengd (pid 3865)

Success
CGRE[3865]: Stopped CGroup Rules Engine Daemon at Mon Jan 19 14:47:13 2015
Stopping cgconfig service: Success
Sending all processes the TERM signal…
Sending all processes the KILL signal…
Unmounting remote filesystems…
Deactivating swap…
Unmounting local filesystems…
umount2: Device or resource busy

——————————————
–Output Removed for the Sake of Brevity–
——————————————

The system is restarting…

CISCO SYSTEMS

Embedded BIOS Version 2.0(13)0 20:40:45 10/21/11

USB storage device found … SMART eUSB USB Device

Total memory : 12 GB

Total number of CPU cores : 8

CPLD revision 0008h
Cisco Systems ROMMON Version (2.0(13)0) #0: Fri Oct 21 20:01:34 CDT 2011

Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Boot in 10 seconds.

Boot interrupted.

Management0/0
Link is UP
MAC Address: 6c20.5658.928c

Use ? for help.
rommon #0>

[/box]

3. Remember, in ROMMON mode you need to set up all the network settings to copy in the boot image (where 192.168.1.10 will be the CX, and .101 is the TFTP server).

Note: This is the BOOT image, it will have a .img file extension.

[box]

rommon #0> ADDRESS=192.168.1.10
rommon #1> SERVER=192.168.1.101
rommon #2> GATEWAY=192.168.1.1
rommon #3> IMAGE=asacx-boot-9.3.2.1-9.img
rommon #4>

[/box]

4. Make sure you can ping the TFTP server.

[box]

rommon #4> ping 192.168.1.101
Sending 20, 100-byte ICMP Echoes to 192.168.1.101, timeout is 4 seconds:
!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (20/20)

[/box]

5. Issue a sync command, then start the transfer.

[box]

rommon #5> sync

Updating NVRAM Parameters…

rommon #6> tftp
ROMMON Variable Settings:
ADDRESS=192.168.1.10
SERVER=192.168.1.101
GATEWAY=192.168.1.1
PORT=Management0/0
VLAN=untagged
IMAGE=asacx-boot-9.3.2.1-9.img
CONFIG=
LINKTIMEOUT=20
PKTTIMEOUT=4
RETRY=20

tftp asacx-boot-9.3.2.1-9.img@192.168.1.010 via 192.168.1.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

——————————————
–Output Removed for the Sake of Brevity–
——————————————

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Received 65605385 bytes

Launching TFTP Image…

Execute image at 0x14000
[STUB]
Boot protocol version 0x209

——————————————
–Output Removed for the Sake of Brevity–
——————————————

Starting syslogd/klogd: done
Cisco ASA CX Boot Image 9.3.2.1

Petes-CX login: admin
Password: ************

Cisco ASA CX Boot 9.3.2.1 (9)
Type ? for list of commands
Petes-CX-boot>

[/box]
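The ROMMON variables in steps 3 to 5 above, and in the two ASA ROMMON sessions earlier on this page, are all KEY=VALUE lines that ROMMON echoes back. As an added example (not from the article, and not Cisco tooling), here is a Python pre-flight check that parses that output and flags the mistakes that make a TFTP boot fail: a gateway or TFTP server off the card’s subnet, or an IMAGE that is the wrong kind of file for the target. The sample output is constructed from the sessions on this page; the /24 fallback for the CX (whose ROMMON does not display NETMASK) is an assumption of this example.

```python
"""
Pre-flight check for ROMMON TFTP settings before 'sync' and 'tftp'/'tftpdnld'.

Added example, not part of the original article or of Cisco's tooling.
It parses the KEY=VALUE lines ROMMON prints ('set' on the ASA, the
'ROMMON Variable Settings:' block on the CX card), then checks that the
card, gateway and TFTP server share one subnet and that IMAGE names the
right kind of file for the boot being performed.
"""
import ipaddress
import re

# Expected IMAGE extension for each kind of boot performed on this page.
IMAGE_EXT = {
    "asa": ".SPA",         # ASA OS image, e.g. asa992-36-lfbff-k8.SPA
    "ftd-boot": ".lfbff",  # FTD boot image, e.g. ftd-boot-9.9.2.0.lfbff
    "cx-boot": ".img",     # CX boot image, e.g. asacx-boot-9.3.2.1-9.img
}

# Constructed samples, copied from the ROMMON sessions shown on this page.
ASA_SET_OUTPUT = """\
    ADDRESS=10.254.254.253
    NETMASK=255.255.255.0
    GATEWAY=10.254.254.106
    SERVER=10.254.254.106
    IMAGE=asa992-36-lfbff-k8.SPA
    CONFIG=
    PS1="rommon ! > "
"""

CX_VARS_OUTPUT = """\
ROMMON Variable Settings:
ADDRESS=192.168.1.10
SERVER=192.168.1.101
GATEWAY=192.168.1.1
PORT=Management0/0
VLAN=untagged
IMAGE=asacx-boot-9.3.2.1-9.img
CONFIG=
LINKTIMEOUT=20
PKTTIMEOUT=4
RETRY=20
"""


def parse_rommon_vars(text):
    """Return {KEY: value} for every KEY=VALUE line; surrounding quotes are stripped."""
    found = {}
    for line in text.splitlines():
        m = re.match(r'^\s*([A-Z0-9]+)=(.*?)\s*$', line)
        if m:
            found[m.group(1)] = m.group(2).strip('"')
    return found


def check_tftp_settings(rommon_vars, kind, assumed_netmask="255.255.255.0"):
    """Return a list of problems; an empty list means it is safe to 'sync'.

    The CX ROMMON does not display NETMASK, so when it is missing the check
    falls back to assumed_netmask (a /24, an assumption of this example).
    """
    problems = []
    image = rommon_vars.get("IMAGE", "")
    if not image:
        problems.append("IMAGE is not set")
    elif not image.endswith(IMAGE_EXT[kind]):
        problems.append(f"IMAGE {image!r} is not a {kind} image ({IMAGE_EXT[kind]})")
    missing = [k for k in ("ADDRESS", "SERVER", "GATEWAY") if k not in rommon_vars]
    if missing:
        return problems + [f"{k} is not set" for k in missing]
    try:
        addr = ipaddress.ip_address(rommon_vars["ADDRESS"])
        server = ipaddress.ip_address(rommon_vars["SERVER"])
        gateway = ipaddress.ip_address(rommon_vars["GATEWAY"])
        subnet = ipaddress.ip_network(
            f"{addr}/{rommon_vars.get('NETMASK', assumed_netmask)}", strict=False)
    except ValueError as err:
        return problems + [f"bad address: {err}"]
    if addr == server:
        problems.append("ADDRESS and SERVER are the same host")
    if gateway not in subnet:
        problems.append(f"GATEWAY {gateway} is outside {subnet}")
    # The article's advice: keep the TFTP server on the same network as the card.
    if server not in subnet:
        problems.append(f"SERVER {server} is not on {subnet}")
    return problems


if __name__ == "__main__":
    for name, text, kind in (("ASA", ASA_SET_OUTPUT, "asa"), ("CX", CX_VARS_OUTPUT, "cx-boot")):
        issues = check_tftp_settings(parse_rommon_vars(text), kind)
        print(f"{name}: {'OK, safe to sync' if not issues else '; '.join(issues)}")
```

A gateway that is also the TFTP server (as in the ASA session on this page) passes, since both sit on the card’s subnet.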

WARNING: the following procedure will erase all the settings from your CX module.

6. Partition the CX module drive. (This takes a long time, good time to put the kettle on!)

[box]

Petes-CX-boot>partition
WARNING: You are about to erase all policy configurations and data.
You cannot undo this action.
Are you sure you want to proceed? [y/n]:y
Logical volume “data” successfully removed
Logical volume “var” successfully removed
Logical volume “packages” successfully removed

——————————————
–Output Removed for the Sake of Brevity–
——————————————

Persistent partition is there so create symbolic link /etc/ntp.conf
Persistent partition is there so create symbolic link /etc/hosts
Petes-CX-boot>

[/box]

7. Run the basic setup.

[box]

Petes-CX-boot>setup

Welcome to Cisco Prime Security Manager Setup
[hit Ctrl-C to abort]
Default values are inside []

Enter a hostname [asacx]: Petes-CX
Do you want to configure IPv4 address on management interface?(y/n) [Y]: Y
Do you want to enable DHCP for IPv4 address assignment on management interface?(y/n) [N]: N
Enter an IPv4 address [192.168.8.8]: 192.168.1.10
Enter the netmask [255.255.255.0]: 255.255.255.0
Enter the gateway [192.168.8.1]: 192.168.1.1
Do you want to configure static IPv6 address on management interface?(y/n) [N]: N
Stateless autoconfiguration will be enabled for IPv6 addresses.
Enter the primary DNS server IP address: 192.168.1.20
Do you want to configure Secondary DNS Server? (y/n) [n]: Y
Enter the secondary DNS server IP address: 192.168.1.21
Do you want to configure Local Domain Name? (y/n) [n]: Y
Enter the local domain name: petenetlive.com
Do you want to configure Search domains? (y/n) [n]: Y
Enter the comma separated list for search domains: petenetlive.com
Do you want to enable the NTP service? [Y]: Y
Enter the NTP servers separated by commas: 192.168.1.31,192.168.1.32
Do you want to enable the NTP symmetric key authentication? [N]: N
Please review the final configuration:
Hostname:Petes-CX
Management Interface Configuration

IPv4 Configuration:static
IP Address:192.168.1.10
Netmask:255.255.255.0
Gateway:192.168.1.1

IPv6 Configuration:Stateless autoconfiguration

DNS Configuration:
Domain:petenetlive.com
Search:
petenetlive.com
DNS Server:
192.168.1.20
192.168.1.21

NTP configuration:
192.168.1.31,192.168.1.32
CAUTION:
You have selected IPv6 stateless autoconfiguration, which assigns a global address based on network prefix and a device identifier. Although this address is unlikely to change, if it does change, the system will stop functioning correctly.
We suggest you use static addressing instead.

Apply the changes?(y,n) [Y]: Y
Configuration saved successfully!
Applying…
Restarting network services…
Restarting NTP service…
Done.
Press ENTER to continue…
Petes-CX-boot>

[/box]

8. You can now upgrade the CX module from FTP.

Note: This is the SYSTEM image, it will have a .pkg extension.

[box]

Petes-CX-boot>system install ftp://192.168.1.101/asacx-sys-9.3.2.1-9.pkg
Verifying..
Downloading..
Extracting..
Package Detail
Description:Cisco ASA-CX 9.3.2.1-9 System Upgrade
Requires reboot:Yes

Do you want to continue with upgrade? [y]: y

Warning: Please do not interrupt the process or turn off the system.
Doing so might leave system in unusable state.

Upgrading..
Starting upgrade process ..
Populating new system image..
Copying over new application components..
Cleaning up old application components..
Reboot is required to complete the upgrade. Press ‘Enter’ to reboot the system.

PRESS ENTER

Broadcast message from root (consoStopping OpenBSD Secure Shell server: sshdstopped /usr/sbin/sshd (pid 2883)

[/box]

9. After the module has reloaded, log in and make sure everything is working.

[box]

Petes-CX login: admin
Password:***********


    Cisco Prime Security Manager 9.3.2.1 (9) for Petes-CX firewall
  Type ? for list of commands

Petes-CX>show services status
============================================================
Process           | PID   | Up    | Up Time
============================================================
HTTP Server       | 6139  | True  | 00:02:00
Data Plane        | 6665  | True  | 00:01:35
Opdata Helper     | 6299  | True  | 00:01:59
AD Interface      | 6674  | True  | 00:01:35
HW Regex Server   | 6572  | True  | 00:01:43
Message Nameserver| 6279  | True  | 00:01:59
HTTP Auth Daemon  | 6469  | True  | 00:01:57
Management Plane  | 6481  | True  | 00:01:57
signup            | 6347  | True  | 00:01:59
PDTS              | 6442  | True  | 00:01:59
Predictive Defense| 6679  | True  | 00:01:35
HTTP Inspector    | 6689  | True  | 00:01:35
HPM Monitor       | 6684  | True  | 00:01:35
Updater           | 7772  | True  | 00:00:19
Card Manager      | 6071  | True  | 00:02:00
ARP Daemon        | 6458  | True  | 00:01:58
Event Server      | 6512  | True  | 00:01:52
TLS Proxy         | 6719  | True  | 00:01:35
============================================================
Petes-CX>

[/box]


Related Articles, References, Credits, or External Links

Special thanks to Veronika Klauzova from Cisco TAC