Page 1
Cisco ASA and Firepower Threat Defense Reimage Guide

This guide describes how to reimage between ASA and Firepower Threat Defense (FTD), and also how to reimage FTD with a new image version; this method is distinct from an upgrade and sets the FTD to a factory default state.
Page 2
Reimage the ASA 5500-X or ISA 3000

Note: For the Firepower Threat Defense on the ASA 5512-X through 5555-X, you must install a Cisco solid state drive (SSD). For more information, see the ASA 5500-X hardware guide.
Page 3
Download Software

Table 1: Firepower Threat Defense Software
Firepower Threat Defense Model: ASA 5506-X, ASA 5508-X, and ASA [...]
Download Location: See http://www.cisco.com/go/asa-firepower-sw.
Packages: Note: You will also see patch files ending in .sh; the patch...
Page 4
Table 2: ASA Software
ASA Model: ASA 5506-X, ASA 5508-X, and ASA 5516-X
Download Location: http://www.cisco.com/go/asa-firepower-sw
Packages: ASA Software. The ASA software file has a filename like asa962-lfbff-k8.SPA. Choose your model > Adaptive Security Appliance (ASA) Software >...
Page 5
1.1.5 9.4(1) sfr 7426.aceb.cce9 to 7426.aceb.cce9

Procedure

Step 1 Obtain the new ROMMON image from Cisco.com, and put it on a server to copy to the ASA. This procedure shows a TFTP copy. Download the image from: https://software.cisco.com/download/type.html?mdfid=286283326&flowid=77251

Step 2 Copy the ROMMON image to the ASA flash memory:
copy tftp://server_ip/asa5500-firmware-xxxx.SPA disk0:asa5500-firmware-xxxx.SPA...
Page 6
Reimage from ASA to Firepower Threat Defense

Step 3 Upgrade the ROMMON image:
upgrade rommon disk0:asa5500-firmware-xxxx.SPA

Example:
ciscoasa# upgrade rommon disk0:asa5500-firmware-1108.SPA
Verifying file integrity of disk0:/asa5500-firmware-1108.SPA
Computed Hash SHA2: d824bdeecee1308fc64427367fa559e9
eefe8f182491652ee4c05e6e751f7a4f
5cdea28540cf60acde3ab9b65ff55a9f...
Page 7
Example:
[...]
Booting from ROMMON
Cisco Systems ROMMON Version (2.1(9)8) #1: Wed Oct 26 17:14:40 PDT 2011
Platform ASA 5555-X with SW, 8 GE Data, 1 GE Mgmt
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Page 8
gateway gateway_ip_address
file path/filename
sync
tftpdnld

The FTD boot image downloads and boots up to the boot CLI. See the following information:
• interface—(ASA 5512-X, 5515-X, 5525-X, 5545-X, and 5555-X only) Specifies the interface ID. Other models always use the Management 1/1 interface.
Page 9
ADDRESS=10.86.118.3
NETMASK=255.255.255.0
SERVER=10.86.118.21
GATEWAY=10.86.118.21
VLAN=untagged
IMAGE=ftd-boot-latest.lfbff
CONFIG=
LINKTIMEOUT=20
PKTTIMEOUT=4
RETRY=20
rommon 6 > sync
Updating NVRAM Parameters...
rommon 7 > tftpdnld

Ping to troubleshoot connectivity to the server:
rommon 1 >...
Page 10
Enter the netmask: 255.255.255.0
Enter the gateway: 10.123.123.1
Do you want to configure static IPv6 address on management interface?(y/n) [N]: n
Stateless autoconfiguration will be enabled for IPv6 addresses.
Page 11
The installation process erases the flash drive and downloads the system image. You are prompted to continue with the installation. Enter y.
Erasing disk0 ...
Page 12
Traceroute to test network connectivity:
firepower-boot>traceroute -n 10.100.100.1
traceroute to 10.100.100.1 (10.100.100.1), 30 hops max, 60 byte packets
 1  10.123.123.1  0.937 ms  1.078 ms  1.154 ms^C
firepower-boot>...
Page 13
Thu Sep 24 19:53:44 UTC 2015: Begin installation ...
Found hard drive(s): /dev/sda
Erasing files from flash ...

You can also view the upgrade.log, pyos.log, and commandd.log under /var/log/cisco with the same command for boot CLI related issues.

Step 10 You can use either Firepower Device Manager or Firepower Management Center to manage your device.
Page 14
Example:
[...]
Booting from ROMMON
Cisco Systems ROMMON Version (2.1(9)8) #1: Wed Oct 26 17:14:40 PDT 2011
Platform ASA 5555-X with SW, 8 GE Data, 1 GE Mgmt
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Page 15
Reimage from Firepower Threat Defense to ASA

sync
tftpdnld

The ASA image downloads and boots up to the CLI. See the following information:
• interface—(ASA 5512-X, 5515-X, 5525-X, 5545-X, and 5555-X only) Specifies the interface ID. Other models always use the Management 1/1 interface.
Page 16
IMAGE=asalatest-lfbff-k8.SPA
CONFIG=
LINKTIMEOUT=20
PKTTIMEOUT=4
RETRY=20
rommon 8 > sync
Updating NVRAM Parameters...
rommon 9 > tftpdnld

Example:
Ping to troubleshoot connectivity to the server:
rommon 1 > ping 10.123.123.2
Sending 10, 32-byte ICMP Echoes to 10.123.123.2 timeout is 4 seconds...
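The ROMMON variable listing and the sync/tftpdnld sequence are the same in both reimage directions (ASA to FTD above, and FTD to ASA here), and a wrong gateway or image name is only discovered after the download fails. The following is an added example, not code from the Cisco guide: it parses the KEY=VALUE listing as ROMMON prints it, applies consistency checks that are this example's own assumptions (not checks ROMMON performs), and emits the command lines to type. The key names and image suffixes are taken from the guide's own examples.

```python
"""Added example (not from the Cisco guide): sanity-check the ROMMON network
variables before `sync` and `tftpdnld`, then emit the command sequence."""
import ipaddress
import re

# Image suffix the guide's examples use for each reimage direction:
# ftd-boot-latest.lfbff (ASA -> FTD) and asa*-lfbff-k8.SPA (FTD -> ASA).
IMAGE_SUFFIX = {"ftd": ".lfbff", "asa": ".SPA"}

def parse_rommon_vars(dump):
    """Parse a KEY=VALUE listing as ROMMON prints it (empty values allowed)."""
    return dict(re.findall(r"([A-Z]+)=(\S*)", dump))

def check_rommon_vars(vars_, direction):
    """Return a list of problems (empty = consistent); direction is "ftd" for
    ASA -> FTD or "asa" for FTD -> ASA. Rules are this example's assumptions."""
    required = ("ADDRESS", "NETMASK", "SERVER", "GATEWAY", "IMAGE")
    problems = [f"{k} is not set" for k in required if not vars_.get(k)]
    if problems:
        return problems
    try:
        mgmt = ipaddress.ip_interface(f"{vars_['ADDRESS']}/{vars_['NETMASK']}")
        server = ipaddress.ip_address(vars_["SERVER"])
        gateway = ipaddress.ip_address(vars_["GATEWAY"])
    except ValueError as exc:
        return [f"bad address: {exc}"]
    net = mgmt.network
    if mgmt.ip in (net.network_address, net.broadcast_address):
        problems.append(f"ADDRESS {mgmt.ip} is the network or broadcast address")
    if gateway not in net:
        problems.append(f"GATEWAY {gateway} is not on the management subnet {net}")
    if server not in net and gateway == mgmt.ip:
        problems.append(f"SERVER {server} is off-subnet but GATEWAY is the device itself")
    if not vars_["IMAGE"].endswith(IMAGE_SUFFIX[direction]):
        problems.append(f"IMAGE {vars_['IMAGE']} does not end in {IMAGE_SUFFIX[direction]}")
    return problems

def rommon_commands(vars_, interface=None):
    """Lines to type at the rommon prompt. interface applies only to the
    ASA 5512-X through 5555-X; other models always use Management 1/1."""
    cmds = [f"interface {interface}"] if interface else []
    cmds += [f"address {vars_['ADDRESS']}", f"netmask {vars_['NETMASK']}",
             f"server {vars_['SERVER']}", f"gateway {vars_['GATEWAY']}",
             f"file {vars_['IMAGE']}", "sync", "tftpdnld"]
    return cmds

# Constructed sample: the variable listing from the guide's ASA -> FTD section.
SAMPLE_DUMP = ("ADDRESS=10.86.118.3 NETMASK=255.255.255.0 SERVER=10.86.118.21 "
               "GATEWAY=10.86.118.21 VLAN=untagged IMAGE=ftd-boot-latest.lfbff "
               "CONFIG= LINKTIMEOUT=20 PKTTIMEOUT=4 RETRY=20")
```

Run `check_rommon_vars(parse_rommon_vars(SAMPLE_DUMP), "ftd")` on a pasted listing; an empty list means the values are consistent, and `rommon_commands` then gives the lines to enter.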
Page 17
c) Press Enter. By default, the password is blank.
d) Access global configuration mode.
configure terminal
e) If you did not use the interactive prompts, copy and paste your configuration at the prompt.
Page 18
Example:
ciscoasa# copy ftp://admin:test@10.86.118.21/asasfr-5500x-boot-6.0.1.img disk0:/asasfr-5500x-boot-6.0.1.img

b) Download the ASA FirePOWER services system software install package from Cisco.com to an HTTP, HTTPS, or FTP server accessible from the Management interface. Do not download it to disk0 on the ASA.
c) Set the ASA FirePOWER module boot image location in ASA disk0:...
Page 19
d) Load the ASA FirePOWER boot image:
sw-module module sfr recover boot

Example:
ciscoasa# sw-module module sfr recover boot
Module sfr will be recovered. This may erase all configuration and all data on that device and attempt to download/install a new image for it.
Page 20
Step 11 Obtain a Strong Encryption license and other licenses for an existing ASA for which you did not save the activation key: see http://www.cisco.com/go/license. In the Manage > Licenses section you can re-download your licenses. To use ASDM (and many other features), you need to install the Strong Encryption (3DES/AES) license. If you saved your license activation key from this ASA before you previously reimaged to the Firepower Threat Defense device, you can re-install the activation key.
Page 21
Choose IPS, Crypto, Other.
Figure 2: IPS, Crypto, Other
d) In the Search by Keyword field, enter asa, and select Cisco ASA 3DES/AES License.
Figure 3: Cisco ASA 3DES/AES License
e) Select your Smart Account, Virtual Account, enter the ASA Serial Number, and click Next.
Page 22
If you want to upgrade from the Base license to the Security Plus license, or purchase an AnyConnect license, see http://www.cisco.com/go/ccw. After you purchase a license, you will receive an email with a Product Authorization Key (PAK) that you can enter on http://www.cisco.com/go/license. For the AnyConnect licenses, you receive a multi-use PAK that you can apply to multiple ASAs that use the same pool of user sessions.
Page 23
ASA FirePOWER module; it just provides the right to use the updates. If you did not buy an ASA 5500-X that included the ASA FirePOWER services, then you can purchase an upgrade bundle to obtain the necessary licenses. See the Cisco ASA with FirePOWER Services Ordering Guide for more information.
Page 24
Example:
[...]
Booting from ROMMON
Cisco Systems ROMMON Version (2.1(9)8) #1: Wed Oct 26 17:14:40 PDT 2011
Platform ASA 5555-X with SW, 8 GE Data, 1 GE Mgmt
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Page 25
Reimage the Firepower Threat Defense Device

About to erase the selected device, this will erase all files including configuration, and images.
Continue with erase? y/n [n]: y
Erasing Disk0: .......
[...]

This step erases the old FTD boot and system images. If you do not erase the system image, you must remember to escape out of the boot process after you load the boot image in the next step;...
Page 27
Step 7 Enter setup, and configure network settings for the Management interface to establish temporary connectivity to the HTTP or FTP server so that you can download and install the system software package.
Page 28
CAUTION: You have selected IPv6 stateless autoconfiguration, which assigns a global address based on network prefix and a device identifier. Although this address is unlikely to change, if it does change, the system will stop functioning correctly.
Page 29
Step 9 To troubleshoot network connectivity, see the following examples.

Example:
View the network interface configuration:
firepower-boot>show interface
eth0      Link encap:Ethernet  HWaddr 00:a0:c9:00:00:00
          inet addr:10.123.123.123  Bcast:10.123.123.255  Mask:255.255.255.0...
Page 30
Thu Sep 24 19:53:44 UTC 2015: Begin installation ...
Found hard drive(s): /dev/sda
Erasing files from flash ...

You can also view the upgrade.log, pyos.log, and commandd.log under /var/log/cisco with the same command for boot CLI related issues.

Step 11 You can use either Firepower Device Manager or Firepower Management Center to manage your device.
Page 31
TFTP server for the initial download. Other images can be downloaded from other server types, such as HTTP or FTP. For the exact software package and server type, see the procedures.

Note: A Cisco.com login and Cisco service contract are required.

Table 3: Firepower Threat Defense Software
Firepower Threat...
Page 32
Reimage the Firepower 2100 to ASA or Firepower Threat Defense

manager, either Firepower Management Center or Firepower Device Manager. However, this procedure is useful for reimaging the FTD to a new version before you add it to a manager.
Page 33
• scp://username@server/[path/]image_name
• sftp://username@server/[path/]image_name
• tftp://server[:port]/[path/]image_name
• usbA:/path/filename

Example:
firepower-2110 /firmware # download image scp://admin@10.88.29.181/cisco-ftd-fp2k.6.3.0-1.SPA
Password:
Please use the command 'show download-task' or 'show download-task detail' to check download progress.
Page 34
Cisco FPR Series Security Appliance
firepower login: admin
Password:
Successful login attempts for user 'admin' : 1
Copyright 2004-2019, Cisco and/or its affiliates. All rights reserved.
[...]
User enable_1 logged in to firepower
Logins over the last 1 days: 1.
Page 35
Successful login attempts for user 'admin' : 1
Cisco Firepower Extensible Operating System (FX-OS) Software
TAC support: http://www.cisco.com/tac
Copyright (c) 2009-2018, Cisco Systems, Inc. All rights reserved.
[...]
User enable_1 logged in to ciscoasa
Logins over the last 1 days: 1.
Page 36
firepower-2140# connect asa
Attaching to ASA CLI ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.
ciscoasa>

What's Next?

Firepower Threat Defense
See the quick start guide for your model and management application:
•...
Page 37
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company.