Reimage from Firepower Threat Defense to ASA
To reimage the Firepower Threat Defense on the Firepower 2100 to ASA software, you must access the ROMMON prompt. In ROMMON, you must erase the disks, and then use TFTP on the Management 1/1 interface to load FXOS from the ASA package; only TFTP is supported. After initially booting FXOS, you then configure network settings, download the ASA package (from a server of your choice), and then reboot again.
Procedure
Step 1
If you are managing the Firepower Threat Defense device from the Firepower Management Center, delete the device from the Management Center.
Step 2
If you are managing the Firepower Threat Defense device using Firepower Device Manager, be sure to unregister the device from the Smart Software Licensing server, either from the Firepower Device Manager or from the Smart Software Licensing server.
Step 3
Download the ASA image (see Download Software) to a TFTP server accessible by the Firepower Threat Defense device on the Management 1/1 interface.
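A pre-flight check worth running before the package goes on the TFTP server. TFTP has no authentication or integrity protection, and after `format everything` in Step 4 the chassis has no image to fall back to, so a truncated or wrong file costs you a second trip through ROMMON. FXOS does verify the image signature at install time (Step 14 shows "Verifying signature ... success"), but catching the problem before the wipe is cheaper. This is an added example written for this page, not Cisco tooling; the expected SHA-512 is assumed to be copied from the Cisco download page and is a parameter, not a value embedded here.

```python
"""Pre-flight check of the ASA package before it is staged on the TFTP server.

Added example for Step 3 of this procedure; it is not Cisco tooling. The
expected digest is assumed to come from the Cisco download page and is
passed in by the operator.
"""
import hashlib
import os
import re
import sys

# Package name the procedure boots: cisco-asa-fp2k.<version>.SPA
PACKAGE_RE = re.compile(r"^cisco-asa-fp2k\.(\d+(?:\.\d+)+)\.SPA$")


def package_version(name):
    """Return the version in a Firepower 2100 ASA package name, or None."""
    m = PACKAGE_RE.match(os.path.basename(name))
    return m.group(1) if m else None


def sha512_bytes(data):
    """SHA-512 hex digest of an in-memory byte string."""
    return hashlib.sha512(data).hexdigest()


def sha512_file(path, chunk=1 << 20):
    """Stream the file so a multi-hundred-MB package is not read into memory."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def check_package(name, actual_sha512, expected_sha512):
    """Return (ok, reason).

    ok is True only when the file name is a Firepower 2100 ASA package and
    the computed digest equals the published one (case-insensitive hex).
    """
    version = package_version(name)
    if version is None:
        return False, f"{name}: not a cisco-asa-fp2k.<version>.SPA package"
    if actual_sha512.lower() != expected_sha512.strip().lower():
        return False, f"{name}: SHA-512 mismatch, do not stage this file"
    return True, f"{name}: version {version}, SHA-512 verified"


def verify_package_file(path, expected_sha512):
    """Hash a package on disk and compare it with the published digest."""
    return check_package(path, sha512_file(path), expected_sha512)


if __name__ == "__main__":
    # usage: python3 check_asa_package.py cisco-asa-fp2k.9.8.2.SPA <sha512 from download page>
    ok, reason = verify_package_file(sys.argv[1], sys.argv[2])
    print(reason)
    sys.exit(0 if ok else 1)
```

Run it against the file in the TFTP root with the digest from the download page; a non-zero exit means the file must not be staged. The version the name reports is also the value you will need for `install security-pack version` in Step 13.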
Step 4
At the console port, log in to FXOS as admin, and reformat the system.
connect local-mgmt
format everything
firepower-2110# connect local-mgmt
firepower-2110(local-mgmt)# format everything
All configuration and bootable images will be lost.
Do you still want to format? (yes/no):yes
Enter yes, and the Firepower 2100 reboots.
Step 5
Press Esc during the bootup when prompted to reach the ROMMON prompt. Pay close attention to the monitor.
Example:
*******************************************************************************
Cisco System ROMMON, Version 1.0.03, RELEASE SOFTWARE
Copyright (c) 1994-2017 by Cisco Systems, Inc.
Compiled Thu 04/06/2017 12:16:16.21 by builder
*******************************************************************************
Current image running: Boot ROM0
Last reset cause: ResetRequest
DIMM_1/1 : Present
DIMM_2/1 : Present
Platform FPR-2130 with 32768 MBytes of main memory
BIOS has been successfully locked !!
MAC Address: 0c:75:bd:08:c9:80
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Press Esc at this point. If you miss the interrupt prompt, the Firepower 2100 attempts to reboot 3 times; because there is no image on the device, only ROMMON is available.
Step 6
Set the network settings for Management 1/1, and load FXOS (part of the ASA package) using the following ROMMON commands.
address management_ip_address
netmask subnet_mask
server tftp_ip_address
gateway gateway_ip_address
file path/filename
set
sync
tftp -b
The FXOS image downloads and boots up to the CLI.
See the following information:
· gateway —Sets the gateway address to be the same as the server IP address if they’re on the same network.
· set —Shows the network settings. You can also use the ping command to verify connectivity to the server.
· sync —Saves the network settings.
· tftp -b —Loads FXOS.
Example:
rommon 1> address 10.86.118.4
rommon 2> netmask 255.255.252.0
rommon 3> server 10.86.118.21
rommon 4> gateway 10.86.118.21
rommon 5> file cisco-asa-fp2k.9.8.2.SPA
rommon 6> set
ROMMON Variable Settings:
ADDRESS=10.86.118.4
NETMASK=255.255.252.0
GATEWAY=10.86.118.21
SERVER=10.86.118.21
IMAGE=cisco-asa-fp2k.9.8.2.SPA
CONFIG=
PS1="rommon ! > "
rommon 7> sync
rommon 8> tftp -b
Enable boot bundle: tftp_reqsize = 268435456
ADDRESS: 10.86.118.4
NETMASK: 255.255.252.0
GATEWAY: 10.86.118.21
SERVER: 10.86.118.21
IMAGE: cisco-asa-fp2k.9.8.2.SPA
MACADDR: d4:2c:44:0c:26:00
VERBOSITY: Progress
RETRY: 40
PKTTIMEOUT: 7200
BLKSIZE: 1460
CHECKSUM: Yes
PORT: GbE/1
PHYMODE: Auto Detect
link up
Receiving cisco-asa-fp2k.9.8.2.SPA from 10.86.118.21!!!!!!!!
[…]
Step 7
Log in to FXOS using the default username: admin and password: Admin123.
After the device boots up into FXOS, the Management IP address that you set in ROMMON is erased and set to the default: 192.168.45.45. You will need to set the correct IP address and other related settings for your network in FXOS before you can download the ASA package from the server.
Step 8
Disable the DHCP server.
scope system
scope services
disable dhcp-server
commit-buffer
Before you can change the management IP address, you must disable the DHCP server. You can reenable DHCP using new client IP addresses after you change the management IP address.
Example:
firepower-2110# scope system
firepower-2110 /system # scope services
firepower-2110 /system/services # disable dhcp-server
firepower-2110 /system/services* # commit-buffer
Step 9
Configure an IPv4 management IP address, and optionally the gateway.
scope fabric-interconnect a
set out-of-band static ip ip_address netmask network_mask gw gateway_ip_address
To keep the currently-set gateway (by default 0.0.0.0, which represents the ASA data interfaces), omit the gw keyword. If your download server is not on the local Management 1/1 network, then change the gateway IP address; the ASA data interfaces do not exist yet, so you cannot reach any remote servers with the default setting.
Example:
firepower-2110# scope fabric-interconnect a
firepower-2110 /fabric-interconnect #
firepower-2110 /fabric-interconnect # set out-of-band static ip 10.86.118.4 netmask 255.255.255.0
Warning: When committed, this change may disconnect the current CLI session
firepower-2110 /fabric-interconnect* #
Step 10
Add access lists for HTTPS, SSH, and SNMP that allow management connections from the new network, and then delete the old ones. Add the new entries before you delete the default 192.168.45.0/24 entries, and make sure the new entries cover the host you manage from: the whole buffer is committed in Step 12, so an access list that omits your own address locks you out of SSH and HTTPS until you reconnect on the console port.
a. Set the scope for system/services.
scope system
scope services
Example:
firepower-2110# scope system
firepower-2110 /system # scope services
b. View the current access lists.
show ip-block
Example:
firepower-2110 /system/services # show ip-block
Permitted IP Block:
IP Address Prefix Length Protocol
--------------- ------------- --------
192.168.45.0 24 https
192.168.45.0 24 ssh
firepower-2110 /system/services #
c. Add new access lists.
For IPv4:
enter ip-block ip_address prefix [https | snmp | ssh ]
For IPv6:
enter ipv6-block ipv6_address prefix [https | snmp | ssh ]
For IPv4, enter 0.0.0.0 and a prefix of 0 to allow all networks. For IPv6, enter :: and a prefix of 0 to allow all networks. You can also add access lists in the Firepower Chassis Manager at Platform Settings > Access List.
Example:
firepower-2110 /system/services # enter ip-block 192.168.4.0 24 https
firepower-2110 /system/services/ip-block* # exit
firepower-2110 /system/services* # enter ip-block 192.168.4.0 24 ssh
firepower-2110 /system/services/ip-block* # exit
firepower-2110 /system/services* #
d. Delete the old access lists.
For IPv4:
delete ip-block ip_address prefix [https | snmp | ssh ]
For IPv6:
delete ipv6-block ipv6_address prefix [https | snmp | ssh ]
Example:
firepower-2110 /system/services # delete ip-block 192.168.45.0 24 https
firepower-2110 /system/services* # delete ip-block 192.168.45.0 24 ssh
firepower-2110 /system/services* #
Step 11
(Optional) Reenable the IPv4 DHCP server.
scope system
scope services
enable dhcp-server start_ip_address end_ip_address
Example:
firepower-2110# scope system
firepower-2110 /system # scope services
firepower-2110 /system/services # enable dhcp-server 10.86.118.10 10.86.118.20
Step 12
Save the configuration.
commit-buffer
Example:
firepower-2110 /system/services* # commit-buffer
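Steps 8 through 12 are committed as one buffer, and Step 9's warning ("this change may disconnect the current CLI session") is the point where a typo costs you the session. The following added example, written for this page and not a Cisco tool, builds the FXOS command sequence from the values you intend to use and refuses to emit it when the plan would lock you out: the new ip-block must contain the host you manage from, an off-subnet admin host needs a gateway, and a DHCP range must sit inside the management subnet without covering the management IP. It also emits the ASA side from Step 15. Command syntax is the FXOS and ASA CLI shown in this procedure; the addresses are the procedure's own examples, except the admin host 10.86.118.50 and the ASA address 10.86.118.5, which are assumptions (FXOS and ASA share Management 1/1 and need distinct addresses on the same network).

```python
"""Plan the FXOS management changes of Steps 8-12 and the ASA changes of
Step 15 before typing them, so the commit never locks you out.

Added example for this reimage procedure, not Cisco tooling. The command
syntax is the FXOS/ASA CLI shown in the procedure; the admin host
10.86.118.50 and the ASA address 10.86.118.5 are assumed values.
"""
import ipaddress

# FXOS defaults after the reimage: management IP 192.168.45.45 and the two
# ip-block entries shown by `show ip-block` in Step 10.
DEFAULT_BLOCKS = [("192.168.45.0", 24, "https"), ("192.168.45.0", 24, "ssh")]


def plan_fxos(mgmt_ip, netmask, admin_src, gateway=None, dhcp_range=None,
              allow_net=None, old_blocks=DEFAULT_BLOCKS, protocols=("https", "ssh")):
    """Return the FXOS CLI lines for Steps 8-12, adding the new ip-block
    entries before deleting the old ones. Raise ValueError if the plan would
    cut off the admin host or put the DHCP range somewhere unusable."""
    iface = ipaddress.ip_interface(f"{mgmt_ip}/{netmask}")
    net = iface.network
    admin = ipaddress.ip_address(admin_src)
    allow = ipaddress.ip_network(allow_net) if allow_net else net

    # Step 10 caveat: the new ip-block has to cover the host you manage from.
    if admin not in allow:
        raise ValueError(f"admin host {admin} is outside ip-block {allow}; "
                         "committing would lock you out")
    # Step 9 caveat: with the default gateway (0.0.0.0) FXOS cannot reach an
    # off-subnet admin host, so an off-subnet admin requires gw.
    if admin not in net and gateway is None:
        raise ValueError(f"admin host {admin} is not on {net} and no gateway is set")
    if dhcp_range:
        lo, hi = (ipaddress.ip_address(x) for x in dhcp_range)
        if not (lo <= hi and lo in net and hi in net):
            raise ValueError(f"DHCP range {lo}-{hi} is not inside {net}")
        if lo <= iface.ip <= hi:
            raise ValueError(f"DHCP range {lo}-{hi} includes the management IP {iface.ip}")

    # Step 8: DHCP must be disabled and committed before the IP can change.
    lines = ["scope system", "scope services", "disable dhcp-server",
             "commit-buffer", "exit", "exit"]
    # Step 9: new management address; gw only when the admin host is remote.
    gw = f" gw {gateway}" if gateway else ""
    lines += ["scope fabric-interconnect a",
              f"set out-of-band static ip {iface.ip} netmask {net.netmask}{gw}",
              "exit"]
    # Step 10: new entries first, old entries last.
    lines += ["scope system", "scope services"]
    for proto in protocols:
        lines += [f"enter ip-block {allow.network_address} {allow.prefixlen} {proto}", "exit"]
    for ip, prefix, proto in old_blocks:
        lines.append(f"delete ip-block {ip} {prefix} {proto}")
    # Step 11 (optional) and Step 12.
    if dhcp_range:
        lines.append(f"enable dhcp-server {lo} {hi}")
    lines.append("commit-buffer")
    return lines


def plan_asa(asa_ip, netmask, asdm_net=None):
    """Return the ASA CLI lines for Step 15: move Management 1/1 off
    192.168.45.1 and re-point the ASDM http rule at the new network."""
    iface = ipaddress.ip_interface(f"{asa_ip}/{netmask}")
    asdm = ipaddress.ip_network(asdm_net) if asdm_net else iface.network
    return ["interface management1/1",
            f"ip address {iface.ip} {iface.network.netmask}",
            "exit",
            "no http 192.168.45.0 255.255.255.0 management",
            f"http {asdm.network_address} {asdm.netmask} management",
            "write memory"]


if __name__ == "__main__":
    print("\n".join(plan_fxos("10.86.118.4", "255.255.255.0", "10.86.118.50",
                              dhcp_range=("10.86.118.10", "10.86.118.20"))))
    print()
    print("\n".join(plan_asa("10.86.118.5", "255.255.255.0")))
```

Review the printed sequence, then paste it at the console. The checks are deliberately conservative: if you really do manage FXOS from another subnet, pass `allow_net` and `gateway` explicitly rather than loosening the checks.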
Step 13
Download and boot the ASA package.
a. Download the package.
scope firmware
download image url
show download-task
You can download the package from the same TFTP server you used earlier, or another server reachable on Management 1/1.
Example:
firepower-2110# scope firmware
firepower-2110 /firmware # download image tftp://10.86.118.21/cisco-asa-fp2k.9.8.2.SPA
Please use the command 'show download-task' or 'show download-task detail' to check download progress.
firepower-2110 /firmware # show download-task
Download task:
File Name                  Protocol  Server         Port  Userid  State
-------------------------  --------  -------------  ----  ------  ----------
cisco-asa-fp2k.9.8.2.SPA   Tftp      10.86.118.21   0             Downloaded
b. When the package finishes downloading (Downloaded state), boot the package.
show package
scope auto-install
install security-pack version version
In the show package output, copy the Package-Vers value for the security-pack version number. The chassis installs the ASA image and reboots.
Example:
firepower-2110 /firmware # show package
Name                                          Package-Vers
--------------------------------------------- ------------
cisco-asa-fp2k.9.8.2.SPA                      9.8.2
firepower-2110 /firmware # scope auto-install
firepower-2110 /firmware/auto-install # install security-pack version 9.8.2
The system is currently installed with security software package not set, which has:
- The platform version: not set
If you proceed with the upgrade 9.8.2, it will do the following:
- upgrade to the new platform version 2.2.2.52
- install with CSP asa version 9.8.2
During the upgrade, the system will be reboot
Do you want to proceed ? (yes/no):yes
This operation upgrades firmware and software on Security Platform Components
Here is the checklist of things that are recommended before starting Auto-Install
(1) Review current critical/major faults
(2) Initiate a configuration backup
Attention:
If you proceed the system will be re-imaged. All existing configuration will be lost,
and the default configuration applied.
Do you want to proceed? (yes/no):yes
Triggered the install of software package version 9.8.2
Install started. This will take several minutes.
For monitoring the upgrade progress, please enter 'show' or 'show detail' command.
Step 14
Wait for the chassis to finish rebooting (5-10 minutes), and log in to FXOS using the default username: admin and password: Admin123.
Although FXOS is up, you still need to wait for the ASA to come up (5 minutes). Wait until you see the following messages:
firepower-2110#
Cisco ASA: CMD=-install, CSP-ID=cisco-asa.9.8.2__asa_001_JAD20280BW90MEZR11, FLAG=''
Verifying signature for cisco-asa.9.8.2 ...
Verifying signature for cisco-asa.9.8.2 ... success
Cisco ASA: CMD=-start, CSP-ID=cisco-asa.9.8.2__asa_001_JAD20280BW90MEZR11, FLAG=''
Cisco ASA starting ...
Registering to process manager ...
Cisco ASA started successfully.
[…]
After the rest of the ASA startup messages show, you can return to the FXOS prompt.
Step 15
If you changed the FXOS Management 1/1 address in this procedure, change the ASA address so that it is on the correct network as well. The default ASA Management 1/1 interface IP address is 192.168.45.1. The ASA and FXOS share the Management 1/1 interface, so the ASA needs its own address, distinct from the FXOS address set in Step 9 but on the same network.
a. From the console, connect to the ASA CLI and access global configuration mode.
connect asa
enable
configure terminal
The enable password is blank by default.
Example:
firepower-2110# connect asa
Attaching to Diagnostic CLI ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.
ciscoasa> enable
Password: <blank>
ciscoasa# configure terminal
ciscoasa(config)#
b. Change the Management 1/1 IP address.
interface management1/1
ip address ip_address mask
Example:
ciscoasa(config)# interface management1/1
ciscoasa(config-if)# ip address 10.86.118.4 255.255.255.0
c. Change the network that can access ASDM.
no http 192.168.45.0 255.255.255.0 management
http ip_address mask management
Example:
ciscoasa(config)# no http 192.168.45.0 255.255.255.0 management
ciscoasa(config)# http 10.86.118.0 255.255.255.0 management
d. Save the configuration.
write memory
e. To return to the FXOS console, enter Ctrl+a, d.