Firepower convert To ASA

Reimage from Firepower Threat Defense to ASA

To reimage the Firepower Threat Defense on the Firepower 2100 to ASA software, you must access the ROMMON prompt. In ROMMON, you must erase the disks, and then use TFTP on the Management 1/1 interface to load FXOS from the ASA package; only TFTP is supported. After initially booting FXOS, you then configure network settings, download the ASA package (from a server of your choice), and then reboot again.

Procedure

---

Step 1	If you are managing the Firepower Threat Defense device from the Firepower Management Center, delete the device from the Management Center.
Step 2	If you are managing the Firepower Threat Defense device using Firepower Device Manager, be sure to unregister the device from the Smart Software Licensing server, either from the Firepower Device Manager or from the Smart Software Licensing server.
Step 3	Download the ASA image (see Download Software) to a TFTP server accessible by the Firepower Threat Defense device on the Management 1/1 interface.
Step 4	At the console port, log in to FXOS as admin, and reformat the system. connect local-mgmt  format everything    firepower-2110# connect local-mgmt firepower-2110(local-mgmt)# format everything All configuration and bootable images will be lost. Do you still want to format? (yes/no):yes   Enter yes, and the Firepower 2100 reboots.
Step 5	Press Esc during the bootup when prompted to reach the ROMMON prompt. Pay close attention to the monitor. Example:   ******************************************************************************* Cisco System ROMMON, Version 1.0.03, RELEASE SOFTWARE Copyright (c) 1994-2017  by Cisco Systems, Inc. Compiled Thu 04/06/2017 12:16:16.21 by builder *******************************************************************************   Current image running: Boot ROM0 Last reset cause: ResetRequest DIMM_1/1 : Present DIMM_2/1 : Present   Platform FPR-2130 with 32768 MBytes of main memory BIOS has been successfully locked !! MAC Address: 0c:75:bd:08:c9:80   Use BREAK or ESC to interrupt boot. Use SPACE to begin boot immediately.   Press Esc at this point. If you miss the interrupt prompt, the Firepower 2100 attempts to reboot 3 times; because there is no image on the device, only ROMMON is available.
Step 6	Set the network settings for Management 1/1, and load FXOS (part of the ASA package) using the following ROMMON commands. address management_ip_address netmask subnet_mask server tftp_ip_address gateway gateway_ip_address file path/ filename set  sync  tftp -b  The FXOS image downloads and boots up to the CLI. See the following information: ·         gateway —Sets the gateway address to be the same as the server IP address if they’re on the same network.  ·         set —Shows the network settings. You can also use the ping command to verify connectivity to the server. ·         sync —Saves the network settings. ·         tftp -b —Loads FXOS. Example:   rommon 1> address 10.86.118.4 rommon 2> netmask 255.255.252.0 rommon 3> server 10.86.118.21 rommon 4> gateway 10.86.118.21 rommon 5> file cisco-asa-fp2k.9.8.2.SPA rommon 6> set ROMMON Variable Settings:   ADDRESS=10.86.118.4   NETMASK=255.255.252.0   GATEWAY=10.86.118.21   SERVER=10.86.118.21   IMAGE=cisco-asa-fp2k.9.8.2.SPA   CONFIG=   PS1="rommon ! > "   rommon 7> sync rommon 8> tftp -b Enable boot bundle: tftp_reqsize = 268435456                ADDRESS: 10.86.118.4              NETMASK: 255.255.252.0              GATEWAY: 10.86.118.21               SERVER: 10.86.118.21                IMAGE: cisco-asa-fp2k.9.8.2.SPA              MACADDR: d4:2c:44:0c:26:00            VERBOSITY: Progress                RETRY: 40           PKTTIMEOUT: 7200              BLKSIZE: 1460             CHECKSUM: Yes                 PORT: GbE/1              PHYMODE: Auto Detect   link up Receiving cisco-asa-fp2k.9.8.2.SPA from 10.86.118.21!!!!!!!! […]
Step 7	Log in to FXOS using the default username: admin and password: Admin123. After the device boots up into FXOS, the Management IP address that you set in ROMMON is erased and set to the default: 192.168.45.45. You will need to set the correct IP address and other related settings for your network in FXOS before you can download the ASA package from the server.
Step 8	Disable the DHCP server. scope system  scope services  disable dhcp-server  commit-buffer  Before you can change the management IP address, you must disable the DHCP server. You can reenable DHCP using new client IP addresses after you change the management IP address. Example:   firepower-2110# scope system firepower-2110 /system # scope services firepower-2110 /system/services # disable dhcp-server firepower-2110 /system/services* # commit-buffer
Step 9	Configure an IPv4 management IP address, and optionally the gateway. scope fabric-interconnect a  set out-of-band static ip ip_address netmask network_mask gw gateway_ip_address To keep the currently-set gateway (by default 0.0.0.0, which represents the ASA data interfaces), omit the gw keyword. If your download server is not on the local Management 1/1 network, then change the gateway IP address; the ASA data interfaces do not exist yet, so you cannot reach any remote servers with the default setting. Example:   firepower-2110# scope fabric-interconnect a firepower-2110 /fabric-interconnect # firepower-2110 /fabric-interconnect # set out-of-band static ip 10.86.118.4 netmask 255.255.255.0 Warning: When committed, this change may disconnect the current CLI session firepower-2110 /fabric-interconnect* #
Step 10	Delete and add new access lists for HTTPS, SSH, and SNMP to allow management connections from the new network. a.       Set the scope for system/services. scope system  scope services  Example:   firepower-2110# scope system firepower-2110 /system # scope services   b.       View the current access lists. show ip-block  Example:   firepower-2110 /system/services # show ip-block   Permitted IP Block:     IP Address      Prefix Length Protocol     --------------- ------------- --------     192.168.45.0               24 https     192.168.45.0               24 ssh firepower-2140 /system/services #               c.       Add new access lists. For IPv4: enter ip-block ip_address prefix [http | snmp | ssh ]  For IPv6: enter ipv6-block ipv6_address prefix [https | snmp | ssh ]  For IPv4, enter 0.0.0.0 and a prefix of 0 to allow all networks. For IPv6, enter :: and a prefix of 0 to allow all networks. You can also add access lists in the Firepower Chassis Manager at Platform Settings > Access List. Example:   firepower-2110 /system/services # enter ip-block 192.168.4.0 24 https firepower-2110 /system/services/ip-block* # exit firepower-2110 /system/services* # enter ip-block 192.168.4.0 24 ssh firepower-2110 /system/services/ip-block* # exit firepower-2110 /system/services* #   a.       Delete the old access lists. For IPv4: delete ip-block ip_address prefix [http | snmp | ssh ]  For IPv6: delete ipv6-block ipv6_address prefix [https | snmp | ssh ]  Example:   firepower-2110 /system/services # delete ip-block 192.168.45.0 24 https firepower-2110 /system/services* # delete ip-block 192.168.45.0 24 ssh firepower-2110 /system/services* #
Step 11	(Optional) Reenable the IPv4 DHCP server. scope system  scope services  enable dhcp-server start_ip_address end_ip_address Example:   firepower-2110# scope system firepower-2110 /system # scope services firepower-2110 /system/services # enable dhcp-server 10.86.118.10 10.86.118.20
Step 12	Save the configuration. commit-buffer  Example:   firepower-2110 /system/services* # commit-buffer
Step 13	Download and boot the ASA package. a.       Download the package. scope firmware  download image url show download-task  You can download the package from the same TFTP server you used earlier, or another server reachable on Management 1/1. Example:   firepower-2110# scope firmware firepower-2110 /firmware # download image tftp://10.86.118.21/cisco-asa-fp2k.9.8.2.SPA Please use the command 'show download-task' or 'show download-task detail' to check download progress. firepower-2110 /firmware # show download-task Download task:     File Name Protocol Server          Port       Userid          State     --------- -------- --------------- ---------- --------------- -----     cisco-asa-fp2k.9.8.2.SPA               Tftp     10.88.29.21             0                 Downloaded   b.       When the package finishes downloading (Downloaded state), boot the package. show package  scope auto-install  install security-pack version version In the show package  output, copy the Package-Vers value for the security-pack version number. The chassis installs the ASA image and reboots. Example:   firepower 2110 /firmware # show package Name                                          Package-Vers --------------------------------------------- ------------ cisco-asa-fp2k.9.8.2.SPA                      9.8.2 firepower 2110 /firmware # scope auto-install firepower 2110 /firmware/auto-install # install security-pack version 9.8.2 The system is currently installed with security software package not set, which has:    - The platform version: not set If you proceed with the upgrade 9.8.2, it will do the following:    - upgrade to the new platform version 2.2.2.52    - install with CSP asa version 9.8.2 During the upgrade, the system will be reboot   Do you want to proceed ? (yes/no):yes   This operation upgrades firmware and software on Security Platform Components Here is the checklist of things that are recommended before starting Auto-Install (1) Review current critical/major faults (2) Initiate a configuration backup   Attention:    If you proceed the system will be re-imaged. All existing configuration will be lost,    and the default configuration applied. Do you want to proceed? (yes/no):yes   Triggered the install of software package version 9.8.2 Install started. This will take several minutes. For monitoring the upgrade progress, please enter 'show' or 'show detail' command.
Step 14	Wait for the chassis to finish rebooting (5-10 minutes), and log in to FXOS using the default username: admin and password: Admin123. Although FXOS is up, you still need to wait for the ASA to come up (5 minutes). Wait until you see the following messages:   firepower-2110# Cisco ASA: CMD=-install, CSP-ID=cisco-asa.9.8.2__asa_001_JAD20280BW90MEZR11, FLAG='' Verifying signature for cisco-asa.9.8.2 ... Verifying signature for cisco-asa.9.8.2 ... success   Cisco ASA: CMD=-start, CSP-ID=cisco-asa.9.8.2__asa_001_JAD20280BW90MEZR11, FLAG='' Cisco ASA starting ... Registering to process manager ... Cisco ASA started successfully. […]   After the rest of the ASA startup messages show, you can return to the FXOS prompt.
Step 15	If you changed the FXOS Management 1/1 address in this procedure, you should change the ASA address to be on the correct network. The default ASA Management 1/1 interface IP address is 192.168.45.1.  a.       From the console, connect to the ASA CLI and access global configuration mode. connect asa  enable  configure terminal  The enable password is blank by default. Example:   firepower-2110# connect asa Attaching to Diagnostic CLI ... Press 'Ctrl+a then d' to detach. Type help or '?' for a list of available commands. ciscoasa> enable Password: <blank> ciscoasa# configure terminal ciscoasa(config)#   b.       Change the Management 1/1 IP address. interface management1/1  ip address ip_address mask Example:   ciscoasa(config)# interface management1/1 ciscoasa(config-ifc)# ip address 10.86.118.4 255.255.255.0   c.       Change the network that can access ASDM. no http 192.168.45.0 255.255.255.0 management  http ip_address mask management  Example:   ciscoasa(config)# no http 192.168.45.0 255.255.255.0 management ciscoasa(config)# http 10.86.118.0 255.255.255.0 management   d.       Save the configuration. write memory  e.       To return to the FXOS console, enter Ctrl+a, d.