Reimage ASA 5516X to FTD
The ASA 5516-X can run either ASA software or FTD (Firepower Threat Defense) software. In this post, I will share how I reimaged my ASA 5516-X from ASA software to FTD software.
We need several things ready for reimaging to be successful:
- Direct console port access.
- Management port to upload the software.
- TFTP Server
- FTD Software and boot images.
- ROMMON image, only needed if the ROMMON version on the box is below 1.1.8.
Direct Console Port and Management Port Access
Connect the laptop to the console port of the ASA, because every step is done in the CLI. The management port must also be connected to the TFTP server that hosts the software. In this practice, I use my laptop as the TFTP server and host the software there.
FTD Software and Boot Images
We will reimage the ASA to FTD 6.4, so we need to download the matching images. The software download link is here.
We need to download at least these images:
- Firepower Threat Defense boot image (ftd-boot-9.12.1.6.lfbff)
- Firepower Threat Defense install package (ftd-6.4.0-102.pkg)
As for the ROMMON software, you can download it from here.
Remember, you need a Cisco.com login with a valid service contract to download the software. Because I work at a Cisco Partner, I am entitled to download it.
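The ROMMON tftpdnld and the boot CLI's system install both pull the images over TFTP or HTTP, which authenticate nothing, so the only integrity check you control is comparing each downloaded file with the checksum printed on the Cisco download page before you stage it on the server. The following Python script is an added example (not part of the original post or any Cisco tool) that does that comparison for a staging directory. The expected digests and the third file name (rommon-image.SPA) are placeholders; the demo writes constructed dummy files rather than the real images.

```python
"""Added example: verify staged FTD images against published checksums before serving them
over TFTP/HTTP. Digests and file names in demo() are placeholders, not real Cisco values."""
import hashlib
import hmac
import tempfile
from pathlib import Path


def file_digest(path, algorithm="sha512", chunk_size=1 << 20):
    """Hash a file in chunks so a multi-hundred-MB .pkg is not read into memory at once."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_images(expected, directory):
    """expected maps filename -> (algorithm, hex digest) as copied from the download page.
    Returns filename -> 'ok' | 'mismatch' | 'missing'. Stage nothing that is not 'ok'."""
    results = {}
    for name, (algorithm, published) in expected.items():
        path = Path(directory) / name
        if not path.is_file():
            results[name] = "missing"
            continue
        actual = file_digest(path, algorithm)
        # constant-time compare is habit; the digests are not secret but it costs nothing
        results[name] = "ok" if hmac.compare_digest(actual, published.lower()) else "mismatch"
    return results


def demo():
    """Run the check against constructed files (dummy bytes, NOT the real Cisco images):
    one intact, one altered after its checksum was recorded, one never downloaded."""
    with tempfile.TemporaryDirectory() as staging:
        good = Path(staging) / "ftd-boot-9.12.1.6.lfbff"
        good.write_bytes(b"constructed boot image bytes\n" * 1000)
        tampered = Path(staging) / "ftd-6.4.0-102.pkg"
        tampered.write_bytes(b"constructed install package bytes\n" * 1000)
        expected = {
            good.name: ("sha512", file_digest(good)),            # recorded before staging
            tampered.name: ("md5", file_digest(tampered, "md5")),  # recorded before staging
            "rommon-image.SPA": ("sha512", "0" * 128),           # placeholder name, not downloaded
        }
        # simulate corruption or substitution on the staging server after the checksum was taken
        tampered.write_bytes(tampered.read_bytes() + b"\x00")
        return verify_images(expected, staging)


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{state:9} {name}")
```

Run it once against the real staging directory with the digests from the download page filled in; any file reported as mismatch or missing should be re-downloaded before you point tftpdnld or system install at it.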
Preparation on ASA CLI
First, find out the ROMMON version on your ASA. Run show module on the ASA CLI; on this platform the ROMMON version is the Fw Version shown for module 1:
ciscoasa# sh module

Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
   1 ASA 5516-X with FirePOWER services, 8GE, AC, ASA5516            ############
 sfr Unknown                                      N/A                ############

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
   1 2c5a.####.e5aa to 2c5a.####.e5b2  1.1          1.1.8        9.8(4)12
 sfr 2c5a.####.e5a9 to 2c5a.####.e5a9  N/A          N/A

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 sfr Unknown                        No Image Present Not Applicable

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   1 Up Sys             Not Applicable
 sfr Unresponsive       Not Applicable
Next, check the flash with the show disk0: command. Take note of what is stored there, because the FTD installer erases disk0: later:
ciscoasa# sh disk0:
--#--  --length--  -----date/time------  path
   41  111312736   Nov 20 2019 06:31:58  asa984-12-lfbff-k8.SPA
   42  63          Sep 24 2021 08:13:42  .boot_string
   11  4096        Nov 20 2019 06:35:36  log
   24  4096        Nov 20 2019 06:36:42  crypto_archive
   25  4096        Nov 20 2019 06:36:44  coredumpinfo
   26  59          Nov 20 2019 06:36:44  coredumpinfo/coredump.cfg
   43  26975568    Dec 13 2019 07:00:28  asdm-782-151.bin
   44  39032347    Dec 13 2019 09:36:14  anyconnect-win-3.1.14018-k9.pkg
   45  4096        Jan 01 1980 00:00:00  FSCK0000.REC
   46  28672       Jan 01 1980 00:00:00  FSCK0001.REC
   47  4096        Jan 01 1980 00:00:00  FSCK0002.REC
   48  28672       Jan 01 1980 00:00:00  FSCK0003.REC
   49  4096        Jan 01 1980 00:00:00  FSCK0004.REC
   50  32738244    Feb 22 2021 07:50:26  asdm-792-152.bin

7365472256 bytes total (7154499584 bytes free)
As we can see, the ROMMON is already at version 1.1.8, so no ROMMON upgrade is needed. Do not forget to record your activation key (and back up the running configuration, since disk0: is erased during the install) in case you ever need to go back to ASA software:
ciscoasa(config)# show activation-key
Serial Number:  ########
Running Permanent Activation Key: ######## ######## ######## ######## ########

The Running Activation Key feature: 500 AnyConnect Premium sessions exceed the limit on the platform, reduced to 300 AnyConnect Premium sessions.

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 150            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 2              perpetual
Carrier                           : Disabled       perpetual
AnyConnect Premium Peers          : 300            perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 300            perpetual
Total VPN Peers                   : 300            perpetual
AnyConnect for Mobile             : Enabled        perpetual
AnyConnect for Cisco VPN Phone    : Enabled        perpetual
Advanced Endpoint Assessment      : Enabled        perpetual
Shared License                    : Disabled       perpetual
Total TLS Proxy Sessions          : 1000           perpetual
Botnet Traffic Filter             : Disabled       perpetual
Cluster                           : Enabled        perpetual
Cluster Members                   : 2              perpetual
VPN Load Balancing                : Enabled        perpetual

The flash permanent activation key is the SAME as the running permanent key.
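As an added example (not part of the original post), the following Python script automates the two pre-flight checks above: it reads the ROMMON version from the Fw Version column of module 1 in the show module output and compares it with 1.1.8, and it lists the image and package files on disk0: that the install will erase so you can copy them off first. The sample input is the show module and show disk0: output from this post, trimmed and with the same masking; the 1.1.8 minimum is Cisco's documented requirement for FTD on this platform.

```python
"""Added example: pre-flight checks for an ASA 5516-X to FTD reimage, parsed from
'show module' and 'show disk0:' output pasted from the console."""
import re

# FTD boot image on the 5506/5508/5516-X requires ROMMON 1.1.8 or later
MIN_ROMMON = (1, 1, 8)

# Sample input: trimmed 'show module' output from the post, serial and MAC bytes masked as there
SHOW_MODULE = """\
Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
   1 ASA 5516-X with FirePOWER services, 8GE, AC, ASA5516            ############
 sfr Unknown                                      N/A                ############

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
   1 2c5a.####.e5aa to 2c5a.####.e5b2  1.1          1.1.8        9.8(4)12
 sfr 2c5a.####.e5a9 to 2c5a.####.e5a9  N/A          N/A
"""

# Sample input: trimmed 'show disk0:' output from the post
SHOW_DISK0 = """\
--#--  --length--  -----date/time------  path
   41  111312736   Nov 20 2019 06:31:58  asa984-12-lfbff-k8.SPA
   42  63          Sep 24 2021 08:13:42  .boot_string
   43  26975568    Dec 13 2019 07:00:28  asdm-782-151.bin
   44  39032347    Dec 13 2019 09:36:14  anyconnect-win-3.1.14018-k9.pkg
   45  4096        Jan 01 1980 00:00:00  FSCK0000.REC

7365472256 bytes total (7154499584 bytes free)
"""

# rows of the MAC-range table: module, "<mac> to <mac>", hw, fw (ROMMON), optional sw
MAC_ROW = re.compile(
    r"^\s*(?P<mod>\S+)\s+\S+ to \S+\s+(?P<hw>\S+)\s+(?P<fw>\S+)(?:\s+(?P<sw>\S+))?\s*$"
)
# rows of the disk listing: index, length, "Mon DD YYYY HH:MM:SS", path
FILE_ROW = re.compile(r"^\s*\d+\s+(?P<length>\d+)\s+\S+ \d+ \d+ \S+\s+(?P<path>\S+)\s*$")
TOTALS = re.compile(r"(?P<total>\d+) bytes total \((?P<free>\d+) bytes free\)")


def parse_version(text):
    """'1.1.8' -> (1, 1, 8); raises ValueError for 'N/A' so a missing ROMMON is never 'ok'."""
    return tuple(int(part) for part in text.split("."))


def parse_show_module(text):
    """Return {module: {'hw', 'fw', 'sw'}}. On this platform 'Fw Version' is the ROMMON version."""
    modules = {}
    for line in text.splitlines():
        m = MAC_ROW.match(line)
        if m:
            modules[m["mod"]] = {"hw": m["hw"], "fw": m["fw"], "sw": m["sw"]}
    return modules


def parse_show_disk0(text):
    """Return {'files': {path: bytes}, 'total': bytes, 'free': bytes}."""
    files, total, free = {}, None, None
    for line in text.splitlines():
        f = FILE_ROW.match(line)
        if f:
            files[f["path"]] = int(f["length"])
            continue
        t = TOTALS.search(line)
        if t:
            total, free = int(t["total"]), int(t["free"])
    return {"files": files, "total": total, "free": free}


def preflight(module_text, disk_text):
    """Combine both checks into one readiness report."""
    mods = parse_show_module(module_text)
    if "1" not in mods:
        raise ValueError("module 1 row not found in show module output")
    rommon = parse_version(mods["1"]["fw"])
    disk = parse_show_disk0(disk_text)
    # 'system install' erases disk0:, so flag the ASA image (needed for rollback), ASDM and
    # AnyConnect packages that are worth copying off before reimaging
    backup_first = sorted(p for p in disk["files"] if p.endswith((".SPA", ".bin", ".pkg")))
    return {
        "rommon": rommon,
        "rommon_ok": rommon >= MIN_ROMMON,
        "asa_version": mods["1"]["sw"],
        "disk_free": disk["free"],
        "backup_first": backup_first,
    }


if __name__ == "__main__":
    report = preflight(SHOW_MODULE, SHOW_DISK0)
    state = "ok" if report["rommon_ok"] else "UPGRADE ROMMON FIRST"
    print(f"ROMMON {'.'.join(map(str, report['rommon']))}: {state}")
    print(f"ASA {report['asa_version']}, disk0: {report['disk_free']} bytes free")
    print("copy off before install:", ", ".join(report["backup_first"]))
```

Paste your own console output into SHOW_MODULE and SHOW_DISK0 (or read it from files) and the report tells you whether the ROMMON step in the prerequisites list applies to your box.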
Now, we can start the reimaging process
Reimaging Process
Reload the ASA and press ESC during boot to interrupt it and enter ROMMON mode.
Set the ROMMON network parameters so it can reach the TFTP server on the laptop (ROMMON uses the Management port, shown as GbE/1 below), confirm with ping, then pull and boot the FTD boot image with tftpdnld:
rommon 2 > address 10.0.0.1
rommon 3 > netmask 255.255.255.0
rommon 4 > gateway 10.0.0.2
rommon 5 > server 10.0.0.2
rommon 6 > ping 10.0.0.2
Sending 10, 32-byte ICMP Echoes to 10.0.0.2 timeout is 4 seconds
!!!!!!!!!!
Success rate is 100 percent (10/10)
rommon 7 > file ftd-boot-9.12.1.6.lfbff
rommon 8 > sync
rommon 9 > tftpdnld
             ADDRESS: 10.0.0.1
             NETMASK: 255.255.255.0
             GATEWAY: 10.0.0.2
              SERVER: 10.0.0.2
               IMAGE: ftd-boot-9.12.1.6.lfbff
             MACADDR: 2c:5a:0f:79:e5:aa
           VERBOSITY: Progress
               RETRY: 40
          PKTTIMEOUT: 7200
             BLKSIZE: 1460
            CHECKSUM: Yes
                PORT: GbE/1
             PHYMODE: Auto Detect

Receiving ftd-boot-9.12.1.6.lfbff from 10.0.0.2
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! [...]
File reception completed.
Boot buffer bigbuf=348bd018
Boot image size = 146806912 (0x8c01880) bytes
[image size]      146806912
[MD5 signaure]    d3594f86fb102d24e3185dec0807e2a7
LFBFF signature verified.

INIT: version 2.88 booting
Starting udev
Configuring network interfaces... done.
Populating dev cache
Detected PID ASA5516.
Found device serial number JAD21030B5J.
Found USB flash drive /dev/sdb
Found hard drive(s): /dev/sda
fsck from util-linux 2.26.2
fsck.fat 3.0.28 (2015-05-16)
0x41: Dirty bit is set. Fs was not properly unmounted and some data may be corrupt.
 Automatically removing dirty bit.
Performing changes.
/dev/sdb1: 66 files, 51505/1798211 clusters
The boot image then runs fsck on the flash and finds the dirty bit left by earlier ungraceful shutdowns (the FSCK000x.REC files in the show disk0: listing come from the same cause), so it repairs the file system before launching the boot CLI:
********************************************************************************
WARNING: File system on Disk0 has been damaged due to ungraceful system shutdowns.
Please wait while additional file system checks are being performed.
Shutdown the system gracefully using the 'reboot' CLI before powering down.
********************************************************************************
Please do not power off - Running additional file system repairs ...
Filesystem has been successfully repaired.

Launching boot CLI ...
Configuring network interface using static IP
The FTD boot CLI then comes up with the ciscoasa-boot> prompt. Run the setup command and configure the Management interface as below, to establish temporary connectivity to the server so that you can download and install the system software package. Verify reachability with ping before moving on:
ciscoasa-boot>setup

                 Welcome to Cisco FTD Setup
                  [hit Ctrl-C to abort]
              Default values are inside []

Enter a hostname [ciscoasa]: ciscoasa
Do you want to configure IPv4 address on management interface?(y/n) [Y]: y
Do you want to enable DHCP for IPv4 address assignment on management interface?(y/n) [N]: n
Enter an IPv4 address [10.0.0.1]: 10.0.0.200
Enter the netmask [255.255.255.0]: 255.255.255.0
Enter the gateway [10.0.0.2]: 10.0.0.2
Do you want to configure static IPv6 address on management interface?(y/n) [N]: N
Stateless autoconfiguration will be enabled for IPv6 addresses.
Enter the primary DNS server IP address [10.0.0.2]: 10.0.0.2
Do you want to configure Secondary DNS Server? (y/n) [n]: n
Do you want to configure Local Domain Name? (y/n) [n]: n
Do you want to configure Search domains? (y/n) [n]: n
Do you want to enable the NTP service? [N]: N
Please review the final configuration:
Hostname:               ciscoasa
Management Interface Configuration

IPv4 Configuration:     static
        IP Address:     10.0.0.200
        Netmask:        255.255.255.0
        Gateway:        10.0.0.2

IPv6 Configuration:     Stateless autoconfiguration

DNS Configuration:
        DNS Server:     10.0.0.2

NTP configuration:      Disabled

CAUTION:
You have selected IPv6 stateless autoconfiguration, which assigns a global address
based on network prefix and a device identifier. Although this address is unlikely
to change, if it does change, the system will stop functioning correctly.
We suggest you use static addressing instead.

Apply the changes?(y,n) [Y]: y
Configuration saved successfully!
Applying...
Restarting network services...
Done.
Press ENTER to continue...
ciscoasa-boot>
ciscoasa-boot>
ciscoasa-boot>ping 10.0.0.2
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=128 time=0.523 ms
64 bytes from 10.0.0.2: icmp_seq=2 ttl=128 time=0.332 ms
^C
--- 10.0.0.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.332/0.427/0.523/0.097 ms
Then run system install noconfirm <url> to download and install the FTD system software package. Here the package is fetched over HTTP from 10.0.0.201; HTTP authenticates nothing, so compare the staged file's checksum with the one on the Cisco download page before serving it. Heed the warning in the output: everything on disk0: is erased at this point.
ciscoasa-boot>system install noconfirm http://10.0.0.201/ftd-6.4.0-102.pkg

######################## WARNING ############################
# The content of disk0: will be erased during installation! #
#############################################################

Do you want to continue? [y/N] y
Erasing disk0 ...
Verifying
Downloading
Extracting

Package Detail
        Description:                  Cisco ASA-FTD 6.4.0-102 System Install
        Requires reboot:              Yes

Do you want to continue with upgrade? [y]: y
Warning: Please do not interrupt the process or turn off the system.
Doing so might leave system in unusable state.
Starting upgrade process ...
Populating new system image

Reboot is required to complete the upgrade. Press 'Enter' to reboot the system.
In my case, the reboot took around 45 minutes. After the reboot, you land in the FTD CLI.
System initialization in progress.  Please stand by.
You must change the password for 'admin' to continue.
Enter new password:
Confirm new password:
You must configure the network to continue.
You must configure at least one of IPv4 or IPv6.
Do you want to configure IPv4? (y/n) [y]:
Do you want to configure IPv6? (y/n) [n]: n
Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]:
Enter an IPv4 address for the management interface [192.168.45.45]: 10.0.0.1
Enter an IPv4 netmask for the management interface [255.255.255.0]:
Enter the IPv4 default gateway for the management interface [data-interfaces]:
Enter a fully qualified hostname for this system [firepower]:
Enter a comma-separated list of DNS servers or 'none' [208.67.222.222,208.67.220.220]:
Enter a comma-separated list of search domains or 'none' []:
If your networking information has changed, you will need to reconnect.

DHCP Server Disabled
The DHCP server has been disabled. You may re-enable with configure network ipv4 dhcp-server-enable
For HTTP Proxy configuration, run 'configure network http-proxy'

Manage the device locally? (yes/no) [yes]:
Configuring firewall mode to routed

Update policy deployment information
    - add device configuration

Successfully performed firstboot initial configuration steps for Firepower Device Manager for Firepower Threat Defense.

>
> show network
===============[ System Information ]===============
Hostname                  : firepower
DNS Servers               : 208.67.222.222
                            208.67.220.220
Management port           : 8305
IPv4 Default route
  Gateway                 : data-interfaces

======================[ br1 ]=======================
State                     : Enabled
Channels                  : Management & Events
Mode                      : Non-Autonegotiation
MDI/MDIX                  : Auto/MDIX
MTU                       : 1500
MAC Address               : 2C:5A:0F:79:E5:A9
----------------------[ IPv4 ]----------------------
Configuration             : Manual
Address                   : 10.0.0.1
Netmask                   : 255.255.255.0
Broadcast                 : 10.0.0.255
----------------------[ IPv6 ]----------------------
Configuration             : Disabled

===============[ Proxy Information ]================
State                     : Disabled
Authentication            : Disabled
I have an issue after reimaging: I cannot ping from my laptop to the FTD management interface (br1), or vice versa. I will write a post about that matter after this.
Hope this helps.
Anjali
September 21, 2023 - 3:43 pm
Thanks, this cleared all my doubts. However, I have one question.
I see you have mentioned
system install noconfirm http://10.0.0.201/ftd-6.4.0-102.pkg
10.0.0.201 --> this is your TFTP server, correct?
Ilhampst
December 26, 2023 - 5:04 pm
Yes, correct