
Cisco ASA and Firepower Threat Defense Reimage Guide

First Published: 2016-05-10

Last Modified: 2018-04-17


Console Port Access Required

To perform the reimage, you must connect your computer to the console port.

For the Firepower 2100, ASA 5512-X, 5515-X, 5525-X, 5545-X, and 5555-X, you might need to use a third party serial-to-USB cable to make the connection. Other models include a Mini USB Type B console port, so you can use any mini USB cable. For Windows, you may need to install a USB-serial driver from software.cisco.com. See the hardware guide for more information about console port options and driver requirements: http://www.cisco.com/go/asa5500x-install

Use a terminal emulator set for 9600 baud, 8 data bits, no parity, 1 stop bit, no flow control.

Supported Models

The following models support either ASA software or Firepower Threat Defense Software. For ASA and Firepower Threat Defense version support, see the ASA compatibility guide or Firepower compatibility guide.

• ASA 5506-X

• ASA 5506W-X

• ASA 5506H-X

• ASA 5508-X

• ASA 5512-X

• ASA 5515-X

• ASA 5516-X

• ASA 5525-X

• ASA 5545-X

• ASA 5555-X

• ISA 3000

• Firepower 2100


Note: The Firepower 4100 and 9300 also support either the ASA or Firepower Threat Defense, but they are installed as logical devices; see the FXOS configuration guides for more information.

Note: For the Firepower Threat Defense on the ASA 5512-X through 5555-X, you must install a Cisco solid state drive (SSD). For more information, see the ASA 5500-X hardware guide. For the ASA, the SSD is also required to use the ASA FirePOWER module. (The SSD is standard on the ASA 5506-X, 5508-X, and 5516-X.)

Reimage the ASA 5500-X or ISA 3000

Many models in the ASA 5500-X or ISA 3000 series support either Firepower Threat Defense or ASA software.

• Supported Models, on page 1

• Download Software, on page 2

• Upgrade the ROMMON Image (ASA 5506-X, 5508-X, and 5516-X), on page 5

• Reimage from ASA to Firepower Threat Defense, on page 6

• Reimage from Firepower Threat Defense to ASA, on page 9

Download Software

Obtain Firepower Threat Defense software, or ASA, ASDM, and ASA FirePOWER module software. The procedures in this document require you to put software on a TFTP server for the initial download. Other images can be downloaded from other server types, such as HTTP or FTP. For the exact software package and server type, see the procedures.

Note: A Cisco.com login and Cisco service contract are required.


Table 1: Firepower Threat Defense Software

Firepower Threat Defense Model: ASA 5506-X, ASA 5508-X, and ASA 5516-X
Download Location: See http://www.cisco.com/go/asa-firepower-sw.
Note: You will also see patch files ending in .sh; the patch upgrade process is not covered in this document.
Packages:

• Boot image: Choose your model > Firepower Threat Defense Software > version. The boot image has a filename like ftd-boot-9.6.2.0.lfbff.

• System software install package: Choose your model > Firepower Threat Defense Software > version. The system software install package has a filename like ftd-6.1.0-330.pkg.

Firepower Threat Defense Model: ASA 5512-X through ASA 5555-X
Download Location: See http://www.cisco.com/go/asa-firepower-sw.
Note: You will also see patch files ending in .sh; the patch upgrade process is not covered in this document.
Packages:

• Boot image: Choose your model > Firepower Threat Defense Software > version. The boot image has a filename like ftd-boot-9.6.2.0.cdisk.

• System software install package: Choose your model > Firepower Threat Defense Software > version. The system software install package has a filename like ftd-6.1.0-330.pkg.

Firepower Threat Defense Model: ISA 3000
Download Location: See http://www.cisco.com/go/isa3000-software
Note: You will also see patch files ending in .sh; the patch upgrade process is not covered in this document.
Packages:

• Boot image: Choose your model > Firepower Threat Defense Software > version. The boot image has a filename like ftd-boot-9.9.2.0.lfbff.

• System software install package: Choose your model > Firepower Threat Defense Software > version. The system software install package has a filename like ftd-6.2.3-330.pkg.


Table 2: ASA Software

ASA Model: ASA 5506-X, ASA 5508-X, and ASA 5516-X
Download Location: http://www.cisco.com/go/asa-firepower-sw
Packages:

• ASA Software: Choose your model > Adaptive Security Appliance (ASA) Software > version. The ASA software file has a filename like asa962-lfbff-k8.SPA.

• ASDM Software: Choose your model > Adaptive Security Appliance (ASA) Device Manager > version. The ASDM software file has a filename like asdm-762.bin.

• REST API Software: Choose your model > Adaptive Security Appliance REST API Plugin > version. The API software file has a filename like asa-restapi-132-lfbff-k8.SPA. To install the REST API, see the API quick start guide.

• ROMMON Software: Choose your model > ASA Rommon Software > version. The ROMMON software file has a filename like asa5500-firmware-1108.SPA.

ASA Model: ASA 5512-X through ASA 5555-X
Download Location: http://www.cisco.com/go/asa-software
Packages:

• ASA Software: Choose your model > Software on Chassis > Adaptive Security Appliance (ASA) Software > version. The ASA software file has a filename like asa962-smp-k8.bin.

• ASDM Software: Choose your model > Software on Chassis > Adaptive Security Appliance (ASA) Device Manager > version. The ASDM software file has a filename like asdm-762.bin.

• REST API Software: Choose your model > Software on Chassis > Adaptive Security Appliance REST API Plugin > version. The API software file has a filename like asa-restapi-132-lfbff-k8.SPA. To install the REST API, see the API quick start guide.

• ASA Device Package for Cisco Application Policy Infrastructure Controller (APIC): Choose your model > Software on Chassis > ASA for Application Centric Infrastructure (ACI) Device Packages > version. For APIC 1.2(7) and later, choose either the Policy Orchestration with Fabric Insertion, or the Fabric Insertion-only package. The device package software file has a filename like asa-device-pkg-1.2.7.10.zip. To install the ASA device package, see the “Importing a Device Package” chapter of the Cisco APIC Layer 4 to Layer 7 Services Deployment Guide.

ASA Model: ISA 3000
Download Location: http://www.cisco.com/go/isa3000-software
Packages:

• ASA Software: Choose your model > Adaptive Security Appliance (ASA) Software > version. The ASA software file has a filename like asa962-lfbff-k8.SPA.

• ASDM Software: Choose your model > Adaptive Security Appliance (ASA) Device Manager > version. The ASDM software file has a filename like asdm-762.bin.

• REST API Software: Choose your model > Adaptive Security Appliance REST API Plugin > version. The API software file has a filename like asa-restapi-132-lfbff-k8.SPA. To install the REST API, see the API quick start guide.

Upgrade the ROMMON Image (ASA 5506-X, 5508-X, and 5516-X)

Follow these steps to upgrade the ROMMON image for the ASA 5506-X series, ASA 5508-X, and ASA 5516-X. The ROMMON version on your system must be 1.1.8 or greater.

Note: You cannot upgrade the ROMMON image after you reimage to Firepower Threat Defense.

Before You Begin

You can only upgrade to a new version; you cannot downgrade. To see your current version, enter the show module command and look at the Fw Version in the output for Mod 1 in the MAC Address Range table:

ciscoasa# show module
[...]
Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
   1 7426.aceb.ccea to 7426.aceb.ccf2  0.3          1.1.5        9.4(1)
 sfr 7426.aceb.cce9 to 7426.aceb.cce9  N/A          N/A

Step 1 Obtain the new ROMMON image from Cisco.com, and put it on a server to copy to the ASA. This procedure shows a TFTP copy. Download the image from:

https://software.cisco.com/download/type.html?mdfid=286283326&flowid=77251

Step 2 Copy the ROMMON image to the ASA flash memory:

copy tftp://server_ip/asa5500-firmware-xxxx.SPA disk0:asa5500-firmware-xxxx.SPA

Step 3 Upgrade the ROMMON image:

upgrade rommon disk0:asa5500-firmware-xxxx.SPA


Example:

ciscoasa# upgrade rommon disk0:asa5500-firmware-1108.SPA
Verifying file integrity of disk0:/asa5500-firmware-1108.SPA

Computed Hash SHA2: d824bdeecee1308fc64427367fa559e9eefe8f182491652ee4c05e6e751f7a4f5cdea28540cf60acde3ab9b65ff55a9f4e0cfb84b9e2317a856580576612f4af

Embedded Hash SHA2: d824bdeecee1308fc64427367fa559e9eefe8f182491652ee4c05e6e751f7a4f5cdea28540cf60acde3ab9b65ff55a9f4e0cfb84b9e2317a856580576612f4af

Digital signature successfully validated
File Name : disk0:/asa5500-firmware-1108.SPA
Image type : Release
Signer Information
Common Name : abraxas
Organization Unit : NCS_Kenton_ASA
Organization Name : CiscoSystems
Certificate Serial Number : 553156F4
Hash Algorithm : SHA2 512
Signature Algorithm : 2048-bit RSA
Key Version : A
Verification successful.
Proceed with reload? [confirm]

Step 4 Confirm to reload the ASA when you are prompted.

The ASA upgrades the ROMMON image, and then reloads the ASA OS.
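The version check in Before You Begin and the hash and signature output in Step 3 can both be checked from a captured console transcript. The following Python is an added example, not part of the Cisco guide; the sample transcripts are constructed from the output shown above, and the regular expressions assume that column layout.

```python
"""Check ROMMON-upgrade prerequisites and results from captured ASA console text."""
import re

MIN_ROMMON = (1, 1, 8)  # the guide requires ROMMON 1.1.8 or greater before reimaging

# Constructed sample, modelled on the 'show module' output quoted in the guide.
SHOW_MODULE = """\
ciscoasa# show module
[...]
Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
   1 7426.aceb.ccea to 7426.aceb.ccf2  0.3          1.1.5        9.4(1)
 sfr 7426.aceb.cce9 to 7426.aceb.cce9  N/A          N/A
"""

# Constructed sample, modelled on the 'upgrade rommon' verification output in Step 3.
UPGRADE_OUTPUT = """\
Verifying file integrity of disk0:/asa5500-firmware-1108.SPA
Computed Hash SHA2: d824bdeecee1308fc64427367fa559e9eefe8f182491652ee4c05e6e751f7a4f5cdea28540cf60acde3ab9b65ff55a9f4e0cfb84b9e2317a856580576612f4af
Embedded Hash SHA2: d824bdeecee1308fc64427367fa559e9eefe8f182491652ee4c05e6e751f7a4f5cdea28540cf60acde3ab9b65ff55a9f4e0cfb84b9e2317a856580576612f4af
Digital signature successfully validated
File Name : disk0:/asa5500-firmware-1108.SPA
Hash Algorithm : SHA2 512
Signature Algorithm : 2048-bit RSA
Verification successful.
Proceed with reload? [confirm]
"""


def parse_version(text):
    """'1.1.5' -> (1, 1, 5), so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in text.strip().split("."))


# Row for Mod 1: "<mod> <mac> to <mac> <Hw Version> <Fw Version> <Sw Version>"
MOD1_ROW = re.compile(r"^\s*1\s+\S+ to \S+\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def rommon_fw_version(show_module_output):
    """Return the Fw Version of Mod 1 (the ROMMON version) as a tuple."""
    for line in show_module_output.splitlines():
        match = MOD1_ROW.match(line)
        if match:
            return parse_version(match.group(2))
    raise ValueError("no Mod 1 row found in show module output")


def rommon_upgrade_needed(show_module_output, minimum=MIN_ROMMON):
    """True when the running ROMMON is older than the minimum the guide requires."""
    return rommon_fw_version(show_module_output) < minimum


def is_upgrade_path(current, candidate):
    """ROMMON can only move to a newer version; a downgrade is not possible."""
    return parse_version(candidate) > parse_version(current)


HASH_LINE = re.compile(r"(Computed|Embedded) Hash SHA2:\s*([0-9a-fA-F]+)")


def upgrade_verified(upgrade_output):
    """True only if the computed and embedded digests match and both the
    signature check and the final 'Verification successful.' line are present."""
    hashes = dict(HASH_LINE.findall(upgrade_output))
    computed, embedded = hashes.get("Computed"), hashes.get("Embedded")
    if computed is None or computed != embedded:
        return False
    return ("Digital signature successfully validated" in upgrade_output
            and "Verification successful." in upgrade_output)


if __name__ == "__main__":
    print("current ROMMON:", rommon_fw_version(SHOW_MODULE))
    print("upgrade needed:", rommon_upgrade_needed(SHOW_MODULE))
    print("image verified:", upgrade_verified(UPGRADE_OUTPUT))
```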

Reimage from ASA to Firepower Threat Defense

To reimage the ASA to Firepower Threat Defense software, you must access the ROMMON prompt. In ROMMON, you must use TFTP on the Management interface to download the Firepower Threat Defense boot image; only TFTP is supported. The boot image can then download the Firepower Threat Defense system software install package using HTTP or FTP. The TFTP download can take a long time; ensure that you have a stable connection between the ASA and the TFTP server to avoid packet loss.

Before You Begin

To ease the process of reimaging back to an ASA, do the following:

1. Perform a complete system backup using the backup command.

See the configuration guide for more information, and other backup techniques.

2. Use the show activation-key command to display the current activation key(s), and copy and save them so you can reinstall your licenses.

Step 1 Download the Firepower Threat Defense boot image (see Download Software, on page 2) to a TFTP server accessible by the ASA on the Management interface.


For the ASA 5506-X, 5508-X, 5516-X, ISA 3000: You must use the Management 1/1 port to download the image. For the other models, you can use any interface.

Step 2 Download the Firepower Threat Defense system software install package (see Download Software, on page 2) to an HTTP or FTP server accessible by the ASA on the Management interface.

Step 3 From the console port, reload the ASA:

reload

Example:

ciscoasa# reload

Step 4 Press Esc during the bootup when prompted to reach the ROMMON prompt. Pay close attention to the monitor.

Example:

[...]
Booting from ROMMON

Cisco Systems ROMMON Version (2.1(9)8) #1: Wed Oct 26 17:14:40 PDT 2011

Platform ASA 5555-X with SW, 8 GE Data, 1 GE Mgmt

Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Boot in 7 seconds.

Press Esc at this point.

If you see the following message, then you waited too long, and must reload the ASA again after it finishes booting:

Launching BootLoader...
Boot configuration file contains 2 entries.
[...]

Step 5 Set the network settings, and load the boot image using the following ROMMON commands:

a) interface—(ASA 5512-X, 5515-X, 5525-X, 5545-X, and 5555-X only) Management interface ID. Other models always use the Management 1/1 interface.

b) address—Management interface IP address

c) server—TFTP server IP address

d) gateway—If the server is on the same network, set this IP address to be the same as the TFTP server IP address

e) file—TFTP file path and name

f) set—(Optional) View the network settings. You can also use the ping command to verify connectivity to the server

g) sync—(Optional) Save the network settings

h) tftpdnld—Load the boot image

Example for the ASA 5555-X:

rommon #0> interface gigabitethernet0/0
rommon #1> address 10.86.118.4
rommon #2> server 10.86.118.21
rommon #3> gateway 10.86.118.21


rommon #4> file ftd-boot-latest.cdisk
rommon #5> set
ROMMON Variable Settings:
  ADDRESS=10.86.118.3
  SERVER=10.86.118.21
  GATEWAY=10.86.118.21
  PORT=GigabitEthernet0/0
  VLAN=untagged
  IMAGE=ftd-boot-latest.cdisk
  CONFIG=
  LINKTIMEOUT=20
  PKTTIMEOUT=4
  RETRY=20

rommon #6> sync

Updating NVRAM Parameters...

rommon #7> tftpdnld

Example for the ASA 5506-X:

rommon #0> address 10.86.118.4
rommon #1> server 10.86.118.21
rommon #2> gateway 10.86.118.21
rommon #3> file ftd-boot-latest.lfbff
rommon #4> set
ROMMON Variable Settings:
  ADDRESS=10.86.118.3
  SERVER=10.86.118.21
  GATEWAY=10.86.118.21
  VLAN=untagged
  IMAGE=ftd-boot-latest.lfbff
  CONFIG=
  LINKTIMEOUT=20
  PKTTIMEOUT=4
  RETRY=20

rommon #5> sync

Updating NVRAM Parameters...

rommon #6> tftpdnld

The Firepower Threat Defense boot image downloads and boots up to the boot CLI.

Step 6 Type setup, and configure network settings for the Management interface to establish temporary connectivity to the HTTP or FTP server so that you can download and install the system software package. For example:

• Hostname: ftd1

• IPv4 address: 10.86.118.4

• Netmask: 255.255.252.0

• Gateway: 10.86.116.1

• DNS servers: 10.86.116.5

• Ntp server: ntp.example.com

Step 7 Download the Firepower Threat Defense system software install package. This step shows an HTTP installation.

system install [noconfirm] url


Example:

> system install noconfirm http://10.86.118.21/ftd-6.0.1-949.pkg

Include the noconfirm option if you do not want to respond to confirmation messages.

Step 8 When installation is complete, choose Yes when the device reboot option is displayed.

Reboot takes upwards of 30 minutes, and could take much longer. Upon reboot, you will be in the Firepower Threat Defense CLI.

Step 9 You can use either Firepower Device Manager or Firepower Management Center to manage your device. See the Quick Start Guide for your model and your manager to continue setup: http://www.cisco.com/go/ftd-asa-quick

Reimage from Firepower Threat Defense to ASA

To reimage the Firepower Threat Defense to ASA software, you must access the ROMMON prompt. In ROMMON, you must erase the disks, and then use TFTP on the Management interface to download the ASA image; only TFTP is supported. After you reload the ASA, you can configure basic settings and then load the FirePOWER module software.

Before You Begin

• Ensure that you have a stable connection between the ASA and the TFTP server to avoid packet loss.

Step 1 If you are managing the Firepower Threat Defense device from the Firepower Management Center, delete the device from the Management Center.

Step 2 If you are managing the Firepower Threat Defense device using Firepower Device Manager, be sure to unregister the device from the Smart Software Licensing server, either from the Firepower Device Manager or from the Smart Software Licensing server.

Step 3 Download the ASA image (see Download Software, on page 2) to a TFTP server accessible by the Firepower Threat Defense device on the Management interface.

For the ASA 5506-X, 5508-X, 5516-X, ISA 3000: You must use the Management 1/1 port to download the image. For the other models, you can use any interface.

Step 4 At the console port, reboot the Firepower Threat Defense device.

Example:

> reboot
This command will reboot the system. Continue?
Please enter 'YES' or 'NO': yes

Enter yes to reboot.

Step 5 Press Esc during the bootup when prompted to reach the ROMMON prompt. Pay close attention to the monitor.


Example:

[...]
Booting from ROMMON

Cisco Systems ROMMON Version (2.1(9)8) #1: Wed Oct 26 17:14:40 PDT 2011

Platform ASA 5555-X with SW, 8 GE Data, 1 GE Mgmt

Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Boot in 7 seconds.

Press Esc at this point.

If you see the following message, then you waited too long, and must reboot the Firepower Threat Defense device again after it finishes booting:

Launching BootLoader...
Boot configuration file contains 2 entries.
[...]

Step 6 Erase all disk(s) on the Firepower Threat Defense device. The internal flash is called disk0. If you have an external USB drive, it is disk1.

Example:

rommon #0> erase disk0:

About to erase the selected device, this will erase
all files including configuration, and images.
Continue with erase? y/n [n]: y

Erasing Disk0:.......................[...]

This step erases Firepower Threat Defense files so that the ASA does not try to load an incorrect configuration file, which causes numerous errors.

Step 7 Set the network settings, and load the ASA image using the following ROMMON commands.

interface interface_id
address management_ip_address
server tftp_ip_address
gateway gateway_ip_address
file path/filename
set
sync
tftpdnld

The ASA image downloads and boots up to the CLI.

See the following information:


• interface—(ASA 5512-X, 5515-X, 5525-X, 5545-X, and 5555-X only) Specifies the interface ID. Other models always use the Management 1/1 interface.

• gateway—Sets the gateway address to be the same as the server IP address if they’re on the same network.

• set—Shows the network settings. You can also use the ping command to verify connectivity to the server.

• sync—Saves the network settings.

• tftpdnld—Loads the boot image.

Example for the ASA 5555-X:

rommon #2> interface gigabitethernet0/0
rommon #3> address 10.86.118.4
rommon #4> server 10.86.118.21
rommon #5> gateway 10.86.118.21
rommon #6> file asalatest-smp-k8.bin
rommon #7> set
ROMMON Variable Settings:
  ADDRESS=10.86.118.3
  SERVER=10.86.118.21
  GATEWAY=10.86.118.21
  PORT=GigabitEthernet0/0
  VLAN=untagged
  IMAGE=asalatest-smp-k8.bin
  CONFIG=
  LINKTIMEOUT=20
  PKTTIMEOUT=4
  RETRY=20

rommon #8> sync

Updating NVRAM Parameters...

rommon #9> tftpdnld

Example for the ASA 5506-X:

rommon #2> address 10.86.118.4
rommon #3> server 10.86.118.21
rommon #4> gateway 10.86.118.21
rommon #5> file asalatest-lfbff-k8.SPA
rommon #6> set
ROMMON Variable Settings:
  ADDRESS=10.86.118.3
  SERVER=10.86.118.21
  GATEWAY=10.86.118.21
  VLAN=untagged
  IMAGE=asalatest-lfbff-k8.SPA
  CONFIG=
  LINKTIMEOUT=20
  PKTTIMEOUT=4
  RETRY=20

rommon #7> sync

Updating NVRAM Parameters...

rommon #8> tftpdnld
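The ROMMON command sequence is the same for both reimage directions (Step 5 of Reimage from ASA to Firepower Threat Defense, and Step 7 here); only the interface command and the image format differ by model. The following Python is an added example, not from the Cisco guide: it builds the sequence, applies the guide's gateway rule, and rejects an image name whose format does not match the model. The netmask argument is this example's assumption, used only to decide whether the TFTP server is on the device's own network.

```python
"""Build and sanity-check the ROMMON TFTP command sequence from the reimage guide."""
import ipaddress

# Models that take an explicit 'interface' command in ROMMON (guide, Step 5 / Step 7).
INTERFACE_MODELS = {"ASA 5512-X", "ASA 5515-X", "ASA 5525-X", "ASA 5545-X", "ASA 5555-X"}
# Models that always use Management 1/1 and take lfbff-format images (guide, Tables 1 and 2).
MGMT11_MODELS = {"ASA 5506-X", "ASA 5506W-X", "ASA 5506H-X", "ASA 5508-X", "ASA 5516-X", "ISA 3000"}


def expected_suffixes(model):
    """Image name endings the guide's download tables give for each model family."""
    if model in MGMT11_MODELS:
        return (".lfbff", "-lfbff-k8.SPA")    # ftd-boot-x.y.z.lfbff / asaNNN-lfbff-k8.SPA
    if model in INTERFACE_MODELS:
        return (".cdisk", "-smp-k8.bin")      # ftd-boot-x.y.z.cdisk / asaNNN-smp-k8.bin
    raise ValueError(f"{model} is not covered by the ASA 5500-X / ISA 3000 procedure")


def rommon_tftp_plan(model, address, server, image, netmask="255.255.252.0",
                     gateway=None, interface="gigabitethernet0/0"):
    """Return the ROMMON commands, in order, that fetch 'image' over TFTP.

    netmask is an assumption of this example (ROMMON has no netmask setting in
    the guide); it only decides whether the TFTP server shares the device's
    network, in which case the guide says to set gateway = server address.
    """
    suffixes = expected_suffixes(model)
    if not image.endswith(suffixes):
        raise ValueError(f"{image!r} does not look like a {model} image (expected {suffixes})")
    local_net = ipaddress.ip_network(f"{address}/{netmask}", strict=False)
    if ipaddress.ip_address(server) in local_net:
        gateway = server
    elif gateway is None:
        raise ValueError("TFTP server is on another network: a gateway address is required")
    commands = []
    if model in INTERFACE_MODELS:
        commands.append(f"interface {interface}")   # other models always use Management 1/1
    commands += [
        f"address {address}",
        f"server {server}",
        f"gateway {gateway}",
        f"file {image}",
        "set",        # optional: review the settings (ping the server here if unsure)
        "sync",       # optional: save the settings to NVRAM
        "tftpdnld",   # download and boot the image
    ]
    return commands


if __name__ == "__main__":
    # Reproduces the guide's ASA 5555-X example (ASA -> Firepower Threat Defense boot image).
    for command in rommon_tftp_plan("ASA 5555-X", "10.86.118.4", "10.86.118.21", "ftd-boot-latest.cdisk"):
        print(command)
```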

Step 8 Configure network settings and prepare the disks.


When the ASA first boots up, it does not have any configuration on it. You can either follow the interactive prompts to configure the Management interface for ASDM access, or you can paste a saved configuration or, if you do not have a saved configuration, the recommended configuration (below).

If you do not have a saved configuration, we suggest pasting the recommended configuration if you are planning to use the ASA FirePOWER module. The ASA FirePOWER module is managed on the Management interface and needs to reach the internet for updates. The simple, recommended network deployment includes an inside switch that lets you connect Management (for FirePOWER management only), an inside interface (for ASA management and inside traffic), and your management PC to the same inside network. See the quick start guide for more information about the network deployment:

• http://www.cisco.com/go/asa5506x-quick

• http://www.cisco.com/go/asa5508x-quick

• http://www.cisco.com/go/asa5500x-quick

a) At the ASA console prompt, you are prompted to provide some configuration for the Management interface.

Pre-configure Firewall now through interactive prompts [yes]?

If you want to paste a configuration or create the recommended configuration for a simple network deployment, then enter no and continue with the procedure.

If you want to configure the Management interface so you can connect to ASDM, enter yes, and follow the prompts.

b) At the console prompt, access privileged EXEC mode.

enable

The following prompt appears:

Password:

c) Press Enter. By default, the password is blank.

d) Access global configuration mode.

configure terminal

e) If you did not use the interactive prompts, copy and paste your configuration at the prompt.

If you do not have a saved configuration, and you want to use the simple configuration described in the quick start guide, copy the following configuration at the prompt, changing the IP addresses and interface IDs as appropriate. If you did use the prompts, but want to use this configuration instead, clear the configuration first with the clear configure all command.

interface gigabitethernetn/n
nameif outside
ip address dhcp setroute
no shutdown

interface gigabitethernetn/n
nameif inside
ip address ip_address netmask
security-level 100
no shutdown

interface managementn/n
no shutdown


object network obj_any
subnet 0 0
nat (any,outside) dynamic interface

http server enable
http inside_network netmask inside
dhcpd address inside_ip_address_start-inside_ip_address_end inside
dhcpd auto_config outside
dhcpd enable inside
logging asdm informational

For the ASA 5506W-X, add the following for the wifi interface:

same-security-traffic permit inter-interface
interface GigabitEthernet 1/9
security-level 100
nameif wifi
ip address ip_address netmask
no shutdown
http wifi_network netmask wifi
dhcpd address wifi_ip_address_start-wifi_ip_address_end wifi
dhcpd enable wifi

f) Reformat the disks:

format disk0:

format disk1:

The internal flash is called disk0. If you have an external USB drive, it is disk1. If you do not reformat the disks, then when you try to copy the ASA image, you see the following error:

%Error copying ftp://10.86.89.125/asa971-smp-k8.bin (Not enough space on device)

g) Save the new configuration:

write memory
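The recommended configuration in Step 8e is a template with placeholders. The following Python is an added example, not from the Cisco guide: it fills in the placeholders, including the ASA 5506W-X wifi block, and refuses a DHCP pool that lies outside the inside interface's subnet or overlaps the interface's own address. The default interface IDs and the wifi parameter layout are this example's assumptions.

```python
"""Render the guide's recommended initial ASA configuration with basic sanity checks."""
import ipaddress


def validate_pool(network, interface_ip, pool_start, pool_end):
    """Reject a DHCP pool that leaves the interface's subnet, is reversed, or would
    hand out the interface's own address or the network/broadcast address."""
    start, end = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    if start not in network or end not in network:
        raise ValueError(f"pool {pool_start}-{pool_end} is not inside {network}")
    if start > end:
        raise ValueError("pool start is after pool end")
    reserved = (ipaddress.ip_address(interface_ip), network.network_address, network.broadcast_address)
    for addr in reserved:
        if start <= addr <= end:
            raise ValueError(f"pool {pool_start}-{pool_end} includes reserved address {addr}")


def recommended_config(model, inside_ip, inside_mask, pool_start, pool_end,
                       outside_if="gigabitethernet1/1", inside_if="gigabitethernet1/2",
                       mgmt_if="management1/1", wifi=None):
    """Return the recommended configuration (guide, Step 8e) as one string.

    Interface IDs default to assumed values; change them to match your unit.
    wifi (ASA 5506W-X only) is a dict with ip, mask, pool_start and pool_end keys
    for the GigabitEthernet 1/9 wifi interface.
    """
    inside_net = ipaddress.ip_network(f"{inside_ip}/{inside_mask}", strict=False)
    validate_pool(inside_net, inside_ip, pool_start, pool_end)
    lines = [
        f"interface {outside_if}", "nameif outside", "ip address dhcp setroute", "no shutdown", "",
        f"interface {inside_if}", "nameif inside", f"ip address {inside_ip} {inside_mask}",
        "security-level 100", "no shutdown", "",
        f"interface {mgmt_if}", "no shutdown", "",
        "object network obj_any", "subnet 0 0", "nat (any,outside) dynamic interface", "",
        "http server enable",
        f"http {inside_net.network_address} {inside_net.netmask} inside",
        f"dhcpd address {pool_start}-{pool_end} inside",
        "dhcpd auto_config outside", "dhcpd enable inside", "logging asdm informational",
    ]
    if wifi is not None:
        if model != "ASA 5506W-X":
            raise ValueError("the wifi interface block applies to the ASA 5506W-X only")
        wifi_net = ipaddress.ip_network(f"{wifi['ip']}/{wifi['mask']}", strict=False)
        validate_pool(wifi_net, wifi["ip"], wifi["pool_start"], wifi["pool_end"])
        lines += [
            "", "same-security-traffic permit inter-interface",
            "interface GigabitEthernet 1/9", "security-level 100", "nameif wifi",
            f"ip address {wifi['ip']} {wifi['mask']}", "no shutdown",
            f"http {wifi_net.network_address} {wifi_net.netmask} wifi",
            f"dhcpd address {wifi['pool_start']}-{wifi['pool_end']} wifi",
            "dhcpd enable wifi",
        ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample values; paste the result at the ASA configuration prompt.
    print(recommended_config("ASA 5508-X", "192.168.1.1", "255.255.255.0",
                             "192.168.1.5", "192.168.1.254"))
```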

Step 9 Install the ASA and ASDM images.

Booting the ASA from ROMMON mode does not preserve the system image across reloads; you must still download the image to flash memory. You also need to download ASDM to flash memory.

a) Download the ASA and ASDM images (see Download Software, on page 2) to a server accessible by the ASA. The ASA supports many server types. See the copy command for more information: http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/A-H/cmdref1/c4.html#pgfId-2171368.

b) Copy the ASA image to the ASA flash memory. This step shows an FTP copy.

copy ftp://user:password@server_ip/asa_file disk0:asa_file

Example:

ciscoasa# copy ftp://admin:[email protected]/asa961-smp-k8.bin disk0:asa961-smp-k8.bin

c) Copy the ASDM image to the ASA flash memory. This step shows an FTP copy.

copy ftp://user:password@server_ip/asdm_file disk0:asdm_file


Example:

ciscoasa# copy ftp://admin:[email protected]/asdm-761.bin disk0:asdm-761.bin

d) Reload the ASA:

reload

The ASA reloads using the image in disk0.

Step 10 (Optional) Install the ASA FirePOWER module software.

You need to install the ASA FirePOWER boot image, partition the SSD, and install the system software according to this procedure.

a) Copy the boot image to the ASA. Do not transfer the system software; it is downloaded later to the SSD. This step shows an FTP copy.

copy ftp://user:password@server_ip/firepower_boot_file disk0:firepower_boot_file

Example:

ciscoasa# copy ftp://admin:[email protected]/asasfr-5500x-boot-6.0.1.img disk0:/asasfr-5500x-boot-6.0.1.img

b) Download the ASA FirePOWER services system software install package from Cisco.com to an HTTP, HTTPS, or FTP server accessible from the Management interface. Do not download it to disk0 on the ASA.

c) Set the ASA FirePOWER module boot image location in ASA disk0:

sw-module module sfr recover configure image disk0:file_path

Example:

ciscoasa# sw-module module sfr recover configure image disk0:asasfr-5500x-boot-6.0.1.img

d) Load the ASA FirePOWER boot image:

sw-module module sfr recover boot

Example:

ciscoasa# sw-module module sfr recover boot

Module sfr will be recovered. This may erase all configuration and all data
on that device and attempt to download/install a new image for it. This may take
several minutes.

Recover module sfr? [confirm] y
Recover issued for module sfr.

e) Wait a few minutes for the ASA FirePOWER module to boot up, and then open a console session to the now-running ASA FirePOWER boot image. You might need to press Enter after opening the session to get to the login prompt. The default username is admin and the default password is Admin123.

Example:

ciscoasa# session sfr console
Opening console session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.


asasfr login: admin
Password: Admin123

If the module boot has not completed, the session command will fail with a message about not being able to connect over ttyS1. Wait and try again.

f) Configure the system so that you can install the system software install package.

setup

You are prompted for the following. Note that the management address and gateway, and DNS information, are the key settings to configure.

• Host name—Up to 65 alphanumeric characters, no spaces. Hyphens are allowed.

• Network address—You can set static IPv4 or IPv6 addresses, or use DHCP (for IPv4) or IPv6 stateless autoconfiguration.

• DNS information—You must identify at least one DNS server, and you can also set the domain name and search domain.

• NTP information—You can enable NTP and configure the NTP servers, for setting system time.

Example:

asasfr-boot> setup

Welcome to Cisco FirePOWER Services Setup
[hit Ctrl-C to abort]

Default values are inside []

g) Install the system software install package:

system install [noconfirm] url

Include the noconfirm option if you do not want to respond to confirmation messages. Use an HTTP, HTTPS, or FTP URL; if a username and password are required, you will be prompted to supply them. This file is large and can take a long time to download, depending on your network.

When installation is complete, the system reboots. The time required for application component installation and for the ASA FirePOWER services to start differs substantially: high-end platforms can take 10 or more minutes, but low-end platforms can take 60-80 minutes or longer. (The show module sfr output should show all processes as Up.)

Example:

asasfr-boot> system install http://admin:[email protected]/packages/asasfr-sys-6.0.1-58.pkg
Verifying
Downloading
Extracting
Package Detail
Description: Cisco ASA-FirePOWER 6.0.1-58 System Install
Requires reboot: Yes

Do you want to continue with upgrade? [y]: y
Warning: Please do not interrupt the process or turn off the system.
Doing so might leave system in unusable state.

Upgrading
Starting upgrade process ...
Populating new system image


Reboot is required to complete the upgrade. Press 'Enter' to reboot the system. [type Enter]
Broadcast message from root (ttyS1) (Mon Feb 17 19:28:38 2016):

The system is going down for reboot NOW!
Console session with module sfr terminated.

h) If you need to install a patch release, you can do so later from your manager: ASDM or the Firepower Management Center.

Step 11 Obtain a Strong Encryption license and other licenses for an existing ASA for which you did not save the activation key: see http://www.cisco.com/go/license. In the Manage > Licenses section you can re-download your licenses.

To use ASDM (and many other features), you need to install the Strong Encryption (3DES/AES) license. If you saved your license activation key from this ASA before you previously reimaged to the Firepower Threat Defense device, you can re-install the activation key. If you did not save the activation key but own licenses for this ASA, you can re-download the license. For a new ASA, you will need to request new ASA licenses.

Step 12 Obtain licenses for a new ASA.

a) Obtain the serial number for your ASA by entering the following command:

show version | grep Serial

This serial number is different from the chassis serial number printed on the outside of your hardware. The chassis serial number is used for technical support, but not for licensing.

b) See http://www.cisco.com/go/license, and click Get Other Licenses.

Figure 1: Get Other Licenses


c) Choose IPS, Crypto, Other.

Figure 2: IPS, Crypto, Other

d) In the Search by Keyword field, enter asa, and select Cisco ASA 3DES/AES License.

Figure 3: Cisco ASA 3DES/AES License

e) Select your Smart Account, Virtual Account, enter the ASA Serial Number, and click Next.

Figure 4: Smart Account, Virtual Account, and Serial Number


f) Your Send To email address and End User name are auto-filled; enter additional email addresses if needed. Check the I Agree check box, and click Submit.

Figure 5: Submit

g) You will then receive an email with the activation key, but you can also download the key right away from the Manage > Licenses area.

h) If you want to upgrade from the Base license to the Security Plus license, or purchase an AnyConnect license, see http://www.cisco.com/go/ccw. After you purchase a license, you will receive an email with a Product Authorization Key (PAK) that you can enter on http://www.cisco.com/go/license. For the AnyConnect licenses, you receive a multi-use PAK that you can apply to multiple ASAs that use the same pool of user sessions. The resulting activation key includes all features you have registered so far for permanent licenses, including the 3DES/AES license. For time-based licenses, each license has a separate activation key.

Step 13 Apply the activation key.

activation-key key

Example:

ciscoasa(config)# activation-key 7c1aff4f e4d7db95 d5e191a4 d5b43c08 0d29c996
Validating activation key. This may take a few minutes...
Failed to retrieve permanent activation key.
Both Running and Flash permanent activation key was updated with the requested key.

Because this ASA did not yet have an activation key installed, you see the “Failed to retrieve permanent activation key.”message. You can ignore this message.

You can only install one permanent key, and multiple time-based keys. If you enter a new permanent key, it overwrites the already installed one. If you ordered additional licenses after you installed the 3DES/AES license, the combined activation key includes all licenses plus the 3DES/AES license, so you can overwrite the 3DES/AES-only key.

Step 14 The ASA FirePOWER module uses a separate licensing mechanism from the ASA. No licenses are pre-installed, but depending on your order, the box might include a PAK on a printout that lets you obtain a license activation key for the following licenses:


• Control and Protection. Control is also known as “Application Visibility and Control (AVC)” or “Apps”. Protection is also known as “IPS”. In addition to the activation key for these licenses, you also need “right-to-use” subscriptions for automated updates for these features.

The Control (AVC) updates are included with a Cisco support contract.

The Protection (IPS) updates require you to purchase the IPS subscription from http://www.cisco.com/go/ccw. This subscription includes entitlement to Rule, Engine, Vulnerability, and Geolocation updates. Note: This right-to-use subscription does not generate or require a PAK/license activation key for the ASA FirePOWER module; it just provides the right to use the updates.

If you did not buy an ASA 5500-X that included the ASA FirePOWER services, then you can purchase an upgrade bundle to obtain the necessary licenses. See the Cisco ASA with FirePOWER Services Ordering Guide for more information.

Other licenses that you can purchase include the following:

• Advanced Malware Protection (AMP)

• URL Filtering

These licenses do generate a PAK/license activation key for the ASA FirePOWER module. See the Cisco ASA with FirePOWER Services Ordering Guide for ordering information. See also the Cisco Firepower System Feature Licenses.

To install the Control and Protection licenses and other optional licenses, see the ASA quick start guide for your model.

Reimage the Firepower 2100 Series

The Firepower 2100 series supports either Firepower Threat Defense or ASA software.

• Download Software, on page 19

• Reimage from ASA to Firepower Threat Defense, on page 20

• Reimage from Firepower Threat Defense to ASA, on page 25

Download Software

Obtain Firepower Threat Defense software or ASA software. The procedures in this document require you to put software on a TFTP server for the initial download. Other images can be downloaded from other server types, such as HTTP or FTP. For the exact software package and server type, see the procedures.

TFTP provides no authentication and no transport protection, so stage the package only on a server reachable from the Management 1/1 network, and compare the file's checksum with the value published on the Cisco download page before you boot from it.

Note: A Cisco.com login and Cisco service contract are required.


Table 3: Firepower Threat Defense Software

Firepower Threat Defense Model: Firepower 2100 series
Packages: Firepower Threat Defense package. The package has a filename like cisco-ftd-fp2k.6.2.2.SPA.
Download Location: See https://www.cisco.com/go/ftd-software. Choose your model > Firepower Threat Defense Software > version.

Table 4: ASA Software

ASA Model: Firepower 2100 series
Packages: ASA package. The package has a filename like cisco-asa-fp2k.9.8.2.SPA. This package includes ASA, ASDM, FXOS, and the Firepower Chassis Manager.
Download Location: See https://www.cisco.com/go/asa-firepower-sw. Choose your model > Adaptive Security Appliance (ASA) Software > version.

Packages: ASDM software (upgrade). The ASDM software file has a filename like asdm-782.bin.
Download Location: To upgrade to a later version of ASDM using your current ASDM or the ASA CLI, choose your model > Adaptive Security Appliance (ASA) Device Manager > version.

Reimage from ASA to Firepower Threat Defense

To reimage the ASA on the Firepower 2100 to Firepower Threat Defense software, you must access the ROMMON prompt. In ROMMON, you must erase the disks, and then use TFTP on the Management 1/1 interface to load FXOS from the Firepower Threat Defense package; only TFTP is supported. After initially booting FXOS, you then configure network settings, download the Firepower Threat Defense package (from a server of your choice), and then reboot again.

Step 1 Unregister the ASA from the Smart Software Licensing server, either from the ASA CLI/ASDM or from the Smart Software Licensing server.

Step 2 Download the Firepower Threat Defense image (see Download Software, on page 19) to a TFTP server accessible by the ASA on the Management 1/1 interface.

Step 3 At the console port, log in to FXOS as admin, and reformat the system.

connect local-mgmt

format everything

Example:

firepower-2110# connect local-mgmt
firepower-2110(local-mgmt)# format everything
All configuration and bootable images will be lost.
Do you still want to format? (yes/no):yes

Enter yes, and the Firepower 2100 reboots.

Step 4 Press Esc during the bootup when prompted to reach the ROMMON prompt. Pay close attention to the monitor.

Example:

*******************************************************************************
Cisco System ROMMON, Version 1.0.03, RELEASE SOFTWARE
Copyright (c) 1994-2017 by Cisco Systems, Inc.
Compiled Thu 04/06/2017 12:16:16.21 by builder
*******************************************************************************

Current image running: Boot ROM0
Last reset cause: ResetRequest
DIMM_1/1 : Present
DIMM_2/1 : Present

Platform FPR-2130 with 32768 MBytes of main memory
BIOS has been successfully locked !!
MAC Address: 0c:75:bd:08:c9:80

Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.

Press Esc at this point. If you miss the interrupt prompt, the Firepower 2100 attempts to reboot 3 times; because there is no image on the device, only ROMMON is available.

Step 5 Set the network settings for Management 1/1, and load FXOS (part of the Firepower Threat Defense package) using the following ROMMON commands.

address management_ip_address

netmask subnet_mask

server tftp_ip_address

gateway gateway_ip_address

file path/filename

set

sync

tftp -b

The FXOS image downloads and boots up to the CLI.

See the following information:

• gateway—Set the gateway address to be the same as the server IP address if they’re on the same network.

• set—Shows the network settings. You can also use the ping command to verify connectivity to the server.

• sync—Saves the network settings.

• tftp -b—Loads FXOS.


Example:

rommon 1> address 10.86.118.4
rommon 2> netmask 255.255.252.0
rommon 3> server 10.86.118.21
rommon 4> gateway 10.86.118.21
rommon 5> file cisco-ftd-fp2k.6.2.2.SPA
rommon 6> set
ROMMON Variable Settings:
ADDRESS=10.86.118.4
NETMASK=255.255.252.0
GATEWAY=10.86.118.21
SERVER=10.86.118.21
IMAGE=cisco-ftd-fp2k.6.2.2.SPA
CONFIG=
PS1="rommon ! > "

rommon 7> sync
rommon 8> tftp -b
Enable boot bundle: tftp_reqsize = 268435456

ADDRESS: 10.86.118.4
NETMASK: 255.255.252.0
GATEWAY: 10.86.118.21
SERVER: 10.86.118.21
IMAGE: cisco-ftd-fp2k.6.2.2.SPA

MACADDR: d4:2c:44:0c:26:00
VERBOSITY: Progress

RETRY: 40
PKTTIMEOUT: 7200

BLKSIZE: 1460
CHECKSUM: Yes

PORT: GbE/1
PHYMODE: Auto Detect

link up
Receiving cisco-ftd-fp2k.6.2.2.SPA from 10.86.118.21
!!!!!!!!
[…]

Step 6 Log in to FXOS using the default username: admin and password: Admin123.

After the device boots up into FXOS, the Management IP address that you set in ROMMON is erased and set to the default: 192.168.45.45. You will need to set the correct IP address and other related settings for your network in FXOS before you can download the Firepower Threat Defense package from the server.

Step 7 Disable the DHCP server.

scope system

scope services

disable dhcp-server

commit-buffer

Before you can change the management IP address, you must disable the DHCP server.

Example:

firepower-2110# scope system
firepower-2110 /system # scope services
firepower-2110 /system/services # disable dhcp-server
firepower-2110 /system/services* # commit-buffer

Step 8 Configure an IPv4 management IP address, and optionally the gateway.


scope fabric-interconnect a

set out-of-band static ip ip_address netmask network_mask gw gateway_ip_address

commit-buffer

To keep the currently-set gateway (by default 0.0.0.0, which represents the Firepower Threat Defense data interfaces), omit the gw keyword. If your download server is not on the local Management 1/1 network, then change the gateway IP address; the Firepower Threat Defense data interfaces do not exist yet, so you cannot reach any remote servers with the default setting.

Example:

firepower-2110# scope fabric-interconnect a
firepower-2110 /fabric-interconnect # set out-of-band static ip 10.86.118.4 netmask 255.255.255.0
Warning: When committed, this change may disconnect the current CLI session
firepower-2110 /fabric-interconnect* # commit-buffer
firepower-2110 /fabric-interconnect #

Step 9 Download and boot the Firepower Threat Defense package.

a) Download the package.

scope firmware

download image url

show download-task

You can download the package from the same TFTP server you used earlier, or another server reachable on Management 1/1.

Example:

firepower-2110# scope firmware
firepower-2110 /firmware # download image tftp://10.86.118.21/cisco-ftd-fp2k.6.2.2.SPA
Please use the command 'show download-task' or 'show download-task detail' to check download progress.
firepower-2110 /firmware # show download-task
Download task:
    File Name                  Protocol  Server           Port  Userid  State
    ---------                  --------  ---------------  ----  ------  -----
    cisco-ftd-fp2k.6.2.2.SPA   Tftp      10.86.118.21     0             Downloaded

b) When the package finishes downloading (Downloaded state), boot the package.

show package

scope auto-install

install security-pack version version

In the show package output, copy the Package-Vers value for the security-pack version number. The chassis installs the Firepower Threat Defense image and reboots.

Example:

firepower-2110 /firmware # show package
Name                                          Package-Vers
--------------------------------------------- ------------
cisco-ftd-fp2k.6.2.2.SPA                      6.2.2
firepower-2110 /firmware # scope auto-install
firepower-2110 /firmware/auto-install # install security-pack version 6.2.2
The system is currently installed with security software package not set, which has:
- The platform version: not set
If you proceed with the upgrade 6.2.2, it will do the following:
- upgrade to the new platform version 2.2.2.52
- install with CSP ftd version 6.2.2
During the upgrade, the system will be reboot

Do you want to proceed ? (yes/no):yes

This operation upgrades firmware and software on Security Platform Components
Here is the checklist of things that are recommended before starting Auto-Install
(1) Review current critical/major faults
(2) Initiate a configuration backup

Attention:
If you proceed the system will be re-imaged. All existing configuration will be lost,
and the default configuration applied.

Do you want to proceed? (yes/no):yes

Triggered the install of software package version 6.2.2
Install started. This will take several minutes.
For monitoring the upgrade progress, please enter 'show' or 'show detail' command.

Step 10 Wait for the chassis to finish rebooting (5-10 minutes), and log in to FXOS using the default username: admin and password: Admin123.

Although FXOS is up, you still need to wait for the Firepower Threat Defense to come up (30 minutes). Wait until you see the following messages:

[…]
User enable_1 logged in to firepower
Logins over the last 1 days: 1.
Failed logins since the last login: 0.
Type help or '?' for a list of available commands.
firepower> Aug 26 01:31:48 firepower port-manager: Alert: Ethernet1/2 link changed to DOWN
Aug 26 01:31:48 firepower port-manager: Alert: Ethernet1/1 link changed to DOWN

firepower#

After the rest of the Firepower Threat Defense startup messages show, you can return to the FXOS prompt.

Step 11 Connect to the Firepower Threat Defense CLI.

connect ftd

Step 12 You are prompted to accept the EULA; press Enter, and then the Space bar at the More prompt until you see:

Please enter 'YES' or press <ENTER> to AGREE to the EULA:

Enter yes.

Step 13 You are prompted to change the password and perform the initial setup. See the Firepower Device Manager or Firepower Management Center quick start guide to configure your system.


Reimage from Firepower Threat Defense to ASA

To reimage the Firepower Threat Defense on the Firepower 2100 to ASA software, you must access the ROMMON prompt. In ROMMON, you must erase the disks, and then use TFTP on the Management 1/1 interface to load FXOS from the ASA package; only TFTP is supported. After initially booting FXOS, you then configure network settings, download the ASA package (from a server of your choice), and then reboot again.

Step 1 If you are managing the Firepower Threat Defense device from the Firepower Management Center, delete the device from the Management Center.

Step 2 If you are managing the Firepower Threat Defense device using Firepower Device Manager, be sure to unregister the device from the Smart Software Licensing server, either from the Firepower Device Manager or from the Smart Software Licensing server.

Step 3 Download the ASA image (see Download Software, on page 19) to a TFTP server accessible by the Firepower Threat Defense device on the Management 1/1 interface.

Step 4 At the console port, log in to FXOS as admin, and reformat the system.

connect local-mgmt

format everything

Example:

firepower-2110# connect local-mgmt
firepower-2110(local-mgmt)# format everything
All configuration and bootable images will be lost.
Do you still want to format? (yes/no):yes

Enter yes, and the Firepower 2100 reboots.

Step 5 Press Esc during the bootup when prompted to reach the ROMMON prompt. Pay close attention to the monitor.

Example:

*******************************************************************************
Cisco System ROMMON, Version 1.0.03, RELEASE SOFTWARE
Copyright (c) 1994-2017 by Cisco Systems, Inc.
Compiled Thu 04/06/2017 12:16:16.21 by builder
*******************************************************************************

Current image running: Boot ROM0
Last reset cause: ResetRequest
DIMM_1/1 : Present
DIMM_2/1 : Present

Platform FPR-2130 with 32768 MBytes of main memory
BIOS has been successfully locked !!
MAC Address: 0c:75:bd:08:c9:80

Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.

Press Esc at this point. If you miss the interrupt prompt, the Firepower 2100 attempts to reboot 3 times; because there is no image on the device, only ROMMON is available.

Step 6 Set the network settings for Management 1/1, and load FXOS (part of the ASA package) using the following ROMMON commands.


address management_ip_address

netmask subnet_mask

server tftp_ip_address

gateway gateway_ip_address

file path/filename

set

sync

tftp -b

The FXOS image downloads and boots up to the CLI.

See the following information:

• gateway—Sets the gateway address to be the same as the server IP address if they’re on the same network.

• set—Shows the network settings. You can also use the ping command to verify connectivity to the server.

• sync—Saves the network settings.

• tftp -b—Loads FXOS.
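The following Python script is an added example; it is not part of the Cisco guide. It applies to the ROMMON commands in Step 5 of the ASA-to-Firepower-Threat-Defense procedure and Step 6 of this procedure: it validates the address, netmask, server, gateway, and file values against the gateway rule above (gateway equals the server address when the server is on the Management 1/1 subnet; otherwise the gateway must be a router on that subnet), emits the command sequence, and checks the echo that the set command prints before you run sync and tftp -b. Booting the wrong package reimages the chassis to the other product, so the IMAGE check matters. The set output embedded below is a constructed sample in the format the guide shows; the package-name pattern is an assumption based on the two filenames the guide lists.

```python
"""Plan and verify ROMMON TFTP boot parameters for Firepower 2100 Management 1/1.

Added example, not from the Cisco guide. Standard library only.
"""
import ipaddress
import re

# Assumed package-name pattern, based on the filenames the guide shows
# (cisco-ftd-fp2k.6.2.2.SPA and cisco-asa-fp2k.9.8.2.SPA).
_IMAGE_RE = re.compile(r"^cisco-(?P<product>ftd|asa)-fp2k\.[\w.-]+\.SPA$")

ROMMON_KEYS = ("ADDRESS", "NETMASK", "SERVER", "GATEWAY", "IMAGE")


def plan_rommon_boot(address, netmask, server, gateway, image):
    """Return the ROMMON command list, or raise ValueError on a bad combination."""
    iface = ipaddress.IPv4Interface(f"{address}/{netmask}")
    net = iface.network
    srv = ipaddress.IPv4Address(server)
    gw = ipaddress.IPv4Address(gateway)
    if iface.ip in (net.network_address, net.broadcast_address):
        raise ValueError(f"{iface.ip} is the network or broadcast address of {net}")
    if gw not in net:
        # ROMMON can only ARP for a next hop on its own subnet.
        raise ValueError(f"gateway {gw} is not on the Management 1/1 subnet {net}")
    if srv in net and gw != srv:
        # The guide's rule: a local TFTP server is its own gateway.
        raise ValueError(f"server {srv} is on {net}; set gateway to the server address")
    if not _IMAGE_RE.match(image):
        raise ValueError(f"{image!r} does not look like a Firepower 2100 ASA/FTD package")
    return [
        f"address {iface.ip}",
        f"netmask {net.netmask}",
        f"server {srv}",
        f"gateway {gw}",
        f"file {image}",
        "set",
        "sync",
        "tftp -b",
    ]


def parse_rommon_set(output):
    """Parse the KEY=VALUE lines that the ROMMON 'set' command prints."""
    settings = {}
    for line in output.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.isupper():          # skips the 'ROMMON Variable Settings:' banner
            settings[key] = value.strip().strip('"')
    return settings


def verify_rommon_settings(set_output, address, netmask, server, gateway, image):
    """Return a list of mismatches between the 'set' echo and the intended values."""
    expected = dict(zip(ROMMON_KEYS, (address, netmask, server, gateway, image)))
    actual = parse_rommon_set(set_output)
    return [f"{key}: expected {want}, got {actual.get(key, '<unset>')}"
            for key, want in expected.items() if actual.get(key) != want]


# Constructed sample: the operator intended the FTD package but the IMAGE
# variable still names the ASA package (for example, a typo in 'file').
SAMPLE_SET_OUTPUT = """\
ROMMON Variable Settings:
ADDRESS=10.86.118.4
NETMASK=255.255.252.0
GATEWAY=10.86.118.21
SERVER=10.86.118.21
IMAGE=cisco-asa-fp2k.9.8.2.SPA
CONFIG=
PS1="rommon ! > "
"""

if __name__ == "__main__":
    params = ("10.86.118.4", "255.255.252.0", "10.86.118.21", "10.86.118.21",
              "cisco-ftd-fp2k.6.2.2.SPA")
    print("\n".join(plan_rommon_boot(*params)))
    for problem in verify_rommon_settings(SAMPLE_SET_OUTPUT, *params):
        print("MISMATCH:", problem)   # prints the IMAGE mismatch for the sample above
```

Run it with your own values before you sit down at the console, paste the printed commands one at a time, and paste the set output back into verify_rommon_settings; a non-empty result means stop and correct the variable rather than continuing to tftp -b.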

Example:

rommon 1> address 10.86.118.4
rommon 2> netmask 255.255.252.0
rommon 3> server 10.86.118.21
rommon 4> gateway 10.86.118.21
rommon 5> file cisco-asa-fp2k.9.8.2.SPA
rommon 6> set
ROMMON Variable Settings:
ADDRESS=10.86.118.4
NETMASK=255.255.252.0
GATEWAY=10.86.118.21
SERVER=10.86.118.21
IMAGE=cisco-asa-fp2k.9.8.2.SPA
CONFIG=
PS1="rommon ! > "

rommon 7> sync
rommon 8> tftp -b
Enable boot bundle: tftp_reqsize = 268435456

ADDRESS: 10.86.118.4
NETMASK: 255.255.252.0
GATEWAY: 10.86.118.21
SERVER: 10.86.118.21
IMAGE: cisco-asa-fp2k.9.8.2.SPA

MACADDR: d4:2c:44:0c:26:00
VERBOSITY: Progress

RETRY: 40
PKTTIMEOUT: 7200

BLKSIZE: 1460
CHECKSUM: Yes

PORT: GbE/1
PHYMODE: Auto Detect

link up
Receiving cisco-asa-fp2k.9.8.2.SPA from 10.86.118.21
!!!!!!!!
[…]

Step 7 Log in to FXOS using the default username: admin and password: Admin123.

After the device boots up into FXOS, the Management IP address that you set in ROMMON is erased and set to the default: 192.168.45.45. You will need to set the correct IP address and other related settings for your network in FXOS before you can download the ASA package from the server.

Step 8 Disable the DHCP server.

scope system

scope services

disable dhcp-server

commit-buffer

Before you can change the management IP address, you must disable the DHCP server. You can reenable DHCP using new client IP addresses after you change the management IP address.

Example:

firepower-2110# scope system
firepower-2110 /system # scope services
firepower-2110 /system/services # disable dhcp-server
firepower-2110 /system/services* # commit-buffer

Step 9 Configure an IPv4 management IP address, and optionally the gateway.

scope fabric-interconnect a

set out-of-band static ip ip_address netmask network_mask gw gateway_ip_address

To keep the currently-set gateway (by default 0.0.0.0, which represents the ASA data interfaces), omit the gw keyword. If your download server is not on the local Management 1/1 network, then change the gateway IP address; the ASA data interfaces do not exist yet, so you cannot reach any remote servers with the default setting.

Example:

firepower-2110# scope fabric-interconnect a
firepower-2110 /fabric-interconnect # set out-of-band static ip 10.86.118.4 netmask 255.255.255.0
Warning: When committed, this change may disconnect the current CLI session
firepower-2110 /fabric-interconnect* #

Step 10 Delete and add new access lists for HTTPS, SSH, and SNMP to allow management connections from the new network.

a) Set the scope for system/services.

scope system

scope services

Example:

firepower-2110# scope system
firepower-2110 /system # scope services

b) View the current access lists.

show ip-block


Example:

firepower-2110 /system/services # show ip-block

Permitted IP Block:
IP Address      Prefix Length Protocol
--------------- ------------- --------
192.168.45.0    24            https
192.168.45.0    24            ssh

firepower-2110 /system/services #

c) Add new access lists.

For IPv4:

enter ip-block ip_address prefix [https | snmp | ssh]

For IPv6:

enter ipv6-block ipv6_address prefix [https | snmp | ssh]

For IPv4, enter 0.0.0.0 and a prefix of 0 to allow all networks. For IPv6, enter :: and a prefix of 0 to allow all networks. An all-networks entry exposes the FXOS HTTPS, SSH, and SNMP services to every address that can reach Management 1/1, so limit the entries to your actual management network. You can also add access lists in the Firepower Chassis Manager at Platform Settings > Access List.

Example:

firepower-2110 /system/services # enter ip-block 192.168.4.0 24 https
firepower-2110 /system/services/ip-block* # exit
firepower-2110 /system/services* # enter ip-block 192.168.4.0 24 ssh
firepower-2110 /system/services/ip-block* # exit
firepower-2110 /system/services* #

d) Delete the old access lists.

For IPv4:

delete ip-block ip_address prefix [https | snmp | ssh]

For IPv6:

delete ipv6-block ipv6_address prefix [https | snmp | ssh]

Example:

firepower-2110 /system/services # delete ip-block 192.168.45.0 24 https
firepower-2110 /system/services* # delete ip-block 192.168.45.0 24 ssh
firepower-2110 /system/services* #
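The following Python script is an added example, not part of the Cisco guide. It covers substeps b) through d) of Step 10: it parses the show ip-block table in the format shown above, keeps the same set of protocols that are currently permitted, and prints the enter/delete commands in the guide's order (add the new network first, then delete the old entries), followed by commit-buffer. It refuses a 0.0.0.0/0 or ::/0 entry unless you ask for it explicitly, because that opens FXOS management to every source address. The show ip-block text embedded below is a constructed sample; the script uses only the standard library.

```python
"""Generate the FXOS ip-block / ipv6-block changes for a new management network.

Added example, not from the Cisco guide. Standard library only.
"""
import ipaddress

FXOS_PROTOCOLS = {"https", "ssh", "snmp"}

# Constructed sample in the format of the guide's 'show ip-block' output.
SAMPLE_SHOW_IP_BLOCK = """\
firepower-2110 /system/services # show ip-block

Permitted IP Block:
IP Address      Prefix Length Protocol
--------------- ------------- --------
192.168.45.0    24            https
192.168.45.0    24            ssh

firepower-2110 /system/services #
"""


def parse_ip_block(output):
    """Return [(network, protocol), ...] parsed from 'show ip-block' text."""
    entries = []
    for line in output.splitlines():
        parts = line.split()
        # Data rows have exactly three fields ending in a known protocol;
        # the banner, header, ruler, blank lines and prompts do not.
        if len(parts) != 3 or parts[2] not in FXOS_PROTOCOLS:
            continue
        addr, prefix, proto = parts
        entries.append((ipaddress.ip_network(f"{addr}/{prefix}", strict=False), proto))
    return entries


def _block_keyword(net):
    return "ip-block" if net.version == 4 else "ipv6-block"


def migrate_ip_block(show_output, new_network, allow_any=False):
    """Return the FXOS CLI lines that move management access to new_network."""
    new_net = ipaddress.ip_network(new_network, strict=False)
    if new_net.prefixlen == 0 and not allow_any:
        raise ValueError("refusing to permit all networks; pass allow_any=True to override")
    current = parse_ip_block(show_output)
    if not current:
        raise ValueError("no ip-block entries parsed; check the 'show ip-block' output")
    protocols = sorted({proto for _, proto in current})   # same services as before
    cmds = ["scope system", "scope services"]
    for proto in protocols:                                 # add the new network first
        if (new_net, proto) in current:
            continue
        cmds += [f"enter {_block_keyword(new_net)} {new_net.network_address} "
                 f"{new_net.prefixlen} {proto}", "exit"]
    for net, proto in current:                              # then drop the old entries
        if net != new_net:
            cmds.append(f"delete {_block_keyword(net)} {net.network_address} "
                        f"{net.prefixlen} {proto}")
    cmds.append("commit-buffer")
    return cmds


if __name__ == "__main__":
    print("\n".join(migrate_ip_block(SAMPLE_SHOW_IP_BLOCK, "10.86.118.0/24")))
```

Paste the real show ip-block output into migrate_ip_block together with the management network you configured in Step 9; because the script only copies the protocols that are already permitted, it never silently adds snmp to a chassis that did not allow it before.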

Step 11 (Optional) Reenable the IPv4 DHCP server.

scope system

scope services

enable dhcp-server start_ip_address end_ip_address

Example:

firepower-2110# scope system
firepower-2110 /system # scope services
firepower-2110 /system/services # enable dhcp-server 10.86.118.10 10.86.118.20

Step 12 Save the configuration.

commit-buffer

Example:

firepower-2110 /system/services* # commit-buffer

Step 13 Download and boot the ASA package.

a) Download the package.

scope firmware

download image url

show download-task

You can download the package from the same TFTP server you used earlier, or another server reachable on Management 1/1.

Example:

firepower-2110# scope firmware
firepower-2110 /firmware # download image tftp://10.86.118.21/cisco-asa-fp2k.9.8.2.SPA
Please use the command 'show download-task' or 'show download-task detail' to check download progress.
firepower-2110 /firmware # show download-task
Download task:
    File Name                  Protocol  Server           Port  Userid  State
    ---------                  --------  ---------------  ----  ------  -----
    cisco-asa-fp2k.9.8.2.SPA   Tftp      10.86.118.21     0             Downloaded

b) When the package finishes downloading (Downloaded state), boot the package.

show package

scope auto-install

install security-pack version version

In the show package output, copy the Package-Vers value for the security-pack version number. The chassis installs the ASA image and reboots.

Example:

firepower-2110 /firmware # show package
Name                                          Package-Vers
--------------------------------------------- ------------
cisco-asa-fp2k.9.8.2.SPA                      9.8.2
firepower-2110 /firmware # scope auto-install
firepower-2110 /firmware/auto-install # install security-pack version 9.8.2
The system is currently installed with security software package not set, which has:
- The platform version: not set
If you proceed with the upgrade 9.8.2, it will do the following:
- upgrade to the new platform version 2.2.2.52
- install with CSP asa version 9.8.2
During the upgrade, the system will be reboot

Do you want to proceed ? (yes/no):yes

This operation upgrades firmware and software on Security Platform Components
Here is the checklist of things that are recommended before starting Auto-Install
(1) Review current critical/major faults
(2) Initiate a configuration backup

Attention:
If you proceed the system will be re-imaged. All existing configuration will be lost,
and the default configuration applied.

Do you want to proceed? (yes/no):yes

Triggered the install of software package version 9.8.2
Install started. This will take several minutes.
For monitoring the upgrade progress, please enter 'show' or 'show detail' command.

Step 14 Wait for the chassis to finish rebooting (5-10 minutes), and log in to FXOS using the default username: admin and password: Admin123. This default password is published, so change it as part of your initial configuration.

Although FXOS is up, you still need to wait for the ASA to come up (5 minutes). Wait until you see the following messages:

firepower-2110#
Cisco ASA: CMD=-install, CSP-ID=cisco-asa.9.8.2__asa_001_JAD20280BW90MEZR11, FLAG=''
Verifying signature for cisco-asa.9.8.2 ...
Verifying signature for cisco-asa.9.8.2 ... success

Cisco ASA: CMD=-start, CSP-ID=cisco-asa.9.8.2__asa_001_JAD20280BW90MEZR11, FLAG=''
Cisco ASA starting ...
Registering to process manager ...
Cisco ASA started successfully.
[…]

After the rest of the ASA startup messages show, you can return to the FXOS prompt.

Step 15 If you changed the FXOS Management 1/1 address in this procedure, you should change the ASA address to be on the correct network. The default ASA Management 1/1 interface IP address is 192.168.45.1.

a) From the console, connect to the ASA CLI and access global configuration mode.

connect asa

enable

configure terminal

The enable password is blank by default; set one as part of your initial configuration.

Example:

firepower-2110# connect asa
Attaching to Diagnostic CLI ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.
ciscoasa> enable
Password: <blank>
ciscoasa# configure terminal
ciscoasa(config)#

b) Change the Management 1/1 IP address.

interface management1/1

ip address ip_address mask


Example:

ciscoasa(config)# interface management1/1
ciscoasa(config-ifc)# ip address 10.86.118.4 255.255.255.0

c) Change the network that can access ASDM.

no http 192.168.45.0 255.255.255.0 management

http ip_address mask management

Example:

ciscoasa(config)# no http 192.168.45.0 255.255.255.0 management
ciscoasa(config)# http 10.86.118.0 255.255.255.0 management

d) Save the configuration.

write memory

e) To return to the FXOS console, enter Ctrl+a, d.

Step 16 See the ASA for Firepower 2100 Series Getting Started Guide to configure your system.

What’s Next?

Firepower Threat Defense

See the quick start guide for your model and management application:

• Firepower Device Manager for the ASA 5506-X

• Firepower Management Center for the ASA 5506-X

• Firepower Device Manager for the ASA 5508-X and 5516-X

• Firepower Management Center for the ASA 5508-X and 5516-X

• Firepower Device Manager for the ASA 5512-X through 5555-X

• Firepower Management Center for the ASA 5512-X through 5555-X

• Firepower Device Manager for the Firepower 2100

• Firepower Management Center for the Firepower 2100

ASA

See the quick start guide for your model:

• ASA for the ASA 5506-X

• ASA for the ASA 5508-X and 5516-X

• ASA for the ASA 5512-X through 5555-X


• ASA for the Firepower 2100


Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: https://www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)

© 2018 Cisco Systems, Inc. All rights reserved.