Cisco ASA 5506H-X Manual
Cisco ASA and Firepower Threat Defense Reimage Guide
This guide describes how to reimage between ASA and Firepower Threat Defense (FTD), and also how to
perform a reimage for FTD using a new image version; this method is distinct from an upgrade, and sets the
FTD to a factory default state. For ASA reimaging, see the ASA general operations configuration guide, where
you can use multiple methods to reimage the ASA.
Supported Models
The following models support either ASA software or FTD Software. For ASA and FTD version support, see
the ASA compatibility guide or Firepower compatibility guide.
• Firepower 1000
• Firepower 2100
• ASA 5506-X, 5506W-X, and 5506H-X (FTD 6.2.3 and earlier)
• ASA 5508-X
• ASA 5512-X (FTD 6.2.3 and earlier; ASA 9.12 and earlier)
• ASA 5515-X (FTD 6.4 and earlier; ASA 9.12 and earlier)
• ASA 5516-X
• ASA 5525-X
• ASA 5545-X
• ASA 5555-X
• ISA 3000
Note
The Firepower 4100 and 9300 also support either the ASA or FTD, but they are installed as logical devices;
see the FXOS configuration guides for more information.
Note
For the FTD on the ASA 5512-X through 5555-X, you must install a Cisco solid state drive (SSD). For more
information, see the ASA 5500-X hardware guide. For the ASA, the SSD is also required to use the ASA
FirePOWER module. (The SSD is standard on the ASA 5506-X, 5508-X, and 5516-X.)


Summary of Contents for Cisco ASA 5506H-X

  • Page 1 The Firepower 4100 and 9300 also support either the ASA or FTD, but they are installed as logical devices; see the FXOS configuration guides for more information. Note For the FTD on the ASA 5512-X through 5555-X, you must install a Cisco solid state drive (SSD). For more information, see the ASA 5500-X hardware guide.
  • Page 2 TFTP server for the initial download. Other images can be downloaded from other server types, such as HTTP or FTP. For the exact software package and server type, see the procedures. Note A Cisco.com login and Cisco service contract are required. Table 1: Firepower Threat Defense Software FTD Model...
  • Page 3 ASA→FTD: Firepower 1000 or 2100 Appliance Mode Table 2: ASA Software ASA Model Download Location Packages Firepower 1000 series See: https://www.cisco.com/go/asa-firepower-sw ASA package The package has a filename like cisco-asa-fp1k.9.13.1.SPA. This package Choose your model >...
  • Page 4 ASA→FTD: Firepower 1000 or 2100 Appliance Mode Procedure Step 1 Connect to the ASA CLI. Step 2 Unregister the ASA from the Smart Software Licensing server, either from the ASA CLI/ASDM or from the Smart Software Licensing server.
  • Page 5 Cisco FPR Series Security Appliance firepower login: admin Password: Successful login attempts for user 'admin' : 1 Copyright 2004-2019, Cisco and/or its affiliates. All rights reserved. [...] User enable_1 logged in to firepower Logins over the last 1 days: 1.
  • Page 6 ASA→FTD: Firepower 2100 Platform Mode This task lets you reimage the Firepower 2100 in Platform mode to FTD. Note: After performing this procedure, the FXOS admin password is reset to Admin123.
  • Page 7 ASA→FTD: Firepower 2100 Platform Mode • scp://username@server/[path/]image_name • sftp://username@server/[path/]image_name • tftp://server[:port]/[path/]image_name • usbA:/path/filename Example: firepower-2110 /firmware # download image scp://admin@10.88.29.181/cisco-ftd-fp2k.6.3.0-1.SPA Password: Please use the command 'show download-task' or 'show download-task detail' to check download progress.
  • Page 8 ASA→FTD: Firepower 2100 Platform Mode Note: If you see the below error, you may have entered the package name, instead of the package version: Invalid software pack Please contact technical support for help...
  • Page 9 FTD→ASA: Firepower 1000 or 2100 firepower login: admin Password: Successful login attempts for user 'admin' : 1 Copyright 2004-2019, Cisco and/or its affiliates. All rights reserved. [...] User enable_1 logged in to firepower Logins over the last 1 days: 1.
  • Page 10 FTD→ASA: Firepower 1000 or 2100 scope firmware Example: firepower-2110# scope firmware firepower-2110 /firmware# b) Download the package. download image url Specify the URL for the file being imported using one of the following: •...
  • Page 11 FTD→ASA: Firepower 1000 or 2100 firepower-2110 /firmware # b) Install the package. Caution This step erases your configuration. scope auto-install install security-pack version version In the show package output, copy the Package-Vers value for the security-pack version number. The chassis installs the image and reboots. This process, including reloading, can take approximately 30 minutes.
  • Page 12: Troubleshooting

    Successful login attempts for user 'admin' : 1 Cisco Firepower Extensible Operating System (FX-OS) Software TAC support: http://www.cisco.com/tac Copyright (c) 2009-2018, Cisco Systems, Inc. All rights reserved. [...] User enable_1 logged in to ciscoasa Logins over the last 1 days: 1.
  • Page 13: Console Port Access Required

    Other models include a Mini USB Type B console port, so you can use any mini USB cable. For Windows, you may need to install a USB-serial driver from software.cisco.com. See the hardware guide for more information about console port options and driver requirements: http://www.cisco.com/go/asa5500x-install...
  • Page 14 Download Software Firepower Threat Defense Model Download Location Packages ASA 5512-X through ASA 5555-X See: http://www.cisco.com/go/asa-firepower-sw. Note: You will also see patch files ending in .sh; the patch upgrade process is not covered in this document.
  • Page 15 Download Software Table 4: ASA Software ASA Model Download Location Packages ASA 5506-X, ASA 5508-X, and ASA 5516-X http://www.cisco.com/go/asa-firepower-sw ASA Software The ASA software file has a filename like asa962-lfbff-k8.SPA. Choose your model > Adaptive Security Appliance (ASA) Software >...
  • Page 16 Before you begin Obtain the new ROMMON image from Cisco.com, and put it on a server to copy to the ASA. The ASA supports FTP, TFTP, SCP, HTTP(S), and SMB servers. Download the image from: •...
  • Page 17 Upgrade the ROMMON Image (ASA 5506-X, 5508-X, and 5516-X, ISA 3000) > system support diagnostic-cli Attaching to Diagnostic CLI ... Press 'Ctrl+a then d' to detach. Type help or '?' for a list of available commands.
  • Page 18 ASA→FTD: ASA 5500-X or ISA 3000 Proceed with reload? [confirm] Step 5 Confirm to reload the ASA when you are prompted. The ASA upgrades the ROMMON image, and then reloads the operating system.
  • Page 19 ASA→FTD: ASA 5500-X or ISA 3000 [...] Booting from ROMMON Cisco Systems ROMMON Version (2.1(9)8) #1: Wed Oct 26 17:14:40 PDT 2011 Platform ASA 5555-X with SW, 8 GE Data, 1 GE Mgmt Use BREAK or ESC to interrupt boot.
  • Page 20 ASA→FTD: ASA 5500-X or ISA 3000 rommon 4 > gateway 10.86.118.1 rommon 5 > file ftd-boot-latest.cdisk rommon 6 > set ROMMON Variable Settings: ADDRESS=10.86.118.3 NETMASK=255.255.255.0 SERVER=10.86.118.21 GATEWAY=10.86.118.21 PORT=GigabitEthernet0/0 VLAN=untagged IMAGE=ftd-boot-latest.cdisk CONFIG= LINKTIMEOUT=20...
  • Page 21 ASA→FTD: ASA 5500-X or ISA 3000 Note: If you have a DHCP server, the FTD automatically sets the network configuration. See the following sample startup messages when using DHCP: Configuring network interface using DHCP Bringing up network interface.
  • Page 22 ASA→FTD: ASA 5500-X or ISA 3000 to change, if it does change, the system will stop functioning correctly. We suggest you use static addressing instead. Apply the changes?(y,n) [Y]: y Configuration saved successfully! Applying...
  • Page 23 ASA→FTD: ASA 5500-X or ISA 3000 Example: View the network interface configuration: firepower-boot>show interface eth0 Link encap:Ethernet HWaddr 00:a0:c9:00:00:00 inet addr:10.123.123.123 Bcast:10.123.123.255 Mask:255.255.255.0 inet6 addr: fe80::2a0:c9ff:fe00:0/64 Scope:Link inet6 addr: 2001:420:270d:1310:2a0:c9ff:fe00:0/64 Scope:Global UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1...
  • Page 24 Thu Sep 24 19:53:44 UTC 2015: Begin installation ... Found hard drive(s): /dev/sda Erasing files from flash ... You can also view the upgrade.log, pyos.log, and commandd.log under /var/log/cisco with the same command for boot CLI related issues. Step 10 You can use either Firepower Device Manager or Firepower Management Center to manage your device.
  • Page 25 Example: [...] Booting from ROMMON Cisco Systems ROMMON Version (2.1(9)8) #1: Wed Oct 26 17:14:40 PDT 2011 Platform ASA 5555-X with SW, 8 GE Data, 1 GE Mgmt Use BREAK or ESC to interrupt boot. Use SPACE to begin boot immediately.
  • Page 26 FTD→ASA: ASA 5500-X or ISA 3000 [...] Step 6 Erase all disk(s) on the FTD. The internal flash is called disk0. If you have an external USB drive, it is disk1. Example: rommon #0>...
  • Page 27 FTD→ASA: ASA 5500-X or ISA 3000 rommon 7 > file asalatest-smp-k8.bin rommon 8 > set ROMMON Variable Settings: ADDRESS=10.86.118.3 NETMASK=255.255.255.0 SERVER=10.86.118.21 GATEWAY=10.86.118.21 PORT=GigabitEthernet0/0 VLAN=untagged IMAGE=asalatest-smp-k8.bin CONFIG= LINKTIMEOUT=20 PKTTIMEOUT=4 RETRY=20 rommon 9 > sync Updating NVRAM Parameters...
  • Page 28: Configure Terminal

    FTD→ASA: ASA 5500-X or ISA 3000 When the ASA first boots up, it does not have any configuration on it. You can either follow the interactive prompts to configure the Management interface for ASDM access, or you can paste a saved configuration or, if you do not have a saved configuration, the recommended configuration (below).
  • Page 29: Write Memory

    FTD→ASA: ASA 5500-X or ISA 3000 no shutdown object network obj_any subnet 0 0 nat (any,outside) dynamic interface http server enable http inside_network netmask inside dhcpd address inside_ip_address_start-inside_ip_address_end inside dhcpd auto_config outside...
  • Page 30 Example: ciscoasa# copy ftp://admin:test@10.86.118.21/asasfr-5500x-boot-6.0.1.img disk0:/asasfr-5500x-boot-6.0.1.img b) Download the ASA FirePOWER services system software install package from Cisco.com to an HTTP, HTTPS, or FTP server accessible from the Management interface. Do not download it to disk0 on the ASA. c) Set the ASA FirePOWER module boot image location in ASA disk0:...
  • Page 31 FTD→ASA: ASA 5500-X or ISA 3000 ciscoasa# session sfr console Opening console session with module sfr. Connected to module sfr. Escape character sequence is 'CTRL-^X'. asasfr login: admin Password: Admin123 If the module boot has not completed, the session command will fail with a message about not being able to connect over ttyS1.
  • Page 32 Step 11 Obtain a Strong Encryption license and other licenses for an existing ASA for which you did not save the activation key: see http://www.cisco.com/go/license. In the Manage > Licenses section you can re-download your licenses. To use ASDM (and many other features), you need to install the Strong Encryption (3DES/AES) license. If you saved your license activation key from this ASA before you previously reimaged to the Firepower Threat Defense device, you can re-install the activation key.
  • Page 33 FTD→ASA: ASA 5500-X or ISA 3000 Figure 2: IPS, Crypto, Other d) In the Search by Keyword field, enter asa, and select Cisco ASA 3DES/AES License. Figure 3: Cisco ASA 3DES/AES License e) Select your Smart Account, Virtual Account, enter the ASA Serial Number, and click Next.
  • Page 34 If you want to upgrade from the Base license to the Security Plus license, or purchase an AnyConnect license, see http://www.cisco.com/go/ccw. After you purchase a license, you will receive an email with a Product Authorization Key (PAK) that you can enter on http://www.cisco.com/go/license. For the AnyConnect licenses, you receive a multi-use PAK that you can apply to multiple ASAs that use the same pool of user sessions.
  • Page 35 ASA FirePOWER module; it just provides the right to use the updates. If you did not buy an ASA 5500-X that included the ASA FirePOWER services, then you can purchase an upgrade bundle to obtain the necessary licenses. See the Cisco ASA with FirePOWER Services Ordering Guide for more information.
  • Page 36 Example: [...] Booting from ROMMON Cisco Systems ROMMON Version (2.1(9)8) #1: Wed Oct 26 17:14:40 PDT 2011 Platform ASA 5555-X with SW, 8 GE Data, 1 GE Mgmt Use BREAK or ESC to interrupt boot. Use SPACE to begin boot immediately.
  • Page 37 FTD→FTD: ASA 5500-X or ISA 3000 server tftp_ip_address gateway gateway_ip_address file path/filename sync tftpdnld The Firepower Threat Defense boot image downloads and boots up to the boot CLI. Note: If you did not erase the disk in the previous step, then you need to press Esc to enter the boot CLI: ============================================== Use ESC to interrupt boot and launch boot CLI.
  • Page 38 FTD→FTD: ASA 5500-X or ISA 3000 VERBOSITY: Progress RETRY: 40 PKTTIMEOUT: 7200 BLKSIZE: 1460 CHECKSUM: Yes PORT: GbE/1 PHYMODE: Auto Detect IP: Detected unsupported IP packet fragmentation. Try reducing TFTP_BLKSIZE. IP: Retrying with a TFTP block size of 512..
  • Page 39 FTD→FTD: ASA 5500-X or ISA 3000 Note: If you have a DHCP server, the FTD automatically sets the network configuration. See the following sample startup messages when using DHCP: Configuring network interface using DHCP Bringing up network interface.
  • Page 40 FTD→FTD: ASA 5500-X or ISA 3000 to change, if it does change, the system will stop functioning correctly. We suggest you use static addressing instead. Apply the changes?(y,n) [Y]: y Configuration saved successfully! Applying...
  • Page 41 FTD→FTD: ASA 5500-X or ISA 3000 Example: View the network interface configuration: firepower-boot>show interface eth0 Link encap:Ethernet HWaddr 00:a0:c9:00:00:00 inet addr:10.123.123.123 Bcast:10.123.123.255 Mask:255.255.255.0 inet6 addr: fe80::2a0:c9ff:fe00:0/64 Scope:Link inet6 addr: 2001:420:270d:1310:2a0:c9ff:fe00:0/64 Scope:Global UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1...
  • Page 42 Thu Sep 24 19:53:44 UTC 2015: Begin installation ... Found hard drive(s): /dev/sda Erasing files from flash ... You can also view the upgrade.log, pyos.log, and commandd.log under /var/log/cisco with the same command for boot CLI related issues. Step 13 You can use either Firepower Device Manager or Firepower Management Center to manage your device.
  • Page 43: What's Next

    What's Next? Firepower Threat Defense See the quick start guide for your model and management application: • Firepower Device Manager for the ASA 5506-X • Firepower Management Center for the ASA 5506-X •...
  • Page 44 Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: https://www.cisco.com/c/en/us/about/legal/trademarks.html. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company.