Cisco ASA 55 Series Quick start guide

Cisco ASA and Firepower Threat Defense
Reimage Guide
This guide describes how to reimage between ASA and Firepower Threat Defense (FTD), and also how to
perform a reimage for FTD using a new image version; this method is distinct from an upgrade, and sets the
FTD to a factory default state. For ASA reimaging, see the ASA general operations configuration guide, where
you can use multiple methods to reimage the ASA.
Supported Models
The following models support either ASA software or Firepower Threat Defense Software. For ASA and
Firepower Threat Defense version support, see the ASA compatibility guide or Firepower compatibility guide.
• ASA 5506-X
• ASA 5506W-X
• ASA 5506H-X
• ASA 5508-X
• ASA 5512-X
• ASA 5515-X
• ASA 5516-X
• ASA 5525-X
• ASA 5545-X
• ASA 5555-X
• ISA 3000
• Firepower 2100
Note: The Firepower 4100 and 9300 also support either the ASA or Firepower Threat Defense, but they are installed
as logical devices; see the FXOS configuration guides for more information.
Note: For the Firepower Threat Defense on the ASA 5512-X through 5555-X, you must install a Cisco solid state
drive (SSD). For more information, see the ASA 5500-X hardware guide. For the ASA, the SSD is also
required to use the ASA FirePOWER module. (The SSD is standard on the ASA 5506-X, 5508-X, and 5516-X.)
Reimage the ASA 5500-X or ISA 3000
Many models in the ASA 5500-X or ISA 3000 series support either Firepower Threat Defense or ASA software.
• Supported Models
• Download Software
• Upgrade the ROMMON Image (ASA 5506-X, 5508-X, and 5516-X)
• Reimage from ASA to Firepower Threat Defense
• Reimage from Firepower Threat Defense to ASA
Console Port Access Required
To perform the reimage, you must connect your computer to the console port.
For the ASA 5512-X, 5515-X, 5525-X, 5545-X, and 5555-X, you might need to use a third-party serial-to-USB
cable to make the connection. Other models include a Mini USB Type B console port, so you can use any
mini USB cable. For Windows, you may need to install a USB-serial driver from software.cisco.com. See the
hardware guide for more information about console port options and driver requirements:
http://www.cisco.com/go/asa5500x-install
Use a terminal emulator set for 9600 baud, 8 data bits, no parity, 1 stop bit, no flow control.
Download Software
Obtain Firepower Threat Defense software, or ASA, ASDM, and ASA FirePOWER module software. The
procedures in this document require you to put software on a TFTP server for the initial download. Other
images can be downloaded from other server types, such as HTTP or FTP. For the exact software package
and server type, see the procedures.
Note: A Cisco.com login and Cisco service contract are required.
Attention: The Firepower Threat Defense boot image and system package are version-specific and model-specific.
Verify that you have the correct boot image and system package for your platform. A mismatch between the boot
image and system package can cause boot failure. An example of a mismatch is using an older boot image with a
newer system package.
Table 1: Firepower Threat Defense Software

Firepower Threat Defense Model: ASA 5506-X, ASA 5508-X, and ASA 5516-X
Download Location: See: http://www.cisco.com/go/asa-firepower-sw.
Note: You will also see patch files ending in .sh; the patch upgrade process is not covered in this document.
Packages:
• Boot image: Choose your model > Firepower Threat Defense Software > version. The boot image has a filename like ftd-boot-9.6.2.0.lfbff.
• System software install package: Choose your model > Firepower Threat Defense Software > version. The system software install package has a filename like ftd-6.1.0-330.pkg.

Firepower Threat Defense Model: ASA 5512-X through ASA 5555-X
Download Location: See: http://www.cisco.com/go/asa-firepower-sw.
Note: You will also see patch files ending in .sh; the patch upgrade process is not covered in this document.
Packages:
• Boot image: Choose your model > Firepower Threat Defense Software > version. The boot image has a filename like ftd-boot-9.6.2.0.cdisk.
• System software install package: Choose your model > Firepower Threat Defense Software > version. The system software install package has a filename like ftd-6.1.0-330.pkg.

Firepower Threat Defense Model: ISA 3000
Download Location: See: http://www.cisco.com/go/isa3000-software
Note: You will also see patch files ending in .sh; the patch upgrade process is not covered in this document.
Packages:
• Boot image: Choose your model > Firepower Threat Defense Software > version. The boot image has a filename like ftd-boot-9.9.2.0.lfbff.
• System software install package: Choose your model > Firepower Threat Defense Software > version. The system software install package has a filename like ftd-6.2.3-330.pkg.
Table 2: ASA Software

ASA Model: ASA 5506-X, ASA 5508-X, and ASA 5516-X
Download Location: http://www.cisco.com/go/asa-firepower-sw
Packages:
• ASA Software: Choose your model > Adaptive Security Appliance (ASA) Software > version. The ASA software file has a filename like asa962-lfbff-k8.SPA.
• ASDM Software: Choose your model > Adaptive Security Appliance (ASA) Device Manager > version. The ASDM software file has a filename like asdm-762.bin.
• REST API Software: Choose your model > Adaptive Security Appliance REST API Plugin > version. The API software file has a filename like asa-restapi-132-lfbff-k8.SPA. To install the REST API, see the API quick start guide.
• ROMMON Software: Choose your model > ASA Rommon Software > version. The ROMMON software file has a filename like asa5500-firmware-1108.SPA.

ASA Model: ASA 5512-X through ASA 5555-X
Download Location: http://www.cisco.com/go/asa-software
Packages:
• ASA Software: Choose your model > Software on Chassis > Adaptive Security Appliance (ASA) Software > version. The ASA software file has a filename like asa962-smp-k8.bin.
• ASDM Software: Choose your model > Software on Chassis > Adaptive Security Appliance (ASA) Device Manager > version. The ASDM software file has a filename like asdm-762.bin.
• REST API Software: Choose your model > Software on Chassis > Adaptive Security Appliance REST API Plugin > version. The API software file has a filename like asa-restapi-132-lfbff-k8.SPA. To install the REST API, see the API quick start guide.
• ASA Device Package for Cisco Application Policy Infrastructure Controller (APIC): Choose your model > Software on Chassis > ASA for Application Centric Infrastructure (ACI) Device Packages > version. For APIC 1.2(7) and later, choose either the Policy Orchestration with Fabric Insertion, or the Fabric Insertion-only package. The device package software file has a filename like asa-device-pkg-1.2.7.10.zip. To install the ASA device package, see the “Importing a Device Package” chapter of the Cisco APIC Layer 4 to Layer 7 Services Deployment Guide.

ASA Model: ISA 3000
Download Location: http://www.cisco.com/go/isa3000-software
Packages:
• ASA Software: Choose your model > Adaptive Security Appliance (ASA) Software > version. The ASA software file has a filename like asa962-lfbff-k8.SPA.
• ASDM Software: Choose your model > Adaptive Security Appliance (ASA) Device Manager > version. The ASDM software file has a filename like asdm-762.bin.
• REST API Software: Choose your model > Adaptive Security Appliance REST API Plugin > version. The API software file has a filename like asa-restapi-132-lfbff-k8.SPA. To install the REST API, see the API quick start guide.
Upgrade the ROMMON Image (ASA 5506-X, 5508-X, and 5516-X)
Follow these steps to upgrade the ROMMON image for the ASA 5506-X series, ASA 5508-X, and ASA
5516-X. The ROMMON version on your system must be 1.1.8 or greater.
Note: You cannot upgrade the ROMMON image after you reimage to Firepower Threat Defense.
Before you begin
You can only upgrade to a new version; you cannot downgrade. To see your current version, enter the show
module command and look at the Fw Version in the output for Mod 1 in the MAC Address Range table:
ciscoasa# show module
[...]
Mod MAC Address Range Hw Version Fw Version Sw Version
---- --------------------------------- ------------ ------------ ---------------
1 7426.aceb.ccea to 7426.aceb.ccf2 0.3 1.1.5 9.4(1)
sfr 7426.aceb.cce9 to 7426.aceb.cce9 N/A N/A
Procedure
Step 1 Obtain the new ROMMON image from Cisco.com, and put it on a server to copy to the ASA. This procedure
shows a TFTP copy.
Download the image from:
https://software.cisco.com/download/type.html?mdfid=286283326&flowid=77251
Step 2 Copy the ROMMON image to the ASA flash memory:
copy tftp://server_ip/asa5500-firmware-xxxx.SPA disk0:asa5500-firmware-xxxx.SPA
Step 3 Upgrade the ROMMON image:
upgrade rommon disk0:asa5500-firmware-xxxx.SPA
Example:
ciscoasa# upgrade rommon disk0:asa5500-firmware-1108.SPA
Verifying file integrity of disk0:/asa5500-firmware-1108.SPA
Computed Hash SHA2: d824bdeecee1308fc64427367fa559e9
eefe8f182491652ee4c05e6e751f7a4f
5cdea28540cf60acde3ab9b65ff55a9f
4e0cfb84b9e2317a856580576612f4af
Embedded Hash SHA2: d824bdeecee1308fc64427367fa559e9
eefe8f182491652ee4c05e6e751f7a4f
5cdea28540cf60acde3ab9b65ff55a9f
4e0cfb84b9e2317a856580576612f4af
Digital signature successfully validated
File Name : disk0:/asa5500-firmware-1108.SPA
Image type : Release
Signer Information
Common Name : abraxas
Organization Unit : NCS_Kenton_ASA
Organization Name : CiscoSystems
Certificate Serial Number : 553156F4
Hash Algorithm : SHA2 512
Signature Algorithm : 2048-bit RSA
Key Version : A
Verification successful.
Proceed with reload? [confirm]
Step 4 Confirm to reload the ASA when you are prompted.
The ASA upgrades the ROMMON image, and then reloads the ASA OS.
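A check for the two console outputs shown in this procedure, as an added example that is not part of the Cisco guide: it reads the Fw Version for Mod 1 from show module output and compares it with the 1.1.8 minimum, then audits a captured upgrade rommon log for matching computed and embedded hashes and the signature messages. The function names are hypothetical; the sample text is copied from the outputs above.

```python
import re

MIN_ROMMON = (1, 1, 8)  # minimum ROMMON version stated in this guide
SHA512_HEX_LEN = 128    # the log reports "Hash Algorithm : SHA2 512"

# MAC Address Range row: Mod, MAC "to" MAC, Hw Version, Fw Version[, Sw Version]
MAC_ROW = re.compile(r"^\s*(\S+)\s+[0-9a-f.]+\s+to\s+[0-9a-f.]+\s+(\S+)\s+(\S+)", re.I)
HEX_ONLY = re.compile(r"^[0-9a-fA-F]+$")

# Sample text copied from the outputs shown in this guide.
SHOW_MODULE = """\
Mod MAC Address Range Hw Version Fw Version Sw Version
---- --------------------------------- ------------ ------------ ---------------
1 7426.aceb.ccea to 7426.aceb.ccf2 0.3 1.1.5 9.4(1)
sfr 7426.aceb.cce9 to 7426.aceb.cce9 N/A N/A
"""
UPGRADE_LOG = """\
Verifying file integrity of disk0:/asa5500-firmware-1108.SPA
Computed Hash SHA2: d824bdeecee1308fc64427367fa559e9
eefe8f182491652ee4c05e6e751f7a4f
5cdea28540cf60acde3ab9b65ff55a9f
4e0cfb84b9e2317a856580576612f4af
Embedded Hash SHA2: d824bdeecee1308fc64427367fa559e9
eefe8f182491652ee4c05e6e751f7a4f
5cdea28540cf60acde3ab9b65ff55a9f
4e0cfb84b9e2317a856580576612f4af
Digital signature successfully validated
Hash Algorithm : SHA2 512
Signature Algorithm : 2048-bit RSA
Verification successful.
"""


def fw_version(show_module, mod="1"):
    """Return module `mod`'s Fw Version as a tuple of ints, or None if absent or N/A."""
    for line in show_module.splitlines():
        m = MAC_ROW.match(line)
        if m and m.group(1) == mod:
            fw = m.group(3)
            if re.fullmatch(r"\d+(\.\d+)*", fw):
                return tuple(int(part) for part in fw.split("."))
            return None
    return None


def rommon_upgrade_needed(show_module):
    """True when the ROMMON (Fw Version of Mod 1) is older than the required minimum."""
    current = fw_version(show_module)
    if current is None:
        raise ValueError("Fw Version for Mod 1 not found in show module output")
    return current < MIN_ROMMON


def read_hash(lines, label):
    """Join a hash that the console wraps over several lines after `label`."""
    for i, line in enumerate(lines):
        if line.strip().startswith(label):
            parts = [line.split(":", 1)[1].strip()]
            for cont in lines[i + 1:]:
                if not HEX_ONLY.match(cont.strip()):
                    break
                parts.append(cont.strip())
            return "".join(parts).lower()
    return None


def audit_upgrade_log(log):
    """Return a list of problems found in captured upgrade rommon output."""
    lines = log.splitlines()
    computed = read_hash(lines, "Computed Hash")
    embedded = read_hash(lines, "Embedded Hash")
    problems = []
    if not computed or not embedded:
        problems.append("hash lines missing from log")
    else:
        if len(computed) != SHA512_HEX_LEN or len(embedded) != SHA512_HEX_LEN:
            problems.append("hash is not a full SHA-512 digest (log truncated?)")
        if computed != embedded:
            problems.append("computed hash differs from embedded hash")
    if "Digital signature successfully validated" not in log:
        problems.append("no signature validation message")
    if "Verification successful." not in log:
        problems.append("no final verification message")
    return problems


if __name__ == "__main__":
    print("ROMMON upgrade needed:", rommon_upgrade_needed(SHOW_MODULE))
    print("Upgrade log problems:", audit_upgrade_log(UPGRADE_LOG) or "none")
```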
Reimage from ASA to Firepower Threat Defense
To reimage the ASA to FTD software, you must access the ROMMON prompt. In ROMMON, you must use
TFTP on the Management interface to download the FTD boot image; only TFTP is supported. The boot
image can then download the FTD system software install package using HTTP or FTP. The TFTP download
can take a long time; ensure that you have a stable connection between the ASA and the TFTP server to avoid
packet loss.
Before you begin
To ease the process of reimaging back to an ASA, do the following:
1. Perform a complete system backup using the backup command.
See the configuration guide for more information, and other backup techniques.
2. Use the show activation-key command to copy and save the current activation key(s) so you can reinstall
your licenses.
3. For the ISA 3000, disable hardware bypass when using the Firepower Management Center; this feature
is only available using Firepower Device Manager in version 6.3 and later.
Procedure
Step 1 Download the FTD boot image (see Download Software, on page 2) to a TFTP server accessible by the
ASA on the Management interface.
For the ASA 5506-X, 5508-X, 5516-X, ISA 3000: You must use the Management 1/1 port to download the
image. For the other models, you can use any interface.
Step 2 Download the FTD system software install package (see Download Software, on page 2) to an HTTP or
FTP server accessible by the ASA on the Management interface.
Step 3 From the console port, reload the ASA:
reload
Example:
ciscoasa# reload
Step 4 Press Esc during the bootup when prompted to reach the ROMMON prompt.
Pay close attention to the monitor.
Example:
[...]
Booting from ROMMON
Cisco Systems ROMMON Version (2.1(9)8) #1: Wed Oct 26 17:14:40 PDT 2011
Platform ASA 5555-X with SW, 8 GE Data, 1 GE Mgmt
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Boot in 7 seconds.
Press Esc at this point.
If you see the following message, then you waited too long, and must reload the ASA again after it finishes
booting:
Launching BootLoader...
Boot configuration file contains 2 entries.
[...]
Step 5 Set the network settings, and load the boot image using the following ROMMON commands:
interface interface_id
address management_ip_address
netmask subnet_mask
server tftp_ip_address
gateway gateway_ip_address
file path/filename
set
sync
tftpdnld
The FTD boot image downloads and boots up to the boot CLI.
See the following information:
• interface—(ASA 5512-X, 5515-X, 5525-X, 5545-X, and 5555-X only) Specifies the interface ID. Other
models always use the Management 1/1 interface.
• set—Shows the network settings. You can also use the ping command to verify connectivity to the server.
• sync—Saves the network settings.
• tftpdnld—Loads the boot image.
Example:
Example for the ASA 5555-X:
rommon 0 > interface gigabitethernet0/0
rommon 1 > address 10.86.118.4
rommon 2 > netmask 255.255.255.0
rommon 3 > server 10.86.118.21
rommon 4 > gateway 10.86.118.1
rommon 5 > file ftd-boot-latest.cdisk
rommon 6 > set
ROMMON Variable Settings:
ADDRESS=10.86.118.3
NETMASK=255.255.255.0
SERVER=10.86.118.21
GATEWAY=10.86.118.21
PORT=GigabitEthernet0/0
VLAN=untagged
IMAGE=ftd-boot-latest.cdisk
CONFIG=
LINKTIMEOUT=20
PKTTIMEOUT=4
RETRY=20
rommon 7 > sync
Updating NVRAM Parameters...
rommon 8 > tftpdnld
Example for the ASA 5506-X:
rommon 0 > address 10.86.118.4
rommon 1 > netmask 255.255.255.0
rommon 2 > server 10.86.118.21
rommon 3 > gateway 10.86.118.21
rommon 4 > file ftd-boot-latest.lfbff
rommon 5 > set
ROMMON Variable Settings:
ADDRESS=10.86.118.3
NETMASK=255.255.255.0
SERVER=10.86.118.21
GATEWAY=10.86.118.21
VLAN=untagged
IMAGE=ftd-boot-latest.lfbff
CONFIG=
LINKTIMEOUT=20
PKTTIMEOUT=4
RETRY=20
rommon 6 > sync
Updating NVRAM Parameters...
rommon 7 > tftpdnld
Ping to troubleshoot connectivity to the server:
rommon 1 > ping 10.123.123.2
Sending 10, 32-byte ICMP Echoes to 10.123.123.2 timeout is 4 seconds
!!!!!!!!!!
Success rate is 100 percent (10/10)
rommon 2 >
Step 6 Enter setup, and configure network settings for the Management interface to establish temporary connectivity
to the HTTP or FTP server so that you can download and install the system software package.
Note: If you have a DHCP server, the FTD automatically sets the network configuration. See the following
sample startup messages when using DHCP:
Configuring network interface using DHCP
Bringing up network interface.
Depending on your network, this might take a couple of minutes when using DHCP...
ifup: interface lo already configured
Using IPv4 address: 10.123.123.123
Using IPv6 address: fe80::2a0:c9ff:fe00:0
Using DNS server: 64.102.6.247
Using DNS server: 173.36.131.10
Using default gateway: 10.123.123.1
Example:
Cisco FTD Boot 6.3.0
Type ? for list of commands
firepower-boot>
firepower-boot>setup
Welcome to Cisco FTD Setup
[hit Ctrl-C to abort]
Default values are inside []
Enter a hostname [firepower]: example.cisco.com
Do you want to configure IPv4 address on management interface?(y/n) [Y]: y
Do you want to enable DHCP for IPv4 address assignment on management interface?(y/n) [Y]:
n
Enter an IPv4 address: 10.123.123.123
Enter the netmask: 255.255.255.0
Enter the gateway: 10.123.123.1
Do you want to configure static IPv6 address on management interface?(y/n) [N]: n
Stateless autoconfiguration will be enabled for IPv6 addresses.
Enter the primary DNS server IP address [64.102.6.247]: 10.123.123.2
Do you want to configure Secondary DNS Server? (y/n) [y]: n
Any previously configured secondary DNS servers will be removed.
Do you want to configure Local Domain Name? (y/n) [n]: n
Do you want to configure Search domains? (y/n) [y]: n
Any previously configured search domains will be removed.
Do you want to enable the NTP service? [N]: n
Please review the final configuration:
Hostname: example.cisco.com
Management Interface Configuration
IPv4 Configuration: static
IP Address: 10.123.123.123
Netmask: 255.255.255.0
Gateway: 10.123.123.1
IPv6 Configuration: Stateless autoconfiguration
DNS Configuration:
DNS Server:
10.123.123.2
NTP configuration: Disabled
CAUTION:
You have selected IPv6 stateless autoconfiguration, which assigns a global address
based on network prefix and a device identifier. Although this address is unlikely
to change, if it does change, the system will stop functioning correctly.
We suggest you use static addressing instead.
Apply the changes?(y,n) [Y]: y
Configuration saved successfully!
Applying...
Restarting network services...
Done.
Press ENTER to continue...
firepower-boot>
Step 7 Download the FTD system software install package. This step shows an HTTP installation.
system install [noconfirm] url
Include the noconfirm option if you do not want to respond to confirmation messages.
Example:
> system install noconfirm http://10.86.118.21/ftd-6.0.1-949.pkg
You are prompted to erase the internal flash drive. Enter y.
######################## WARNING ############################
# The content of disk0: will be erased during installation! #
#############################################################
Do you want to continue? [y/N] y
The installation process erases the flash drive and downloads the system image. You are prompted to continue
with the installation. Enter y.
Erasing disk0 ...
Verifying
Downloading
Extracting
Package Detail
Description: Cisco ASA-NGFW 6.3.0 System Install
Requires reboot: Yes
Do you want to continue with upgrade? [y]: y
When the installation finishes, press Enter to reboot the device.
Warning: Please do not interrupt the process or turn off the system.
Doing so might leave system in unusable state.
Starting upgrade process ...
Populating new system image
Reboot is required to complete the upgrade. Press 'Enter' to reboot the system.
The reboot takes upwards of 30 minutes, and could take much longer. Upon reboot, you will be in the Firepower
Threat Defense CLI.
Step 8 To troubleshoot network connectivity, see the following examples.
Example:
View the network interface configuration:
firepower-boot>show interface
eth0 Link encap:Ethernet HWaddr 00:a0:c9:00:00:00
inet addr:10.123.123.123 Bcast:10.123.123.255 Mask:255.255.255.0
inet6 addr: fe80::2a0:c9ff:fe00:0/64 Scope:Link
inet6 addr: 2001:420:270d:1310:2a0:c9ff:fe00:0/64 Scope:Global
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:522369 errors:0 dropped:0 overruns:0 frame:0
TX packets:2473 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:42120849 (40.1 MiB) TX bytes:170295 (166.3 KiB)
...
Ping a server:
firepower-boot>ping www.example.com
PING www.example.com (10.125.29.106) 56(84) bytes of data.
64 bytes from qg-in-f106.1e100.net (74.125.29.106): icmp_seq=1 ttl=42 time=28.8 ms
64 bytes from qg-in-f106.1e100.net (74.125.29.106): icmp_seq=2 ttl=42 time=28.1 ms
64 bytes from qg-in-f106.1e100.net (74.125.29.106): icmp_seq=3 ttl=42 time=28.1 ms
64 bytes from qg-in-f106.1e100.net (74.125.29.106): icmp_seq=4 ttl=42 time=29.0 ms
^C
--- www.example.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 28.159/28.549/29.022/0.437 ms
firepower-boot>
Traceroute to test network connectivity:
firepower-boot>traceroute -n 10.100.100.1
traceroute to 10.100.100.1 (10.100.100.1), 30 hops max, 60 byte packets
1 10.123.123.1 0.937 ms 1.078 ms 1.154 ms^C
firepower-boot>
Step 9 To troubleshoot installation failures, see the following examples.
Example:
"Timed out" error
At the downloading stage, if the file server is not reachable, the installation fails with a timeout.
...
Erasing disk0 ...
Verifying
timed out
Upgrade aborted
firepower-boot>
In this case, make sure the file server is reachable from the ASA. You can verify by pinging the file server.
"Package not found" error
If the file server is reachable, but the file path or name is wrong, the installation fails with a "Package not
found" error:
...
Erasing disk0 ...
Verifying
Package not found. Please correct the URL, which should include the full path including
package name.
Upgrade aborted.
firepower-boot>
In this case, make sure the FTD package file path and name are correct.
Installation failed with unknown error
When the installation fails after the system software has been downloaded, the cause is generally displayed
as "Installation failed with unknown error". When this error happens, you can troubleshoot the failure by
viewing the installation log:
firepower-boot>support view logs
===View Logs===
============================
Directory: /var/log
----------sub-dirs----------
cisco
sa
-----------files------------
2015-09-24 19:56:33.150011 | 102668 | install.log
2015-09-24 19:46:28.400002 | 292292 | lastlog
2015-09-24 19:45:15.510001 | 250 | ntp.log
2015-09-24 19:46:28.400002 | 5760 | wtmp
([b] to go back or [s] to select a file to view, [Ctrl+C] to exit)
Type a sub-dir name to list its contents: s
Type the name of the file to view ([b] to go back, [Ctrl+C] to exit)
> install.log
Thu Sep 24 19:53:44 UTC 2015: Begin installation ...
Found hard drive(s): /dev/sda
Erasing files from flash ...
...
You can also view the upgrade.log, pyos.log, and commandd.log under /var/log/cisco with the same command
for boot CLI related issues.
Step 10 You can use either Firepower Device Manager or Firepower Management Center to manage your device. See
the Quick Start Guide for your model and your manager to continue setup:
http://www.cisco.com/go/ftd-asa-quick
Reimage from Firepower Threat Defense to ASA
To reimage the FTD to ASA software, you must access the ROMMON prompt. In ROMMON, you must
erase the disks, and then use TFTP on the Management interface to download the ASA image; only TFTP is
supported. After you reload the ASA, you can configure basic settings and then load the FirePOWER module
software.
Before you begin
• Ensure that you have a stable connection between the ASA and the TFTP server to avoid packet loss.
Procedure
Step 1 If you are managing the FTD from the Firepower Management Center, delete the device from the FMC.
Step 2 If you are managing the FTD using Firepower Device Manager, be sure to unregister the device from the
Smart Software Licensing server, either from the FDM or from the Smart Software Licensing server.
Step 3 Download the ASA image (see Download Software, on page 2) to a TFTP server accessible by the FTD on
the Management interface.
For the ASA 5506-X, 5508-X, 5516-X, ISA 3000: You must use the Management 1/1 port to download the
image. For the other models, you can use any interface.
Step 4 At the console port, reboot the Firepower Threat Defense device.
reboot
Enter yes to reboot.
Example:
>reboot
This command will reboot the system. Continue?
Please enter 'YES' or 'NO': yes
Step 5 Press Esc during the bootup when prompted to reach the ROMMON prompt.
Pay close attention to the monitor.
Example:
[...]
Booting from ROMMON
Cisco Systems ROMMON Version (2.1(9)8) #1: Wed Oct 26 17:14:40 PDT 2011
Platform ASA 5555-X with SW, 8 GE Data, 1 GE Mgmt
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Boot in 7 seconds.
Press Esc at this point.
If you see the following message, then you waited too long, and must reboot the FTD again after it finishes
booting:
Launching BootLoader...
Boot configuration file contains 2 entries.
[...]
Step 6 Erase all disk(s) on the FTD. The internal flash is called disk0. If you have an external USB drive, it is disk1.
Example:
rommon #0> erase disk0:
About to erase the selected device, this will erase
all files including configuration, and images.
Continue with erase? y/n [n]: y
Erasing Disk0:
.......................
[...]
This step erases FTD files so that the ASA does not try to load an incorrect configuration file, which causes
numerous errors.
Step 7 Set the network settings, and load the ASA image using the following ROMMON commands.
interface interface_id
address management_ip_address
netmask subnet_mask
server tftp_ip_address
gateway gateway_ip_address
file path/filename
set
sync
tftpdnld
The ASA image downloads and boots up to the CLI.
See the following information:
• interface—(ASA 5512-X, 5515-X, 5525-X, 5545-X, and 5555-X only) Specifies the interface ID. Other
models always use the Management 1/1 interface.
• set—Shows the network settings. You can also use the ping command to verify connectivity to the server.
• sync—Saves the network settings.
• tftpdnld—Loads the boot image.
Example:
Example for the ASA 5555-X:
rommon 2 > interface gigabitethernet0/0
rommon 3 > address 10.86.118.4
rommon 4 > netmask 255.255.255.0
rommon 5 > server 10.86.118.21
rommon 6 > gateway 10.86.118.1
rommon 7 > file asalatest-smp-k8.bin
rommon 8 > set
ROMMON Variable Settings:
ADDRESS=10.86.118.3
NETMASK=255.255.255.0
SERVER=10.86.118.21
GATEWAY=10.86.118.21
PORT=GigabitEthernet0/0
VLAN=untagged
IMAGE=asalatest-smp-k8.bin
CONFIG=
LINKTIMEOUT=20
PKTTIMEOUT=4
RETRY=20
rommon 9 > sync
Updating NVRAM Parameters...
rommon 10 > tftpdnld
Example for the ASA 5506-X:
rommon 2 > address 10.86.118.4
rommon 3 > netmask 255.255.255.0
rommon 4 > server 10.86.118.21
rommon 5 > gateway 10.86.118.21
rommon 6 > file asalatest-lfbff-k8.SPA
rommon 7 > set
ROMMON Variable Settings:
ADDRESS=10.86.118.3
NETMASK=255.255.255.0
SERVER=10.86.118.21
GATEWAY=10.86.118.21
VLAN=untagged
IMAGE=asalatest-lfbff-k8.SPA
CONFIG=
LINKTIMEOUT=20
PKTTIMEOUT=4
RETRY=20
rommon 8 > sync
Updating NVRAM Parameters...
rommon 9 > tftpdnld
Example:
Ping to troubleshoot connectivity to the server:
rommon 1 > ping 10.123.123.2
Sending 10, 32-byte ICMP Echoes to 10.123.123.2 timeout is 4 seconds
!!!!!!!!!!
Success rate is 100 percent (10/10)
rommon 2 >
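A consistency check for the ROMMON settings entered in Step 5 of the ASA-to-FTD procedure and in Step 7 of this procedure, as an added example that is not part of the Cisco guide: it parses a captured console transcript, compares what was typed with what set echoes before sync saves it, and checks the addressing and the image name against the platform. The function names and the platform-family labels are hypothetical; the sample transcript is the ASA 5555-X example above.

```python
import ipaddress
import re

# Typed ROMMON command -> variable name echoed by "set".
CMD_TO_VAR = {"interface": "PORT", "address": "ADDRESS", "netmask": "NETMASK",
              "server": "SERVER", "gateway": "GATEWAY", "file": "IMAGE"}

# Filename markers per platform family, from the filename examples in this guide.
# The family labels are hypothetical names used only by this script.
IMAGE_MARKERS = {
    "5506-5508-5516-isa3000": ("lfbff",),
    "5512-to-5555": ("cdisk", "smp"),
}

PROMPT = re.compile(r"^rommon\s+#?\d+\s*>\s*(\w+)\s+(\S+)\s*$")
SETTING = re.compile(r"^([A-Z]+)=(.*)$")

# Sample transcript copied from the ASA 5555-X example in this guide.
PAGE_SAMPLE = """\
rommon 2 > interface gigabitethernet0/0
rommon 3 > address 10.86.118.4
rommon 4 > netmask 255.255.255.0
rommon 5 > server 10.86.118.21
rommon 6 > gateway 10.86.118.1
rommon 7 > file asalatest-smp-k8.bin
rommon 8 > set
ROMMON Variable Settings:
ADDRESS=10.86.118.3
NETMASK=255.255.255.0
SERVER=10.86.118.21
GATEWAY=10.86.118.21
PORT=GigabitEthernet0/0
VLAN=untagged
IMAGE=asalatest-smp-k8.bin
CONFIG=
LINKTIMEOUT=20
PKTTIMEOUT=4
RETRY=20
"""


def parse_transcript(text):
    """Return (typed, stored): values entered at the prompt and values echoed by set."""
    typed, stored = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = PROMPT.match(line)
        if m and m.group(1).lower() in CMD_TO_VAR:
            typed[CMD_TO_VAR[m.group(1).lower()]] = m.group(2)
            continue
        m = SETTING.match(line)
        if m:
            stored[m.group(1)] = m.group(2).strip()
    return typed, stored


def check_rommon(text, family):
    """Return a list of findings; an empty list means the settings are consistent."""
    typed, stored = parse_transcript(text)
    findings = []

    # 1. What set reports must match what was typed (interface names differ only in case).
    for var, value in typed.items():
        if stored.get(var, "").lower() != value.lower():
            findings.append(f"{var}: typed {value!r} but set shows {stored.get(var)!r}")

    # 2. The management address must be a usable host and the gateway must be on-link.
    try:
        iface = ipaddress.ip_interface(f"{stored['ADDRESS']}/{stored['NETMASK']}")
        server = ipaddress.ip_address(stored["SERVER"])
        gateway = ipaddress.ip_address(stored["GATEWAY"])
    except (KeyError, ValueError) as exc:
        findings.append(f"addressing incomplete or malformed: {exc}")
    else:
        net = iface.network
        if iface.ip in (net.network_address, net.broadcast_address):
            findings.append(f"ADDRESS {iface.ip} is not a usable host address in {net}")
        if iface.ip in (server, gateway):
            findings.append("ADDRESS collides with SERVER or GATEWAY")
        if gateway not in net:
            findings.append(f"GATEWAY {gateway} is outside {net}")

    # 3. The image name must carry a marker used for this platform family.
    image = stored.get("IMAGE", "")
    if not image:
        findings.append("IMAGE is empty")
    elif not any(tag in image for tag in IMAGE_MARKERS[family]):
        findings.append(f"IMAGE {image!r} does not look like a {family} image")
    return findings


if __name__ == "__main__":
    for finding in check_rommon(PAGE_SAMPLE, "5512-to-5555"):
        print(finding)
```

Run it on the console capture before entering sync and tftpdnld; any finding means the stored settings should be re-entered first.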
Step 8 Configure network settings and prepare the disks.
When the ASA first boots up, it does not have any configuration on it. You can either follow the interactive
prompts to configure the Management interface for ASDM access, or you can paste a saved configuration or,
if you do not have a saved configuration, the recommended configuration (below).
If you do not have a saved configuration, we suggest pasting the recommended configuration if you are
planning to use the ASA FirePOWER module. The ASA FirePOWER module is managed on the Management
interface and needs to reach the internet for updates. The simple, recommended network deployment includes
an inside switch that lets you connect Management (for FirePOWER management only), an inside interface
(for ASA management and inside traffic), and your management PC to the same inside network. See the quick
start guide for more information about the network deployment:
• http://www.cisco.com/go/asa5506x-quick
• http://www.cisco.com/go/asa5508x-quick
• http://www.cisco.com/go/asa5500x-quick
a) At the ASA console prompt, you are prompted to provide some configuration for the Management interface.
Pre-configure Firewall now through interactive prompts [yes]?
If you want to paste a configuration or create the recommended configuration for a simple network
deployment, then enter no and continue with the procedure.
If you want to configure the Management interface so you can connect to ASDM, enter yes, and follow
the prompts.
b) At the console prompt, access privileged EXEC mode.
enable
The following prompt appears:
Password:
c) Press Enter. By default, the password is blank.
d) Access global configuration mode.
configure terminal
e) If you did not use the interactive prompts, copy and paste your configuration at the prompt.
If you do not have a saved configuration, and you want to use the simple configuration described in the
quick start guide, copy the following configuration at the prompt, changing the IP addresses and interface
IDs as appropriate. If you did use the prompts, but want to use this configuration instead, clear the
configuration first with the clear configure all command.
interface gigabitethernetn/n
nameif outside
ip address dhcp setroute
no shutdown
interface gigabitethernetn/n
nameif inside
ip address ip_address netmask
security-level 100
no shutdown
interface managementn/n
no shutdown
object network obj_any
subnet 0 0
nat (any,outside) dynamic interface
http server enable
http inside_network netmask inside
dhcpd address inside_ip_address_start-inside_ip_address_end inside
dhcpd auto_config outside
dhcpd enable inside
logging asdm informational
For the ASA 5506W-X, add the following for the wifi interface:
same-security-traffic permit inter-interface
interface GigabitEthernet 1/9
security-level 100
nameif wifi
ip address ip_address netmask
no shutdown
http wifi_network netmask wifi
dhcpd address wifi_ip_address_start-wifi_ip_address_end wifi
dhcpd enable wifi
f) Reformat the disks:
format disk0:
format disk1:
The internal flash is called disk0. If you have an external USB drive, it is disk1. If you do not reformat
the disks, then when you try to copy the ASA image, you see the following error:
%Error copying ftp://10.86.89.125/asa971-smp-k8.bin (Not enough space on device)
g) Save the new configuration:
write memory
Step 9 Install the ASA and ASDM images.
Booting the ASA from ROMMON mode does not preserve the system image across reloads; you must still
download the image to flash memory. You also need to download ASDM to flash memory.
a) Download the ASA and ASDM images (see Download Software, on page 2) to a server accessible by
the ASA. The ASA supports many server types. See the copy command for more information:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/A-H/cmdref1/c4.html#pgfId-2171368.
b) Copy the ASA image to the ASA flash memory. This step shows an FTP copy.
copy ftp://user:password@server_ip/asa_file disk0:asa_file
Example:
ciscoasa# copy ftp://admin:[email protected]/asa961-smp-k8.bin disk0:asa961-smp-k8.bin
c) Copy the ASDM image to the ASA flash memory. This step shows an FTP copy.
copy ftp://user:password@server_ip/asdm_file disk0:asdm_file
Example:
ciscoasa# copy ftp://admin:[email protected]/asdm-761.bin disk0:asdm-761.bin
d) Reload the ASA:
reload
The ASA reloads using the image in disk0.
Step 10 (Optional) Install the ASA FirePOWER module software.
You need to install the ASA FirePOWER boot image, partition the SSD, and install the system software
according to this procedure.
a) Copy the boot image to the ASA. Do not transfer the system software; it is downloaded later to the SSD.
This step shows an FTP copy.
copy ftp://user:password@server_ip/firepower_boot_file disk0:firepower_boot_file
Example:
ciscoasa# copy ftp://admin:[email protected]/asasfr-5500x-boot-6.0.1.img disk0:/asasfr-5500x-boot-6.0.1.img
b) Download the ASA FirePOWER services system software install package from Cisco.com to an HTTP,
HTTPS, or FTP server accessible from the Management interface. Do not download it to disk0 on the
ASA.
c) Set the ASA FirePOWER module boot image location in ASA disk0:
sw-module module sfr recover configure image disk0:file_path
Example:
ciscoasa# sw-module module sfr recover configure image disk0:asasfr-5500x-boot-6.0.1.img
d) Load the ASA FirePOWER boot image:
sw-module module sfr recover boot
Example:
ciscoasa# sw-module module sfr recover boot
Module sfr will be recovered. This may erase all configuration and all data
on that device and attempt to download/install a new image for it. This may take
several minutes.
Recover module sfr? [confirm] y
Recover issued for module sfr.
e) Wait a few minutes for the ASA FirePOWER module to boot up, and then open a console session to the
now-running ASA FirePOWER boot image. You might need to press Enter after opening the session to
get to the login prompt. The default username is admin and the default password is Admin123.
Example:
ciscoasa# session sfr console
Opening console session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.
asasfr login: admin
Password: Admin123
If the module boot has not completed, the session command will fail with a message about not being able
to connect over ttyS1. Wait and try again.
f) Configure the system so that you can install the system software install package.
setup
You are prompted for the following. Note that the management address and gateway, and DNS information,
are the key settings to configure.
• Host name—Up to 65 alphanumeric characters, no spaces. Hyphens are allowed.
• Network address—You can set static IPv4 or IPv6 addresses, or use DHCP (for IPv4) or IPv6 stateless
autoconfiguration.
• DNS information—You must identify at least one DNS server, and you can also set the domain name
and search domain.
• NTP information—You can enable NTP and configure the NTP servers, for setting system time.
Example:
asasfr-boot> setup
Welcome to Cisco FirePOWER Services Setup
[hit Ctrl-C to abort]
Default values are inside []
g) Install the system software install package:
system install [noconfirm] url
Include the noconfirm option if you do not want to respond to confirmation messages. Use an HTTP,
HTTPS, or FTP URL; if a username and password are required, you will be prompted to supply them.
This file is large and can take a long time to download, depending on your network.
When installation is complete, the system reboots. The time required for application component installation
and for the ASA FirePOWER services to start differs substantially: high-end platforms can take 10 or
more minutes, but low-end platforms can take 60-80 minutes or longer. (The show module sfr output
should show all processes as Up.)
Example:
asasfr-boot> system install http://admin:[email protected]/packages/asasfr-sys-6.0.1-58.pkg
Verifying
Downloading
Extracting
Package Detail
Description: Cisco ASA-FirePOWER 6.0.1-58 System Install
Requires reboot: Yes
Do you want to continue with upgrade? [y]: y
Warning: Please do not interrupt the process or turn off the system.
Doing so might leave system in unusable state.
Upgrading
Starting upgrade process ...
Populating new system image
Reboot is required to complete the upgrade. Press 'Enter' to reboot the system. [type
Enter]
Broadcast message from root (ttyS1) (Mon Feb 17 19:28:38 2016):
The system is going down for reboot NOW!
Console session with module sfr terminated.
h) If you need to install a patch release, you can do so later from your manager: ASDM or the Firepower
Management Center.
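The copy and system install commands in Steps 9 and 10 carry the server password inside the URL, and the module login example shows the password at the prompt, so a saved console capture of this procedure contains those secrets. The following Python script is an added example (not part of the Cisco guide) that masks them before a transcript is stored or shared; the sample transcript, its addresses and its passwords are constructed, and the scp and smb schemes are included as an assumption.

```python
import re

MASK = "****"

# URL form used by this guide's `copy` and `system install` commands:
#   scheme://user:password@host/path
# ftp/http/https appear in the guide; scp and smb are an assumption.
# The password may itself contain '@' but not '/' or whitespace.
_CRED_URL = re.compile(
    r"(?P<scheme>\b(?:ftp|https?|scp|smb)://)"
    r"(?P<user>[^\s:/@]+):(?P<password>[^\s/]+)@(?P<rest>\S+)",
    re.IGNORECASE,
)
# A login prompt line where the typed password was captured in the log.
_PROMPT = re.compile(r"^(?P<prompt>\s*Password:\s*)\S.*$", re.IGNORECASE)


def redact_line(line):
    """Return (redacted_line, secrets_masked) for one transcript line."""
    line, n_url = _CRED_URL.subn(
        lambda m: f"{m['scheme']}{m['user']}:{MASK}@{m['rest']}", line
    )
    line, n_prompt = _PROMPT.subn(lambda m: m["prompt"] + MASK, line)
    return line, n_url + n_prompt


def redact_transcript(text):
    """Mask every embedded password; return (clean_text, secrets_masked)."""
    cleaned, total = [], 0
    for line in text.splitlines():
        redacted, count = redact_line(line)
        cleaned.append(redacted)
        total += count
    return "\n".join(cleaned), total


# Constructed sample: file names follow the guide, while the addresses
# (192.0.2.0/24 documentation range) and passwords are made up.
SAMPLE = """\
ciscoasa# copy ftp://admin:Example-Pw1@192.0.2.10/asa961-smp-k8.bin disk0:asa961-smp-k8.bin
ciscoasa# copy ftp://admin:p@ss@192.0.2.10/asdm-761.bin disk0:asdm-761.bin
asasfr login: admin
Password: Example-Pw2
asasfr-boot> system install http://admin:Example-Pw1@192.0.2.10/packages/asasfr-sys-6.0.1-58.pkg
ciscoasa# copy ftp://192.0.2.10/asa971-smp-k8.bin disk0:asa971-smp-k8.bin
"""

if __name__ == "__main__":
    text, masked = redact_transcript(SAMPLE)
    print(text)
    print(f"-- {masked} secret(s) masked")
```

Lines without embedded credentials, such as the anonymous FTP copy at the end of the sample, pass through unchanged.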
Step 11 Obtain a Strong Encryption license and other licenses for an existing ASA for which you did not save the
activation key: see http://www.cisco.com/go/license. In the Manage > Licenses section you can re-download
your licenses.
To use ASDM (and many other features), you need to install the Strong Encryption (3DES/AES) license. If
you saved your license activation key from this ASA before you previously reimaged to the Firepower Threat
Defense device, you can re-install the activation key. If you did not save the activation key but own licenses
for this ASA, you can re-download the license. For a new ASA, you will need to request new ASA licenses.
Step 12 Obtain licenses for a new ASA.
a) Obtain the serial number for your ASA by entering the following command:
show version | grep Serial
This serial number is different from the chassis serial number printed on the outside of your hardware.
The chassis serial number is used for technical support, but not for licensing.