Running ASA on Firepower 2100: An End-to-End Guide
This process shows you step by step how to run the tried-and-tested ASA software image on a Firepower 2100 series chassis as shipped. Note that no special hardware (SSD, etc.) is needed on the Firepower 2100 series devices to support this configuration.
A quick housekeeping aside: To anyone who reads this article and believes that one is giving up security by replacing FTD with ASA, I strongly contend that you're probably wrong about that. Also, if from reading this it sounds as though I'm being harsh toward Cisco and their Firepower product team's top-level decision making, it's only because it actually is that terrible. </sarcastic rant>
On that note, let's get started!
Concepts and Key Terms
Cisco's Firepower isn't actually a product in and of itself but a suite of products and subcomponents. For those unfamiliar with the breakdown, it's important to understand what those components are before starting this procedure.
- FXOS (Firepower eXtensible OS) - More or less a Cisco-proprietary hypervisor that runs atop the Cisco Firepower 2K, 4K and 9K chassis. FXOS manages the applications/VMs which run on it, including handling physical network assignments. In terms of user interface it consists of two components:
- FXOS CLI - Provides command-based interface for configuring features, monitoring chassis status, and accessing advanced troubleshooting features.
- FXOS Chassis Manager - A web-based GUI which provides visual representation of current chassis status and configuration of chassis features.
- FTD (Firepower Threat Defense) - a feature-starved "NGFW" firewall VM that runs atop FXOS and is managed via a central controller. Cisco is desperately pushing FTD to be the successor to the ASA (with only very modest success).
- ASA (Adaptive Security Appliance) - The old Cisco firewall we all know and love that Cisco would prefer we all just as soon forget about. Due mostly to customer demand (and for "platform migration ease"), Cisco's made the ASA firewall available to run as a VM on the FXOS chassis. Incidentally, ASA still runs behind the scenes as the core software for FTD but with FTD only making use of a fraction of the capable features that have been developed for ASA.
- FMC (Firepower Management Center) - An extremely expensive controller appliance with clunky, already out-dated UI software that is forced down our throats by Cisco enforcing central management for all of your FTD deployments. It's currently impossible to run most FTD instances without using FMC. Think Cisco MARS 2.0.
- FDM (Firepower Device Manager) - Rumored to replace the FMC central controller requirement due to customer outrage (sorry, "demand"), this is a web-based, on-device management UI for FTD. At the time of this writing, the FDM only supports the Firepower 2100 series chassis and has very few features available.
When a Cisco Firepower 2100 appliance is shipped, it's loaded with the FTD image. However Cisco also allows customers to completely remove FTD and run ASA in its place, which is what this document shows you how to do.
Cabling Diagram
The device's 'Management 1/1' port must be connected to a local network with outbound access to the Internet. This lets you connect to the device from your local workstation, lets the appliance reach a TFTP server, and lets it reach the Internet for licensing purposes. Keep this segment restricted to administrators: for the duration of the rebuild it carries an unauthenticated TFTP boot and the factory-default FXOS credentials.
Procedure
Step 1 - Erase FTD
At the console port, log in to FXOS as admin, and reformat the system.
firepower-2110# connect local-mgmt
firepower-2110(local-mgmt)# format everything
All configuration and bootable images will be lost.
Do you still want to format? (yes/no):
Step 2 - Break into ROMMON
Press Esc during bootup when prompted to reach the ROMMON prompt. Pay close attention to the console output.
Example:
*******************************************************************************
Cisco System ROMMON, Version 1.0.03, RELEASE SOFTWARE
Copyright (c) 1994-2017 by Cisco Systems, Inc.
Compiled Thu 04/06/2017 12:16:16.21 by builder
*******************************************************************************
Current image running: Boot ROM0
Last reset cause: ResetRequest
DIMM_1/1 : Present
DIMM_2/1 : Present
Platform FPR-2130 with 32768 MBytes of main memory
BIOS has been successfully locked !!
MAC Address: 0c:75:bd:08:c9:80
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Press Esc at this point. If you miss the interrupt prompt, the Firepower 2100 attempts to reboot 3 times; because there is no image on the device, only ROMMON is available.
Step 3 - Boot ASA Software over TFTP
Set the network settings for Management 1/1 and boot the ASA package (cisco-asa-fp2k, which bundles FXOS and the ASA application) over TFTP using the following ROMMON commands. TFTP is cleartext and unauthenticated, so keep the TFTP server on the same trusted management segment for the duration of the install, and check the file's checksum against the value on the Cisco download page before staging it.
The package downloads and FXOS boots up to the CLI.
See the following information:
- gateway: set the gateway address to be the same as the server IP address if they're on the same network.
- set: shows the network settings. You can also use the ping command to verify connectivity to the server.
- sync: saves the network settings.
- tftp -b: downloads and boots the package.
Example:
rommon 1> address 10.70.128.32
rommon 2> netmask 255.255.240.0
rommon 3> server 10.70.33.222
rommon 4> gateway 10.70.128.1
rommon 5> file cisco-asa-fp2k.9.8.3.8.SPA
rommon 6> set
ROMMON Variable Settings:
ADDRESS=10.70.128.32
NETMASK=255.255.240.0
GATEWAY=10.70.128.1
SERVER=10.70.33.222
IMAGE=cisco-asa-fp2k.9.8.3.8.SPA
CONFIG=
PS1="rommon ! > "
rommon 7> sync
rommon 8> tftp -b
Enable boot bundle: tftp_reqsize = 268435456
ADDRESS: 10.70.128.32
NETMASK: 255.255.240.0
GATEWAY: 10.70.128.1
SERVER: 10.70.33.222
IMAGE: cisco-asa-fp2k.9.8.3.8.SPA
MACADDR: d4:2c:44:0c:26:00
VERBOSITY: Progress
RETRY: 40
PKTTIMEOUT: 7200
BLKSIZE: 1460
CHECKSUM: Yes
PORT: GbE/1
PHYMODE: Auto Detect
link up
Receiving cisco-asa-fp2k.9.8.3.8.SPA from 10.70.33.222!!!!!!!!
[…]
Step 4 - Bootstrap FXOS
Log in to FXOS with the default username admin and the default password (Admin123 on FXOS as shipped; change it before you expose the management port to anything but your own workstation). Note that after the device boots up into FXOS, the Management IP address that you set in ROMMON is erased and reset to the default, 192.168.45.45. You will need to set the correct IP address and other related settings for your network in FXOS before you can load the ASA package onto the chassis. As mentioned before, FXOS is essentially a hypervisor/chassis manager that runs the ASA VM. As such it needs to be configured for management and secured as a separate host.
Set the scope for system/services
Example:
firepower-2110# scope system
firepower-2110 /system # scope services
View the current management-plane access lists
Example:
firepower-2110 /system/services # show ip-block
Permitted IP Block:
IP Address Prefix Length Protocol
--------------- ------------- --------
192.168.45.0 24 https
192.168.45.0 24 ssh
firepower-2140 /system/services #
Add new access lists for your source network
Example:
firepower-2110 /system/services # enter ip-block 10.0.0.0 8 https
firepower-2110 /system/services/ip-block* # exit
firepower-2110 /system/services* # enter ip-block 10.0.0.0 8 ssh
firepower-2110 /system/services/ip-block* # exit
firepower-2110 /system/services* #
Delete the old access lists
Example:
firepower-2110 /system/services # delete ip-block 192.168.45.0 24 https
firepower-2110 /system/services* # delete ip-block 192.168.45.0 24 ssh
firepower-2110 /system/services* #
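Deleting the factory 192.168.45.0/24 entries before your own network is permitted (and committed) locks you out of SSH and HTTPS, leaving only the console. The following check is an added example written for this article, not code from the original post or from Cisco: it parses `show ip-block` output (the sample is constructed to match the layout of the transcript above), reports whether your workstation would still be permitted once the default block is gone, and emits the FXOS commands in an add-first, delete-second order. The admin source address and subnet are assumptions.

```python
# Added example for this article (not from the original post or Cisco): a
# lockout check on the FXOS management-plane allow-list before you delete the
# factory 192.168.45.0/24 entries. The sample output below is constructed to
# match the layout of `show ip-block` in the transcript above.
import ipaddress
import re

SAMPLE_SHOW_IP_BLOCK = """\
Permitted IP Block:
    IP Address      Prefix Length Protocol
    --------------- ------------- --------
    192.168.45.0    24            https
    192.168.45.0    24            ssh
    10.0.0.0        8             https
    10.0.0.0        8             ssh
"""

FACTORY_DEFAULT = ipaddress.ip_network("192.168.45.0/24")
# FXOS ip-block rows: address, prefix length, protocol (https, ssh or snmp)
ROW = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(https|ssh|snmp)\s*$")


def parse_ip_block(text):
    """Return [(network, protocol), ...] parsed from `show ip-block` output."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            entries.append((net, m.group(3)))
    return entries


def admin_still_permitted(entries, admin_source, drop=FACTORY_DEFAULT):
    """Per protocol: would admin_source still be allowed once `drop` is deleted?"""
    src = ipaddress.ip_address(admin_source)
    remaining = [(n, p) for n, p in entries if n != drop]
    return {proto: any(src in n for n, p in remaining if p == proto)
            for proto in ("https", "ssh")}


def audit_ip_block(text, admin_source, max_width=24):
    """Findings a reviewer would raise before `commit-buffer`."""
    entries = parse_ip_block(text)
    findings = []
    for net, proto in entries:
        if net == FACTORY_DEFAULT:
            findings.append(f"factory default {net} still permits {proto}")
        if net.prefixlen < max_width:
            findings.append(f"{net} ({proto}) is wider than /{max_width}; "
                            "narrow it to the admin subnet or jump host")
    for proto, ok in admin_still_permitted(entries, admin_source).items():
        if not ok:
            findings.append(f"{admin_source} would lose {proto} once "
                            f"{FACTORY_DEFAULT} is deleted (console access only)")
    return findings


def lockout_safe_plan(entries, admin_net):
    """FXOS commands in an order that never drops your own session:
    permit the admin network first, delete the factory default second,
    commit last (nothing takes effect until commit-buffer)."""
    net = ipaddress.ip_network(admin_net, strict=False)
    cmds = []
    for proto in ("https", "ssh"):
        if not any(n == net and p == proto for n, p in entries):
            cmds.append(f"enter ip-block {net.network_address} {net.prefixlen} {proto}")
            cmds.append("exit")
    for net0, proto in entries:
        if net0 == FACTORY_DEFAULT:
            cmds.append(f"delete ip-block {net0.network_address} {net0.prefixlen} {proto}")
    cmds.append("commit-buffer")
    return cmds


if __name__ == "__main__":
    for f in audit_ip_block(SAMPLE_SHOW_IP_BLOCK, "10.70.33.222"):
        print("FINDING:", f)
    print("\n".join(lockout_safe_plan(parse_ip_block(SAMPLE_SHOW_IP_BLOCK), "10.70.33.0/24")))
```

Paste the real `show ip-block` output and your workstation's address into audit_ip_block; only when neither protocol reports "would lose" should you issue the deletes and commit-buffer. The 10.0.0.0/8 entries from the transcript are flagged as wide on purpose: a /8 on the chassis management plane is a lab convenience, not a production allow-list.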
Disable the DHCP Server
Example:
firepower-2110# scope system
firepower-2110 /system # scope services
firepower-2110 /system/services # disable dhcp-server
Configure an IPv4 management IP address and the gateway. This will allow you to log in to the FXOS CLI remotely.
Example:
firepower-2110*# scope fabric-interconnect a
firepower-2110 /fabric-interconnect* #
firepower-2100 /fabric-interconnect* # set out-of-band static ip 10.70.128.32 netmask 255.255.240.0
firepower-2100 /fabric-interconnect* # set out-of-band static ip 10.70.128.32 gw 10.70.128.1
firepower-2100 /fabric-interconnect* #
Enable the physical interfaces so that they're usable by the ASA application, then commit (save) all of these configuration changes:
Example:
firepower-2130# scope eth-uplink
firepower-2130 /eth-uplink # scope fabric a
firepower-2130 /eth-uplink/fabric # scope interface e1/3
firepower-2130 /eth-uplink/fabric/interface # enable
firepower-2130 /eth-uplink/fabric/interface* # exit
firepower-2130 /eth-uplink/fabric* # scope interface e1/4
firepower-2130 /eth-uplink/fabric/interface* # enable
firepower-2130 /eth-uplink/fabric/interface* # exit
firepower-2130 /eth-uplink/fabric* # scope interface e1/5
firepower-2130 /eth-uplink/fabric/interface* # enable
firepower-2130 /eth-uplink/fabric/interface* # exit
firepower-2130 /eth-uplink/fabric* # scope interface e1/6
firepower-2130 /eth-uplink/fabric/interface* # enable
firepower-2130 /eth-uplink/fabric/interface* # exit
firepower-2130 /eth-uplink/fabric* # scope interface e1/7
firepower-2130 /eth-uplink/fabric/interface* # enable
firepower-2130 /eth-uplink/fabric/interface* # exit
firepower-2130 /eth-uplink/fabric* # scope interface e1/8
firepower-2130 /eth-uplink/fabric/interface* # enable
firepower-2130 /eth-uplink/fabric/interface* # exit
firepower-2130 /eth-uplink/fabric* # scope interface e1/9
firepower-2130 /eth-uplink/fabric/interface* # enable
firepower-2130 /eth-uplink/fabric/interface* # exit
firepower-2130 /eth-uplink/fabric* # scope interface e1/10
firepower-2130 /eth-uplink/fabric/interface* # enable
firepower-2130 /eth-uplink/fabric/interface* # exit
firepower-2130 /eth-uplink/fabric* # scope interface e1/11
firepower-2130 /eth-uplink/fabric/interface* # enable
firepower-2130 /eth-uplink/fabric/interface* # exit
firepower-2130 /eth-uplink/fabric* # scope interface e1/12
firepower-2130 /eth-uplink/fabric/interface* # enable
firepower-2130 /eth-uplink/fabric/interface* # exit
firepower-2130 /eth-uplink/fabric* # scope interface e1/13
firepower-2130 /eth-uplink/fabric/interface* # enable
firepower-2130 /eth-uplink/fabric/interface* # exit
firepower-2130 /eth-uplink/fabric* # scope interface e1/14
firepower-2130 /eth-uplink/fabric/interface* # enable
firepower-2130 /eth-uplink/fabric/interface* # exit
firepower-2130 /eth-uplink/fabric* # scope interface e1/15
firepower-2130 /eth-uplink/fabric/interface* # enable
firepower-2130 /eth-uplink/fabric/interface* # exit
firepower-2130 /eth-uplink/fabric* # scope interface e1/16
firepower-2130 /eth-uplink/fabric/interface* # enable
firepower-2130 /eth-uplink/fabric/interface* # commit-buffer
Step 5 - Load the ASA Image
Download and boot the ASA package onto the device again. This loads the same file you previously used into local storage. Note that TFTP, FTP, SCP and a few other protocols are available; however, they do not appear to work. The only known way to copy this file is via a thumb drive. Simply copy the file into the root directory of a thumb drive, insert it into the Firepower 2100 chassis, then run the following.
Example:
firepower-2110# scope firmware
firepower-2110 /firmware # download image usbA:/cisco-asa-fp2k.9.8.3.8.SPA
Please use the command 'show download-task' or 'show download-task detail' to check download progress.
firepower-2130 /firmware # show download-task
Download task:
File Name Protocol Server Port Userid State
--------- -------- --------------- ---------- --------------- -----
cisco-asa-fp2k.9.8.3.8.SPA
Usb A 0 Downloading
When the package finishes downloading (Downloaded state), boot the package. In the show package output, copy the Package-Vers value for the security-pack version number. The chassis installs the ASA image and reboots.
Example:
firepower 2110 /firmware # show package
Name Package-Vers
--------------------------------------------- ------------
cisco-asa-fp2k.9.8.3.8.SPA 9.8.3.8
firepower 2110 /firmware # scope auto-install
firepower-2130 /firmware/auto-install # install security-pack version 9.8.3.8
The system is currently installed with security software package not set, which has:
- The platform version: not set
If you proceed with the upgrade 9.8.3.8, it will do the following:
- upgrade to the new platform version 2.2.2.97
- install with CSP asa version 9.8.3.8
During the upgrade, the system will be reboot
Do you want to proceed ? (yes/no):yes
This operation upgrades firmware and software on Security Platform Components
Here is the checklist of things that are recommended before starting Auto-Install
(1) Review current critical/major faults
(2) Initiate a configuration backup
Do you want to proceed? (yes/no):yes
Triggered the install of software package version 9.8.3.8
Install started. This will take several minutes.
For monitoring the upgrade progress, please enter 'show' or 'show detail' command.
firepower-2130 /firmware/auto-install # show detail
Firmware Auto-Install:
Package-Vers: 9.8.3.8
Oper State: Scheduled
Installation Time: 2019-02-22T22:50:53.775
Upgrade State: Ready
Upgrade Status:
Validation Software Pack Status:
Firmware Upgrade Status:
Current Task:
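Both the TFTP boot in Step 3 and the USB copy in Step 5 move the ASA bundle over channels that give you no integrity guarantee of their own, so before staging the file, compare its SHA-512 against the checksum listed on the Cisco download page for that exact file name. The following checker is an added example written for this article, not code from the original post or from Cisco; the file name, expected checksum and sample bytes are placeholders you replace with the real values.

```python
# Added example for this article (not from the original post or Cisco): verify
# the ASA bundle's SHA-512 against the checksum published on the Cisco download
# page before serving it over TFTP (Step 3) or copying it to USB (Step 5).
# File name, expected checksum and sample bytes are placeholders.
import hashlib
import hmac
import os
import sys
import tempfile

CHUNK = 1 << 20  # hash 1 MiB at a time; the bundle is hundreds of MB
# Known answer for SHA-512 of zero bytes, used to sanity-check the hash path
SHA512_OF_EMPTY = ("cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce"
                   "47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e")


def sha512_hex(data: bytes) -> str:
    """SHA-512 of an in-memory byte string (used for the constructed sample)."""
    return hashlib.sha512(data).hexdigest()


def sha512_of_file(path: str) -> str:
    """Stream the file so a large image never has to fit in memory."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(path: str, expected_sha512: str) -> bool:
    """True only if the file's digest equals the published one.
    Length is checked first so a truncated or mistyped value can never
    prefix-match; compare_digest keeps the comparison constant-time."""
    actual = sha512_of_file(path)
    expected = expected_sha512.strip().lower()
    return len(expected) == len(actual) and hmac.compare_digest(actual, expected)


def self_test() -> bool:
    """Known-answer test so a broken hashlib build cannot pass a bad image."""
    return sha512_hex(b"") == SHA512_OF_EMPTY


def write_sample_image(data: bytes) -> str:
    """Constructed stand-in for cisco-asa-fp2k.9.8.3.8.SPA; returns its path."""
    fd, path = tempfile.mkstemp(suffix=".SPA")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


if __name__ == "__main__":
    # usage: python verify_image.py cisco-asa-fp2k.9.8.3.8.SPA <sha512 from cisco.com>
    if not self_test():
        sys.exit("hash self-test failed")
    ok = verify_image(sys.argv[1], sys.argv[2])
    print("OK: checksum matches, safe to stage" if ok else "MISMATCH: do not boot this file")
    sys.exit(0 if ok else 1)
```

Run it once on the workstation that holds the download, before the file touches the TFTP root or the thumb drive; a mismatch means a corrupt or substituted download, and the fix is to fetch the bundle again from Cisco rather than to boot it and hope.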
Step 6 - Login to ASA and Configure IP
Once the appliance restarts, log in to the FXOS management IP address once more, then drop into the ASA CLI from the FXOS CLI with connect asa and give the ASA's management interface its own IP address on the management network.
Step 7 - License the ASA
This step applies the configuration needed for the device to reach and properly communicate with the Cisco cloud-based licensing servers.
Note: In order to license the ASA you'll first need to generate an ID token in the Cisco Smart Software Manager (smart licensing portal). Treat the token as a credential: anyone holding it can register devices against your Smart Account until it expires.
Example:
ciscoasa# conf t
ciscoasa(config)# domain-name cool.corp
ciscoasa(config)# dns domain-lookup management
ciscoasa(config)# dns server-group DefaultDNS
ciscoasa(config-dns-server-group)# name-server 8.8.8.8
ciscoasa(config-dns-server-group)# name-server 4.2.2.1
ciscoasa(config-dns-server-group)# domain-name cool.corp
ciscoasa(config-dns-server-group)# exit
ciscoasa(config)# crypto ca trustpool import url http://www.cisco.com/security/pki/trs/ios_core.p7b
Root file signature verified.
Trustpool import: attempted: 10 installed: 10 duplicates: 0 expired: 0 failed: 0
ciscoasa(config)# exit
ciscoasa# license smart register idtoken xxxxxx
ciscoasa# show license status
Smart Licensing is ENABLED
Registration:
  Status: REGISTERED
  Smart Account: Cool Corp, LLC
  Virtual Account: DEFAULT
  Export-Controlled Functionality: Allowed
  Initial Registration: SUCCEEDED on Feb 23 01:31:07 2019 UTC
  Last Renewal Attempt: None
  Next Renewal Attempt: Aug 22 01:31:06 2019 UTC
  Registration Expires: Feb 23 01:26:02 2020 UTC
License Authorization:
  Status: AUTHORIZED on Feb 23 01:31:16 2019 UTC
  Last Communication Attempt: SUCCESS on Feb 23 01:31:16 2019 UTC
  Next Communication Attempt: Mar 25 01:31:15 2019 UTC
  Communication Deadline: May 24 01:25:14 2019 UTC
Step 8 - Bootstrap for Remote Login
Once local AAA, a local username, the enable password and SSH are configured, you will be able to log in to the ASA via the management IP address you assigned to it in step 6. The example below permits SSH from all of 10.0.0.0/8 on the management interface; narrow that to your admin subnet or jump host in production. On 9.8.x, dh-group14-sha1 is the strongest key-exchange group the ASA offers; later releases add dh-group14-sha256, which you should prefer wherever it is available.
Example:
ciscoasa(config)# ssh 10.0.0.0 255.0.0.0 management
ciscoasa(config)# ssh timeout 60
ciscoasa(config)# ssh version 2
ciscoasa(config)# ssh key-exchange group dh-group14-sha1
ciscoasa(config)# aaa authentication ssh console LOCAL
ciscoasa(config)# crypto key generate rsa modulus 2048
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...
ciscoasa(config)# username netadmin password xxxx
ciscoasa(config)# enable password xxxx
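The Step 8 bootstrap is what stands between the management network and the firewall's admin plane, so it is worth checking mechanically before you walk away from the console. The following audit is an added example written for this article, not code from the original post or from Cisco; the sample config is constructed from the commands above plus one deliberately weak line (ssh 0.0.0.0 0.0.0.0 outside) so that every flag is exercised.

```python
# Added example for this article (not from the original post or Cisco): audit
# the ASA remote-login bootstrap. The sample config is constructed from the
# page's commands plus one deliberately weak `ssh 0.0.0.0 0.0.0.0 outside` line.
import ipaddress
import re

SAMPLE_CONFIG = """\
ssh 10.0.0.0 255.0.0.0 management
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group14-sha1
aaa authentication ssh console LOCAL
username netadmin password xxxx
enable password xxxx
"""

# `ssh <source-ip> <mask> <interface>`: who may open SSH, and on which interface
SSH_NET = re.compile(r"^ssh (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")


def ssh_allow_list(config):
    """[(network, interface), ...] for every ssh source line in the config."""
    out = []
    for line in config.splitlines():
        m = SSH_NET.match(line.strip())
        if m:
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            out.append((net, m.group(3)))
    return out


def audit_ssh_bootstrap(config, max_width=24, max_timeout=60, mgmt_if="management"):
    """Findings for the SSH/AAA bootstrap; an empty list means nothing to fix."""
    lines = [l.strip() for l in config.splitlines()]
    findings = []
    if "ssh version 2" not in lines:
        findings.append("ssh version 2 not explicitly set")
    if not any(l.startswith("aaa authentication ssh console") for l in lines):
        findings.append("no `aaa authentication ssh console LOCAL`; SSH logins are not tied to named local accounts")
    kex = next((l for l in lines if l.startswith("ssh key-exchange group")), "")
    if not kex or "dh-group1-" in kex:
        findings.append("key exchange is unset or dh-group1 (1024-bit DH); use dh-group14")
    m = next((re.match(r"ssh timeout (\d+)$", l) for l in lines if l.startswith("ssh timeout")), None)
    if m is None or int(m.group(1)) > max_timeout:
        findings.append(f"ssh timeout missing or above {max_timeout} minutes")
    allow = ssh_allow_list(config)
    if not allow:
        findings.append("no ssh source line; SSH is unreachable (fine only if that is intended)")
    for net, iface in allow:
        if net.prefixlen == 0:
            findings.append(f"ssh open to any source on {iface}")
        elif net.prefixlen < max_width:
            findings.append(f"ssh from {net} on {iface} is wider than /{max_width}")
        if iface != mgmt_if:
            findings.append(f"ssh exposed on non-management interface {iface}")
    return findings


if __name__ == "__main__":
    for f in audit_ssh_bootstrap(SAMPLE_CONFIG):
        print("FINDING:", f)
```

Feed it the relevant lines of `show running-config` (the ssh, aaa and username sections are enough). On the sample it flags the /8 and the any-source line on outside; after narrowing the management entry to the admin subnet and dropping the outside line it comes back clean, which is the state you want before the enable password leaves the console session.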