Running ASA on Firepower 2100: An End-to-End Guide

This process shows you step by step how to run the tried and tested ASA appliance on a Firepower 2100 series chassis out of the box. Note that no special hardware (SSD, etc.) is needed on the Firepower 2100 series devices to support this configuration.

A quick housekeeping aside: To anyone who reads this article and believes that one is giving up security by replacing FTD with ASA, I strongly contend that you're probably wrong about that. Also, if from reading this it sounds as though I'm being harsh toward Cisco and their Firepower product team's top-level decision making, it's only because it actually is that terrible. </sarcastic rant>

On that note, let's get started!

Concepts and Key Terms

Cisco's Firepower isn't actually a product in and of itself but a suite of products and subcomponents. For those unfamiliar with the breakdown, it's important for this procedure to understand what those components are.
  • FXOS (Firepower eXtensible OS) - More or less a Cisco-proprietary hypervisor that runs atop Cisco Firepower 2K, 4K and 9K chassis. FXOS manages the applications/VMs which run on it, including handling physical network assignments. In terms of user interface, it consists of two components:
    • FXOS CLI - Provides command-based interface for configuring features, monitoring chassis status, and accessing advanced troubleshooting features.
    • FXOS Chassis Manager - A web-based GUI which provides visual representation of current chassis status and configuration of chassis features.
  • FTD (Firepower Threat Defense) - a feature-starved "NGFW" firewall VM that runs atop FXOS and is managed via a central controller. Cisco is desperately pushing FTD to be the successor to the ASA (with only very modest success).
  • ASA (Adaptive Security Appliance) - The old Cisco firewall we all know and love that Cisco would prefer we all just as soon forget about. Due mostly to customer demand (and for "platform migration ease"), Cisco's made the ASA firewall available to run as a VM on the FXOS chassis. Incidentally, ASA still runs behind the scenes as the core software for FTD but with FTD only making use of a fraction of the capable features that have been developed for ASA.
  • FMC (Firepower Management Console) - An extremely expensive controller appliance with clunky, already outdated UI software that is forced down our throats by Cisco enforcing central management for all of your FTD deployments. It's currently impossible to run most FTD instances without using FMC. Think Cisco MARS 2.0.
  • FDM (Firepower Device Manager) - Rumored to replace the FMC central controller requirement due to customer demand (read: outrage), this is a web-based, on-device management UI for FTD. At the time of this writing, the FDM only supports the Firepower 2100 series chassis and has very few features available.
When a Cisco Firepower 2100 appliance is shipped, it's loaded with the FTD image. However, Cisco also allows customers to completely remove FTD and run ASA in its place, which is what this document shows you how to do.

Cabling Diagram

The device's 'Management 1/1' port must be connected to a local network with outbound access to the Internet. This lets you connect to the device from your local workstation, lets the appliance reach a TFTP server, and lets it reach the Internet for licensing purposes.


Step 1 - Erase FTD

At the console port, log in to FXOS as admin, and reformat the system.
firepower-2110# connect local-mgmt 
firepower-2110(local-mgmt)# format everything
All configuration and bootable images will be lost.
Do you still want to format? (yes/no):

Enter yes, and the Firepower 2100 reboots.

Step 2 - Break into ROMMON

Press Esc during the bootup when prompted to reach the ROMMON prompt. Pay close attention to the monitor.


Cisco System ROMMON, Version 1.0.03, RELEASE SOFTWARE
Copyright (c) 1994-2017  by Cisco Systems, Inc.
Compiled Thu 04/06/2017 12:16:16.21 by builder

Current image running: Boot ROM0
Last reset cause: ResetRequest
DIMM_1/1 : Present
DIMM_2/1 : Present

Platform FPR-2130 with 32768 MBytes of main memory
BIOS has been successfully locked !!
MAC Address: 0c:75:bd:08:c9:80

Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.

Press Esc at this point. If you miss the interrupt prompt, the Firepower 2100 attempts to reboot 3 times; because there is no image on the device, only ROMMON is available.

Step 3 - Boot ASA Software over TFTP

Set the network settings for Management 1/1, and load FXOS (part of the Firepower Threat Defense package) using the following ROMMON commands.
The FXOS image downloads and boots up to the CLI.
See the following information:
  • gateway —Set the gateway address to be the same as the server IP address if they’re on the same network.
  • set —Shows the network settings. You can also use the ping command to verify connectivity to the server.
  • sync —Saves the network settings.
  • tftp -b —Loads FXOS.
rommon 1> address
rommon 2> netmask
rommon 3> server
rommon 4> gateway
rommon 5> file cisco-asa-fp2k.
rommon 6> set
ROMMON Variable Settings:
  PS1="rommon ! > "

rommon 7> sync
rommon 8> tftp -b
Enable boot bundle: tftp_reqsize = 268435456

               IMAGE: cisco-asa-fp2k.
             MACADDR: d4:2c:44:0c:26:00
           VERBOSITY: Progress
               RETRY: 40
          PKTTIMEOUT: 7200
             BLKSIZE: 1460
            CHECKSUM: Yes
                PORT: GbE/1
             PHYMODE: Auto Detect

link up
Receiving cisco-asa-fp2k. from!!!!!!!!

Step 4 - Bootstrap FXOS

Log in to FXOS using the default username: admin and the default password. Note that after the device boots up into FXOS, the Management IP address that you set in ROMMON is erased and set to the default: You will need to set the correct IP address and other related settings for your network in FXOS before you can download the Firepower Threat Defense package from the server. As mentioned before, FXOS is essentially a hypervisor chassis manager that runs the ASA VM. As such it needs to be configured for management and secured as a separate host.

Set the scope for system/services


firepower-2110# scope system
firepower-2110 /system # scope services

View the current management-plane access lists


firepower-2110 /system/services # show ip-block

Permitted IP Block:
    IP Address      Prefix Length Protocol
    --------------- ------------- --------
                    24            https
                    24            ssh
firepower-2140 /system/services #

Add new access lists for your source network


firepower-2110 /system/services # enter ip-block 8 https
firepower-2110 /system/services/ip-block* # exit
firepower-2110 /system/services* # enter ip-block 8 ssh
firepower-2110 /system/services/ip-block* # exit
firepower-2110 /system/services* # 

Delete the old access lists


firepower-2110 /system/services # delete ip-block 24 https
firepower-2110 /system/services* # delete ip-block 24 ssh
firepower-2110 /system/services* # 
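The ip-block replacement above is easy to get wrong by hand (delete the old entry before the new one commits and you lock yourself out). This added example, not part of the original post, parses `show ip-block` output, flags entries that expose FXOS management to an overly wide source range, and emits the Step 4 command sequence in a lockout-safe order. The sample output and the 10.0.0.0/24 management network are constructed assumptions.

```python
import re
from ipaddress import ip_network

# Constructed FXOS `show ip-block` output (sample data, not captured from a real chassis);
# 0.0.0.0/0 is the "allow from anywhere" style of entry this step replaces.
SAMPLE_SHOW_IP_BLOCK = """\
Permitted IP Block:
    IP Address      Prefix Length Protocol
    --------------- ------------- --------
    0.0.0.0         0             https
    0.0.0.0         0             ssh
    10.0.0.0        24            ssh
"""

ROW_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(https|ssh|snmp)\s*$")


def parse_ip_blocks(text):
    """Return [(IPv4Network, protocol), ...] parsed from `show ip-block` output."""
    blocks = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            blocks.append((ip_network(f"{m.group(1)}/{m.group(2)}", strict=False), m.group(3)))
    return blocks


def overly_broad(blocks, max_prefixlen=16):
    """Entries that open FXOS management to a wider source range than a /max_prefixlen."""
    return [(net, proto) for net, proto in blocks if net.prefixlen < max_prefixlen]


def fxos_commands(current, desired):
    """Build the FXOS CLI sequence from Step 4: add wanted blocks first (so the session
    you are working from is never locked out), then delete stale ones, then commit."""
    wanted = [(ip_network(cidr, strict=False), proto) for cidr, proto in desired]
    cmds = ["scope system", "scope services"]
    for net, proto in wanted:
        if (net, proto) not in current:
            cmds += [f"enter ip-block {net.network_address} {net.prefixlen} {proto}", "exit"]
    for net, proto in current:
        if (net, proto) not in wanted:
            cmds.append(f"delete ip-block {net.network_address} {net.prefixlen} {proto}")
    cmds.append("commit-buffer")
    return cmds


if __name__ == "__main__":
    current = parse_ip_blocks(SAMPLE_SHOW_IP_BLOCK)
    for net, proto in overly_broad(current):
        print(f"WARNING: {proto} management reachable from {net}")
    print("\n".join(fxos_commands(current, [("10.0.0.0/24", "https"), ("10.0.0.0/24", "ssh")])))
```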

Disable the DHCP Server


firepower-2110# scope system
firepower-2110 /system # scope services
firepower-2110 /system/services # disable dhcp-server

Configure an IPv4 management IP address and the gateway. This will allow you to log in to the FXOS CLI remotely.


firepower-2110*# scope fabric-interconnect a
firepower-2110 /fabric-interconnect* #
firepower-2100 /fabric-interconnect* # set out-of-band static ip netmask
firepower-2100 /fabric-interconnect* # set out-of-band static ip gw 
firepower-2100 /fabric-interconnect* #

Enable the physical interfaces so that they're usable by VMs, then commit (save) all of these configuration changes:


firepower-2130# scope eth-uplink 
firepower-2130 /eth-uplink # scope fabric a
firepower-2130 /eth-uplink/fabric # scope interface e1/3
firepower-2130 /eth-uplink/fabric/interface # enable
firepower-2130 /eth-uplink/fabric/interface* # exit
firepower-2130 /eth-uplink/fabric* # scope interface e1/4
firepower-2130 /eth-uplink/fabric/interface* # enable
firepower-2130 /eth-uplink/fabric/interface* # exit
firepower-2130 /eth-uplink/fabric* # scope interface e1/5
firepower-2130 /eth-uplink/fabric/interface* # enable
firepower-2130 /eth-uplink/fabric/interface* # exit
firepower-2130 /eth-uplink/fabric* # scope interface e1/6
firepower-2130 /eth-uplink/fabric/interface* # enable
firepower-2130 /eth-uplink/fabric/interface* # exit
firepower-2130 /eth-uplink/fabric* # scope interface e1/7
firepower-2130 /eth-uplink/fabric/interface* # enable
firepower-2130 /eth-uplink/fabric/interface* # exit
firepower-2130 /eth-uplink/fabric* # scope interface e1/8
firepower-2130 /eth-uplink/fabric/interface* # enable
firepower-2130 /eth-uplink/fabric/interface* # exit
firepower-2130 /eth-uplink/fabric* # scope interface e1/9
firepower-2130 /eth-uplink/fabric/interface* # enable
firepower-2130 /eth-uplink/fabric/interface* # exit
firepower-2130 /eth-uplink/fabric* # scope interface e1/10
firepower-2130 /eth-uplink/fabric/interface* # enable
firepower-2130 /eth-uplink/fabric/interface* # exit
firepower-2130 /eth-uplink/fabric* # scope interface e1/11
firepower-2130 /eth-uplink/fabric/interface* # enable
firepower-2130 /eth-uplink/fabric/interface* # exit
firepower-2130 /eth-uplink/fabric* # scope interface e1/12
firepower-2130 /eth-uplink/fabric/interface* # enable
firepower-2130 /eth-uplink/fabric/interface* # exit
firepower-2130 /eth-uplink/fabric* # scope interface e1/13
firepower-2130 /eth-uplink/fabric/interface* # enable
firepower-2130 /eth-uplink/fabric/interface* # exit
firepower-2130 /eth-uplink/fabric* # scope interface e1/14
firepower-2130 /eth-uplink/fabric/interface* # enable
firepower-2130 /eth-uplink/fabric/interface* # exit
firepower-2130 /eth-uplink/fabric* # scope interface e1/15
firepower-2130 /eth-uplink/fabric/interface* # enable
firepower-2130 /eth-uplink/fabric/interface* # exit
firepower-2130 /eth-uplink/fabric* # scope interface e1/16
firepower-2130 /eth-uplink/fabric/interface* # enable
firepower-2130 /eth-uplink/fabric/interface* # commit-buffer

Step 5 - Load the ASA Image

Download and boot the ASA package onto the device again. This loads the same file you previously used into local storage. Note that TFTP, FTP, SCP and a few other protocols are offered as options; however, they do not appear to work. The only known way to copy this file is via a thumb drive. Simply load the file into the root directory of a thumb drive, insert it into the Firepower 2100 chassis, then run the following.
firepower-2110# scope firmware
firepower-2110 /firmware # download image usbA:/cisco-asa-fp2k.
Please use the command 'show download-task' or 'show download-task detail' to check download progress.
firepower-2130 /firmware # show download-task
Download task:
 File Name Protocol Server Port Userid State
 --------- -------- --------------- ---------- --------------- -----
 Usb A 0 Downloading

When the package finishes downloading (Downloaded state), boot the package. In the show package output, copy the Package-Vers value for the security-pack version number. The chassis installs the Firepower Threat Defense image and reboots.


firepower 2110 /firmware # show package
Name                                          Package-Vers
--------------------------------------------- ------------
firepower 2110 /firmware # scope auto-install
firepower-2130 /firmware/auto-install # install security-pack version
The system is currently installed with security software package not set, which has:
 - The platform version: not set
If you proceed with the upgrade, it will do the following:
 - upgrade to the new platform version
 - install with CSP asa version
During the upgrade, the system will be reboot
Do you want to proceed ? (yes/no):yes
This operation upgrades firmware and software on Security Platform Components
Here is the checklist of things that are recommended before starting Auto-Install
(1) Review current critical/major faults
(2) Initiate a configuration backup
Do you want to proceed? (yes/no):yes
Triggered the install of software package version
Install started. This will take several minutes.
For monitoring the upgrade progress, please enter 'show' or 'show detail' command.
firepower-2130 /firmware/auto-install # show detail
Firmware Auto-Install:
 Oper State: Scheduled
 Installation Time: 2019-02-22T22:50:53.775
 Upgrade State: Ready
 Upgrade Status:
 Validation Software Pack Status:
 Firmware Upgrade Status:
 Current Task:

Step 6 - Log in to ASA and Configure IP

Once the appliance restarts, log in to the FXOS IP address once more.
  1. From the console, connect to the ASA CLI and access global configuration mode.


    firepower-2110# connect asa
    Attaching to Diagnostic CLI ... Press 'Ctrl+a then d' to detach.
    Type help or '?' for a list of available commands.
    ciscoasa> enable
    Password: <blank>
    ciscoasa# configure terminal
  2. Change the Management 1/1 IP address.


    ciscoasa(config)# interface management1/1
    ciscoasa(config-if)# ip address
    ciscoasa(config)# route management
    The Firepower FXOS management interface and ASA management interface have separate IP addresses, but share the same physical Management 1/1 interface. You can use the IP address configured above to SSH directly to the ASA VM.
  3. Save the configuration.
    ciscoasa# write mem

Step 7 - License the ASA

This step will apply the necessary configuration to allow the device to reach and properly communicate with the Cisco cloud-based licensing servers.
Note: In order to license the ASA, you'll first need to generate and obtain a token from the Cisco Smart Licensing portal.


ciscoasa# conf t
ciscoasa(config)# domain-name cool.corp
ciscoasa(config)# dns domain-lookup management
ciscoasa(config)# dns server-group DefaultDNS
ciscoasa(config-dns-server-group)# name-server 
ciscoasa(config-dns-server-group)# name-server 
ciscoasa(config-dns-server-group)# domain-name cool.corp
ciscoasa(config)# crypto ca trustpool import url
Root file signature verified.
Trustpool import:
 attempted: 10
 installed: 10
 duplicates: 0
 expired: 0
 failed: 0
ciscoasa(config)# exit 
ciscoasa# license smart register idtoken xxxxxx
ciscoasa# show license status
Smart Licensing is ENABLED
 Smart Account: Cool Corp, LLC
 Virtual Account: DEFAULT
 Export-Controlled Functionality: Allowed
 Initial Registration: SUCCEEDED on Feb 23 01:31:07 2019 UTC
 Last Renewal Attempt: None
 Next Renewal Attempt: Aug 22 01:31:06 2019 UTC
 Registration Expires: Feb 23 01:26:02 2020 UTC
License Authorization: 
 Status: AUTHORIZED on Feb 23 01:31:16 2019 UTC
 Last Communication Attempt: SUCCESS on Feb 23 01:31:16 2019 UTC
 Next Communication Attempt: Mar 25 01:31:15 2019 UTC
 Communication Deadline: May 24 01:25:14 2019 UTC

Step 8 - Bootstrap for Remote Login

Once local AAA, a local username, the enable secret and SSH are configured, you will be able to log in to the ASA via the management IP address assigned to it in step 6.


ciscoasa(config)# ssh management
ciscoasa(config)# ssh timeout 60
ciscoasa(config)# ssh version 2
ciscoasa(config)# ssh key-exchange group dh-group14-sha1
ciscoasa(config)# aaa authentication ssh LOCAL
ciscoasa(config-dns-server-group)# crypto key generate rsa modulus 2048
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...
ciscoasa(config)# username netadmin password xxxx
ciscoasa(config)# enable password xxxx
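Before exposing the management IP, it is worth verifying that the bootstrap actually landed as intended. This added example, not part of the original post, audits an ASA running-config excerpt for the Step 8 settings: SSH version 2, LOCAL AAA, an idle timeout, credentials present, SSH permitted only on the management interface and not from any source, and a note when the key-exchange group uses SHA-1. The config excerpt is constructed sample data (the real `ssh <net> <mask> management` line needs your own source network).

```python
import re

# Constructed ASA running-config excerpt reflecting the Step 8 bootstrap above
# (sample data, not a capture from the author's device).
SAMPLE_ASA_CONFIG = """\
hostname ciscoasa
enable password ***** encrypted
username netadmin password ***** encrypted privilege 15
aaa authentication ssh console LOCAL
ssh 10.0.0.0 255.255.255.0 management
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group14-sha1
"""

SSH_ALLOW_RE = re.compile(r"^ssh (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")


def audit_ssh_bootstrap(config, mgmt_ifaces=("management",)):
    """Return findings for the SSH/AAA bootstrap; an empty list means the remote-login
    settings match what Step 8 sets up (version 2, LOCAL AAA, management-only access)."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    if "ssh version 2" not in lines:
        findings.append("ssh version 2 is not enforced")
    if not any(re.match(r"^aaa authentication ssh (console )?LOCAL$", l) for l in lines):
        findings.append("no local AAA for SSH (aaa authentication ssh console LOCAL)")
    if not any(re.match(r"^username \S+ password ", l) for l in lines):
        findings.append("no local username configured")
    if not any(l.startswith("enable password ") for l in lines):
        findings.append("enable password not set")
    if not any(re.match(r"^ssh timeout \d+$", l) for l in lines):
        findings.append("ssh idle timeout not set")
    allows = [m.groups() for m in (SSH_ALLOW_RE.match(l) for l in lines) if m]
    if not allows:
        findings.append("no 'ssh <net> <mask> <iface>' entry: SSH is unreachable")
    for ip, mask, iface in allows:
        if ip == "0.0.0.0" and mask == "0.0.0.0":
            findings.append(f"SSH open to any source on {iface}")
        if iface not in mgmt_ifaces:
            findings.append(f"SSH permitted on non-management interface {iface}")
    for l in lines:
        m = re.match(r"^ssh key-exchange group (\S+)$", l)
        if m and m.group(1).endswith("sha1"):
            # Still functional, but a SHA-2 group is preferable where the ASA release offers one.
            findings.append(f"key-exchange group {m.group(1)} uses SHA-1")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_ssh_bootstrap(SAMPLE_ASA_CONFIG)) or "bootstrap looks complete")
```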
