Running ASA on Firepower 2100: An End-to-End Guide

This process shows you step by step how to run the tried and tested ASA appliance on a Firepower 2100 series chassis out of the box. Note that no special hardware (SSD, etc) is needed on the Firepower 2100 series devices to support this configuration.

A quick housekeeping aside: To anyone who reads this article and believes that one is giving up security by replacing FTD with ASA, I strongly contend that you're probably wrong about that. Also, if from reading this it sounds as though I'm being harsh toward Cisco and their Firepower product team's top-level decision making, it's only because it actually is that terrible. </sarcastic rant>

On that note, let's get started!

Concepts and Key Terms

Cisco's Firepower isn't actually a product in and of itself but a suite of products and subcomponents. For those uninitiated with the breakdown, it's important to understand what those components are for this procedure.
  • FXOS (Firepower eXtensible OS) - More or less a Cisco-proprietary hypervisor that runs atop Cisco Firepower 2K, 4K and 9K chassis'. FXOS manages the applications/VMs which run on it, including handling physical network assignments. In terms of user interface it consists of two components:
    • FXOS CLI - Provides command-based interface for configuring features, monitoring chassis status, and accessing advanced troubleshooting features.
    • FXOS Chassis Manager - A web-based GUI which provides visual representation of current chassis status and configuration of chassis features.
  • FTD (Firepower Threat Defense) - a feature-starved, "NGFW" firewall VM that runs atop FXOS that's centrally managed via a central controller. Cisco is desperately pushing FTD to the be successor to the ASA (with only very modest success).
  • ASA (Adaptive Security Appliance) - The old Cisco firewall we all know and love that Cisco would prefer we all just as soon forget about. Due mostly to customer demand (and for "platform migration ease"), Cisco's made the ASA firewall available to run as a VM on the FXOS chassis. Incidentally, ASA still runs behind the scenes as the core software for FTD but with FTD only making use of a fraction of the capable features that have been developed for ASA.
  • FMC (Firepower Management Console) - An extremely expensive controller appliance with clunky, already out-dated UI software that is forced down our throats by Cisco enforcing central management for all of your FTD deployments. It's currently impossible to run most FTD instances without using FMC. Think Cisco MARS 2.0.
  • FDM (Firepower Device Manager) - Rumored to replace the FMC central controller requirement due to customer outrage demand, this is a web-based, on-device management UI for FTD. At the time of this writing, the FDM only supports the Firepower 2100 series chassis and has very few features available.
When a Cisco Firepower 2100 appliance is shipped, it's loaded with the FTD image. However Cisco also allows customers to completely remove FTD and run ASA in its place, which is what this document shows you how to do.

Cabling Diagram

It's necessary that the devices be connected on port 'Management 1/1' be to a local network with outbound access to the Internet. This allows you to connect to the device from your local workstation, connect the appliance to a TFTP server and allows it to access the internet for licensing purposes.

Procedure

Step 1 - Erase FTD

At the console port, log in to FXOS as admin, and reformat the system.
firepower-2110# connect local-mgmt 
firepower-2110(local-mgmt)# format everything
All configuration and bootable images will be lost.
Do you still want to format? (yes/no):

Enter yes, and the Firepower 2100 reboots.

Step 2 - Break into ROMMON

Press Esc during the bootup when prompted to reach the ROMMON prompt. Pay close attention to the monitor.

Example:

*******************************************************************************
Cisco System ROMMON, Version 1.0.03, RELEASE SOFTWARE
Copyright (c) 1994-2017  by Cisco Systems, Inc.
Compiled Thu 04/06/2017 12:16:16.21 by builder
*******************************************************************************

Current image running: Boot ROM0
Last reset cause: ResetRequest
DIMM_1/1 : Present
DIMM_2/1 : Present

Platform FPR-2130 with 32768 MBytes of main memory
BIOS has been successfully locked !!
MAC Address: 0c:75:bd:08:c9:80

Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Press Esc at this point. If you miss the interrupt prompt, the Firepower 2100 attempts to reboot 3 times; because there is no image on the device, only ROMMON is available.

Step 3 - Boot ASA Software over TFTP

Set the network settings for Management 1/1, and load FXOS (part of the Firepower Threat Defense package) using the following ROMMON commands.
The FXOS image downloads and boots up to the CLI.
See the following information:
  • gateway —Set the gateway address to be the same as the server IP address if they’re on the same network.
  • set —Shows the network settings. You can also use the ping command to verify connectivity to the server.
  • sync —Saves the network settings.
  • tftp -b —Loads FXOS.
Example:
rommon 1> address 10.70.128.32
rommon 2> netmask 255.255.240.0
rommon 3> server 10.70.33.222
rommon 4> gateway 10.70.128.1
rommon 5> file cisco-asa-fp2k.9.8.3.8.SPA
rommon 6> set
ROMMON Variable Settings:
  ADDRESS=10.70.128.32
  NETMASK=255.255.240.0
  GATEWAY=10.70.128.1
  SERVER=10.70.33.222
  IMAGE=cisco-asa-fp2k.9.8.3.8.SPA
  CONFIG=
  PS1="rommon ! > "

rommon 7> sync
rommon 8> tftp -b
Enable boot bundle: tftp_reqsize = 268435456

             ADDRESS: 10.70.128.32
             NETMASK: 255.255.240.0
             GATEWAY: 10.70.128.1
              SERVER: 10.70.33.222
               IMAGE: cisco-asa-fp2k.9.8.3.8.SPA
             MACADDR: d4:2c:44:0c:26:00
           VERBOSITY: Progress
               RETRY: 40
          PKTTIMEOUT: 7200
             BLKSIZE: 1460
            CHECKSUM: Yes
                PORT: GbE/1
             PHYMODE: Auto Detect

link up
Receiving cisco-asa-fp2k.9.8.3.8.SPA from 10.70.33.222!!!!!!!!
[…]

Step 4 - Bootstrap FXOS

Log in to FXOS using the default username: admin and the default password. Note that after the device boots up into FXOS, the Management IP address that you set in ROMMON is erased and set to the default: 192.168.45.45. You will need to set the correct IP address and other related settings for your network in FXOS before you can download the Firepower Threat Defense package from the server. As mentioned before, FXOS is essentially a hypervisor chassis manager that runs the ASA VM. As such it needs to be configured for management and secured as a separate host.

Set the scope for system/services

Example:

firepower-2110# scope system
firepower-2110 /system # scope services

View the current management-plane access lists

Example:

firepower-2110 /system/services # show ip-block

Permitted IP Block:
    IP Address      Prefix Length Protocol
    --------------- ------------- --------
    192.168.45.0               24 https
    192.168.45.0               24 ssh
firepower-2140 /system/services #

Add new access lists for your source network

Example:

firepower-2110 /system/services # enter ip-block 10.0.0.0 8 https
firepower-2110 /system/services/ip-block* # exit
firepower-2110 /system/services* # enter ip-block 10.0.0.0 8 ssh
firepower-2110 /system/services/ip-block* # exit
firepower-2110 /system/services* #

Delete the old access lists

Example:

firepower-2110 /system/services # delete ip-block 192.168.45.0 24 https
firepower-2110 /system/services* # delete ip-block 192.168.45.0 24 ssh
firepower-2110 /system/services* #

Disable the DHCP Server

 Example:

 firepower-2110# scope system
 firepower-2110 /system # scope services
 firepower-2110 /system/services # disable dhcp-server

Configure an IPv4 management IP address and the gateway. This will allow you to login to the FXOS CLI remotely

Example:

firepower-2110*# scope fabric-interconnect a
firepower-2110 /fabric-interconnect* #
firepower-2100 /fabric-interconnect* # set out-of-band static ip 10.70.128.32 netmask 255.255.240.0
firepower-2100 /fabric-interconnect* # set out-of-band static ip 10.70.128.32 gw 10.70.128.1 
firepower-2100 /fabric-interconnect* #

Enable the physical interfaces so that they're usable by VMs, then commit(save) all of these the configuration changes:

Example:

firepower-2130# scope eth-uplink 
firepower-2130 /eth-uplink # scope fabric a
firepower-2130 /eth-uplink/fabric # scope interface e1/3
firepower-2130 /eth-uplink/fabric/interface # enable
firepower-2130 /eth-uplink/fabric/interface* # exit
firepower-2130 /eth-uplink/fabric* # scope interface e1/4
firepower-2130 /eth-uplink/fabric/interface* # enable
firepower-2130 /eth-uplink/fabric/interface* # exit
firepower-2130 /eth-uplink/fabric* # scope interface e1/5
firepower-2130 /eth-uplink/fabric/interface* # enable
firepower-2130 /eth-uplink/fabric/interface* # exit
firepower-2130 /eth-uplink/fabric* # scope interface e1/6
firepower-2130 /eth-uplink/fabric/interface* # enable
firepower-2130 /eth-uplink/fabric/interface* # exit
firepower-2130 /eth-uplink/fabric* # scope interface e1/7
firepower-2130 /eth-uplink/fabric/interface* # enable
firepower-2130 /eth-uplink/fabric/interface* # exit
firepower-2130 /eth-uplink/fabric* # scope interface e1/8
firepower-2130 /eth-uplink/fabric/interface* # enable
firepower-2130 /eth-uplink/fabric/interface* # exit
firepower-2130 /eth-uplink/fabric* # scope interface e1/9
firepower-2130 /eth-uplink/fabric/interface* # enable
firepower-2130 /eth-uplink/fabric/interface* # exit
firepower-2130 /eth-uplink/fabric* # scope interface e1/10
firepower-2130 /eth-uplink/fabric/interface* # enable
firepower-2130 /eth-uplink/fabric/interface* # exit
firepower-2130 /eth-uplink/fabric* # scope interface e1/11
firepower-2130 /eth-uplink/fabric/interface* # enable
firepower-2130 /eth-uplink/fabric/interface* # exit
firepower-2130 /eth-uplink/fabric* # scope interface e1/12
firepower-2130 /eth-uplink/fabric/interface* # enable
firepower-2130 /eth-uplink/fabric/interface* # exit
firepower-2130 /eth-uplink/fabric* # scope interface e1/13
firepower-2130 /eth-uplink/fabric/interface* # enable
firepower-2130 /eth-uplink/fabric/interface* # exit
firepower-2130 /eth-uplink/fabric* # scope interface e1/14
firepower-2130 /eth-uplink/fabric/interface* # enable
firepower-2130 /eth-uplink/fabric/interface* # exit
firepower-2130 /eth-uplink/fabric* # scope interface e1/15
firepower-2130 /eth-uplink/fabric/interface* # enable
firepower-2130 /eth-uplink/fabric/interface* # exit
firepower-2130 /eth-uplink/fabric* # scope interface e1/16
firepower-2130 /eth-uplink/fabric/interface* # enable
firepower-2130 /eth-uplink/fabric/interface* # commit-buffer

Step 5 - Load the ASA Image

Download and boot the ASA package onto the device again. This loads the same file you previously used into the local storage. Note that TFTP, FTP, SCP and a few other protocols are available, however do not appear to work. The only known way to copy this file is via a thumb drive. Simply load the file into the root directory of a thumb drive, insert it into the Firepower 2100 chassis, then run the following.
Example:
firepower-2110# scope firmware
firepower-2110 /firmware # download image usbA:/cisco-asa-fp2k.9.8.3.8.SPA
Please use the command 'show download-task' or 'show download-task detail' to check download progress.
firepower-2130 /firmware # show download-task
Download task:
 File Name Protocol Server Port Userid State
 --------- -------- --------------- ---------- --------------- -----
 cisco-asa-fp2k.9.8.3.8.SPA
 Usb A 0 Downloading

When the package finishes downloading (Downloaded state), boot the package. In the show package output, copy the Package-Vers value for the security-pack version number. The chassis installs the Firepower Threat Defense image and reboots.

Example:

firepower 2110 /firmware # show package
Name                                          Package-Vers
--------------------------------------------- ------------
cisco-asa-fp2k.9.8.3.8.SPA                    9.8.3.8
firepower 2110 /firmware # scope auto-install
firepower-2130 /firmware/auto-install # install security-pack version 9.8.3.8
The system is currently installed with security software package not set, which has:
 - The platform version: not set
If you proceed with the upgrade 9.8.3.8, it will do the following:
 - upgrade to the new platform version 2.2.2.97
 - install with CSP asa version 9.8.3.8
During the upgrade, the system will be reboot
Do you want to proceed ? (yes/no):yes
This operation upgrades firmware and software on Security Platform Components
Here is the checklist of things that are recommended before starting Auto-Install
(1) Review current critical/major faults
(2) Initiate a configuration backup
Do you want to proceed? (yes/no):yes
Triggered the install of software package version 9.8.3.8
Install started. This will take several minutes.
For monitoring the upgrade progress, please enter 'show' or 'show detail' command.
firepower-2130 /firmware/auto-install # show detail
Firmware Auto-Install:
 Package-Vers: 9.8.3.8
 Oper State: Scheduled
 Installation Time: 2019-02-22T22:50:53.775
 Upgrade State: Ready
 Upgrade Status:
 Validation Software Pack Status:
 Firmware Upgrade Status:
 Current Task:

Step 6 - Login to ASA and Configure IP

Once the appliance restarts, login to the FXOS IP address once more.
  1. From the console, connect to the ASA CLI and access global configuration mode.

    Example:

    firepower-2110# connect asa
Attaching to Diagnostic CLI ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.
ciscoasa> enable
Password: <blank>
ciscoasa# configure terminal
ciscoasa(config)#
  2. Change the Management 1/1 IP address.

    Example:

    ciscoasa(config)# interface management1/1
ciscoasa(config-if)# ip address 10.70.128.33 255.255.240.0
ciscoasa(config)# route management 0.0.0.0 0.0.0.0 10.70.128.1
    The Firepower FXOS management interface and ASA management interface have separate IP addresses, but share the same physical Management 1/1 interface. You can use the IP address configured above to SSH directly to the ASA VM.
  3. Save the configuration.write memory
    ciscoasa# write mem

Step 7 - License the ASA

This step will apply the necessary configuration to allow the device to reach and properly communicate with the Cisco cloud-based licensing servers.
Note: In order to license the ASA you'll first need to generate and obtain a token from Cisco smart licensing portal.

Example:

ciscoasa# conf t
ciscoasa(config)# domain-name cool.corp
ciscoasa(config)# dns domain-lookup management
ciscoasa(config)# dns server-group DefaultDNS
ciscoasa(config-dns-server-group)# name-server 8.8.8.8 
ciscoasa(config-dns-server-group)# name-server 4.2.2.1 
ciscoasa(config-dns-server-group)# domain-name cool.corp
ciscoasa(config)# crypto ca trustpool import url http://www.cisco.com/security/pki/trs/ios_core.p7b
Root file signature verified.
Trustpool import:
 attempted: 10
 installed: 10
 duplicates: 0
 expired: 0
 failed: 0
ciscoasa(config)# exit 
ciscoasa# license smart register idtoken xxxxxx
ciscoasa# show license status
Smart Licensing is ENABLED
Registration:
 Status: REGISTERED
 Smart Account: Cool Corp, LLC
 Virtual Account: DEFAULT
 Export-Controlled Functionality: Allowed
 Initial Registration: SUCCEEDED on Feb 23 01:31:07 2019 UTC
 Last Renewal Attempt: None
 Next Renewal Attempt: Aug 22 01:31:06 2019 UTC
 Registration Expires: Feb 23 01:26:02 2020 UTC
License Authorization: 
 Status: AUTHORIZED on Feb 23 01:31:16 2019 UTC
 Last Communication Attempt: SUCCESS on Feb 23 01:31:16 2019 UTC
 Next Communication Attempt: Mar 25 01:31:15 2019 UTC
 Communication Deadline: May 24 01:25:14 2019 UTC

Step 8 - Bootstrap for Remote Login

Once local AAA, local username, enable secret and SSH are configured, you will then be able to login to the ASA via the management IP address assigned to it in step 7.

Example:

ciscoasa(config)# ssh 10.0.0.0 255.0.0.0 management
ciscoasa(config)# ssh timeout 60
ciscoasa(config)# ssh version 2
ciscoasa(config)# ssh key-exchange group dh-group14-sha1
ciscoasa(config)# aaa authentication ssh LOCAL
ciscoasa(config-dns-server-group)# crypto key generate rsa modulus 2048
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...
ciscoasa(config)# username netadmin password xxxx
ciscoasa(config)# enable password xxxx

Popular posts from this blog

Configuring Cisco ASA for Route-Based VPN

Image
Here I'll attempt to give an overview of Cisco ASA's implementation of the static virtual tunnel interface (aka "SVTI", or "VTI" for short), also known more simply as "route-based VPN", and how to configure it on Cisco ASA firewalls. Some benefits of using VTI is it that does away with the painful requirement of configuring all of those joyless static crypto map access-lists, meaning you no longer have to manually maintain all possible local-to-remote prefix security associations. IPSec VPN deployments ultimately become easier and with BGP you also satisfy HA requirements to public cloud connectors such as AWS and GCP. Guidelines Below are a snapshot of guidelines for using SVTI specific to the ASA platform (keep in mind that SVTI is not ASA or even Cisco-specific technology, each device will have a different implementation): You can use dynamic or static routes for traffic over the tunnel interface  The MTU for VTIs is automatically se
Read more

Up and Rawring with TRex: Cisco's Open Traffic Generator

Image
Network performance testing is hard. Historically it's required expensive [cost-prohibitive for < $BN enterprises] equipment starting at tens of thousands of dollars for what amounts to an overly complex traffic simulation appliance, then practically requiring a professional level certification just to operate it. Sound familiar at all? Personally I must admit that I've largely scoffed at the entire concept of simulated traffic testing, noble as it may be. I conceded that, as an engineer of a relatively budget-conscious organization, the only way to properly test something on the network was to simply put it into production, and then watch it from a safe distance whilst wearing a white lab coat and holding a pen and clipboard. Either it would perform admirably, or promptly catch fire and explode, indicating a yank-and-forget...or a step upgrade. Easy enough. That being said, it's just not everyday that a big name vendor offers a super useful tool completely free o
Read more

AWS: DX Public VIF w/ VPN Failover

Image
Here I'll provide a quick glimpse on how to setup a physical DirectConnect cross-connect to your AWS VPC with seamless VPN resiliency of VPN failover. First, you'll need to provision at least one DirectConnect (DX) connection to AWS. After you've done that, use the AWS portal create a new Public VIF on that connection(s): Click for full-size In reality, a VIF is really just a separate dot1q VLAN and BGP peering session within the physical link between you and AWS at the exchange facility. The difference between a Public and Private VIF is what addresses are received/announced by both ends. For instance, using a private VIF is similar to a VPN connection where you will receive private VPC subnet(s) and announce your remote network's local IP space toward it. With a public VIF however you'll instead receive all of AWS' public service endpoint prefixes, including EC2, S3, Dynamo DB, and VPN terminators. Side note: Depending on optional BGP communitie
Read more