I reimaged a Firepower 1010 from ASA to FTD in a previous post. In this post, I'll demonstrate how to reimage an FTD appliance to run the classic ASA software. Note that in ASA version 9.12 and earlier only Platform mode (firepower# connect asa) is available, while in ASA version 9.13 and later Appliance mode (ciscoasa>) is the default.
I ran a TFTP server on my laptop with the static IP address 192.168.1.10/24. Below are the steps for the Firepower 1010 FTD to ASA conversion.
C:\Windows\System32>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 192.168.1.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
C:\Windows\System32>ping 192.168.1.45 // FTD MANAGEMENT IP
Pinging 192.168.1.45 with 32 bytes of data:
Reply from 192.168.1.45: bytes=32 time<1ms TTL=64
Reply from 192.168.1.45: bytes=32 time<1ms TTL=64
Reply from 192.168.1.45: bytes=32 time=1ms TTL=64
Reply from 192.168.1.45: bytes=32 time<1ms TTL=64
Ping statistics for 192.168.1.45:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms
Go to firmware mode using the scope firmware command.
Download the ASA package: cisco-asa-fp1k.9.14.1.SPA using the download image <ftp | scp | tftp> command.
> exit // EXIT FTD CLI
firepower# scope firmware
firepower /firmware # download image tftp://192.168.1.10/cisco-asa-fp1k.9.14.1.SPA
Please use the command 'show download-task' or 'show download-task detail' to check download progress.
% Download-task cisco-asa-fp1k.9.14.1.SPA : transferring 264672 KB
% Download-task cisco-asa-fp1k.9.14.1.SPA : verifying image ...
% Download-task cisco-asa-fp1k.9.14.1.SPA : completed successfully.
You can view the download status using the show download-task command (or just monitor it on the TFTP program).
firepower /firmware # show download-task
Download task:
File Name Protocol Server Port Userid State
--------- -------- --------------- ---------- --------------- -----
cisco-asa-fp1k.9.14.1.SPA Tftp 192.168.1.10 0 Downloaded
View the downloaded software package using the show package command.
firepower /firmware # show package
Name Package-Vers
--------------------------------------------- ------------
cisco-asa-fp1k.9.14.1.SPA 9.14.1
cisco-ftd-fp1k.6.4.0-102.SPA 6.4.0-102
cisco-ftd-fp1k.6.5.0-115.SPA 6.5.0-115
fxos-k9-fp1k.2.6.1.133a.SPA 2.6.1.133a
Before installing the package, make sure to back up the current FTD software and configuration.
Go to auto-install mode using the scope auto-install command.
Use the install security-pack version command to install the ASA software package, copying the package version (9.14.1) from the show package output. You'll be asked twice to proceed (just type yes).
firepower /firmware # scope auto-install
firepower /firmware/auto-install # install security-pack version 9.14.1
The system is currently installed with security software package 6.5.0-115, which has:
- The platform version: 2.7.1.107
- The CSP (ftd) version: 6.5.0.115
If you proceed with the upgrade 9.14.1, it will do the following:
- upgrade to the new platform version 2.8.1.105
During the upgrade, the system will be reboot
Do you want to proceed ? (yes/no):yes
This operation upgrades firmware and software on Security Platform Components
Here is the checklist of things that are recommended before starting Auto-Install
(1) Review current critical/major faults
(2) Initiate a configuration backup
Do you want to proceed? (yes/no):yes
Triggered the install of software package version 9.14.1
Install started. This will take several minutes.
For monitoring the upgrade progress, please enter 'show' or 'show detail' command.
firepower /firmware/auto-install #
You can use the show or show detail commands to view the Upgrade State.
firepower /firmware/auto-install # show
Firmware Auto-Install:
Package-Vers Oper State Upgrade State
------------ ---------------------------- -------------
9.14.1 Scheduled Ready
firepower /firmware/auto-install # show detail
Firmware Auto-Install:
Package-Vers: 9.14.1
Oper State: Scheduled
Installation Time: 2020-09-27T08:07:22.583
Upgrade State: Ready
Upgrade Status:
Validation Software Pack Status:
Firmware Upgrade Status:
Current Task: Waiting for Deploy to begin(FSM-STAGE:sam:dme:FirmwareSystemDeploy:WaitForDeploy)
firepower /firmware/auto-install # show
Firmware Auto-Install:
Package-Vers Oper State Upgrade State
------------ ---------------------------- -------------
9.14.1 Scheduled Validating Images
firepower /firmware/auto-install # show
Firmware Auto-Install:
Package-Vers Oper State Upgrade State
------------ ---------------------------- -------------
9.14.1 Scheduled Upgrading System
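If you script this conversion over SSH, the loop that waits on show download-task, show package and show detail needs to parse the FXOS output shown above. The following is an added example (not code from the original post or from Cisco): small parsers for those three outputs plus a check that refuses to pass a version to install security-pack unless exactly one ASA package is present and it matches what the operator expected. The sample text is copied from the session above; the function names are my own.

```python
"""Parsers for the FXOS CLI output seen during the FTD-to-ASA conversion.
Added example; the sample outputs below are copied from the post's session."""
import re

# 'show package' output as printed in the post
SHOW_PACKAGE = """\
Name Package-Vers
--------------------------------------------- ------------
cisco-asa-fp1k.9.14.1.SPA 9.14.1
cisco-ftd-fp1k.6.4.0-102.SPA 6.4.0-102
cisco-ftd-fp1k.6.5.0-115.SPA 6.5.0-115
fxos-k9-fp1k.2.6.1.133a.SPA 2.6.1.133a
"""

# 'show download-task' output as printed in the post (Userid is blank for TFTP)
SHOW_DOWNLOAD_TASK = """\
Download task:
File Name Protocol Server Port Userid State
--------- -------- --------------- ---------- --------------- -----
cisco-asa-fp1k.9.14.1.SPA Tftp 192.168.1.10 0 Downloaded
"""

# 'show detail' output under scope auto-install, as printed in the post
SHOW_DETAIL = """\
Firmware Auto-Install:
Package-Vers: 9.14.1
Oper State: Scheduled
Installation Time: 2020-09-27T08:07:22.583
Upgrade State: Ready
Upgrade Status:
Validation Software Pack Status:
Firmware Upgrade Status:
Current Task: Waiting for Deploy to begin(FSM-STAGE:sam:dme:FirmwareSystemDeploy:WaitForDeploy)
"""


def parse_show_package(text):
    """Return {package file name: version} from 'show package' output."""
    packages = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+\.SPA)\s+(\S+)$", line.strip())
        if m:
            packages[m.group(1)] = m.group(2)
    return packages


def parse_download_task(text):
    """Return a list of dicts, one per row of 'show download-task'."""
    tasks = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) in (5, 6) and parts[0].endswith(".SPA"):
            if len(parts) == 5:          # no Userid column for TFTP
                parts.insert(4, "")
            name, proto, server, port, userid, state = parts
            tasks.append({"name": name, "protocol": proto, "server": server,
                          "port": int(port), "userid": userid, "state": state})
    return tasks


def download_complete(text, name):
    """True once the named package shows State 'Downloaded'."""
    return any(t["name"] == name and t["state"] == "Downloaded"
               for t in parse_download_task(text))


def parse_show_detail(text):
    """Return the 'key: value' fields of 'show detail' as a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def asa_version_for_install(packages, expected_version=None):
    """Pick the version to pass to 'install security-pack version'.

    Refuses to guess when zero or several ASA packages are present, and refuses
    to proceed when the downloaded version differs from what the operator
    expected, so a stale or mistyped image is never installed by accident."""
    asa = [v for name, v in packages.items() if name.startswith("cisco-asa-")]
    if len(asa) != 1:
        raise ValueError(f"expected exactly one ASA package, found {asa}")
    if expected_version is not None and asa[0] != expected_version:
        raise ValueError(f"downloaded {asa[0]}, expected {expected_version}")
    return asa[0]


if __name__ == "__main__":
    pkgs = parse_show_package(SHOW_PACKAGE)
    print("ASA version to install:", asa_version_for_install(pkgs, "9.14.1"))
    print("download finished:", download_complete(SHOW_DOWNLOAD_TASK,
                                                  "cisco-asa-fp1k.9.14.1.SPA"))
    print("upgrade state:", parse_show_detail(SHOW_DETAIL)["Upgrade State"])
```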
The FTD device will reboot automatically.
Broadcast message from root@firepower (Sun Sep 27 08:08:58 2020)
Stopping all devices.
device busy
Stopping OpenBSD Secure Shell server: sshd
stopped /usr/sbin/sshd (pid 12087)
done.
Stopping Advanced Configuration and Power Interface daemon: stopped /usr/sbin/acpid (pid 1692)
acpid.
Stopping system message bus: dbus.
stopping mountd: done
stopping nfsd: done
Stopping ntpd: stopped process in pidfile '/var/run/ntp.pid' (pid 12392)
done
Stopping random number generator daemon.
Stopping internet superserver: xinetd.
stopping statd: done
no /etc/sysconfig/kdump.conf
Stopping rpcbind daemon...
not running.
Stopping fan control daemon: fancontrol... no process in pidfile '/var/run/fancontrol.pid' found; none killed
done.
Stopping sensors logging daemon: sensord... stopped /usr/sbin/sensord (pid 3584)
done.
Deconfiguring network interfaces... done.
ip6tables: Setting chains to policy ACCEPT: mangle filter [ OK ]
ip6tables: Flushing firewall rules: [ OK ]
ip6tables: Unloading modules: [ OK ]
iptables: Setting chains to policy ACCEPT: mangle filter raw [ OK ]
iptables: Flushing firewall rules: [ OK ]
iptables: Unloading modules: [ OK ]
Sun Sep 27 08:09:02 UTC 2020
SSP-Security-Module is shutting down ...
Sun Sep 27 08:09:02 UTC 2020 SHUTDOWN WARNING: Beginning System Shutdown request for CSP Apps
Sun Sep 27 08:09:02 UTC 2020 SHUTDOWN WARNING: Continue System Shutdown request for CSP Apps
/bin/ls: cannot access /opt/cisco/config/heimdall/etc: No such file or directory
/bin/ls: cannot access /opt/cisco/csp/applications/configs: No such file or directory
ls: cannot access /opt/cisco/config/heimdall/etc: No such file or directory
Sun Sep 27 08:09:02 UTC 2020 SHUTDOWN WARNING: Nothing to do for Apps-Services-Down
Sun Sep 27 08:09:02 UTC 2020
FPR-1xxx platform rebooting ...
Note: SIGKILL_ALL will be triggered after after 0 + 2 secs ...
2020-09-27 08:09:02 logmonitor[19438]: syslog-ng not running. starting it.
Sun Sep 27 08:09:03 UTC 2020
Sending ALL processes the KILL signal ...
Sun Sep 27 08:09:04 UTC 2020
Deactivating swap...
Unmounting local filesystems...
Rebooting... [ 3434.905484] reboot: Restarting system
*******************************************************************************
Cisco System ROMMON, Version 1.0.08, RELEASE SOFTWARE
Copyright (c) 1994-2019 by Cisco Systems, Inc.
Compiled Mon 06/17/2019 15:54:21.43 by builder
*******************************************************************************
Current image running: Boot ROM1
Last reset cause: ResetRequest (0x00001000)
DIMM0 : Present
Platform FPR-1010 with 8192 MBytes of main memory
BIOS has been successfully locked !!
MAC Address: 5c:5a:c7:b8:ab:cd
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Located .boot_string
Image size 59 inode num 16, bks cnt 1 blk size 8*512
Attempt autoboot: "boot disk0:installables/switch/fxos-k8-fp1k-lfbff.2.8.1.105.SPA" // FXOS WAS ALSO UPGRADED TO 2.8.1.105
Located installables/switch/fxos-k8-fp1k-lfbff.2.8.1.105.SPA
Image size 176340928 inode num 114032, bks cnt 43052 blk size 8*512
######################################################################################
<OUTPUT TRUNCATED>
######################################################################################
+-------------------------------------------------------------------+
+------------------------- SUCCESS ---------------------------------+
+-------------------------------------------------------------------+
| |
| LFBFF signature authentication passed !!! |
| |
+-------------------------------------------------------------------+
LFBFF signature verified.
+-------------------------------------------------------------------+
+------------------------- SUCCESS ---------------------------------+
+-------------------------------------------------------------------+
| |
| LFBFF controller type check passed !!! |
| |
+-------------------------------------------------------------------+
Linux version: 4.1.21-WR8.0.0.25_standard (builders@sjc-releng12) #1 SMP Tue Mar 31 15:30:11 PDT 2020
kernel_image = 0x73beede8, kernel_size=0x5101f0
Image validated
INIT: version 2.88 booting
Starting udev
Configuring network interfaces... done.
Populating dev cache
Primary SSD discovered
fsck from util-linux 2.26.2
[/sbin/fsck.ext3 (1) -- /dev/sda1] fsck.ext3 -a /dev/sda1
/dev/sda1: clean, 8885/488640 files, 758402/1953024 blocks
fsck(/dev/sda1) returned 0
fsck from util-linux 2.26.2
[/sbin/fsck.ext3 (1) -- /dev/sda2] fsck.ext3 -a /dev/sda2
/dev/sda2: clean, 12/61056 files, 8242/244224 blocks
fsck(/dev/sda2) returned 0
fsck from util-linux 2.26.2
[/sbin/fsck.ext3 (1) -- /dev/sda3] fsck.ext3 -a /dev/sda3
/dev/sda3: clean, 15/61056 files, 8244/244224 blocks
fsck(/dev/sda3) returned 0
fsck from util-linux 2.26.2
[/sbin/fsck.ext3 (1) -- /dev/sda4] fsck.ext3 -a /dev/sda4
/dev/sda4: clean, 12/1831424 files, 158992/7324160 blocks
fsck(/dev/sda4) returned 0
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
FIPS POST Test Script
NOTICE: The FIPS POST is not run because the FIPS feature is not enabled
Running postinst /etc/rpm-postinsts/100-dnsmasq...
Running postinst /etc/rpm-postinsts/101-dnsmasq...
INIT: Entering runlevel: 3
Starting system message bus: dbus.
Stopping all devices.
Starting all devices.
Processing /etc/c3xxx_dev0.conf
Checking status of all devices.
There is 1 QAT acceleration device(s) in the system:
qat_dev0 - type: c3xxx, inst_id: 0, node_id: 0, bsf: 01:00.0, #accel: 3 #engines: 6 state: up
ip6tables: Applying firewall rules: [ OK ]
iptables: Applying firewall rules: [ OK ]
Starting OpenBSD Secure Shell server: sshd
generating ssh ed25519 key...
done.
Starting rpcbind daemon...done.
starting statd: done
Starting Advanced Configuration and Power Interface daemon: acpid.
acpid: starting up with netlink and the input layer
acpid: 1 rule loaded
acpid: waiting for events: event logging is off
starting 8 nfsd kernel threads: done
starting mountd: done
Starting ntpd: done
Starting random number generator daemonUnable to open file: /dev/tpm0
.
Starting internet superserver: xinetd.
No makedumpfile found.
Starting fan control daemon: fancontrol... done.
INFO: in validating image ...
INFO: manager_validate_image: fxmgr_absfilename /mnt/boot/installables/switch/fxos-k9-manager.2.8.1.105.SPA
INFO: Validating image /mnt/boot/installables/switch/fxos-k9-manager.2.8.1.105.SPA signature ...
: File /mnt/boot/installables/switch/fxos-k9-manager.2.8.1.105.SPA size 26031392
Done!
Computed Hash SHA2: c0d5986007a5847a62a64e9cc43d5b32
1499d77d422f0136c8bee0838bb634a4
b59c32cc4d07a85c1a68fbb7a01a1b5b
604ed32857c3cbc1643e92ee60e9b4c9
Embedded Hash SHA2: c0d5986007a5847a62a64e9cc43d5b32
1499d77d422f0136c8bee0838bb634a4
b59c32cc4d07a85c1a68fbb7a01a1b5b
604ed32857c3cbc1643e92ee60e9b4c9
The digital signature of the file: fxos-k9-manager.2.8.1.105.SPA verified successfully
INFO: beginning of manager_install
INFO: manager_install: fxmgr=/mnt/boot/installables/switch/fxos-k9-manager.2.8.1.105.SPA chmgr= update=false
INFO: Creating directory /tmp/fxmgr
INFO: /bin/tar -xvzf /tmp/fxmgr/fxos-kp-manager.2.8.1.105.tgz ...
INFO: manager_install: shutting down the old version ...
INFO: Terminating DME and all AGs ...
INFO: --
INFO: manager_install: Unlinking a old libraries ...
INFO: manager_install: Deleting the old manager image ...
INFO: manager_install: Installing the new image ...
INFO: deleting unnecessary xml file..!!
INFO: deleted unnecessary xml file..!!
INFO: manager_post_install ...
INFO: manager_post_install: fxmgr=/mnt/boot/installables/switch/fxos-k9-manager.2.8.1.105.SPA chmgr= update=false
INFO: manager_post_install: Linking libraries ...
INFO: manager_post_install: Linking binaries ...
Completed system initial setup.
INFO: Trying to add iptables and ip6tables rules ...
INFO: Set up Application Diagnostic Interface ...
RTNETLINK answers: Network is unreachable
INFO: Configure management interface ...
Firepower 1xxx platform..
RTNETLINK answers: File exists
RTNETLINK answers: File exists
Assigning ip to eth0 in FPR-1xxx platform
INFO: Configure rmu interface ...
Bring up rmu and swp1-swp10 switch interfaces
create and bringup lldp sub-interface on lldp-swp7, lldp-swp8
create and bringup lacp and mgmt sub-interface on (lacp-swp1 to lacp-swp8), (mgmt-swp1 to mgmt-swp8)
Stopping rpcbind daemon...
done.
stopping mountd: done
stopping nfsd: .done
INFO: Configure system files ...
INFO: System Name is: firepower-1010
Starting sensors logging daemon: sensord... done.
INFO: console : ttyS0, speed : 9600
INFO: manager_startup: setting up fxmgr apache ...
INFO: manager_startup: Start manager httpd setup...
INFO: manager_startup: /opt/cisco/config/certstore/default.key not found on platform, re-generating files
INFO: manager_startup: reset httpd app config to default
httpdRegister INFO: [httpd.4011 -4 192.168.45.45 -n localhost]
httpdRegister INFO: Starting httpd setup/registration...
httpdRegister INFO: Completed httpd setup/registration!
INFO: httpdRegister [httpd.4011 script exit]
INFO: manager_startup: Completed manager httpd setup!
Starting crond: OK
INFO: System Disk /dev/sda present. Status: Operable.
firepower-1010 login:
Waiting for Application infrastructure to be ready...
Verifying the signature of the Application image...
Creating FXOS swap file ...
Sep 27 08:11:26 firepower-1010 FPRM: <<%FPRM-2-DEFAULT_INFRA_VERSION_MISSING>> [F1309][critical][default-infra-version-missing][org-root/fw-infra-pack-default] Bundle version in firmware package is empty, need to re-install
Sep 27 08:11:30 firepower-1010 port-manager: Alert: Internal1/2 link changed to UP
Sep 27 08:11:30 firepower-1010 port-manager: Alert: Internal1/1 link changed to UP
Cisco ASA: CMD=-install, CSP-ID=cisco-asa.9.14.1__asa_001_JMX2324G1THQ7VFM51, FLAG=''
Sep 27 08:12:56 firepower-1010 FPRM: <<%FPRM-2-DEFAULT_INFRA_VERSION_MISSING>> [F1309][cleared][default-infra-version-missing][org-root/fw-infra-pack-default] Bundle version in firmware package is empty, need to re-install
Verifying signature for cisco-asa.9.14.1 ...
Verifying signature for cisco-asa.9.14.1 ... success
Cisco ASA: CMD=-start, CSP-ID=cisco-asa.9.14.1__asa_001_JMX2324G1THQ7VFM51, FLAG=''
Cisco ASA starting ...
ASA start done pre
ASA Clear status
Deleting previous CGroup Configuration ...
Registering to process manager ...
Cisco ASA started successfully.
IO Memory Nodes: 1
IO Memory Per Node: 549453824 bytes num_pages = 134144 page_size = 4096
Global Reserve Memory Per Node: 786432000 bytes Nodes=1
LCMB: got 1073741824 bytes on numa-id=0, phys=0x200000000, virt=0x7f3480000000
LCMB: HEAP-CACHE POOL got 784334848 bytes on numa-id=0, virt=0x7f34c9c00000
total_reserved_mem = 1073741824
total_heapcache_mem = 784334848
ERROR: fail to open /var/run/lina/meminfo_new
ERROR: fail to open /var/run/lina/meminfo_old
total mem 7092699423 system 8327299072 kernel 52874977 image 112961872
new 7092699423 old 662415696 reserve 1858076672 priv new 5287497728 priv old 0
Processor memory: 7092699423
POST started...
Compiled on Wed 01-Apr-20 13:10 PDT by builders
FPR-1010 platformPOST finished, result is 0 (hint: 1 means it failed)
Total SSMs found: 0
Total NICs found: 5
x550em_kr rev 0x11 10 Gigabit Ethernet, index 00 MAC: 00a0.c900.0000
en_vtun rev00 Backplane Ext-Mgmt Interface @ index 03 MAC: 5c5a.c7b8.f781
en_vtun rev00 Backplane Tap Interface @ index 04 MAC: 0000.0100.0001
WARNING: Attribute already exists in the dictionary.
27Sep2020 08:14:14 Read error: Open failed. Error message: No such file or directory.
License mode file was not found. Assuming this is the initial bootup. Setting the license mode to Smart Licensing.
INFO: Unable to read firewall mode from flash
Writing default firewall mode (single) to flash
INFO: Unable to read cluster interface-mode from flash
Writing default mode "None" to flash
*** Intel QAT Crypto on-board accelerator detected
Encryption hardware device : Cisco FP Crypto on-board accelerator (revision 0x11)
Driver version : 4.1.0
Encryption hardware device : Cisco FP Crypto on-board accelerator (revision 0x11)
Driver version : 4.1.0
Encryption hardware device : Cisco FP Crypto on-board accelerator (revision 0x11)
Driver version : 4.1.0
Encryption hardware device : Cisco FP Crypto on-board accelerator (revision 0x11)
Driver version : 4.1.0
Encryption hardware device : Cisco FP Crypto on-board accelerator (revision 0x11)
Driver version : 4.1.0
Encryption hardware device : Cisco FP Crypto on-board accelerator (revision 0x11)
Driver version : 4.1.0
The 3DES/AES algorithms require a Encryption-3DES-AES entitlement.
The 3DES/AES algorithms require a Encryption-3DES-AES entitlement.
Cisco Adaptive Security Appliance Software Version 9.14(1)
pix_idb_create: Unable to get link capabilities 3
pix_idb_create: Unable to get link capabilities 4
****************************** Warning *******************************
This product contains cryptographic features and is
subject to United States and local country laws
governing, import, export, transfer, and use.
Delivery of Cisco cryptographic products does not
imply third-party authority to import, export,
distribute, or use encryption. Importers, exporters,
distributors and users are responsible for compliance
with U.S. and local country laws. By using this
product you agree to comply with applicable laws and
regulations. If you are unable to comply with U.S.
and local laws, return the enclosed items immediately.
A summary of U.S. laws governing Cisco cryptographic
products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by
sending email to export@cisco.com.
******************************* Warning *******************************
Cisco Adaptive Security Appliance Software, version 9.14
Copyright (c) 1996-2020 by Cisco Systems, Inc.
For licenses and notices for open source software used in this product, please visit
http://www.cisco.com/go/asa-opensource
Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
RTNETLINK answers: File exists
RTNETLINK answers: File exists
config_fetcher: channel open failed
WARNING: MIGRATION - no startup configuration or configuration not found.
INFO: Power-On Self-Test in process.
.......................
INFO: Power-On Self-Test complete.
INFO: Starting SW-DRBG health test...
INFO: SW-DRBG health test passed.
Creating trustpoint "_SmartCallHome_ServerCA" and installing certificate...
Trustpoint CA certificate accepted.
INFO: Security level for "management" set to 0 by default.
INFO: Security level for "inside" set to 100 by default.
INFO: Security level for "outside" set to 0 by default.
User enable_1 logged in to ciscoasa
Logins over the last 1 days: 1.
Failed logins since the last login: 0.
firepower-1010 login: admin (automatic login)
Successful login attempts for user 'admin' : 1
Attaching to ASA CLI ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.
The FTD to ASA conversion took around 7 minutes. ASA 9.13 and later defaults to Appliance mode, so the ASA prompt (ciscoasa>) appears automatically.
You'll first need to configure the ASA enable password.
PW: Admin123
ciscoasa> enable // I'M ON ASA VERSION 9.14, SO FTD WILL BOOT IN APPLIANCE MODE
The enable password is not set. Please set it now.
Enter Password: ********
Repeat Password: ********
Note: Save your configuration so that the password can be used for FXOS failsafe access and persists across reboots
("write memory" or "copy running-config startup-config").
Below is the default ASA configuration (show run output).
ciscoasa# show run
: Saved
:
: Serial Number: JAD23211234
: Hardware: FPR-1010, 6764 MB RAM, CPU Atom C3000 series 2200 MHz, 1 CPU (4 cores)
:
ASA Version 9.14(1)
!
hostname ciscoasa
enable password ***** pbkdf2
service-module 1 keepalive-timeout 4
service-module 1 keepalive-counter 6
names
no mac-address auto
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet1/1
no switchport
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet1/2
switchport
!
interface Ethernet1/3
switchport
!
interface Ethernet1/4
switchport
!
interface Ethernet1/5
switchport
!
interface Ethernet1/6
switchport
!
interface Ethernet1/7
switchport
!
interface Ethernet1/8
switchport
!
interface Management1/1
management-only
nameif management
security-level 100
ip address 192.168.45.1 255.255.255.0
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 208.67.222.222 outside
name-server 208.67.220.220 outside
object network obj_any
subnet 0.0.0.0 0.0.0.0
pager lines 24
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network obj_any
nat (any,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 192.168.45.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
auto-import
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 0509
<OUTPUT TRUNCATED>
quit
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group14-sha256
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.45.10-192.168.45.12 management
dhcpd enable management
!
dhcpd address 192.168.1.20-192.168.1.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
match default-inspection-traffic
class-map class_snmp
match port udp eq 4161
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
class class_snmp
inspect snmp
!
service-policy global_policy global
prompt hostname context
call-home
profile License
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination transport-method http
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
app-agent heartbeat interval 1000 retry-count 3
Cryptochecksum:feed9fc55c88c5914b85ee6d2112476e
: end
ciscoasa# show version
Cisco Adaptive Security Appliance Software Version 9.14(1)
SSP Operating System Version 2.8(1.105)
Device Manager Version 7.14(1)
Compiled on Wed 01-Apr-20 13:10 PDT by builders
System image file is "disk0:/installables/switch/fxos-k8-fp1k-lfbff.2.8.1.105.SPA"
Config file at boot was "startup-config"
ciscoasa up 5 mins 57 secs
Hardware: FPR-1010, 6764 MB RAM, CPU Atom C3000 series 2200 MHz, 1 CPU (4 cores)
Encryption hardware device : Cisco FP Crypto on-board accelerator (revision 0x11)
Driver version : 4.1.0
Number of accelerators: 6
1: Int: Internal-Data0/0 : address is 00a0.c900.0000, irq 10
3: Int: Not licensed : irq 0
4: Ext: Management1/1 : address is 5c5a.c7b8.1234, irq 0
5: Int: Internal-Data1/1 : address is 0000.0100.0001, irq 0
License mode: Smart Licensing
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 60
Inside Hosts : Unlimited
Failover : Disabled
Encryption-DES : Enabled
Encryption-3DES-AES : Disabled
Security Contexts : 0
Carrier : Disabled
AnyConnect Premium Peers : 75
AnyConnect Essentials : Disabled
Other VPN Peers : 75
Total VPN Peers : 75
AnyConnect for Mobile : Enabled
AnyConnect for Cisco VPN Phone : Enabled
Advanced Endpoint Assessment : Enabled
Shared License : Disabled
Total TLS Proxy Sessions : 160
Cluster : Disabled
Serial Number: JAD23211234
Configuration register is 0x1
Configuration last modified by enable_1 at 08:15:18.089 UTC Sun Sep 27 2020
ciscoasa# show interface ip brief
Interface IP-Address OK? Method Status Protocol
Internal-Data0/0 unassigned YES unset up up
Vlan1 192.168.1.1 YES CONFIG up up
Ethernet1/1 116.87.123.45 YES DHCP up up
Ethernet1/2 unassigned YES unset up up
Ethernet1/3 unassigned YES unset down down
Ethernet1/4 unassigned YES unset down down
Ethernet1/5 unassigned YES unset down down
Ethernet1/6 unassigned YES unset down down
Ethernet1/7 unassigned YES unset down down
Ethernet1/8 unassigned YES unset down down
Internal-Data1/1 169.254.1.1 YES unset up up
Management1/1 192.168.45.1 YES CONFIG up up
ciscoasa# show route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
SI - Static InterVRF
Gateway of last resort is 116.87.123.1 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 116.87.123.1, outside // OBTAINED VIA ISP DHCP
C 116.87.128.0 255.255.192.0 is directly connected, outside
L 116.87.189.193 255.255.255.255 is directly connected, outside
C 192.168.1.0 255.255.255.0 is directly connected, inside
L 192.168.1.1 255.255.255.255 is directly connected, inside
I browsed to Google.com and used the usual ASA show xlate and show conn commands to verify the outbound traffic from my laptop (192.168.1.10/24).
ciscoasa# show xlate
31 in use, 36 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
ICMP PAT from any:192.168.1.10/1 to outside:116.87.123.45/1 flags ri idle 0:00:00 timeout 0:00:30
TCP PAT from any:192.168.1.10/9477 to outside:116.87.123.45/9477 flags ri idle 0:00:31 timeout 0:00:30
TCP PAT from any:192.168.1.10/9475 to outside:116.87.123.45/9475 flags ri idle 0:00:39 timeout 0:00:30
TCP PAT from any:192.168.1.10/9471 to outside:116.87.123.45/9471 flags ri idle 0:00:40 timeout 0:00:30
TCP PAT from any:192.168.1.10/9470 to outside:116.87.123.45/9470 flags ri idle 0:00:43 timeout 0:00:30
TCP PAT from any:192.168.1.10/9469 to outside:116.87.123.45/9469 flags ri idle 0:00:43 timeout 0:00:30
TCP PAT from any:192.168.1.10/9468 to outside:116.87.123.45/9468 flags ri idle 0:00:44 timeout 0:00:30
TCP PAT from any:192.168.1.10/9467 to outside:116.87.123.45/9467 flags ri idle 0:00:44 timeout 0:00:30
TCP PAT from any:192.168.1.10/9466 to outside:116.87.123.45/9466 flags ri idle 0:00:44 timeout 0:00:30
<OUTPUT TRUNCATED>
ciscoasa# show conn
25 in use, 37 most used
TCP outside 54.91.181.41:8027 inside 192.168.1.10:9434, idle 0:01:48, bytes 140, flags UxO
TCP outside 172.217.194.94:443 inside 192.168.1.10:9462, idle 0:00:47, bytes 73811, flags UxIO
TCP outside 172.217.194.157:443 inside 192.168.1.10:9470, idle 0:00:51, bytes 7013, flags UxIO
TCP outside 40.100.29.18:443 inside 192.168.1.10:9402, idle 0:00:09, bytes 14812, flags UxIO
TCP outside 52.114.7.87:443 inside 192.168.1.10:9401, idle 0:00:24, bytes 9722, flags UxIO
UDP outside 172.20.80.21:161 inside 192.168.1.10:58273, idle 0:00:02, bytes 702, flags -
TCP outside 52.113.206.26:443 inside 192.168.1.10:9395, idle 0:00:24, bytes 10647, flags UxIO
TCP outside 172.217.160.4:443 inside 192.168.1.10:9461, idle 0:00:51, bytes 330727, flags UxIO
TCP outside 172.217.194.103:443 inside 192.168.1.10:9460, idle 0:00:53, bytes 5660, flags UxIO
TCP outside 74.125.24.84:443 inside 192.168.1.10:9469, idle 0:00:51, bytes 7230, flags UxIO
TCP outside 52.98.40.34:443 inside 192.168.1.10:9456, idle 0:00:55, bytes 646550, flags UxIO
<OUTPUT TRUNCATED>
I initially wasn't able to ping the Internet, so I added ICMP inspection under the policy-map global_policy.
C:\Windows\System32>ping 8.8.8.8
Pinging 8.8.8.8 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 8.8.8.8:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
ciscoasa# show run policy-map
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
 class class_snmp
  inspect snmp
ciscoasa# configure terminal
ciscoasa(config)#
***************************** NOTICE *****************************
Help to improve the ASA platform by enabling anonymous reporting,
which allows Cisco to securely receive minimal error and health
information from the device. To learn more about this feature,
please visit: http://www.cisco.com/go/smartcall
Would you like to enable anonymous error reporting to help improve
the product? [Y]es, [N]o, [A]sk later:
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# inspect icmp
ciscoasa(config-pmap-c)# end
C:\Windows\System32>ping 8.8.8.8
Pinging 8.8.8.8 with 32 bytes of data:
Reply from 8.8.8.8: bytes=32 time=3ms TTL=117
Reply from 8.8.8.8: bytes=32 time=3ms TTL=117
Reply from 8.8.8.8: bytes=32 time=4ms TTL=117
Reply from 8.8.8.8: bytes=32 time=3ms TTL=117
Ping statistics for 8.8.8.8:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 3ms, Maximum = 4ms, Average = 3ms
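Without inspect icmp the ASA has no session state for an outbound echo request, so the echo reply from 8.8.8.8 is dropped on the way back in. As an added example that is not part of the original post, here is a small Python check that parses show run policy-map output and reports whether ICMP (or any other required protocol) is inspected under global_policy; the BEFORE and AFTER configs are constructed from the output above.

```python
# Constructed sample: global_policy before and after adding "inspect icmp"
BEFORE = """policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect ip-options
 class class_snmp
  inspect snmp
"""
AFTER = BEFORE.replace("  inspect ip-options\n",
                       "  inspect ip-options\n  inspect icmp\n")


def parse_policy_maps(text):
    """Return {policy_map: {class_name: [inspected protocols]}}.

    Indentation is ignored; the most recent 'policy-map' and 'class'
    lines provide the context for each 'inspect' line, so the parser
    also works on output whose leading spaces were stripped.
    """
    maps = {}
    pmap = cls = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("policy-map "):
            # 'policy-map type inspect dns NAME' and 'policy-map NAME'
            # both end with the map name
            pmap = line.split()[-1]
            maps[pmap] = {}
            cls = None
        elif line.startswith("class ") and pmap is not None:
            cls = line.split(None, 1)[1]
            maps[pmap].setdefault(cls, [])
        elif line.startswith("inspect ") and cls is not None:
            maps[pmap][cls].append(line.split()[1])
    return maps


def icmp_inspected(text, policy="global_policy"):
    """True when any class of the given policy-map inspects icmp."""
    classes = parse_policy_maps(text).get(policy, {})
    return any("icmp" in protos for protos in classes.values())


def missing_inspections(text, required, policy="global_policy"):
    """Sorted list of required protocols not inspected anywhere in the policy."""
    classes = parse_policy_maps(text).get(policy, {})
    present = {p for protos in classes.values() for p in protos}
    return sorted(set(required) - present)
```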
There's no FDM, so you'll have to manage the ASA software on the Firepower via ASDM. I configured a local user for ASDM login.
ciscoasa# show run http
http server enable
http 192.168.45.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 inside
ciscoasa#
ciscoasa# show run username
ciscoasa#
ciscoasa# configure terminal
ciscoasa(config)# username cisco password cisco123 privilege 15
I enabled ASA Syslog to view real-time logs by clicking Enable Logging.
Click the License tab to view the license features enabled on the ASA.
Click Firewall Dashboard to view Traffic stats and Access Rule hits.
The Configuration and Monitoring sections are still the same.
What do you do when the flash goes wrong, the ASA auto-install never kicks off, and you can't connect to ASA because the "application is not installed" and you can no longer connect to FTD because the "application is not installed"? I'm in this situation btw.
Did you use the correct firmware for the specific device/platform you're using? Best is to contact Cisco TAC and ask for RMA if the device can't be recovered anymore.