Cisco Firepower 1000, Firepower 2100, ASA 5555-X, ISA 3000 Reimage Guide
Supported Models
The following models support either ASA software or FTD Software. For ASA and FTD version support, see the ASA compatibility guide or Firepower compatibility guide.
- Firepower 1000
- Firepower 2100
- ASA 5506-X, 5506W-X, and 5506H-X (FTD 6.2.3 and earlier)
- ASA 5508-X
- ASA 5512-X (FTD 6.2.3 and earlier; ASA 9.12 and earlier)
- ASA 5515-X (FTD 6.4 and earlier; ASA 9.12 and earlier)
- ASA 5516-X
- ASA 5525-X
- ASA 5545-X
- ASA 5555-X
- ISA 3000
Note
The Firepower 4100 and 9300 also support either the ASA or FTD, but they are installed as logical devices; see the FXOS configuration guides for more information.
Note
For the FTD on the ASA 5512-X through 5555-X, you must install a Cisco solid state drive (SSD). For more information, see the ASA 5500-X hardware guide. For the ASA, the SSD is also required to use the ASA FirePOWER module. (The SSD is standard on the ASA 5506-X, 5508-X, and 5516-X.)
Reimage the Firepower 1000 or 2100 Series
The Firepower 1000 and 2100 series support either FTD or ASA software.
- Download Software
- ASA→FTD: Firepower 1000 or 2100 Appliance Mode
- ASA→FTD: Firepower 2100 Platform Mode
- FTD→ASA: Firepower 1000 or 2100
- FTD→FTD: Firepower 1000 or 2100
Download Software
Obtain FTD software or ASA software. The procedures in this document require you to put software on a TFTP server for the initial download. Other images can be downloaded to other server types, such as HTTP or FTP. For the exact software package and server type, see the procedures.
Note
A Cisco.com login and Cisco service contract are required.
Table 1: Firepower Threat Defense Software
FTD Model | Download Location | Packages |
Firepower 1000 series | See: https://www.cisco.com/go/ftd-software | |
 | FTD package: Choose your model > Firepower Threat Defense Software > version. | The package has a filename like cisco-ftd-fp1k.6.4.0.SPA. |
Firepower 2100 series | See: https://www.cisco.com/go/ftd-software | |
 | FTD package: Choose your model > Firepower Threat Defense Software > version. | The package has a filename like cisco-ftd-fp2k.6.2.2.SPA. |
Table 2: ASA Software
ASA Model | Download Location | Packages |
Firepower 1000 series | See: https://www.cisco.com/go/asa-firepower-sw | |
 | ASA package: Choose your model > Adaptive Security Appliance (ASA) Software > version. | The package has a filename like cisco-asa-fp1k.9.13.1.SPA. This package includes ASA and ASDM. |
 | ASDM software (upgrade): To upgrade to a later version of ASDM using your current ASDM or the ASA CLI, choose your model > Adaptive Security Appliance (ASA) Device Manager > version. | The ASDM software file has a filename like asdm-7131.bin. |
Firepower 2100 series | See: https://www.cisco.com/go/asa-firepower-sw | |
 | ASA package: Choose your model > Adaptive Security Appliance (ASA) Software > version. | The package has a filename like cisco-asa-fp2k.9.8.2.SPA. This package includes ASA, ASDM, FXOS, and the Firepower Chassis Manager. |
 | ASDM software (upgrade): To upgrade to a later version of ASDM using your current ASDM or the ASA CLI, choose your model > Adaptive Security Appliance (ASA) Device Manager > version. | The ASDM software file has a filename like asdm-782.bin. |
Firepower 1000 or 2100 Appliance Mode from ASA to FTD
This task lets you reimage a Firepower 1000 or a Firepower 2100 in Appliance mode from ASA to FTD by booting an FTD image from the ASA software.
Before you begin
- Make sure the image you want to upload is available on an FTP, SCP, SFTP, or TFTP server, or a USB drive.
- You must use the ASA CLI for this procedure.
- (Firepower 2100) In 9.12 and earlier, only Platform mode is available. In 9.13 and later, Appliance mode is the default. If you upgrade a Platform mode device to 9.13 or later, then the ASA remains in Platform mode. Check the mode by using the show fxos mode command at the ASA CLI. The Firepower 1000 only supports Appliance mode.
If you have an ASA in Platform mode, you must use FXOS to reimage. See Firepower 2100 Platform Mode from ASA to FTD.
Procedure
- Connect to the ASA CLI.
- Unregister the ASA from the Smart Software Licensing server, either from the ASA CLI/ASDM or from the Smart Software Licensing server.
- Download the FTD image to flash memory. This step shows an FTP copy.
copy ftp://[user[:password]@]server[/path]/ftd_image_name diskn:/[path/]ftd_image_name
- Boot the FTD image (the one you just uploaded).
- Access global configuration mode.
configure terminal
- Show the current boot image configured, if present.
show running-config boot system
Note that you may not have a boot system command present in your configuration; for example, if you installed the original ASA image from ROMMON, have a new device, or you removed the command manually.
- If you have a boot system command configured, remove it so that you can enter the new boot image.
no boot system diskn:/[path/]asa_image_name
If you did not have a boot system command configured, skip this step.
- Boot the FTD image.
boot system diskn:/[path/]ftd_image_name
You are prompted to reload.
- Wait for the chassis to finish rebooting.
FXOS comes up first, but you still need to wait for the FTD to come up.
After the application comes up and you connect to the application, you are prompted to accept the EULA and perform initial setup at the CLI. You can use either Firepower Device Manager or Firepower Management Center to manage your device. See the Quick Start Guide for your model and your manager to continue setup: http://www.cisco.com/go/ftd-asa-quick
Firepower 2100 Platform Mode from ASA to FTD
This task lets you reimage the Firepower 2100 in Platform mode to FTD.
Note
After performing this procedure, the FXOS admin password is reset to Admin123.
Before you begin
- You must use the FXOS CLI for this procedure.
- In 9.12 and earlier, only Platform mode is available. In 9.13 and later, Appliance mode is the default. If you upgrade a Platform mode device to 9.13 or later, then the ASA remains in Platform mode. Check the mode in 9.13 or later by using the show fxos mode command at the ASA CLI.
If you have an ASA in Appliance mode, you cannot access these FXOS commands; reimaging to the FTD takes place in the ASA OS. See Firepower 1000 or 2100 Appliance Mode from ASA to FTD.
Procedure
- Make sure the image you want to upload is available on an FTP, SCP, SFTP, or TFTP server connected to the FXOS Management 1/1 interface, or a USB drive.
To verify or change the FXOS Management 1/1 IP address, see the Firepower 2100 getting started guide.
- Unregister the ASA from the Smart Software Licensing server, either from the ASA CLI/ASDM or from the Smart Software Licensing server.
- Connect to the FXOS CLI, either the console port (preferred) or using SSH to the Management 1/1 interface. If you connect at the console port, you access the FXOS CLI immediately. Enter the FXOS login credentials. The default username is admin and the default password is Admin123.
If you connect to the ASA management IP address using SSH, enter connect fxos to access FXOS. You can also SSH directly to the FXOS management IP address.
- Download the package to the chassis.
- Enter firmware mode.
scope firmware
- Download the package.
download image url
Specify the URL for the file being imported using one of the following:
- ftp://username@server/[path/]image_name
- scp://username@server/[path/]image_name
- sftp://username@server/[path/]image_name
- tftp://server[:port]/[path/]image_name
- usbA:/path/filename
- Monitor the download process.
show download-task
- When the new package finishes downloading (Downloaded state), boot the package.
- View and copy the version number of the new package.
show package
- Install the package.
This step erases your configuration.
scope auto-install
install security-pack version version
In the show package output, copy the Package-Vers value for the security-pack version number. The chassis installs the image and reboots. This process can take approximately 5 minutes.
Note
If you see the below error, you may have entered the package name, instead of the package version:
- Wait for the chassis to finish rebooting.
FXOS comes up first, but you still need to wait for the FTD to come up.
After the application comes up and you connect to the application, you are prompted to accept the EULA and perform initial setup at the CLI. You can use either Firepower Device Manager or Firepower Management Center to manage your device. See the Quick Start Guide for your model and your manager to continue setup: http://www.cisco.com/go/ftd-asa-quick
Firepower 1000 or 2100 from FTD to ASA
This task lets you reimage the Firepower 1000 or 2100 from FTD to ASA. By default, the ASA is in Appliance mode. After you reimage, you can change the ASA to Platform mode.
Note
After performing this procedure, the FXOS admin password is reset to Admin123.
Procedure
- Make sure the image you want to upload is available on an FTP, SCP, SFTP, or TFTP server connected to the Management 1/1 interface, or a USB drive.
For more information about the Management 1/1 interface settings, see the FTD show network and configure network commands in the FTD command reference.
- Unlicense the FTD.
- If you are managing the FTD from the Firepower Management Center, delete the device from the Management Center.
- If you are managing the FTD using Firepower Device Manager, be sure to unregister the device from the Smart Software Licensing server, either from the Firepower Device Manager or from the Smart Software Licensing server.
- Connect to the FXOS CLI, either the console port (preferred) or using SSH to the Management 1/1 interface. If you connect at the console port, you access the FXOS CLI immediately. Enter the FXOS login credentials. The default username is admin and the default password is Admin123.
If you connect to the FTD management IP address using SSH, enter connect fxos to access FXOS.
- Download the package to the chassis.
- Enter firmware mode.
scope firmware
- Download the package.
download image url
Specify the URL for the file being imported using one of the following:
- ftp://username@server/[path/]image_name
- scp://username@server/[path/]image_name
- sftp://username@server/[path/]image_name
- tftp://server[:port]/[path/]image_name
- usbA:/path/filename
- Monitor the download process.
show download-task
- When the new package finishes downloading (Downloaded state), boot the package.
- View and copy the version number of the new package.
show package
- Install the package.
This step erases your configuration.
scope auto-install
install security-pack version version
In the show package output, copy the Package-Vers value for the security-pack version number. The chassis installs the image and reboots. This process, including reloading, can take approximately 30 minutes.
Note
If you see the below error, you may have entered the package name, instead of the package version:
- Wait for the chassis to finish rebooting.
ASA 9.13 and later (defaults to Appliance mode)
The ASA starts up, and you access user EXEC mode at the CLI.
ASA 9.12 and earlier (defaults to Platform mode)
FXOS comes up first, but you still need to wait for the ASA to come up.
After the application comes up and you connect to the application, you access user EXEC mode at the CLI.
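The version lookup in the Install the package step, as an added example that is not part of the Cisco guide: this Python helper reads show package output, accepts either the package name or the version, and returns the two FXOS commands with the Package-Vers value, which avoids the package-name error noted in both the Platform mode ASA to FTD procedure and the FTD to ASA procedure. The sample output is constructed for illustration, and the function names and the platform argument are assumptions.

```python
import re

# Constructed sample of FXOS "show package" output (illustrative, not captured
# from a device). Filenames follow the patterns shown in Tables 1 and 2.
SAMPLE_SHOW_PACKAGE = """\
Name                                          Package-Vers
--------------------------------------------- ------------
cisco-asa-fp2k.9.8.2.SPA                      9.8.2
cisco-ftd-fp2k.6.2.2.SPA                      6.2.2
"""

# cisco-<asa|ftd>-<fp1k|fp2k>.<version>.SPA, per the filename examples in the tables.
PACKAGE_NAME = re.compile(r"^cisco-(asa|ftd)-(fp1k|fp2k)\.(.+)\.SPA$")


def parse_show_package(output):
    """Return {package name: Package-Vers} for every data row in the output."""
    packages = {}
    for line in output.splitlines():
        fields = line.split()
        # Data rows have two columns; skip the header and the dashed separator.
        if len(fields) != 2 or fields[0] == "Name" or set(fields[0]) == {"-"}:
            continue
        packages[fields[0]] = fields[1]
    return packages


def install_plan(output, wanted, platform):
    """Resolve `wanted` (package name OR version) to the install commands.

    platform is "fp1k" (Firepower 1000) or "fp2k" (Firepower 2100); a package
    built for the other chassis is rejected before anything is installed.
    """
    packages = parse_show_package(output)
    if wanted in packages:
        # The operator passed the package name: the mistake the guide warns about.
        matches = [wanted]
    else:
        matches = [name for name, vers in packages.items() if vers == wanted]
    if not matches:
        raise ValueError(f"{wanted!r} is not in the show package output; "
                         "check show download-task for the Downloaded state")
    if len(matches) > 1:
        raise ValueError(f"version {wanted!r} matches several packages: {matches}")

    name = matches[0]
    parsed = PACKAGE_NAME.match(name)
    if not parsed:
        raise ValueError(f"{name!r} does not look like an ASA or FTD package")
    image, built_for, _ = parsed.groups()
    if built_for != platform:
        raise ValueError(f"{name!r} is built for {built_for}, not {platform}")

    return {
        "image": image,                 # "asa" or "ftd"
        "package": name,
        "version": packages[name],      # the Package-Vers column
        "commands": [
            "scope auto-install",
            f"install security-pack version {packages[name]}",
        ],
    }


if __name__ == "__main__":
    plan = install_plan(SAMPLE_SHOW_PACKAGE, "cisco-ftd-fp2k.6.2.2.SPA", "fp2k")
    print("\n".join(plan["commands"]))
```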
Firepower 1000 or 2100 from FTD to FTD
The Firepower 1000 and 2100 offer multiple levels of reimaging, from erasing the configuration only, to replacing the image, to restoring the device to a factory default condition. For all of these procedures, see the troubleshooting guide.
Reimage the ASA 5500-X or ISA 3000
Many models in the ASA 5500-X or ISA 3000 series support either Firepower Threat Defense or ASA software.
- Console Port Access Required
- Download Software
- Upgrade the ROMMON Image (ASA 5506-X, 5508-X, and 5516-X, ISA 3000)
- ASA→FTD: ASA 5500-X or ISA 3000
- FTD→ASA: ASA 5500-X or ISA 3000
- FTD→FTD: ASA 5500-X or ISA 3000
Console Port Access Required
To perform the reimage, you must connect your computer to the console port.
For the ASA 5512-X, 5515-X, 5525-X, 5545-X, and 5555-X, you might need to use a third party serial-to-USB cable to make the connection. Other models include a Mini USB Type B console port, so you can use any mini USB cable. For Windows, you may need to install a USB-serial driver from software.cisco.com. See the hardware guide for more information about console port options and driver requirements: http://www.cisco.com/go/asa5500x-install
Use a terminal emulator set for 9600 baud, 8 data bits, no parity, 1 stop bit, no flow control.
Download Software
Obtain Firepower Threat Defense software, or ASA, ASDM, and ASA FirePOWER module software. The procedures in this document require you to put software on a TFTP server for the initial download. Other images can be downloaded to other server types, such as HTTP or FTP. For the exact software package and server type, see the procedures.
Note
A Cisco.com login and Cisco service contract are required.
Attention
The Firepower Threat Defense boot image and system package are version-specific and model-specific. Verify that you have the correct boot image and system package for your platform. A mismatch between the boot image and system package can cause boot failure. A mismatch would be using an older boot image with a newer system package.
Table 3: Firepower Threat Defense Software
Firepower Threat Defense Model | Download Location | Packages |
ASA 5506-X, ASA 5508-X, and ASA 5516-X | See: http://www.cisco.com/go/asa-firepower-sw. | Note: You will also see patch files ending in .sh; the patch upgrade process is not covered in this document. |
 | Boot image: Choose your model > Firepower Threat Defense Software > version. | The boot image has a filename like ftd-boot-9.6.2.0.lfbff. |
 | System software install package: Choose your model > Firepower Threat Defense Software > version. | The system software install package has a filename like ftd-6.1.0-330.pkg. |
ASA 5512-X through ASA 5555-X | See: http://www.cisco.com/go/asa-firepower-sw. | Note: You will also see patch files ending in .sh; the patch upgrade process is not covered in this document. |
 | Boot image: Choose your model > Firepower Threat Defense Software > version. | The boot image has a filename like ftd-boot-9.6.2.0.cdisk. |
 | System software install package: Choose your model > Firepower Threat Defense Software > version. | The system software install package has a filename like ftd-6.1.0-330.pkg. |
ISA 3000 | See: http://www.cisco.com/go/isa3000-software | Note: You will also see patch files ending in .sh; the patch upgrade process is not covered in this document. |
 | Boot image: Choose your model > Firepower Threat Defense Software > version. | The boot image has a filename like ftd-boot-9.9.2.0.lfbff. |
 | System software install package: Choose your model > Firepower Threat Defense Software > version. | The system software install package has a filename like ftd-6.2.3-330.pkg. |
Table 4: ASA Software
ASA Model | Download Location | Packages |
ASA 5506-X, ASA 5508-X, and ASA 5516-X | http://www.cisco.com/go/asa-firepower-sw | |
 | ASA Software: Choose your model > Adaptive Security Appliance (ASA) Software > version. | The ASA software file has a filename like asa962-lfbff-k8.SPA. |
 | ASDM Software: Choose your model > Adaptive Security Appliance (ASA) Device Manager > version. | The ASDM software file has a filename like asdm-762.bin. |
 | REST API Software: Choose your model > Adaptive Security Appliance REST API Plugin > version. | The API software file has a filename like asa-restapi-132-lfbff-k8.SPA. To install the REST API, see the API quick start guide. |
 | ROMMON Software: Choose your model > ASA Rommon Software > version. | The ROMMON software file has a filename like asa5500-firmware-1108.SPA. |
ASA 5512-X through ASA 5555-X | http://www.cisco.com/go/asa-software | |
 | ASA Software: Choose your model > Software on Chassis > Adaptive Security Appliance (ASA) Software > version. | The ASA software file has a filename like asa962-smp-k8.bin. |
 | ASDM Software: Choose your model > Software on Chassis > Adaptive Security Appliance (ASA) Device Manager > version. | The ASDM software file has a filename like asdm-762.bin. |
 | REST API Software: Choose your model > Software on Chassis > Adaptive Security Appliance REST API Plugin > version. | The API software file has a filename like asa-restapi-132-lfbff-k8.SPA. To install the REST API, see the API quick start guide. |
 | ASA Device Package for Cisco Application Policy Infrastructure Controller (APIC): Choose your model > Software on Chassis > ASA for Application Centric Infrastructure (ACI) Device Packages > version. | For APIC 1.2(7) and later, choose either the Policy Orchestration with Fabric Insertion, or the Fabric Insertion-only package. The device package software file has a filename like asa-device-pkg-1.2.7.10.zip. To install the ASA device package, see the "Importing a Device Package" chapter of the Cisco APIC Layer 4 to Layer 7 Services Deployment Guide. |
ISA 3000 | http://www.cisco.com/go/isa3000-software | |
 | ASA Software: Choose your model > Adaptive Security Appliance (ASA) Software > version. | The ASA software file has a filename like asa962-lfbff-k8.SPA. |
 | ASDM Software: Choose your model > Adaptive Security Appliance (ASA) Device Manager > version. | The ASDM software file has a filename like asdm-762.bin. |
 | REST API Software: Choose your model > Adaptive Security Appliance REST API Plugin > version. | The API software file has a filename like asa-restapi-132-lfbff-k8.SPA. To install the REST API, see the API quick start guide. |
Upgrade the ROMMON Image
(ASA 5506-X, 5508-X, and 5516-X, ISA 3000)
Follow these steps to upgrade the ROMMON image for the ASA 5506-X series, ASA 5508-X, ASA 5516-X, and ISA 3000. For the ASA models, the ROMMON version on your system must be 1.1.8 or greater. We recommend that you upgrade to the latest version.
You can only upgrade to a new version; you cannot downgrade.
The ASA 5506-X, 5508-X, and 5516-X ROMMON upgrade for 1.1.15 and the ISA 3000 ROMMON upgrade for 1.0.5 take twice as long as previous ROMMON versions, approximately 15 minutes. Do not power cycle the device during the upgrade. If the upgrade is not complete within 30 minutes or it fails, contact Cisco technical support; do not power cycle or reset the device.
Before you begin
Obtain the new ROMMON image from Cisco.com, and put it on a server to copy to the ASA. The ASA supports FTP, TFTP, SCP, HTTP(S), and SMB servers. Download the image from:
- ASA 5506-X, 5508-X, 5516-X: https://software.cisco.com/download/home/286283326/type
- ISA 3000: https://software.cisco.com/download/home/286288493/type
Procedure
- For FTD software, enter the Diagnostic CLI, and then enter enable mode.
system support diagnostic-cli
enable
Press enter without entering a password when prompted for a password.
- Copy the ROMMON image to the ASA flash memory. This procedure shows an FTP copy; enter copy ? for the syntax for other server types.
copy ftp://[username:password@]server_ip/asa5500-firmware-xxxx.SPA disk0:asa5500-firmware-xxxx.SPA
For FTD software, make sure you have a data interface configured; the diagnostic CLI does not have access to the dedicated Management interface. Also due to CSCvn57678, the copy command may not work in the regular FTD CLI for your FTD version, so you cannot access the dedicated Management interface with that method.
- To see your current version, enter the show module command and look at the Fw Version in the output for Mod 1 in the MAC Address Range table:
- Upgrade the ROMMON image:
upgrade rommon disk0:asa5500-firmware-xxxx.SPA
- Confirm to reload the ASA when you are prompted.
The ASA upgrades the ROMMON image, and then reloads the operating system.
ASA 5500-X or ISA 3000 from ASA to FTD
To reimage the ASA to FTD software, you must access the ROMMON prompt. In ROMMON, you must use TFTP on the Management interface to download the FTD boot image; only TFTP is supported. The boot image can then download the FTD system software install package using HTTP or FTP. The TFTP download can take a long time; ensure that you have a stable connection between the ASA and the TFTP server to avoid packet loss.
Before you begin
To ease the process of reimaging back to an ASA, do the following:
- Perform a complete system backup using the backup command.
See the configuration guide for more information, and other backup techniques.
- Copy and save the current activation key(s) so you can reinstall your licenses using the show activation-key command.
- For the ISA 3000, disable hardware bypass when using the Firepower Management Center; this feature is only available using Firepower Device Manager in version 6.3 and later.
Procedure
- Download the FTD boot image (see Download Software) to a TFTP server accessible by the ASA on the Management interface.
For the ASA 5506-X, 5508-X, 5516-X, ISA 3000: You must use the Management 1/1 port to download the image. For the other models, you can use any interface.
- Download the FTD system software install package (see Download Software) to an HTTP or FTP server accessible by the ASA on the Management interface.
- From the console port, reload the ASA:
reload
- Press Esc during the bootup when prompted to reach the ROMMON prompt.
Pay close attention to the monitor.
Press Esc at this point.
If you see the following message, then you waited too long, and must reload the ASA again after it finishes booting:
- Set the network settings, and load the boot image using the following ROMMON commands:
interface interface_id
address management_ip_address
netmask subnet_mask
server tftp_ip_address
gateway gateway_ip_address
file path/filename
set
sync
tftpdnld
The FTD boot image downloads and boots up to the boot CLI.
See the following information:
- interface—(ASA 5512-X, 5515-X, 5525-X, 5545-X, and 5555-X only) Specifies the interface ID. Other models always use the Management 1/1 interface.
- set—Shows the network settings. You can also use the ping command to verify connectivity to the server.
- sync—Saves the network settings.
- tftpdnld—Loads the boot image.
- Enter setup, and configure network settings for the Management interface to establish temporary connectivity to the HTTP or FTP server so that you can download and install the system software package.
Note
If you have a DHCP server, the FTD automatically sets the network configuration. See the following sample startup messages when using DHCP:
- Download the FTD system software install package. This step shows an HTTP installation.
system install [noconfirm] url
Include the noconfirm option if you do not want to respond to confirmation messages.
You are prompted to continue with the installation. Enter y.
The installation process erases the flash drive and downloads the system image. You are prompted to continue with the installation. Enter y.
When the installation finishes, press Enter to reboot the device.
The reboot takes upwards of 30 minutes, and could take much longer. Upon reboot, you will be in the Firepower Threat Defense CLI.
- To troubleshoot network connectivity, see the following examples.
- To troubleshoot installation failures, see the following examples.
"Timed out" error
At the downloading stage, if the file server is not reachable, it will fail due to a time out.
In this case, make sure the file server is reachable from the ASA. You can verify by pinging the file server.
"Package not found" error
If the file server is reachable, but the file path or name is wrong, the installation fails with a "Package not found" error:
In this case, make sure the FTD package file path and name are correct.
Installation failed with unknown error
When the installation fails after the system software has been downloaded, the cause is generally displayed as "Installation failed with unknown error". When this error happens, you can troubleshoot the failure by viewing the installation log:
You can also view the upgrade.log, pyos.log, and commandd.log under /var/log/cisco with the same command for boot CLI related issues.
- You can use either Firepower Device Manager or Firepower Management Center to manage your device. See the Quick Start Guide for your model and your manager to continue setup: http://www.cisco.com/go/ftd-asa-quick
ASA 5500-X or ISA 3000 from FTD to ASA
To reimage the FTD to ASA software, you must access the ROMMON prompt. In ROMMON, you must erase the disks, and then use TFTP on the Management interface to download the ASA image; only TFTP is supported. After you reload the ASA, you can configure basic settings and then load the FirePOWER module software.
Before you begin
- Ensure that you have a stable connection between the ASA and the TFTP server to avoid packet loss.
Procedure
- If you are managing the FTD from the Firepower Management Center, delete the device from the FMC.
- If you are managing the FTD using Firepower Device Manager, be sure to unregister the device from the Smart Software Licensing server, either from the FDM or from the Smart Software Licensing server.
- Download the ASA image (see Download Software) to a TFTP server accessible by the FTD on the Management interface.
For the ASA 5506-X, 5508-X, 5516-X, ISA 3000: You must use the Management 1/1 port to download the image. For the other models, you can use any interface.
- At the console port, reboot the Firepower Threat Defense device.
reboot
Enter yes to reboot.
- Press Esc during the bootup when prompted to reach the ROMMON prompt.
Pay close attention to the monitor.
Press Esc at this point.
If you see the following message, then you waited too long, and must reboot the FTD again after it finishes booting:
- Erase all disk(s) on the FTD. The internal flash is called disk0. If you have an external USB drive, it is disk1.
This step erases FTD files so that the ASA does not try to load an incorrect configuration file, which causes numerous errors.
- Set the network settings, and load the ASA image using the following ROMMON commands.
interface interface_id
address management_ip_address
netmask subnet_mask
server tftp_ip_address
gateway gateway_ip_address
file path/filename
set
sync
tftpdnld
The ASA image downloads and boots up to the CLI.
See the following information:
- interface—(ASA 5512-X, 5515-X, 5525-X, 5545-X, and 5555-X only) Specifies the interface ID. Other models always use the Management 1/1 interface.
- set—Shows the network settings. You can also use the ping command to verify connectivity to the server.
- sync—Saves the network settings.
- tftpdnld—Loads the boot image.
- Configure network settings and prepare the disks.
When the ASA first boots up, it does not have any configuration on it. You can either follow the interactive prompts to configure the Management interface for ASDM access, or you can paste a saved configuration or, if you do not have a saved configuration, the recommended configuration (below).
If you do not have a saved configuration, we suggest pasting the recommended configuration if you are planning to use the ASA FirePOWER module. The ASA FirePOWER module is managed on the Management interface and needs to reach the internet for updates. The simple, recommended network deployment includes an inside switch that lets you connect Management (for FirePOWER management only), an inside interface (for ASA management and inside traffic), and your management PC to the same inside network. See the quick start guide for more information about the network deployment:
- At the ASA console prompt, you are prompted to provide some configuration for the Management interface.
If you want to paste a configuration or create the recommended configuration for a simple network deployment, then enter no and continue with the procedure.
If you want to configure the Management interface so you can connect to ASDM, enter yes, and follow the prompts.
- At the console prompt, access privileged EXEC mode.
enable
The following prompt appears:
- Press Enter. By default, the password is blank.
- Access global configuration mode.
configure terminal
- If you did not use the interactive prompts, copy and paste your configuration at the prompt.
If you do not have a saved configuration, and you want to use the simple configuration described in the quick start guide, copy the following configuration at the prompt, changing the IP addresses and interface IDs as appropriate. If you did use the prompts, but want to use this configuration instead, clear the configuration first with the clear configure all command.
- Reformat the disks:
format disk0:
format disk1:
The internal flash is called disk0. If you have an external USB drive, it is disk1. If you do not reformat the disks, then when you try to copy the ASA image, you see the following error:
- Save the new configuration:
write memory
- Install the ASA and ASDM images.
Booting the ASA from ROMMON mode does not preserve the system image across reloads; you must still download the image to flash memory. You also need to download ASDM to flash memory.
- Download the ASA and ASDM images (see Download Software) to a server accessible by the ASA. The ASA supports many server types. See the copy command for more information: http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/A-H/cmdref1/c4.html#pgfId-2171368.
- Copy the ASA image to the ASA flash memory. This step shows an FTP copy.
copy ftp://user:password@server_ip/asa_file disk0:asa_file
Example:
- Copy the ASDM image to the ASA flash memory. This step shows an FTP copy.
copy ftp://user:password@server_ip/asdm_file disk0:asdm_file
Example:
- Reload the ASA:
reload
The ASA reloads using the image in disk0.
- (Optional) Install the ASA FirePOWER module software.
You need to install the ASA FirePOWER boot image, partition the SSD, and install the system software according to this procedure.
- Copy the boot image to the ASA. Do not transfer the system software; it is downloaded later to the SSD. This step shows an FTP copy.
copy ftp://user:password@server_ip/firepower_boot_file disk0:firepower_boot_file
Example:
- Download the ASA FirePOWER services system software install package from Cisco.com to an HTTP, HTTPS, or FTP server accessible from the Management interface. Do not download it to disk0 on the ASA.
- Set the ASA FirePOWER module boot image location in ASA disk0:
sw-module module sfr recover configure image disk0:file_path
Example:
- Load the ASA FirePOWER boot image:
sw-module module sfr recover boot
Example:
- Wait a few minutes for the ASA FirePOWER module to boot up, and then open a console session to the now-running ASA FirePOWER boot image. You might need to press Enter after opening the session to get to the login prompt. The default username is admin and the default password is Admin123.
Example:
If the module boot has not completed, the session command will fail with a message about not being able to connect over ttyS1. Wait and try again.
- Configure the system so that you can install the system software install package.
setup
You are prompted for the following. Note that the management address and gateway, and DNS information, are the key settings to configure.
- Host name—Up to 65 alphanumeric characters, no spaces. Hyphens are allowed.
- Network address—You can set static IPv4 or IPv6 addresses, or use DHCP (for IPv4) or IPv6 stateless auto configuration.
- DNS information—You must identify at least one DNS server, and you can also set the domain name and search domain.
- NTP information—You can enable NTP and configure the NTP servers, for setting system time.
Example:
- Install the system software install package:
system install [noconfirm] url
Include the noconfirm option if you do not want to respond to confirmation messages. Use an HTTP, HTTPS, or FTP URL; if a username and password are required, you will be prompted to supply them. This file is large and can take a long time to download, depending on your network.
When installation is complete, the system reboots. The time required for application component installation and for the ASA FirePOWER services to start differs substantially: high-end platforms can take 10 or more minutes, but low-end platforms can take 60-80 minutes or longer. (The show module sfr output should show all processes as Up.)
Example:
- If you need to install a patch release, you can do so later from your manager: ASDM or the Firepower Management Center.
- Obtain a Strong Encryption license and other licenses for an existing ASA for which you did not save the activation key: see http://www.cisco.com/go/license. In the Manage > Licenses section you can re-download your licenses.
To use ASDM (and many other features), you need to install the Strong Encryption (3DES/AES) license. If you saved your license activation key from this ASA before you previously reimaged to the Firepower Threat Defense device, you can re-install the activation key. If you did not save the activation key but own licenses for this ASA, you can re-download the license. For a new ASA, you will need to request new ASA licenses.
- Obtain licenses for a new ASA
- Obtain the serial number for your ASA by entering the following command:
show version | grep Serial
This serial number is different from the chassis serial number printed on the outside of your hardware. The chassis serial number is used for technical support, but not for licensing.
- See http://www.cisco.com/go/license, and click Get Other Licenses. (See Figure 1)
- Choose IPS, Crypto, Other. (See Figure 2)
- In the Search by Keyword field, enter asa, and select Cisco ASA 3DES/AES License. (See Figure 3)
- Select your Smart Account, Virtual Account, enter the ASA Serial Number, and click Next. (See Figure 4)
- Your Send To email address and End User name are auto-filled; enter additional email addresses if needed.
Check the I Agree check box, and click Submit. (See Figure 5)
- You will then receive an email with the activation key, but you can also download the key right away from the Manage > Licenses area.
- If you want to upgrade from the Base license to the Security Plus license, or purchase an AnyConnect license, see http://www.cisco.com/go/ccw. After you purchase a license, you will receive an email with a Product Authorization Key (PAK) that you can enter on http://www.cisco.com/go/license. For the AnyConnect licenses, you receive a multi-use PAK that you can apply to multiple ASAs that use the same pool of user sessions. The resulting activation key includes all features you have registered so far for permanent licenses, including the 3DES/AES license. For time-based licenses, each license has a separate activation key.
- Apply the activation key.
activation-key key
Example:
Because this ASA did not yet have an activation key installed, you see the "Failed to retrieve permanent activation key." message. You can ignore this message.
You can only install one permanent key, and multiple time-based keys. If you enter a new permanent key, it overwrites the already installed one. If you ordered additional licenses after you installed the 3DES/AES license, the combined activation key includes all licenses plus the 3DES/AES license, so you can overwrite the 3DES/AES-only key.
- The ASA FirePOWER module uses a separate licensing mechanism from the ASA. No licenses are pre-installed, but depending on your order, the box might include a PAK on a printout that lets you obtain a license activation key for the following licenses:
- Control and Protection. Control is also known as "Application Visibility and Control (AVC)" or "Apps". Protection is also known as "IPS". In addition to the activation key for these licenses, you also need "right-to-use" subscriptions for automated updates for these features.
The Control (AVC) updates are included with a Cisco support contract.
The Protection (IPS) updates require you to purchase the IPS subscription from http://www.cisco.com/go/ccw. This subscription includes entitlement to Rule, Engine, Vulnerability, and Geolocation updates. Note: This right-to-use subscription does not generate or require a PAK/license activation key for the ASA FirePOWER module; it just provides the right to use the updates.
If you did not buy an ASA 5500-X that included the ASA FirePOWER services, then you can purchase an upgrade bundle to obtain the necessary licenses. See the Cisco ASA with FirePOWER Services Ordering Guide for more information.
Other licenses that you can purchase include the following:
- Advanced Malware Protection (AMP)
- URL Filtering
These licenses do generate a PAK/license activation key for the ASA FirePOWER module. See the Cisco ASA with FirePOWER Services Ordering Guide for ordering information. See also the Cisco Firepower System Feature Licenses.
To install the Control and Protection licenses and other optional licenses, see the ASA quick start guide for your model.
ASA 5500-X or ISA 3000 from FTD to FTD
This procedure describes how to use ROMMON to reimage an existing FTD to a new version of FTD software. This procedure restores the device to a factory default condition. If you want to perform a regular upgrade, see the upgrade guide instead.
In ROMMON, you must use TFTP on the Management interface to download the new FTD boot image; only TFTP is supported. The boot image can then download the FTD system software install package using HTTP or FTP. The TFTP download can take a long time; ensure that you have a stable connection between the FTD and the TFTP server to avoid packet loss.
Procedure
- If you are managing the FTD from the Firepower Management Center, delete the device from the FMC.
- If you are managing the FTD using Firepower Device Manager, be sure to unregister the device from the Smart Software Licensing server, either from the FDM or from the Smart Software Licensing server.
- Download the FTD boot image (see Download Software) to a TFTP server accessible by the FTD on the Management interface.
For the ASA 5506-X, 5508-X, 5516-X, ISA 3000: You must use the Management 1/1 port to download the image. For the other models, you can use any interface.
- Download the FTD system software install package (see Download Software) to an HTTP or FTP server accessible by the FTD on the Management interface.
- At the console port, reboot the Firepower Threat Defense device.
reboot
Example:
Enter yes to reboot.
Example:
- Press Esc during the bootup when prompted to reach the ROMMON prompt.
Pay close attention to the monitor.
Example:
Press Esc at this point.
If you see the following message, then you waited too long, and must reload the FTD again after it finishes booting:
- Erase all disk(s) on the FTD. The internal flash is called disk0. If you have an external USB drive, it is disk1.
Example:
This step erases the old FTD boot and system images. If you do not erase the system image, you must remember to escape out of the boot process after you load the boot image in the next step; if you miss the escape window, the FTD will continue to load the old FTD system image, which can take a long time, and you will have to start the procedure over again.
- Set the network settings, and load the new boot image using the following ROMMON commands:
interface interface_id
address management_ip_address
netmask subnet_mask
server tftp_ip_address
gateway gateway_ip_address
file path/filename
set
sync
tftpdnld
The Firepower Threat Defense boot image downloads and boots up to the boot CLI.
Note
If you did not erase the disk in the previous step, then you need to press Esc to enter the boot CLI:
See the following information:
- interface—(ASA 5512-X, 5515-X, 5525-X, 5545-X, and 5555-X only) Specifies the interface ID. Other models always use the Management 1/1 interface.
- set—Shows the network settings. You can also use the ping command to verify connectivity to the server.
- sync—Saves the network settings.
- tftpdnld—Loads the boot image.
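The following added example (not part of the Cisco guide) is a Python pre-flight check for the ROMMON settings above: it confirms that the TFTP server is reachable from the management address and netmask you plan to enter, then returns the commands in the guide's order. The function name, model labels, interface ID, addresses, and file path are assumptions made for illustration.

```python
import ipaddress

# Models whose ROMMON needs the "interface" command, per the guide. The label
# strings are this example's own convention.
NEEDS_INTERFACE = {"ASA 5512-X", "ASA 5515-X", "ASA 5525-X", "ASA 5545-X", "ASA 5555-X"}


def rommon_tftp_commands(model, address, netmask, server, gateway, file, interface=None):
    """Check the settings offline, then return the ROMMON lines in the guide's order."""
    try:
        iface = ipaddress.IPv4Interface(f"{address}/{netmask}")
        srv = ipaddress.IPv4Address(server)
        gw = ipaddress.IPv4Address(gateway)
    except ValueError as exc:
        raise ValueError(f"unparseable IPv4 setting: {exc}") from None

    net, errors = iface.network, []
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        errors.append(f"{iface.ip} is the network or broadcast address of {net}")
    if srv == iface.ip:
        errors.append("TFTP server address equals the management address")
    # An off-subnet TFTP server is reachable only through an on-subnet gateway.
    if srv not in net and (gw not in net or gw == iface.ip):
        errors.append(f"server {srv} is outside {net} but gateway {gw} is not a usable next hop")
    if not file or "://" in file or file != file.strip():
        errors.append("file must be a path/filename on the TFTP server, not a URL")
    if model in NEEDS_INTERFACE and not interface:
        errors.append(f"{model} needs an interface ID")
    if errors:
        raise ValueError("; ".join(errors))

    lines = []
    if model in NEEDS_INTERFACE:  # other models always use Management 1/1
        lines.append(f"interface {interface}")
    lines += [
        f"address {iface.ip}",
        f"netmask {net.netmask}",
        f"server {srv}",
        f"gateway {gw}",
        f"file {file}",
        "set",       # shows the settings for a last visual check
        "sync",      # saves them
        "tftpdnld",  # loads the boot image
    ]
    return lines


if __name__ == "__main__":
    # Constructed sample values (documentation address ranges, placeholder path).
    for line in rommon_tftp_commands(
        "ASA 5555-X", "192.0.2.10", "255.255.255.0",
        "198.51.100.20", "192.0.2.1", "images/ftd-boot-image",
        interface="GigabitEthernet0/0",
    ):
        print(line)
```
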
Example:
- Enter setup, and configure network settings for the Management interface to establish temporary connectivity to the HTTP or FTP server so that you can download and install the system software package.
Note
If you have a DHCP server, the FTD automatically sets the network configuration. See the following sample startup messages when using DHCP:
Example:
- Download the Firepower Threat Defense system software install package. This step shows an HTTP installation.
system install [noconfirm] url
Include the noconfirm option if you do not want to respond to confirmation messages.
Example:
You are prompted to erase the internal flash drive. Enter y.
The installation process erases the flash drive and downloads the system image. You are prompted to continue with the installation. Enter y.
When the installation finishes, press Enter to reboot the device.
The reboot takes upwards of 30 minutes, and could take much longer. Upon reboot, you will be in the Firepower Threat Defense CLI.
- To troubleshoot network connectivity, see the following examples.
Example:
- To troubleshoot installation failures, see the following examples.
Example:
"Timed out" error
At the downloading stage, if the file server is not reachable, it will fail due to a time out.
In this case, make sure the file server is reachable from the ASA. You can verify by pinging the file server.
"Package not found" error
If the file server is reachable, but the file path or name is wrong, the installation fails with a "Package not found" error:
In this case, make sure the FTD package file path and name are correct.
Installation failed with unknown error
When the installation fails after the system software has been downloaded, the cause is generally displayed as "Installation failed with unknown error". When this error happens, you can troubleshoot the failure by viewing the installation log:
You can also view the upgrade.log, pyos.log, and commandd.log under /var/log/cisco with the same command for boot CLI related issues.
- You can use either Firepower Device Manager or Firepower Management Center to manage your device. See the Quick Start Guide for your model and your manager to continue setup: http://www.cisco.com/go/ftd-asa-quick
What's Next
Firepower Threat Defense
See the quick start guide for your model and management application:
- Firepower Device Manager for the ASA 5506-X
- Firepower Management Center for the ASA 5506-X
- Firepower Device Manager for the ASA 5508-X and 5516-X
- Firepower Management Center for the ASA 5506-X and 5516-X
- Firepower Device Manager for the ASA 5512-X through 5555-X
- Firepower Management Center for the ASA 5512-X through 5555-X
- Firepower Device Manager for the Firepower 2100
- Firepower Management Center for the Firepower 2100
ASA
See the quick start guide for your model:
- ASA for the ASA 5506-X
- ASA for the ASA 5508-X and 5516-X
- ASA for the ASA 5512-X through 5555-X
- ASA for the Firepower 2100