The upgrade procedure a Cisco Firepower ASA 2100 standalone unit with ASA version 9.13 and above is similar to the upgrade procedure in a classic Cisco ASA firewall.
The newer Firepower 2100 with ASA are shipped with ASA version 9.13 above which runs in Appliance mode. The ASA version 9.16.3 is the TAC recommended code (with gold star) as of this writing. Always check the ASA version and ASDM compatibility using this matrix. The ASA 9.16.3.19 is compatible with ASDM 7.18 (1.152)
ciscoasa# show version
Cisco Adaptive Security Appliance Software Version 9.16(2)3
SSP Operating System Version 2.10(1.172)
Device Manager Version 7.16(1)
Compiled on Mon 06-Sep-21 19:54 GMT by builders
System image file is "disk0:/mnt/boot/installables/switch/fxos-k8-fp2k-npu.2.10.1.172.SPA"
Config file at boot was "startup-config"
ciscoasa up 31 mins 46 secs
Hardware: FPR-2120, 6588 MB RAM, CPU MIPS 1200 MHz, 1 CPU (8 cores)
1: Int: Internal-Data0/1 : address is 000f.b748.1234, irq 0
3: Int: Not licensed : irq 0
4: Ext: Management1/1 : address is 3c26.e404.5678, irq 0
5: Int: Internal-Data1/1 : address is 0000.0100.0001, irq 0
License mode: Smart Licensing
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 1024
Inside Hosts : Unlimited
Failover : Active/Active
Encryption-DES : Enabled
Encryption-3DES-AES : Disabled
Security Contexts : 2
Carrier : Disabled
AnyConnect Premium Peers : 3500
AnyConnect Essentials : Disabled
Other VPN Peers : 3500
Total VPN Peers : 3500
AnyConnect for Mobile : Enabled
AnyConnect for Cisco VPN Phone : Enabled
Advanced Endpoint Assessment : Enabled
Shared License : Disabled
Total TLS Proxy Sessions : 8000
Cluster : Disabled
Serial Number: JAD26291234
Configuration register is 0x1
Configuration last modified by enable_1 at 08:19:10.249 UTC Sun Dec 11 2022
ciscoasa# show run asdm
no asdm history enable
ciscoasa# show fxos mode
Mode is currently set to appliance
I used a USB flash disk to easily copy the ASA image and ASDM files. There's no syslog generated by the ASA when a USB flash disk is inserted.
ciscoasa# dir ?
/all List all files
/recursive List files recursively
all-filesystems List files on all filesystems
disk0: Directory or file name
disk1: Directory or file name
flash: Directory or file name
system: Directory or file name
<cr>
ciscoasa# dir disk1:
Directory of disk1:/
<OUTPUT TRUNCATED>
181 -rwx 474321104 23:27:50 Sep 12 2022 cisco-asa-fp2k.9.16.3.19.SPA
182 -rwx 110401360 17:03:44 Dec 11 2022 asdm-7181-152.bin
12 file(s) total size: 1036935529 bytes
2013265920 bytes total (886046720 bytes free/44% free)
Use the copy disk1: disk0: to transfer image files from USB to ASA flash memory.
ciscoasa# copy disk1:/asdm-7181-152.bin disk0:/asdm-7181-152.bin
Source filename [asdm-7181-152.bin]?
Destination filename [asdm-7181-152.bin]?
Copy in progress...CCCCCCCCCCCCCCCCCCCCCC
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
Verifying file disk0:/asdm-7181-152.bin...
Writing file disk0:/asdm-7181-152.bin...
110401360 bytes copied in 27.340 secs (4088939 bytes/sec)
ciscoasa# copy disk1:/cisco-asa-fp2k.9.16.3.19.SPA disk0:/cisco-asa-fp2k.9.16.3.19.SPA
Source filename [cisco-asa-fp2k.9.16.3.19.SPA]?
Destination filename [cisco-asa-fp2k.9.16.3.19.SPA]?
Copy in progress...CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
Verifying file disk0:/cisco-asa-fp2k.9.16.3.19.SPA...
Writing file disk0:/cisco-asa-fp2k.9.16.3.19.SPA...
474321104 bytes copied in 110.830 secs (4312010 bytes/sec)
ciscoasa# dir
Directory of disk0:/
134217958 drwx 52 19:54:29 Jul 20 2022 log
268599726 -rw- 37230720 19:55:18 Sep 06 2021 asdm.bin
2 drwx 4096 19:49:07 Jul 20 2022 cores
134217961 drwx 6 19:53:47 Jul 20 2022 fxos
134217962 drwx 22 19:54:51 Jul 20 2022 smart-log
402653602 -rw- 176 08:18:37 Dec 11 2022 npu-asa-cmd-server.log
402653603 -rw- 39 08:18:26 Dec 11 2022 snortpacketinfo.conf
268745990 drw- 26 19:55:22 Jul 20 2022 coredumpinfo
402653597 -rwx 474321104 09:15:43 Dec 11 2022 cisco-asa-fp2k.9.16.3.19.SPA
402653605 -rwx 110401360 09:17:03 Dec 11 2022 asdm-7181-152.bin
5 file(s) total size: 621953399 bytes
21475885056 bytes total (20637024256 bytes free/96% free)
Use the verify command to check the integrity of the file. MD5 checksum are found in the Cisco website.
ciscoasa# verify /md5 asdm-7181-152.bin
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
<OUTPUT TRUNCATED>
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!Done!
verify /MD5 (disk0:/asdm-7181-152.bin) = 5871d371950e3861c303d351de361f54
ciscoasa# verify /md5 cisco-asa-fp2k.9.16.3.19.SPA
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
<OUTPUT TRUNCATED>
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!Done!
verify /MD5 (disk0:/cisco-asa-fp2k.9.16.3.19.SPA) = 1fc4a0d9ad1729f1719e978713585ba8
Like the classic ASA, just change the boot system variable to point to the new ASA image and ASDM, save and reload for it to take effect.
ciscoasa# show run boot system
ciscoasa# <BLANK>
ciscoasa# configure terminal
ciscoasa(config)# boot system disk0:/cisco-asa-fp2k.9.16.3.19.SPA
The system is currently installed with security software package 9.16.2.3, which has:
- The platform version: 2.10.1.172
- The CSP (asa) version: 9.16.2.3
Preparing new image for install...
!!!!!!!!!!!
Image download complete (Successful unpack the image).
Installation of version 9.16.3.19 will do the following:
- upgrade to the new platform version 2.10.1.207
- upgrade to the CSP ASA version 9.16.3.19
After installation is complete, ensure to do write memory and reload to save this config and apply the new image.
Finalizing image install process...
Install_status: ready............
Install_status: validating-images.....
Install_status: upgrading-npu
Install_status: upgrading-system
Install_status: update-software-pack-completed
ciscoasa(config)# asdm image disk0:/asdm-7181-152.bin
ciscoasa(config)# end
ciscoasa# write memory
Building configuration...
Cryptochecksum: dc4d65b9 d6d90953 487e762f c145c225
12006 bytes copied in 1.890 secs (12006 bytes/sec)
[OK]
ciscoasa# reload
Proceed with reload? [confirm]
ciscoasa#
***
*** --- START GRACEFUL SHUTDOWN ---
Shutting down Application Agent
Shutting down isakmp
Shutting down webvpn
Shutting down sw-module
Shutting down License Controller
Shutting down File system
***
*** --- SHUTDOWN NOW ---
Process shutdown finished
Rebooting... (status 0x9)
..
lina_monitor pro2022 Dec 11 09:25:15 PMLOG: PM IPC UTILITY: Shutting down all ports
Cisco ASA: CMD=-stop, CSP-ID=cisco-asa.9.16.2.3__asa_001_JMX2630X263NOV0U01, FLAG=''
Cisco ASA stopping ...
Cisco ASA stopped successfully.
Stopping Octeon Serial Logd...
Stopping Octeon Serial Logd... success
Stopping OpenBSD Secure Shell server: sshd
stopped /usr/sbin/sshd (pid 9975)
done.
Stopping Octeon NPU ...
<OUTPUT TRUNCATED>
It took around 9 mins for the upgrade to complete.
Cisco ASA: CMD=-bootup, CSP-ID=cisco-asa.9.16.2.3__asa_001_JMX2630X263NOV0U01, FLAG=''
Cisco ASA booting up ...
INFO:-MspCheck: Configuration Xml found is /opt/cisco/csp/applications/configs/cspCfg_cisco-asa.9.16.2.3__asa_001_JMX2630X263NOV0U01.xml
INFO:
firepower-2120 login: admin (automatic login)
Successful login attempts for user 'admin' : 1
INFO: System Disks /dev/sda is present. Status: Operable. /dev/sdb is present. Status: Inoperable.
Waiting for Application infrastructure to be ready...
Verifying the signature of the Application image...
Please wait for Cisco ASA to come online...1...
Please wait for Cisco ASA to come online...2...
Please wait for Cisco ASA to come online...3...
Please wait for Cisco ASA to come online...4...
Please wait for Cisco ASA to come online...5...
Please wait for Cisco ASA to come online...6...
Please wait for Cisco ASA to come online...7...
Please wait for Cisco ASA to come online...8...
Cisco ASA: CMD=-upgrade, CSP-ID=cisco-asa.9.16.3.19__asa_001_JMX2630X263NOV0U01, FLAG='cisco-asa.9.16.2.3__asa_001_JMX2630X263NOV0U01'
Cisco ASA begins upgrade ...
Please wait for Cisco ASA to come online...9...
Please wait for Cisco ASA to come online...10...
Please wait for Cisco ASA to come online...11...
Please wait for Cisco ASA to come online...12...
Please wait for Cisco ASA to come online...13...
Please wait for Cisco ASA to come online...14...
Verifying signature for cisco-asa.9.16.3.19 ...
Verifying signature for cisco-asa.9.16.3.19 ... success
Please wait for Cisco ASA to come online...15...
Cisco ASA: CMD=-start, CSP-ID=cisco-asa.9.16.3.19__asa_001_JMX2630X263NOV0U01, FLAG=''
Cisco ASA starting ...
Registering to process manager ...
Cisco ASA started successfully.
Please wait for Cisco ASA to come online...16...
Please wait for Cisco ASA to come online...17...
Please wait for Cisco ASA to come online...18...
lina_init_env: memif is not enabled.
System Cores 8 Nodes 1 Max Cores 48
Number of Cores 8
Global Reserve Memory Per Node: 692060160 bytes Nodes=1
LCMB: HEAP-CACHE POOL got 683671552 bytes on numa-id=0, virt=0x0000005555600000
total_reserved_mem = 1073741824
total_heapcache_mem = 683671552
total mem 7168280331 system 7222935552 kernel 54655221 image 0
new 7168280331 old 1073741824 reserve 1757413376 priv new 5465522176 priv old 0
Processor memory: 6908362752
POST started...
POST finished, result is 0 (hint: 1 means it failed)
Cisco Adaptive Security Appliance Software Version 9.16(3)19
Compiled on Wed 03-Aug-22 05:26 GMT by builders
Platform is FPR-2120
Adding Cavium NIC interface 1 port 0
Total NICs found: 5
NIC pci:id 00, slot 0, port 1, bus -1, dev -1 func 0, irq 00, internal, ten_gb-ethernet, ind 1
NIC pci:id 01, slot 0, port -1, bus 0, dev 0 func 0, irq 00, internal, , ind 0
NIC pci:id 02, slot 1, port 1, bus -1, dev -1 func -1, irq 00, internal, gb-ethernet, ind 1
NIC pci:id 03, slot 1, port 1, bus -1, dev -1 func -1, irq 00, external, gb-ethernet, ind 1
NIC pci:id 04, slot 1, port 1, bus -1, dev -1 func -1, irq 00, internal, gb-ethernet, ind 1
en_vtun rev00 Backplane Ext-Mgmt Interface @ index 03 MAC: 3c26.e404.9e81
en_vtun rev00 Backplane Tap Interface @ index 04 MAC: 0000.0100.0001
WARNING: Attribute already exists in the dictionary.
Use software crypto.
The 3DES/AES algorithms require a Encryption-3DES-AES entitlement.
The 3DES/AES algorithms require a Encryption-3DES-AES entitlement.
Cisco Adaptive Security Appliance Software Version 9.16(3)19
****************************** Warning *******************************
This product contains cryptographic features and is
subject to United States and local country laws
governing, import, export, transfer, and use.
Delivery of Cisco cryptographic products does not
imply third-party authority to import, export,
distribute, or use encryption. Importers, exporters,
distributors and users are responsible for compliance
with U.S. and local country laws. By using this
product you agree to comply with applicable laws and
regulations. If you are unable to comply with U.S.
and local laws, return the enclosed items immediately.
A summary of U.S. laws governing Cisco cryptographic
products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by
sending email to export@cisco.com.
******************************* Warning *******************************
Cisco Adaptive Security Appliance Software, version 9.16
Copyright (c) 1996-2022 by Cisco Systems, Inc.
For licenses and notices for open source software used in this product, please visit
http://www.cisco.com/go/asa-opensource
Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Reading from flash...
!!!.....
Cryptochecksum (unchanged): dc4d65b9 d6d90953 487e762f c145c225
INFO: Power-On Self-Test in process.
..............
INFO: Power-On Self-Test complete.
INFO: Starting SW-DRBG health test...
INFO: SW-DRBG health test passed.
User enable_1 logged in to ciscoasa
Logins over the last 1 days: 1.
Failed logins since the last login: 0.
Attaching to ASA CLI ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.
ciscoasa> enable
Password: ********
ciscoasa# show version
Cisco Adaptive Security Appliance Software Version 9.16(3)19
SSP Operating System Version 2.10(1.207)
Device Manager Version 7.18(1)152
Compiled on Wed 03-Aug-22 05:26 GMT by builders
System image file is "disk0:/mnt/boot/installables/switch/fxos-k8-fp2k-npu.2.10.1.207.SPA"
Config file at boot was "startup-config"
ciscoasa up 1 min 37 secs
Hardware: FPR-2120, 6588 MB RAM, CPU MIPS 1200 MHz, 1 CPU (8 cores)
1: Int: Internal-Data0/1 : address is 000f.b748.1234, irq 0
3: Int: Not licensed : irq 0
4: Ext: Management1/1 : address is 3c26.e404.5678, irq 0
5: Int: Internal-Data1/1 : address is 0000.0100.0001, irq 0
License mode: Smart Licensing
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 1024
Inside Hosts : Unlimited
Failover : Active/Active
Encryption-DES : Enabled
Encryption-3DES-AES : Disabled
Security Contexts : 2
Carrier : Disabled
AnyConnect Premium Peers : 3500
AnyConnect Essentials : Disabled
Other VPN Peers : 3500
Total VPN Peers : 3500
AnyConnect for Mobile : Enabled
AnyConnect for Cisco VPN Phone : Enabled
Advanced Endpoint Assessment : Enabled
Shared License : Disabled
Total TLS Proxy Sessions : 8000
Cluster : Disabled
Serial Number: JAD26291234
Configuration register is 0x1
Configuration has not been modified since last system restart.
ciscoasa# show asdm ?
history Show contents of Device Manager history buffer
image Show current Device Manager image file
log_sessions Show current Device Manager logging sessions
sessions Show current Device Manager sessions
ciscoasa# show asdm image
Device Manager image file, disk0:/asdm-7181-152.bin
Remove the default ASA config with this command script.
interface Ethernet1/1
no ip address dhcp setroute
interface Ethernet1/2
no ip address
interface Management1/1
no ip address
no dns domain-lookup outside
no object network obj_any
no http 0.0.0.0 0.0.0.0 management
no http 192.168.1.0 255.255.255.0 inside
no dhcpd auto_config outside
no dhcpd address 192.168.1.20-192.168.1.254 inside
no dhcpd enable inside
write memory
ciscoasa# show run
: Saved
:
: Serial Number: JAD26291234
: Hardware: FPR-2120, 6588 MB RAM, CPU MIPS 1200 MHz, 1 CPU (8 cores)
:
ASA Version 9.16(3)19
!
hostname ciscoasa
enable password ***** pbkdf2
service-module 0 keepalive-timeout 4
service-module 0 keepalive-counter 6
names
no mac-address auto
!
interface Ethernet1/1
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet1/2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/9
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/10
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/11
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/12
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/13
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/14
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/15
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/16
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
nameif management
security-level 100
ip address dhcp setroute
!
boot system disk0:/cisco-asa-fp2k.9.16.3.19.SPA
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 208.67.220.220
name-server 208.67.222.222
object network obj_any
subnet 0.0.0.0 0.0.0.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
no failover wait-disable
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-7181-152.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 32768
!
object network obj_any
nat (any,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 0.0.0.0 0.0.0.0 management
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpoint _SmartCallHome_ServerCA2
no validation-usage
crl configure
crypto ca trustpool policy
auto-import
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 0a0142800000014523c844b500000002
30820560 30820348 a0030201 0202100a 01428000 00014523 c844b500 00000230
0d06092a 864886f7 0d01010b 0500304a 310b3009 06035504 06130255 53311230
<OUTPUT TRUNCATED>
6b3c1083 c6addea8 cd168e8d f0073771 9ff2abfc 41f5c18b ec00375d 09e54e80
effab15c 3806a51b 4ae1dc38 2d3cdcab 1f901ad5 4a9ceed1 706cccee f457f818
ba846e87
quit
crypto ca certificate chain _SmartCallHome_ServerCA2
certificate ca 0509
308205b7 3082039f a0030201 02020205 09300d06 092a8648 86f70d01 01050500
3045310b 30090603 55040613 02424d31 19301706 0355040a 13105175 6f566164
<OUTPUT TRUNCATED>
b478a53a 874c8d8a a5d54697 f22c10b9 bc5422c0 01506943 9ef4b2ef 6df8ecda
f1e3b1ef df918f54 2a0b25c1 2619c452 100565d5 8210eac2 31cd2e
quit
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group14-sha256
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.20-192.168.1.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
profile License
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination transport-method http
Cryptochecksum:dc4d65b9d6d90953487e762fc145c225
: end
No comments:
Post a Comment