Image Swap: ASA to FTD

Firewalls are a necessary component in any network environment, especially in an enterprise. Take a look at your front door, would you remove it permanently? Firewalls have evolved over the years from simple gatekeepers to complex security solutions that integrate with the rest of the network. Imagine if you could program your front door to only allow people in who wore green shirts. Once inside they would only be able to walk into the living room…on a Tuesday. My own firewall journey started years back on Juniper SSG350s then onto ASA and Palo Alto. I am currently looking into Cisco’s Firepower Threat Defense (FTD). As a fan of most things Cisco (ASA CX anyone?), FTD adds visibility to the rest of the ecosystem that might include AMP, ISE and Stealthwatch. With an ASA 5512-X in hand, my mission is to replace its ASA image with FTD.

The following is my experience with the easy replacement of the ASA image on a 5512-X. I am by no means making a discovery, but simply following Cisco's thorough guide on image swapping. Check out https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/reimage/asa-ftd-reimage.html. The guide covers both FTD to ASA and ASA to FTD image swaps.

Upon booting up the 5512-X and running a show inventory, I did not see the SSD. The SSD is required on the 5512-X in order for it to run the FTD image. After about a minute of panic, I realized I did have the SSD installed. For some reason, show inventory did not give any details on it. The same command on a 5545 or 5525 does yield info on the SSD. Either way, the requirement was met and I could proceed. To find out which version I could use on the ASA, I took a look at Cisco's Firepower Compatibility Guide: https://www.cisco.com/c/en/us/td/docs/security/firepower/compatibility/firepower-compatibility.html. A 5512-X can run versions up to 6.2.3 of Firepower, which is also the oldest version I could run with the Firepower Management Center 6.6 that I was going to deploy. I logged in to Cisco's site and grabbed the boot image and the install package I needed for Firepower 6.2.3.

  1. Enter ROMMON! Usually, ROMMON is not the place I'd like to be. If I see ROMMON, either something bad happened or I'm trying to reset a password on a device. To proceed with the ASA to FTD image swap, you have to start in ROMMON. I booted up the ASA and hit <ESC> when I was prompted. So far so good.
  2. Once in ROMMON, the management interface needed to be configured. This is the start of the process of transferring the downloaded files for the upgrade. I entered most of the IP info (did not need a gateway) and the boot image file name. The command set shows you the changes. The command sync locks those settings in.
  3. By this time, I had already given my laptop with the files an IP on the same subnet and had connected it to the ASA's management interface. A ping test was suggested in the instructions and that was successful.
  4. The command tftpdnld grabs the file I referenced in the previous config. I did not mention this earlier, but based on that command, you do need to use TFTP to download the boot image. I used MobaXterm, a terminal client that comes with TFTP server capabilities.
  5. Once the download was complete, the FTD setup was next. At the prompt shown on the screen, I typed setup.
  6. The management interface configuration was typed in. I thought I could get away without a gateway, but I ended up having to make one up. Keep in mind, I was still directly connected to the management interface with my laptop.
  7. I tried to get away with using TFTP again (unsecure simplicity), but of course for the next file that did not work out. The install package can be downloaded via HTTP, HTTPS or FTP. The command system install noconfirm ftp://<user:pass@IP>/<filename> grabbed the file from MobaXterm's FTP server. The noconfirm portion of the command took me through the install without having to worry about a prompt.
  8. Cisco's guide says the process could take about 30 minutes or so, and that is pretty much how long it took. Once the process is complete there is a reboot. Once the system initialized, it was time to log in with the default admin/Admin123 combo.
  9. In the next few prompts I accepted the EULA and changed the password.
  10. Done! The ASA image had been successfully changed to the FTD image. Now it was time to think about adding the firewall to the Firepower Management Center in order to have some real fun.
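The same sequence collapsed into a single session, as an added example that is not from the original post or from Cisco's guide. Every address, filename, build number and FTP credential below is a placeholder (192.0.2.x addresses are documentation space), the real filenames come from the Cisco download page for the Firepower version you chose, and the lines starting with ! are annotations to read, not commands to type.

```console
! --- ROMMON: stage the FTD boot image over TFTP ---
! ASA management address (placeholder)
rommon #0> ADDRESS=192.0.2.10
! the laptop running the TFTP server (placeholder)
rommon #1> SERVER=192.0.2.20
! no real router on a directly connected laptop, so point GATEWAY at the laptop too
rommon #2> GATEWAY=192.0.2.20
! boot image downloaded from Cisco for the chosen Firepower release (placeholder name)
rommon #3> IMAGE=ftd-boot-<version>.lfbff
! review the variables before committing them, then write them to NVRAM
rommon #4> set
rommon #5> sync
! confirm the laptop answers before starting the transfer
rommon #6> ping 192.0.2.20
! pull the boot image over TFTP and boot it
rommon #7> tftpdnld

! --- FTD boot CLI: configure management, then pull the install package ---
! setup walks through hostname, management IP and mask, gateway (required here), DNS and NTP
firepower-boot> setup
! the install package must come over HTTP, HTTPS or FTP; noconfirm skips the confirmation prompt
! (user, password and package build number are placeholders)
firepower-boot> system install noconfirm ftp://ftduser:<password>@192.0.2.20/ftd-6.2.3-<build>.pkg

! --- after roughly 30 minutes the box reboots into FTD ---
firepower login: admin
Password: Admin123
! accept the EULA, set a new admin password, then register the device to the FMC
```

The ROMMON variables and the ping are the only checkpoints before the transfer starts, so reviewing the output of set and confirming the ping succeeds is the cheapest place to catch a typo in an address or filename; once tftpdnld is running, the next chance to correct anything is after a reboot back into ROMMON.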

That was it! The whole process took about an hour as I read through Cisco's guide, connected the laptop and went through the steps. Overall, changing the image from ASA to FTD on a 5512-X was pretty simple. Keep in mind, you can also run an ASA with the Firepower services module on it. This allows you to have a little of both worlds on the same box, but what I did was a complete jump from ASA to FTD using the ASA hardware.

Published by

David Alicea

I am a network engineer working in manufacturing with experience in education. I am going to use this blog as an opportunity to teach and crack some jokes along the way.
