Step 1. If you are managing the Firepower Threat Defense device from the Firepower Management Center, delete the device from the Management Center.
Step 2. If you are managing the Firepower Threat Defense device using Firepower Device Manager, be sure to unregister the device from the Smart Software Licensing server, either from the Firepower Device Manager or from the Smart Software Licensing server.
Step 3. Download the ASA image (see Download Software) to a TFTP server accessible by the Firepower Threat Defense device on the Management interface.
For the ASA 5506-X, 5508-X, and 5516-X, you must use the Management 1/1 port to download the image. For the other models, you can use any interface.
Step 4. At the console port, reboot the Firepower Threat Defense device.
This command will reboot the system. Continue?
Please enter 'YES' or 'NO': yes
Enter yes to reboot.
Step 5. Press Esc during the bootup when prompted to reach the ROMMON prompt.
Pay close attention to the monitor.
Booting from ROMMON
Cisco Systems ROMMON Version (2.1(9)8) #1: Wed Oct 26 17:14:40 PDT 2011
Platform ASA 5555-X with SW, 8 GE Data, 1 GE Mgmt
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Boot in 7 seconds.
Press Esc at this point.
If you see the following message, then you waited too long, and must reboot the Firepower Threat Defense device again after it finishes booting:
Boot configuration file contains 2 entries.
Step 6. (Do not perform this step for the ASA 5506-X) Erase all disk(s) on the Firepower Threat Defense device. The internal flash is called disk0. If you have an external USB drive, it is disk1.
rommon #0> erase disk0:
About to erase the selected device, this will erase
all files including configuration, and images.
Continue with erase? y/n [n]: y
This step erases Firepower Threat Defense files so that the ASA does not try to load an incorrect configuration file, which causes numerous errors.
Step 7. Set the network settings, and load the ASA image using the following ROMMON commands.
The ASA image downloads and boots up to the CLI.
See the following information:
interface—(ASA 5512-X, 5515-X, 5525-X, 5545-X, and 5555-X only) Specifies the interface ID. Other models always use the Management 1/1 interface.
gateway—Sets the gateway address to be the same as the server IP address if they’re on the same network.
set—Shows the network settings. You can also use the ping command to verify connectivity to the server.
sync—Saves the network settings.
tftpdnld—Loads the boot image.
Example for the ASA 5555-X:
rommon #2> interface gigabitethernet0/0
rommon #3> address 10.86.118.4
rommon #4> server 10.86.118.21
rommon #5> gateway 10.86.118.21
rommon #6> file asalatest-smp-k8.bin
rommon #7> set
ROMMON Variable Settings:
rommon #8> sync
Updating NVRAM Parameters...
rommon #9> tftpdnld
Example for the ASA 5506-X:
rommon #2> address 10.86.118.4
rommon #3> server 10.86.118.21
rommon #4> gateway 10.86.118.21
rommon #5> file asalatest-lfbff-k8.SPA
rommon #6> set
ROMMON Variable Settings:
rommon #7> sync
Updating NVRAM Parameters...
rommon #8> tftpdnld
Step 8. Configure network settings and prepare the disks.
When the ASA first boots up, it does not have any configuration on it. You can either follow the interactive prompts to configure the Management interface for ASDM access, or you can paste a saved configuration or, if you do not have a saved configuration, the recommended configuration (below).
If you do not have a saved configuration, we suggest pasting the recommended configuration if you are planning to use the ASA FirePOWER module. The ASA FirePOWER module is managed on the Management interface and needs to reach the internet for updates. The simple, recommended network deployment includes an inside switch that lets you connect Management (for FirePOWER management only), an inside interface (for ASA management and inside traffic), and your management PC to the same inside network. See the quick start guide for more information about the network deployment:
- At the ASA console prompt, you are prompted to provide some configuration for the Management interface.
Pre-configure Firewall now through interactive prompts [yes]?
If you want to paste a configuration or create the recommended configuration for a simple network deployment, then enter no and continue with the procedure.
If you want to configure the Management interface so you can connect to ASDM, enter yes, and follow the prompts.
- At the console prompt, access privileged EXEC mode.
The following prompt appears:
- Press Enter. By default, the password is blank.
- Access global configuration mode.
- If you did not use the interactive prompts, copy and paste your configuration at the prompt.
If you do not have a saved configuration, and you want to use the simple configuration described in the quick start guide, copy the following configuration at the prompt, changing the IP addresses and interface IDs as appropriate. If you did use the prompts, but want to use this configuration instead, clear the configuration first with the clear configure all command.
ip address dhcp setroute
ip address ip_address netmask
object network obj_any
subnet 0 0
nat (any,outside) dynamic interface
http server enable
http inside_network netmask inside
dhcpd address inside_ip_address_start-inside_ip_address_end inside
dhcpd auto_config outside
dhcpd enable inside
logging asdm informational
For the ASA 5506W-X, add the following for the wifi interface:
same-security-traffic permit inter-interface
interface GigabitEthernet 1/9
ip address ip_address netmask
http wifi_network netmask wifi
dhcpd address wifi_ip_address_start-wifi_ip_address_end wifi
dhcpd enable wifi
- Reformat the disks:
The internal flash is called disk0. If you have an external USB drive, it is disk1. If you do not reformat the disks, then when you try to copy the ASA image, you see the following error:
%Error copying ftp://10.86.89.125/asa971-smp-k8.bin (Not enough space on device)
- Save the new configuration:
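The recommended configuration from the paste step above, written out in full as an added example (it is not the page's own text or the quick start guide verbatim). It assumes an ASA 5506W-X with GigabitEthernet1/1 as outside, GigabitEthernet1/2 as inside and GigabitEthernet1/9 as wifi; the interface, nameif and security-level lines and the 192.168.1.0/24 and 192.168.10.0/24 addresses are assumptions you change for your own model and network.

```text
! Added example: full recommended configuration for an ASA 5506W-X.
! Interface IDs, names and addresses are assumptions; adjust for your model.
! Outside: address and default route come from the ISP via DHCP
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address dhcp setroute
 no shutdown
! Inside: ASA management, FirePOWER module updates, and inside hosts
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 no shutdown
! Wifi (ASA 5506W-X only): same security level as inside, so traffic
! between the two needs the same-security inter-interface permit
same-security-traffic permit inter-interface
interface GigabitEthernet1/9
 nameif wifi
 security-level 100
 ip address 192.168.10.1 255.255.255.0
 no shutdown
! Interface PAT for every inside/wifi host leaving through outside
object network obj_any
 subnet 0 0
 nat (any,outside) dynamic interface
! ASDM: enable HTTPS and restrict it to the inside and wifi networks only
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.10.0 255.255.255.0 wifi
! DHCP for inside and wifi clients; DNS and domain are copied from the
! outside lease by auto_config
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd address 192.168.10.5-192.168.10.254 wifi
dhcpd auto_config outside
dhcpd enable inside
dhcpd enable wifi
logging asdm informational
```

Lines beginning with ! are ignored when pasted at the global configuration prompt, so the block can be pasted as shown; omit the wifi section on models other than the ASA 5506W-X.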
Step 9. Install the ASA and ASDM images.
Booting the ASA from ROMMON mode does not preserve the system image across reloads; you must still download the image to flash memory. You also need to download ASDM to flash memory.
- Download the ASA and ASDM images (see Download Software) to a server accessible by the ASA. The ASA supports many server types. See the copy command for more information: http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/A-H/cmdref1/c4.html#pgfId-2171368.
- Copy the ASA image to the ASA flash memory. This step shows an FTP copy.
ciscoasa# copy ftp://admin:email@example.com/asa961-smp-k8.bin disk0:asa961-smp-k8.bin
- Copy the ASDM image to the ASA flash memory. This step shows an FTP copy.
ciscoasa# copy ftp://admin:firstname.lastname@example.org/asdm-761.bin disk0:asdm-761.bin
- Reload the ASA:
The ASA reloads using the image in disk0.
Step 10. Install the ASA FirePOWER module software.
You need to install the ASA FirePOWER boot image, partition the SSD, and install the system software according to this procedure.
- Copy the boot image to the ASA. Do not transfer the system software; it is downloaded later to the SSD. This step shows an FTP copy.
ciscoasa# copy ftp://admin:email@example.com/asasfr-5500x-boot-6.0.1.img disk0:/asasfr-5500x-boot-6.0.1.img
- Download the ASA FirePOWER services system software install package from Cisco.com to an HTTP, HTTPS, or FTP server accessible from the Management interface. Do not download it to disk0 on the ASA.
- Set the ASA FirePOWER module boot image location in ASA disk0:
sw-module module sfr recover configure image disk0:file_path
ciscoasa# sw-module module sfr recover configure image disk0:asasfr-5500x-boot-6.0.1.img
- Load the ASA FirePOWER boot image:
sw-module module sfr recover boot
ciscoasa# sw-module module sfr recover boot
Module sfr will be recovered. This may erase all configuration and all data
on that device and attempt to download/install a new image for it. This may take
Recover module sfr? [confirm] y
Recover issued for module sfr.
- Wait a few minutes for the ASA FirePOWER module to boot up, and then open a console session to the now-running ASA FirePOWER boot image. You might need to press Enter after opening the session to get to the login prompt. The default username is admin and the default password is Admin123.
ciscoasa# session sfr console
Opening console session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.
asasfr login: admin
If the module boot has not completed, the session command will fail with a message about not being able to connect over ttyS1. Wait and try again.
- Configure the system so that you can install the system software install package.
You are prompted for the following. Note that the management address and gateway, and DNS information, are the key settings to configure.
Host name—Up to 65 alphanumeric characters, no spaces. Hyphens are allowed.
Network address—You can set static IPv4 or IPv6 addresses, or use DHCP (for IPv4) or IPv6 stateless autoconfiguration.
DNS information—You must identify at least one DNS server, and you can also set the domain name and search domain.
NTP information—You can enable NTP and configure the NTP servers, for setting system time.
Welcome to Cisco FirePOWER Services Setup
[hit Ctrl-C to abort]
Default values are inside 
- Install the system software install package:
system install [noconfirm] url
Include the noconfirm option if you do not want to respond to confirmation messages. Use an HTTP, HTTPS, or FTP URL; if a username and password are required, you will be prompted to supply them. This file is large and can take a long time to download, depending on your network.
When installation is complete, the system reboots. The time required for application component installation and for the ASA FirePOWER services to start differs substantially: high-end platforms can take 10 or more minutes, but low-end platforms can take 60-80 minutes or longer. (The show module sfr output should show all processes as Up.)
asasfr-boot> system install http://admin:firstname.lastname@example.org/packages/asasfr-sys-6.0.1-58.pkg
Description: Cisco ASA-FirePOWER 6.0.1-58 System Install
Requires reboot: Yes
Do you want to continue with upgrade? [y]: y
Warning: Please do not interrupt the process or turn off the system.
Doing so might leave system in unusable state.
Starting upgrade process ...
Populating new system image
Reboot is required to complete the upgrade. Press 'Enter' to reboot the system. [type Enter]
Broadcast message from root (ttyS1) (Mon Feb 17 19:28:38 2016):
The system is going down for reboot NOW!
Console session with module sfr terminated.
- If you need to install a patch release, you can do so later from your manager: ASDM or the Firepower Management Center.
Step 11. Obtain a Strong Encryption license and other licenses for an existing ASA for which you did not save the activation key: see http://www.cisco.com/go/license. In the section you can re-download your licenses.
To use ASDM (and many other features), you need to install the Strong Encryption (3DES/AES) license. If you saved your license activation key from this ASA before you previously reimaged to the Firepower Threat Defense device, you can re-install the activation key. If you did not save the activation key but own licenses for this ASA, you can re-download the license. For a new ASA, you will need to request new ASA licenses.
Step 12. Obtain licenses for a new ASA.
- Obtain the serial number for your ASA by entering the following command:
show version | grep Serial
This serial number is different from the chassis serial number printed on the outside of your hardware. The chassis serial number is used for technical support, but not for licensing.
- See http://www.cisco.com/go/license, and click Get Other Licenses.
Figure 1. Get Other Licenses
- Choose IPS, Crypto, Other.
Figure 2. IPS, Crypto, Other
- In the Search by Keyword field, enter asa, and select Cisco ASA 3DES/AES License.
Figure 3. Cisco ASA 3DES/AES License
- Select your Smart Account, Virtual Account, enter the ASA Serial Number, and click Next.
Figure 4. Smart Account, Virtual Account, and Serial Number
- Your Send To email address and End User name are auto-filled; enter additional email addresses if needed. Check the I Agree check box, and click Submit.
Figure 5. Submit
- You will then receive an email with the activation key, but you can also download the key right away from the area.
- If you want to upgrade from the Base license to the Security Plus license, or purchase an AnyConnect license, see http://www.cisco.com/go/ccw. After you purchase a license, you will receive an email with a Product Authorization Key (PAK) that you can enter on http://www.cisco.com/go/license. For the AnyConnect licenses, you receive a multi-use PAK that you can apply to multiple ASAs that use the same pool of user sessions. The resulting activation key includes all features you have registered so far for permanent licenses, including the 3DES/AES license. For time-based licenses, each license has a separate activation key.
Step 13. Apply the activation key.
ciscoasa(config)# activation-key 7c1aff4f e4d7db95 d5e191a4 d5b43c08 0d29c996
Validating activation key. This may take a few minutes...
Failed to retrieve permanent activation key.
Both Running and Flash permanent activation key was updated with the requested key.
Because this ASA did not yet have an activation key installed, you see the “Failed to retrieve permanent activation key.” message. You can ignore this message.
You can only install one permanent key, and multiple time-based keys. If you enter a new permanent key, it overwrites the already installed one. If you ordered additional licenses after you installed the 3DES/AES license, the combined activation key includes all licenses plus the 3DES/AES license, so you can overwrite the 3DES/AES-only key.
Step 14. The ASA FirePOWER module uses a separate licensing mechanism from the ASA. No licenses are pre-installed, but depending on your order, the box might include a PAK on a printout that lets you obtain a license activation key for the following licenses:
Control and Protection. Control is also known as “Application Visibility and Control (AVC)” or “Apps”. Protection is also known as “IPS”. In addition to the activation key for these licenses, you also need “right-to-use” subscriptions for automated updates for these features.
The Control (AVC) updates are included with a Cisco support contract.
The Protection (IPS) updates require you to purchase the IPS subscription from http://www.cisco.com/go/ccw. This subscription includes entitlement to Rule, Engine, Vulnerability, and Geolocation updates. Note: This right-to-use subscription does not generate or require a PAK/license activation key for the ASA FirePOWER module; it just provides the right to use the updates.
If you did not buy an ASA 5500-X that included the ASA FirePOWER services, then you can purchase an upgrade bundle to obtain the necessary licenses. See the Cisco ASA with FirePOWER Services Ordering Guide for more information.
Other licenses that you can purchase include the following:
These licenses do generate a PAK/license activation key for the ASA FirePOWER module. See the Cisco ASA with FirePOWER Services Ordering Guide for ordering information. See also the Cisco Firepower System Feature Licenses.
To install the Control and Protection licenses and other optional licenses, see the ASA quick start guide for your model.