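Replacing the FTD Image with an ASA Image on a Cisco Firepower 2100
If the Firepower firewall you bought ships with the FTD image but you miss the ASA software, you can delete the FTD image and reinstall the ASA image. It is a bit like replacing the Windows 10 that came preinstalled on your laptop with Linux. This article walks through the installation steps.
Step 0 - Device connections
- Connect the laptop's USB port to the firewall's Console port with a console cable.
- Connect the laptop's network port to the firewall's management port Management1/1 with a network cable.
- Give the laptop an IP address in the 192.168.45.0/24 network, for example 192.168.45.123/24, with gateway 192.168.45.45.
- Have the ASA image ready on the laptop and start the TFTP software.
Step 1 - Erase the FTD image
Log in to FXOS from the Console port with the account credentials; the default username and password are admin/Admin123. Then format the disk.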
firepower-2110# connect local-mgmt
firepower-2110(local-mgmt)# format everything
All configuration and bootable images will be lost.
Do you still want to format? (yes/no):
After you enter yes, the Firepower 2100 reboots automatically.
Step 2 - Enter ROMMON mode
When the reboot output shows the prompt Use BREAK or ESC to interrupt boot, press the Esc key.
Current image running: Boot ROM0
Last reset cause: ResetRequest
DIMM_1/1 : Present
DIMM_2/1 : Present
Platform FPR-2130 with 32768 MBytes of main memory
BIOS has been successfully locked !!
MAC Address: 0c:75:bd:08:c9:80
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
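If you do not press Esc in time, the Firepower 2100 tries to boot 3 times and then ends up in ROMMON mode anyway. (All images have been deleted, so only ROMMON is available.)
Step 3 - Boot FXOS over TFTP
In ROMMON mode, use the following commands:
- address 192.168.45.45: sets the address of the management port Management1/1
- netmask 255.255.255.0: sets the netmask of the management port
- server 192.168.45.123: sets the TFTP server, that is, the laptop's IP address
- gateway 192.168.45.1: sets the gateway; this can be left unconfigured
- file cisco-asa-fp2k.9.8.3.8.SPA: sets the name of the ASA image package on the TFTP server. FXOS and ASA are in the same software package.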
rommon 1> address 192.168.45.45
rommon 2> netmask 255.255.255.0
rommon 3> server 192.168.45.123
rommon 4> gateway 192.168.45.1
rommon 5> file cisco-asa-fp2k.9.8.3.8.SPA
rommon 6> set
[…]
rommon 7> sync
rommon 8> tftp -b
Enable boot bundle: tftp_reqsize = 268435456
[…]
link up
Receiving cisco-asa-fp2k.9.8.3.8.SPA from 10.70.33.222!!!!!!!!
[…]
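- set: displays the network settings. You can also use the ping command to verify connectivity to the server
- sync: saves the network settings
- tftp -b: loads FXOS
When loading completes, the Firepower 2100 enters FXOS mode.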
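TFTP has no authentication or integrity protection, so it is worth checking the image and the boot settings on the laptop before running tftp -b. The following is an added example, not part of the original article: it parses the Step 3 ROMMON settings, checks that the server and gateway are consistent with the management subnet, and compares the image in the TFTP root against a SHA-512 value. The function names, the TFTP root path and the expected digest (assumed to be the checksum published for your download) are assumptions.

```python
import hashlib
import ipaddress
import re
from pathlib import Path

# The settings typed in Step 3, copied from the ROMMON session on this page.
ROMMON_SESSION = """\
rommon 1> address 192.168.45.45
rommon 2> netmask 255.255.255.0
rommon 3> server 192.168.45.123
rommon 4> gateway 192.168.45.1
rommon 5> file cisco-asa-fp2k.9.8.3.8.SPA
"""

def parse_rommon(session):
    """Map each 'rommon N> keyword value' line to {keyword: value}."""
    return dict(re.findall(r"^rommon \d+>[ \t]*(\w+)[ \t]+(\S+)[ \t]*$", session, re.M))

def sha512_of(path):
    """Hash the file in 1 MiB blocks so a large image is not read into RAM."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def preflight(session, tftp_root, expected_sha512):
    """Return a list of problems; an empty list means the plan is consistent."""
    cfg = parse_rommon(session)
    missing = [k for k in ("address", "netmask", "server", "file") if k not in cfg]
    if missing:
        return ["missing ROMMON settings: " + ", ".join(missing)]
    net = ipaddress.ip_interface(f"{cfg['address']}/{cfg['netmask']}").network
    problems, gw = [], cfg.get("gateway")
    if gw and ipaddress.ip_address(gw) not in net:
        problems.append(f"gateway {gw} is not on {net}")
    if ipaddress.ip_address(cfg["server"]) not in net and not gw:
        problems.append(f"server {cfg['server']} is off {net} and no gateway is set")
    image = Path(tftp_root) / cfg["file"]
    if not image.is_file():
        problems.append(f"{cfg['file']} not found in TFTP root {tftp_root}")
    elif sha512_of(image) != expected_sha512.strip().lower():
        problems.append(f"{cfg['file']} does not match the expected SHA-512")
    return problems

if __name__ == "__main__":
    # Placeholder digest and TFTP root: substitute the values for your download.
    for line in preflight(ROMMON_SESSION, ".", "0" * 128) or ["plan is consistent"]:
        print(line)
```

The same digest check applies to the copy of the image placed on the USB drive in Step 4.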
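Step 4 - Copy the ASA image to the firewall's flash with a USB drive
So far we have only loaded the ASA image from the TFTP server and booted into FXOS; the ASA image has not been uploaded to the Firepower 2100's flash.
According to information found online, uploading the ASA image to flash with protocols such as TFTP or FTP does not work; the only option is to copy the ASA image to the firewall's flash with a USB drive.
- Copy the ASA image to the USB drive and plug it into the USB port on the chassis. (The USB drive's file system must be FAT32.)
- Log in to FXOS from the Console port with the account credentials; the default username and password are admin/Admin123.
- Copy the image with the following commands: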
firepower-2110# scope firmware
firepower-2110 /firmware # download image usbA:/cisco-asa-fp2k.9.8.3.8.SPA
Please use the command 'show download-task' or 'show download-task detail' to check download progress.
firepower-2130 /firmware # show download-task
Download task:
File Name Protocol Server Port Userid State
--------- -------- --------------- ---------- --------------- -----
cisco-asa-fp2k.9.8.3.8.SPA
Usb A 0 Downloading
- When the copy is complete, install the image
firepower 2110 /firmware # show package
Name Package-Vers
--------------------------------------------- ------------
cisco-asa-fp2k.9.8.3.8.SPA 9.8.3.8
firepower 2110 /firmware # scope auto-install
firepower-2130 /firmware/auto-install # install security-pack version 9.8.3.8
The system is currently installed with security software package not set, which has:
- The platform version: not set
If you proceed with the upgrade 9.8.3.8, it will do the following:
- upgrade to the new platform version 2.2.2.97
- install with CSP asa version 9.8.3.8
During the upgrade, the system will be reboot
Do you want to proceed ? (yes/no):yes
This operation upgrades firmware and software on Security Platform Components
Here is the checklist of things that are recommended before starting Auto-Install
(1) Review current critical/major faults
(2) Initiate a configuration backup
Do you want to proceed? (yes/no):yes
Triggered the install of software package version 9.8.3.8
Install started. This will take several minutes.
For monitoring the upgrade progress, please enter 'show' or 'show detail' command.
firepower-2130 /firmware/auto-install # show detail
Firmware Auto-Install:
Package-Vers: 9.8.3.8
Oper State: Scheduled
Installation Time: 2021-02-22T22:50:53.775
Upgrade State: Ready
Upgrade Status:
Validation Software Pack Status:
Firmware Upgrade Status:
Current Task:
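The installation process shows that FXOS version 2.2.2.97 is installed first, followed by ASA version 9.8.3.8. The FXOS and ASA software are bundled in one package.
Using the ASA software
When the previous step finishes, the device reboots automatically into FXOS mode. We can then happily use ASA.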
firepower-2110# connect asa
Attaching to Diagnostic CLI ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.
ciscoasa> enable
Password: <blank>
ciscoasa# configure terminal
ciscoasa(config)#
For how to configure and use the ASA software on Firepower, see my earlier article:
Cisco Firepower 2100 Running ASA: Configuration Guide