
ASA FTD Help!!

m_schmidt1
Level 1

I've worked on ASAs before and always felt fairly confident with them in the past, however, I've been tasked with building a new ASA firewall HA cluster for where I now work and I've hit a problem. I found we've already got an existing ASA sitting elsewhere on the network but it didn't seem to be doing much, other than, I kid you not, just serving as a single access-list entry for about two or three network objects at most. It was installed by my predecessor and I began to think there was something really odd about this unit because it hasn't been set up for ASDM or even SSH so I couldn't remote onto it. Instead it's got a Firepower Web GUI that you connect to using a VM - I've never seen this before. So anyway, my plan is to redeploy this unit elsewhere, somewhere more centrally on our network and cluster it with a new identical unit for nothing other than typical Layer 4 filtering. I've un-racked it, brought it back to the office to see what it could do, and the first time consoling onto it, the CLI is very different to normal IOS and there's no enable command to enter privilege exec mode. When it boots up, it says the following:

Cisco Fire Linux OS v6.2.3 (build 13)
Cisco ASA5516-X Threat Defense v6.2.3.3 (build 76)

I followed the re-imaging guide to make the unit into an ordinary ASA, but I think I've made some mistakes. I accidentally disabled the ability to get into ROMMON now by, I think, incorrectly entering the following whilst I was in there:

do you wish to change the configuration? y/n  [n]:  y
disable "password recovery"? y/n  [n]:  y
disable "display break prompt"? y/n  [n]:  y
enable "ignore system configuration"? y/n  [n]:  y
enable "auto-boot image in disks"? y/n  [n]:  y
change console baud rate? y/n  [n]:  n
select specific image in disks to boot? y/n  [n]:  n

Configuration Register: 0x01010041
Configuration Summary
 [ 0 ] ignore system configuration
 [ 1 ] auto-boot image in disks
 [ 2 ] console baud: 9600
 boot: ...... auto-boot index 1 image in disks

do you wish to change the configuration? y/n  [n]:  n

You must reset or power cycle for new config to take effect
rommon 7 >  reload

The problem now is that I am in a catch-22 where, in order to fix this, I need to re-image, but in order to re-image, the re-imaging guide says you must delete the old config files from ROMMON. What can I do to fix this? Attached is the full console session output.
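As an added example (not from this thread), a small Python check that parses the ROMMON confreg dialog quoted above and flags the answers that remove a recovery path before you type reload. The sample transcript is constructed from the OP's own console lines; the setting names and the "why" strings are my own summaries of what each prompt does.

```python
import re

# Constructed sample: the confreg prompts and register value from the OP's console session.
SAMPLE_SESSION = """\
do you wish to change the configuration? y/n  [n]:  y
disable "password recovery"? y/n  [n]:  y
disable "display break prompt"? y/n  [n]:  y
enable "ignore system configuration"? y/n  [n]:  y
enable "auto-boot image in disks"? y/n  [n]:  y
change console baud rate? y/n  [n]:  n
select specific image in disks to boot? y/n  [n]:  n

Configuration Register: 0x01010041
"""

# Matches: enable|disable "<setting>"? y/n  [<default>]:  <answer>  (answer may be blank)
PROMPT_RE = re.compile(r'^(enable|disable) "([^"]+)"\? y/n\s+\[(y|n)\]:\s*(y|n)?\s*$')

# Answers that cut off the paths you later need to recover or reimage the box.
# setting -> (the action whose 'y' answer is risky, why it matters)
RISKY = {
    "password recovery": ("disable",
        "equivalent to 'no service password-recovery'; the ROMMON config-erase recovery path is gone"),
    "display break prompt": ("disable",
        "no break prompt at boot, so you cannot interrupt the boot to reach ROMMON"),
    "ignore system configuration": ("enable",
        "the box boots with its startup configuration ignored, so no firewall policy is applied"),
}

def parse_confreg_dialog(text):
    """Return {setting: (action, effective_answer)} for every enable/disable prompt.
    A blank answer means the bracketed default was taken."""
    settings = {}
    for line in text.splitlines():
        m = PROMPT_RE.match(line.strip())
        if m:
            action, name, default, answer = m.groups()
            settings[name] = (action, answer or default)
    return settings

def risky_choices(settings):
    """List (setting, reason) for every prompt answered in the lock-out direction."""
    return [(name, RISKY[name][1]) for name, (action, answer) in settings.items()
            if name in RISKY and RISKY[name][0] == action and answer == "y"]

def confreg_value(text):
    """Extract the hex Configuration Register the dialog prints, or None."""
    m = re.search(r"Configuration Register:\s*0x([0-9A-Fa-f]+)", text)
    return int(m.group(1), 16) if m else None

if __name__ == "__main__":
    for name, why in risky_choices(parse_confreg_dialog(SAMPLE_SESSION)):
        print(f"WARNING before reload: {name}: {why}")
```

Run it against a pasted console capture before answering the final "do you wish to change the configuration?" prompt; any warning means the reload will leave you without that recovery path.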

4 Replies

m_schmidt1
Level 1

Upon closer inspection, it appears I need to remove the following command from the CLI of the ASA:

no service password-recovery

However, I have no idea how to configure this. It's not straightforward at all. It's not a normal IOS CLI. Can anyone help?

Marvin Rhoads
Hall of Fame

The ASA is imaged with FTD - not ASA software. To reimage it to ASA software, you can follow this guide:

https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/reimage/asa-ftd-reimage.html#id_57458

erase disk0:

...from the rommon prompt is the key command. Note you will have to have access to an ASA image from a tftp server to then load onto the device and proceed with ASA configuration.

All that aside, FTD is a better and more modern OS. It would be an equally good or even better choice to just use it (after upgrading to the current recommended release of 6.6.1).



Can you point me to some resources that would help me understand the benefits of FTD over ASA?

The Cisco marketing team have an "At a Glance" summary that you can find here:

https://www.cisco.com/c/en/us/products/security/firewalls/index.html
