09-14-2018 12:36 AM - edited 03-12-2019 06:58 AM
Hello,
I would like to ask a question before I do anything.
A customer has bought 4 Cisco ASA 5506 with the FTD image, 2 for one site and 2 for another (so 2 failover pairs). The customer has not bought FMC and does not want to work with the FTD image; he wants to convert FTD to ASA OS as the 4 firewalls he has right now.
So I searched and saw that it is possible to convert ASA 5506 FTD to ASA 5506 OS; I found a guide,
but what happens with Firepower services and licenses for failover, etc.?
As far as I know I can get 3DES/AES licenses, but what about failover?
And the Firepower services that the customer wants to enable in the future?
Can anyone inform me or confirm that it is possible to convert the ASA 5506 FTD image to ASA 5506 with Firepower services with no loss of features, and that it is possible to somehow get licenses from Cisco for the failover feature?
Thanks
09-14-2018 01:30 AM - edited 09-14-2018 02:22 AM
Yes you can convert. You lose the FTD NGIPS functionality of course (but can add it back somewhat if you use the Firepower service module to the ASA 5506 with ASA image but then they would need FMC....).
Failover is not a separately licensed feature on the current generation of ASA models so there's no need to add/preserve anything to get that. The old ASA 5505 and 5510 used to require Security Plus license to enable the failover feature but that's not the case anymore with ASA 5500-X series.
Edit: You need to purchase Security Plus license for failover feature on the ASA 5506.
09-14-2018 02:13 AM
OK,
But as I searched the net I found that when I perform the conversion from FTD to ASA, the ASA boots up with no activation key, and from the sh ver I found I can see that neither the 3DES/AES license nor the Failover license is enabled.
sh version
Cisco Adaptive Security Appliance Software Version 9.6(2)23
Device Manager Version 7.8(2)151
Compiled on Thu 28-Sep-17 07:50 PDT by builders
System image file is "tftp://10.20.30.2/asa962-23-lfbff-k8.SPA"
Config file at boot was "startup-config"
ciscoasa up 6 hours 53 mins
Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
Internal ATA Compact Flash, 7168MB
BIOS Flash M25P64 @ 0xfed01000, 16384KB
Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
Number of accelerators: 1
1: Ext: GigabitEthernet1/1 : address is 4c77.6d86.f679, irq 255
2: Ext: GigabitEthernet1/2 : address is 4c77.6d86.f67a, irq 255
3: Ext: GigabitEthernet1/3 : address is 4c77.6d86.f67b, irq 255
4: Ext: GigabitEthernet1/4 : address is 4c77.6d86.f67c, irq 255
5: Ext: GigabitEthernet1/5 : address is 4c77.6d86.f67d, irq 255
6: Ext: GigabitEthernet1/6 : address is 4c77.6d86.f67e, irq 255
7: Ext: GigabitEthernet1/7 : address is 4c77.6d86.f67f, irq 255
8: Ext: GigabitEthernet1/8 : address is 4c77.6d86.f680, irq 255
9: Int: Internal-Data1/1 : address is 4c77.6d86.f678, irq 255
10: Int: Internal-Data1/2 : address is 0000.0001.0002, irq 0
11: Int: Internal-Control1/1 : address is 0000.0001.0001, irq 0
12: Int: Internal-Data1/3 : address is 0000.0001.0003, irq 0
13: Ext: Management1/1 : address is 4c77.6d86.f678, irq 0
14: Int: Internal-Data1/4 : address is 0000.0100.0001, irq 0
The Running Activation Key is not valid, using default settings:
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 5 perpetual
Inside Hosts : Unlimited perpetual
Failover : Disabled perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Disabled perpetual
Carrier : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 10 perpetual
Total VPN Peers : 12 perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
Shared License : Disabled perpetual
Total TLS Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Cluster : Disabled perpetual
This platform has a Base license.
About the 3DES/AES license, OK, I can get one from cisco.com, but what about the failover feature?
That is why I am not sure what to do.
About the Firepower services, I suppose I will import the SFR image and module and set it up as if it were Cisco ASA OS from scratch. Am I right?
Thanks.
09-14-2018 02:24 AM
Sorry - I misspoke from memory earlier. You are right, you need to purchase a license for failover on the ASA 5506. It's the Security Plus license.
Yes, you can add the Firepower module on a re-imaged ASA by going through the whole image and boot process.
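An added example, not part of the original thread and not Cisco tooling: a small check that reads saved "sh version" output from a re-imaged unit and reports the license gaps discussed above (invalid activation key, Failover disabled, 3DES/AES disabled) before the unit is placed in a failover pair. The sample text is an excerpt in the format of the output posted above; the REQUIRED list and the function names are assumptions made for this illustration.

```python
import re

# Sample input: excerpt in the format of the "sh version" output posted above.
SAMPLE = """\
The Running Activation Key is not valid, using default settings:
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 5 perpetual
Failover : Disabled perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Disabled perpetual
Total VPN Peers : 12 perpetual
This platform has a Base license.
"""

# Assumed policy for this check: features that must not be Disabled
# before a re-imaged unit joins a failover pair.
REQUIRED = ("Failover", "Encryption-3DES-AES")

# "<feature name> : <value> <duration>", e.g. "Failover : Disabled perpetual"
ROW = re.compile(r"^\s*(?P<name>[^:]+?)\s*:\s*(?P<value>\S+)")


def parse_licenses(show_version: str) -> dict:
    """Return {feature: value} from the 'Licensed features' table only."""
    features, in_table = {}, False
    for line in show_version.splitlines():
        if line.startswith("Licensed features for this platform"):
            in_table = True
            continue
        if in_table:
            if line.startswith("This platform has"):
                break  # end of the license table
            m = ROW.match(line)
            if m:
                features[m["name"]] = m["value"]
    return features


def audit(show_version: str) -> list:
    """List the license problems that block failover or strong encryption."""
    findings = []
    if "Running Activation Key is not valid" in show_version:
        findings.append("activation key not valid: default license in use")
    features = parse_licenses(show_version)
    for name in REQUIRED:
        state = features.get(name, "missing")
        if state in ("Disabled", "missing"):
            findings.append(f"{name}: {state}")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Run it against the output of both units in a pair; a unit still reporting Encryption-3DES-AES as Disabled has only DES available.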