Re: Reimage Cisco ASA 5508-x from FTD to ASA

tbry681027971 · ‎05-05-2020

Hi everyone

I have a Cisco ASA 5508-x with Cisco Firepower Threat Defense to configure. I've found on the internet that by default Firepower Device Manager is the main admin configuration interface.

I wanted to access Cisco ASA CLI and maybe the web management interface. From what I saw, we need to reimage the firewall to installa Cisco ASA iOS.

However I would like to make sure that I won't lose the licence given with the hardware if I do that.

Besides I got the CCNA certification and I wonder if I am entitled to access ressources such as Cisco iOS.

I hope someone can help me

Marvin Rhoads · ‎05-05-2020

If you change to ASA image your Firepower licenses will be not applicable as they only apply to the current FTD image.

Having any Cisco certification does not grant you any entitlement to download Cisco software images. For that entitlement you need a support contract.

Michael ONeil · ‎05-07-2020

The FTD does have a CLI interface.

From the SSH session to the FTD, run system support diagnostic-cli

hit enter if you get prompted for a password

With this CLI access to the FTD you can ONLY run show commands, packet-tracer, debug, captures etc

then to exit, just type exit several times to get back to the SFR prompt

The FDM is accessed via https://<management ip>

FDM is basic management, while FMC is more feature rich.

tbry681027971 · ‎05-08-2020

Hello

I’ve already tried these command but I did not enables me to configure the firewall.
I saw some thins about FMC. Do you know where I can download this and how do I have to proceed for the installation?

From what I saw, FMC is more useful when we have a lot of firewall to manage. In my case there’s only one.

Thank you

Marvin Rhoads · ‎05-08-2020

FMC is not free. It requires purchasing a license. Only with a purchased license will you be entitled to download and use it.

If you are just managing one small ASA with FTD image, then the free on-box FDM is usually sufficient for 90%+ of the use cases.

tbry681027971 · ‎05-09-2020

I have to configure three xDSL WAN access and I didn’t find any option to set a PPPoE interface.
I also have to set up VPN access and I did not find these option too.

Is it possible to do this with FDM ?

Marvin Rhoads · ‎05-09-2020

PPPoE support for FDM was added in version 6.6.

https://www.cisco.com/c/en/us/td/docs/security/firepower/660/fdm/fptd-fdm-config-guide-660/fptd-fdm-interfaces.html#concept_92B885383C1C41E18EF091FFBB4E1569

Any earlier versions require using FMC.

Here you can see it in the FDM interface configuration on an FTD 6.6 device:

FDM PPPoE

tbry681027971 · ‎05-09-2020

I just checked my version it is 6.2.3-83.
Is it possible to update the firewall to the 6.6 ?

Marvin Rhoads · ‎05-09-2020

As already noted in the first reply to this thread - a support contract will entitle you to download images (including upgrades).

The 5508-X does support version 6.6:

https://www.cisco.com/c/en/us/td/docs/security/firepower/660/relnotes/firepower-release-notes-660/compatibility.html#id_107242

tbry681027971 · ‎05-09-2020

Ok thank you very much.
I just don’t understand why shall I have to subscribe a contract for a just unboxed product.

Marvin Rhoads · ‎05-09-2020

Cisco's (and most other major networking vendors') business model is primarily designed around selling to enterprises. Part of that model is that services and software updates are obtained via a paid support contract.

It can be frustrating to the individual user but it's been that way for decades and not likely to change anytime soon.

tbry681027971 · ‎05-10-2020

Ok I understand.
Do you know how I can subscribe to a paid support ? I did not find anything on Cisco website.
My Cisco Smart Account is pending approval

Marvin Rhoads · ‎05-10-2020

Cisco doesn't sell it directly to the public. Both individuals and companies purchase via Cisco distributors and partners.

The SKU (Stock Keeping Unit AKA part number) for an ASA 5508-X with FTD image is "CON-SSSNT-ASD5508F", a support contract available in 1-, 3- or 5-year terms. It provides software image entitlement as well as 24-7 Cisco TAC support and hardware support.