To make things easy, if you don’t want to hear my voice LOL:
On FTD:
Scope firmware
Download image tftp://10.0.0.1/
Show download-task
Show packages
Install security-pack version
On ASA:
Boot system disk0:/
Best guide I've used. Straight to the point, concise but useful explanations. Great job.
You left out important prep steps like how to give it an IP to do the transfer. Anyhow, I found it simpler to just copy the SPA file to USB and plug it into the device.
Great video!
My interfaces are down and I can’t get them back up
Thank you for the video, it is very informative. Just wanted to ask: what will happen to a license like the AnyConnect or Security Plus license if it is activated in ASA and then we switch to Firepower? Will it still be active?
Hi, which interface should I connect to in order to download the image?
Hi, have you tried to configure one of the interfaces (inside) as a switch port trunk and associate it with multiple VLANs?
I am having an issue wherein, it will work when newly configured but will stop working after reboot. I made sure that all changes are deployed.
I needed to change the interface to routed and then change it back to switchport trunk to make it work but again will stop working after reboot.
Question: I imagine this process is the same for a FPR-4110 or 4100 Series. I am also wondering how the migration tool will work when using another physical ASA 555X config. Any thoughts?
The process is basically the same, but you have an additional option when working on the chassis-based FPR devices. The 4100/9300 also have the ability to be managed via the Firepower Chassis Manager. In FCM you can add an ASA logical device; both FTD and ASA are logical devices in the 4/9 series, the same as how the 1010 runs the FTD/ASA on top of FXOS.
The migration tool worked pretty well for me when I did a migration from 5545-X to FPR1120, so shouldn't have many issues with 4100. Though with IT I nearly ALWAYS have something go wrong the first time.
Here are a couple articles that give some good information:
www.cisco.com/c/en/us/td/docs/security/firepower/fxos/upgrade/b_FXOSUpgrade/upgrade_asa_and_fxos_on_the_firepower_4100_9300_chassis.html
www.ciscolive.com/c/dam/r/ciscolive/apjc/docs/2019/pdf/BRKSEC-3035.pdf
www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2018/pdf/BRKSEC-3035.pdf
Thank you for the video! Can you please make a video on installing ASDM with the right version?
I don't currently have an ASA to show the process, though it's pretty simple: you just upload the new ASDM image and configure it as the current one through either the current ASDM or the CLI. I just uploaded a short video exploring ASA/ASDM versioning. Once I get my ASA up and running again, I can run through that.
ua-cam.com/video/GCY-gtrbHVQ/v-deo.html
Hi nTRaaS - very informative video - thank you. Question: Do you know if a license is needed in order to have "VLAN Trunk Ports" enabled on a FPR 1010?
You don’t need any specific license to run subinterfaces (trunk ports), BUT you need to have a base license to use the firewall longer than the trial period…
@ntraas1584 Got it - thank you for the follow-up.
Fantastic guide, thank you.
Why did you do "route management" instead of "ip route" for your default route? Is that because you used EIGRP?
When you specify static routes on the ASA, you specify the route based on the nameif, which is technically a security zone. Each interface is put into a nameif and static routes specify the nameif facing that route. Also, ip route doesn’t exist in ASA.
Route management