Engineer Howto - Firewalls - 9300 Conversion from 5585

This document will cover the process to convert existing Cisco 5585 ASA firewalls to the Cisco Firepower 9300 firewalls.

High-level Overview

  • Day 1: Verify cabling and hardware. Input the system and admin context configuration to each FW. Verify remote connectivity; use the Terminal Server (TS) if necessary. Begin upload of contexts (~100) to each FW; there is no method to bulk upload.
  • Day 2: Complete context upload. "Activate" each context on each FW (this involves deleting each context config from the system config and then re-applying the config on each FW). Verify F5 pools are up for each context. Troubleshoot any downed pools.
  • Day 3: Complete security hardening. Begin CSM rediscovery.
  • Day 4: Complete CSM rediscovery.

9300 Workflow

  1. Reference this document to configure the 9300 chassis from fresh out of the box.
  2. Work start
    1. Verify customer traffic isn't traversing the device.
  3. On the mgmt-sw, the following commands can be used as a template for changing the port descriptions (note: the F5 and 9300 mgmt connections all belong in VLAN 99).
    1. show config | display set | match f5
    2. show inter desc | match f5
    3. show config | display set | match TenGigabitEthernet 0/0/0
    4. show configuration interfaces ge-0/0/0 | display set
    5. Then modify the description. Refer to another site's descriptions.
  4. Port testing is very important.
  5. Make sure the removable trays in the back of the 9300 chassis can be removed. No power cords in the way.
  6. Make a backup of the 5585 configs.
  7. Enable ASDM and create a .cfg of the system context
    1. changeto context system
      copy running-config disk0:/system.cfg
    2. To enable ASDM access, on the firewall:
      1. changeto context admin
        conf t
        http server enable
        http 192.168.0.0 255.255.255.0 mgmt !(Note: mgmt has to be replaced with whatever the management interface's nameif is defined as)
        ssh 192.168.0.0 255.255.255.0 mgmt
        wr
        end
        exit
    3. Make sure http is allowed via AAA
      1. show run | i http
      2. Example: aaa authentication http console global-tacacs LOCAL (Note: http has to be present)
  8. Log into each 5585 FW and download all the CFGs
  9. After all CFGs are downloaded AND the traffic is failed over, the 5585 can be replaced with the 9300. Port test the copper and fiber. Modify switch interface descriptions, modify Mgmt SW descriptions, and modify TS Menu

Modify the 5585-formatted .cfg Files to 9300-formatted

  1. Make a backup of the 5585 directory and rename it for the 9300 conversions, e.g. a1-9300.
  2. Open Notepad++ and close all documents, but save any you need. File–>Close All
  3. Open the directory with all the contexts that are to be modified.
  4. Select the admin.cfg and system.cfg files
    1. Delete the following lines in the admin context:
      • enable password
      • username admin
    2. Delete the following lines in the system context:
      • enable password
      • boot system
      • ntp
      • username admin
      • Delete the admin context
        • context admin
          allocate-interface Management0/0 
          config-url disk0:/admin.cfg
  5. Open the directory with all the contexts that are to be modified.
    1. Select all files. CTRL+A
    2. Unselect the admin.cfg and system.cfg (already are open in Notepad++)
    3. Right-click and select Edit with Notepad++
      • This will open all files within Notepad++
      1. Search for ** to find any masked passwords; make sure all passwords are visible in the files before they are re-applied
        1. Search–>Find
          1. Find what: **
          2. Make sure In selection is not checked and the Search Mode is Normal
          3. Find All in All Opened Documents
      2. This next section will cover modifying the interface names.
        1. Search–>Replace
        2. The following table defines the find/replace pairs for the A1 firewalls:

^ Find what ^ Replace with ^
| Management0/0 | Ethernet1/8 |
| TenGigabitEthernet0/6 | Ethernet1/1 |
| TenGigabitEthernet0/7 | Ethernet1/2 |
| TenGigabitEthernet0/8 | Ethernet1/3 |

  1. The following table defines the find/replace pairs for the A2 firewalls:

^ Find what ^ Replace with ^
| Management0/0 | Ethernet1/8 |
| TenGigabitEthernet0/6 | Ethernet1/5 |
| TenGigabitEthernet0/7 | Ethernet1/6 |
| TenGigabitEthernet0/8 | Ethernet1/7 |

  1. File–>Save All
  2. Close all contexts except the system context
  3. Make a backup of the system context called contexts.txt
  4. In the System context:
    1. Search–>Mark
    2. Find what: config-url disk0
    3. Select Bookmark line
    4. Click on Mark All
    5. Search–>Bookmark–>Remove Bookmarked Lines
    6. Save the context file
  5. In the backup System context file, called contexts.txt
    1. Search–>Mark
    2. Find what: config-url disk0
    3. Select Bookmark line
    4. Click on Mark All
    5. Find what: context
    6. Select Bookmark line
    7. Click on Mark All
    8. Search–>Bookmark–>Remove Unmarked Lines
    9. The only lines left are the context and config-url lines for each context.
    10. Delete any extra lines at the top and bottom of the file.
    11. Save the contexts.txt file
  6. Now all contexts, except the backup System context can be added to the 9300.
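As an added example (not part of the original howto), the following Python script applies the same edits to a constructed sample 5585 system context: it drops the listed lines and the whole admin context block, renames the A1 interfaces per the table above, moves the config-url lines out into the contexts.txt body, and flags any line where show run masked a secret as *****. The sample config, the EXAMPLEHASH value and the image filename are placeholders.

```python
# Constructed sample of a 5585 system context (placeholder values, not a real device).
SAMPLE_SYSTEM = """\
hostname a1-5585
enable password EXAMPLEHASH encrypted
boot system disk0:/asa-image.bin
ntp server 192.168.0.5
username admin password ***** privilege 15
admin-context admin
context admin
  allocate-interface Management0/0
  config-url disk0:/admin.cfg
context branch-1
  allocate-interface TenGigabitEthernet0/6.101
  config-url disk0:/branch-1.cfg
"""
# A1 interface renames from the page's table (A2 maps to Ethernet1/5-7 instead).
A1_MAP = {"Management0/0": "Ethernet1/8", "TenGigabitEthernet0/6": "Ethernet1/1",
          "TenGigabitEthernet0/7": "Ethernet1/2", "TenGigabitEthernet0/8": "Ethernet1/3"}
SYSTEM_DROP = ("enable password", "boot system", "ntp ", "username admin")
ADMIN_DROP = ("enable password", "username admin")

def rename_interfaces(text, mapping):
    for old, new in mapping.items():  # plain Normal-mode replace, as in Notepad++
        text = text.replace(old, new)
    return text

def masked_secret_lines(text):
    # 'show run' masks secrets as *****; such lines must be fixed before re-applying.
    return [ln for ln in text.splitlines() if "*****" in ln]

def convert_context(text, mapping, drop=()):
    # Admin and customer contexts: drop the listed line prefixes, rename interfaces.
    keep = [ln for ln in text.splitlines() if not ln.strip().startswith(drop)]
    return rename_interfaces("\n".join(keep) + "\n", mapping)

def convert_system(text, mapping):
    # Returns (system.cfg for the 9300, contexts.txt with the context/config-url pairs).
    system, contexts, in_admin = [], [], False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("context "):
            in_admin = s == "context admin"
        elif not line.startswith(" "):
            in_admin = False  # a non-indented line ends the context block
        if in_admin or s.startswith(SYSTEM_DROP):
            continue  # the whole admin block and the listed lines are deleted
        if s.startswith(("context ", "config-url disk0")):
            contexts.append(line)
        if s.startswith("config-url disk0"):
            continue  # config-url lines live only in contexts.txt until activation
        system.append(rename_interfaces(line, mapping))
    return "\n".join(system) + "\n", "\n".join(contexts) + "\n"
```

Run convert_context on each customer .cfg with no drop list and on admin.cfg with ADMIN_DROP; for the A2 pair substitute the A2 table.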

Add the Customer Contexts to all CSMs

  • The next section will be done in the CLI
  1. For the admin and System contexts, just copy/paste into the CLI.
  2. For the System context, paste a few context sections back in at a time and save often.
    1. When the System context and all the tenant context files are added to the 9300, the backup System context file can be copy/pasted in, one context at a time.
  3. Upload customer CFGs to respective 9300 FW via ASDM
  4. Diagram of the 9300

Generate Crypto Keys and SNMP configs

  • The next section will be done in the CLI for all contexts
  • All crypto keys will be regenerated in all contexts.
  1. Do one context at a time. The branch-1 context will be used as an example throughout. Commands are in bold. Please make sure you perform the following under the context you're working on.
    1. Log into the context to regenerate the crypto keys
      1. changeto context branch-1
        conf t
        crypto key generate rsa modulus 2048
        yes !(yes is just to overwrite any existing keys)
        wr
  2. Complete the hardening checklist
  3. Verify network monitoring devices can communicate with the firewalls.
  4. Do one context at a time. The branch-1 context will be used as an example throughout. Commands are in bold. Please make sure you perform the following under the context you're working on.
    1. Log into the context to regenerate the crypto keys and rebuild the snmp-server config
      • Replace pass123 with the correct password in the template below
      • Replace the snmp-server IP and site name with the correct variants in the template below
  5. A copy of the contexts.txt file can be used as a template: replace each config-url line with the crypto key and snmp-server config sections below
  6. changeto context branch-1
    conf t
    clear config snmp-server
    crypto key generate rsa modulus 2048
    yes !(yes is just to overwrite any existing keys)
    snmp-server group globalgroup v3 priv
    snmp-server user branch-1 globalgroup v3 auth sha pass123 priv aes 128 pass123 
    snmp-server host mgmt 192.168.24.15 poll version 3 branch-1
    snmp-server host mgmt 192.168.24.16 poll version 3 branch-1
    snmp-server host mgmt 192.168.24.17 version 3 branch-1
    snmp-server host mgmt 192.168.24.11 trap version 3 branch-1
    snmp-server host mgmt 192.168.24.13 poll version 3 branch-1
    snmp-server host mgmt 192.168.24.27 poll version 3 branch-1
    snmp-server host mgmt 192.168.25.15 poll version 3 branch-1
    snmp-server host mgmt 192.168.25.16 poll version 3 branch-1
    snmp-server host mgmt 192.168.25.17 version 3 branch-1
    snmp-server host mgmt 192.168.25.11 trap version 3 branch-1
    snmp-server host mgmt 192.168.25.13 poll version 3 branch-1
    snmp-server host mgmt 192.168.25.27 poll version 3 branch-1
    snmp-server location branch-1
    snmp-server contact global
    snmp-server enable traps syslog
    snmp-server enable traps ipsec start stop
    snmp-server enable traps memory-threshold
    snmp-server enable traps cpu threshold rising
    snmp-server enable traps ikev2 start stop
    snmp-server enable traps nat packet-discard
    snmp-server enable traps config
    wr
  7. Make sure this is done for all contexts, to include those not in CSM

Activate contexts

  1. In the System context, add the config-url command under each context
  2. Use the contexts.txt from above to accomplish this
  3. Note: this should be done one context at a time and save often

Verify Contexts

  1. Verify LB pools are all up
    1. Local Traffic–>Pools–>Statistics
    2. Change Partition to All
    3. Change Status to display Offline
    4. Expand all Offline contexts
    5. Take a screenshot of all the offline contexts to include all pages
    6. Save those screenshots on the share drive

CSM work

  1. Determine shared policies
    1. Two Options:
      1. Option 1: Click through each shared policy and take a screenshot and save it to OneNote to reference later.
        1. On a1
          1. Change Host name if needed
          2. Change "5585" to "9300"
          3. Change rackel section if needed
          4. Delete the ending part that says sec/pri standby/active, if present
          5. Click Save
        2. Repeat for all firewalls
        3. Reassign all shared policies to all four firewalls.
          • Use the screenshots as reference
          1. Right-click on the first local policy for that device and select Assign shared policy
            1. Assign the appropriate policy
          2. When done, File–>Submit
          3. When done, File–>Deploy
      2. Option 2: Legacy method
        1. On a1
          1. Change Host name if needed
          2. Change "5585" to "9300"
          3. Change rackel section if needed
          4. Delete the ending part that says sec/pri standby/active, if present
          5. Click Save
        2. On a2
          1. Change Host name if needed
          2. Change "5585" to "9300"
          3. Change rackel section if needed
          4. Delete the ending part that says sec/pri standby/active, if present
          5. Click Save
          6. Hold Ctrl and left-click on both a1 and a2 to highlight them
          7. Right-click and select Discover Policies on Devices
          8. Click Finish
          9. When done, click on b1 and reassign the shared policies to a1/a2
          10. When done, File–>Submit
          11. When done, File–>Deploy

Appendix A: Configure ASA for ASDM

  1. If you can't connect to a device via asdm due to versioning differences, just copy over the asdm-7181-152.bin file from the share drive. (Replace file with the one approved for installation.)
  2. This .bin file is copied to the ASA via the CLI using SSH and authenticating via your network account.
    1. Via WinSCP, copy asdm to jumpbox, /var/tmp
  3. On the ASA via the CLI:
    1. changeto context system
      copy scp://john.doe@192.168.1.2//var/tmp/asdm-7181-152.bin disk0:/asdm-7181-152.bin
  4. On the ASA via the CLI:
    1. changeto context system
      1. conf t
        asdm image disk0:/asdm-7181-152.bin

Troubleshooting Notes

  1. Device not discovering
    1. c9300-fw-a1/branch-1(config)# show run ssl
      ssl cipher default low
      ssl cipher tlsv1 low
      ssl cipher tlsv1.1 low
      ssl cipher tlsv1.2 low
      ssl cipher dtlsv1 low
      ssl cipher dtlsv1.2 low
    2. Removed all those and CSM can communicate with it now.
cisco/asa/9300_conversion_from_5585.txt · Last modified: 2022/10/15 13:59 by Derg Enterprises