This document will cover the process to convert existing Cisco 5585 ASA firewalls to the Cisco Firepower 9300 firewalls.

• Day 1 Verify cabling and hardware. Input system and admin context configuration to each FW. Verify remote connectivity; Terminal Server (TS) if necessary. Begin upload of contexts (~100) per each FW; no method to bulk upload.
• Day 2 Complete context upload. “Activate” each context on each FW (This is involves deleting each context config from the system config then re-applying the config on each FW) Verify F5 pools are up for each context. Troubleshoot any downed pools
• Day 3 Complete security hardening. Begin CSM rediscovery
• Day 4 Complete CSM rediscovery.

1. Reference this document to configure the 9300 chassis from fresh out of the box.
   1. _Cisco Firepower 9300 Implementation Guide
2. Work start
   1. Verify customer traffic isn't traversing the device.
3. On the mgmt-sw, the following commands can be used to form a template to change the port descriptions: Note: The F5 and 9300 mgmt connections all belong in VLAN 99.

   1. show config | display set | match f5

   2. show inter desc | match f5

   3. show config | display set | match TenGigabitEthernet 0/0/0

   4. show configuration interfaces ge-0/0/0 | display set

   5. Then modify the description. Refer to another site's descriptions.
4. Port testing is very important.
5. Make sure the removable trays in the back of the 9300 chassis can be removed. No power cords in the way.
6. Back a backup of the 5585 configs.
7. Enable ASDM and create a .cfg of the system context

   1. changeto context system
      copy running-config disk0:/system.cfg

   2. To enable ASDM access, on the firewall:

      1. changeto context admin
         conf t
         http server enable
         http 192.168.0.0 255.255.255.0 mgmt !(Note: mgmt has to be replaced with whatever the management interface's nameif is defined as)
         ssh 192.168.0.0 255.255.255.0 mgmt
         wr
         end
         exit

   3. Make sure http is allowed via AAA

      1. show run | i http

      2. Example: aaa authentication http console global-tacacs LOCAL (Note: http has to be present)
8. Log into each 5585 FW and download all the CFGs
9. After all CFGs are downloaded AND the traffic is failed over, the 5585 can be replaced with the 9300. Port test the copper and fiber. Modify switch interface descriptions, modify Mgmt SW descriptions, and modify TS Menu

1. Make a backup of the 5855 directory and rename it for the 9300 conversions. ie: a1-9300
2. Open Notepad++ and close all documents, but save any you need. File–>Close All
3. Open the directory with all the contexts that are to be modified.
4. Select the admin.cfg and system.cfg files
   1. Delete the following lines in the admin context:
      • enable password
      • username admin
   2. Delete the following lines in the system context:
      • enable password
      • boot system
      • ntp
      • username admin
      • Delete the admin context

        • context admin
          allocate-interface Management0/0 
          config-url disk0:/admin.cfg

5. Open the directory with all the contexts that are to be modified.
   1. Select all files. CTRL+A
   2. Unselect the admin.cfg and system.cfg (already are open in Notepad++)
   3. Right-click and select Edit with Notepad++
      • This will open all files within Notepad++

      1. Search for ** and make sure all passwords are visible

         1. Search–>Find

            1. Find what: **

            2. Make sure In selection is not checked and the Search Mode is Normal
            3. Find All in All Opened Documents
      2. This next section will cover modifying the interface names.
         1. Search–>Replace
         2. The following table will define the A1 firewalls<WRAP>

^ Find what ^ Replace with ^

</WRAP>

1. The following table will define the A2 firewalls<WRAP>

^ Find what ^ Replace with ^

</WRAP>

1. File–>Save All
2. Close all contexts except the system context
3. Make a backup of the system context called contexts.txt
4. In the System context:
   1. Search–>Mark
   2. Find what: config-url disk0
   3. Select Bookmark line
   4. Click on Mark All
   5. Search–>Bookmark–>Remove Bookmarked Lines
   6. Save the context file
5. In the backup System context file, called contexts.txt
   1. Search–>Mark
   2. Find what: config-url disk0
   3. Select Bookmark line
   4. Click on Mark All
   5. Find what: context
   6. Select Bookmark line
   7. Click on Mark All
   8. Search–>Bookmark–>Remove Unmarked Lines
   9. The only lines left are the context and config-url lines for each context.
   10. Delete any extra lines at the top and bottom of the file.
   11. Save the context.txt file
6. Now all contexts, except the backup System context can be added to the 9300.

• The next section will be done in the CLI

1. For the admin and System contexts, just copy/paste into the CLI.
2. For the System context, paste a few context sections back in at a time and save often.
   1. When the System context and all the tenant context files are added to the 9300, the backup System context file can be copy/pasted in, one context at a time.
3. Upload customer CFGs to respective 9300 FW via ASDM
4. Diagram of the 9300
   • 

• The next section will be done in the CLI for all contexts
• All crypto keys will be regenerated in all contexts.

1. Do one context at a time. The branch-1 context will be used as an example throughout. Commands are in bold. Please make sure you perform the following under the context you're working on.
   1. Log into the context to regenerate the crypto keys

      1. changeto context branch-1
         conf t
         crypto key generate rsa modulus 2048
         yes !(yes is just to overwrite any existing keys)
         wr

2. Complete the hardening checklist
3. Verify network monitoring devices can communicate with the firewalls.
4. Do one context at a time. The branch-1 context will be used as an example throughout. Commands are in bold. Please make sure you perform the following under the context you're working on.
   1. Log into the context to regenerate the crypto keys and rebuild the snmp-server config
      • Replace pass123 with the correct password in the template below
      • Replace the snmp-server IP and site name with the correct variants in the template below
5. Could use a copy of the context.txt file and replace config-url with the crypto key and snmp config sections

6. changeto context branch-1
   conf t
   clear config snmp-server
   crypto key generate rsa modulus 2048
   yes !(yes is just to overwrite any existing keys)
   snmp-server group globalgroup v3 priv
   snmp-server user branch-1 globalgroup v3 auth sha pass123 priv aes 128 pass123 
   snmp-server host mgmt 192.168.24.15 poll version 3 branch-1
   snmp-server host mgmt 192.168.24.16 poll version 3 branch-1
   snmp-server host mgmt 192.168.24.17 version 3 branch-1
   snmp-server host mgmt 192.168.24.11 trap version 3 branch-1
   snmp-server host mgmt 192.168.24.13 poll version 3 branch-1
   snmp-server host mgmt 192.168.24.27 poll version 3 branch-1
   snmp-server host mgmt 192.168.25.15 poll version 3 branch-1
   snmp-server host mgmt 192.168.25.16 poll version 3 branch-1
   snmp-server host mgmt 192.168.25.17 version 3 branch-1
   snmp-server host mgmt 192.168.25.11 trap version 3 branch-1
   snmp-server host mgmt 192.168.25.13 poll version 3 branch-1
   snmp-server host mgmt 192.168.25.27 poll version 3 branch-1
   snmp-server location branch-1
   snmp-server contact global
   snmp-server enable traps syslog
   snmp-server enable traps ipsec start stop
   snmp-server enable traps memory-threshold
   snmp-server enable traps cpu threshold rising
   snmp-server enable traps ikev2 start stop
   snmp-server enable traps nat packet-discard
   snmp-server enable traps config
   wr

7. Make sure this is done for all contexts, to include those not in CSM

1. In the System context, add the config-url command under each context
2. Use the context.txt from above to accomplish this
3. Note: this should be done one context at a time and save often

1. Verify LB pools are all up
   1. Local Traffic–>Pools–>Statistics
   2. Change Partition to All
   3. Change Status to display Offline
   4. Expand all Offline contexts
   5. Take a screenshot of all the offline contexts to include all pages
   6. Save those screenshots on the share drive
   • 
   • 
   • 
   • 
   • 
   • 

1. Determine shared policies
   1. Two Options:
      1. Option 1: Click through each shared policy and take a screenshot and save it to OneNote to reference later.
         1. On a1
            1. Change Host name if needed
            2. Change “5585” to “9300”
            3. Change rackel section if needed
            4. Delete the ending part that says sec/pri standby/active, if present
            5. Click Save
         2. Repeat for all firewalls
         3. Reassign all shared policies to all four firewalls.
            • Use the screenshots as reference
            1. Right-click on the first local policy for that device and select Assign shared policy
               1. Assign the appropriate policy
            2. When done, File–>Submit
            3. When done, File–>Deploy
      2. Option 2: Legacy method
         1. On a1
            1. Change Host name if needed
            2. Change “5585” to “9300”
            3. Change rackel section if needed
            4. Delete the ending part that says sec/pri standby/active, if present
            5. Click Save
         2. On a2
            1. Change Host name if needed
            2. Change “5585” to “9300”
            3. Change rackel section if needed
            4. Delete the ending part that says sec/pri standby/active, if present
            5. Click Save
            6. Hold Ctrl and left-click on both a1 and a2 to highlight them
            7. Right-click and select Discover Policies on Devices
            8. Click Finish
            9. When done, click on b1 and reassign the shared policies to a1/a2
            10. When done, File–>Submit
            11. When done, File–>Deploy

1. If you can't connect to a device via asdm due to versioning differences, just copy over the asdm-7181-152.bin file from the share drive. (Replace file with the one approved for installation.)
2. This .bin file is copied to the ASA via the CLI using SSH and authenticating via your network account.
   1. Via WinSCP, copy asdm to jumpbox, /var/tmp
3. On the ASA via the CLI:

   1. changeto context system
      copy scp://john.doe@192.168.1.2//var/tmp/asdm-7181-152.bin disk0:/asdm-7181-152.bin

4. On the ASA via the CLI:
   1. changeto context system

      1. conf t
         asdm image disk0:/asdm-7181-152.bin

1. Device not discovering

   1. c9300-fw-a1/branch-1(config)# show run ssl
      ssl cipher default low
      ssl cipher tlsv1 low
      ssl cipher tlsv1.1 low
      ssl cipher tlsv1.2 low
      ssl cipher dtlsv1 low
      ssl cipher dtlsv1.2 low

   2. Removed all those and CSM can communicate with it now.

Engineer Howto - Firewalls
Engineer Howto - Firewalls
Engineer HowTo