Cisco 5506 with Firepower

norman · January 20, 2016, 7:00am

Hi !

anyone that is familiar with firepower in 5506? I have install the module and set up ip adresses but i cant ping it nor can i get it in the gui.

/Oskar

ReneMolenaar · January 20, 2016, 10:31am

Hi Oskar,

I’m using a 5506 with firepower here, it works very well but it takes some time to figure out how it works.

First of all, you can’t connect to it from your normal ASA interfaces. You have to connect a second cable to the management interface and put it in the same subnet. This will allow you to access it from the outside. You can then configure it and reach it through ASDM.

Rene

norman · January 20, 2016, 12:57pm

Hi !

I have config the firepower with sesson sfr console
http://www.petenetlive.com/KB/Article/0001107
And then i cant ping it which it says in the url above.
i guess it not on the same subnet.
then i have to do the config of the firepower all over again

ReneMolenaar · January 22, 2016, 12:53pm

Hi Oskar,

You need to make sure that:

You connect the management interface to the same subnet as one of your inside interfaces of the ASA
You configure an IP address on the firepower console from the same subnet.

Once you do this, you should be able to ping this address and access it through ASDM.

Rene

norman · January 24, 2016, 2:18pm

Hi Rene!

Ip on the inside is 10.10.100.1 and on the Firepower is 10.10.100.2 but i cant stil not ping it.
When i start the asdm ip 10.10.100.1 it says that it cant rech the firepower on ip 10.10.100.2 port 443.
when i try to ping it it says

FW-ASA(config)# sh run int management 1/1
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address

FW-ASA(config)# ping 10.10.100.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.100.2, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

ReneMolenaar · January 25, 2016, 8:21pm

Hi Oskar,

The management interface on the ASA looks ok, that’s exactly what I have here. What about your firepower configuration?

Is the management interface up/up?

Rene

norman · January 27, 2016, 7:43pm

Here is the Firepower config:

&gt; show network
&#61;&#61;&#61;&#61;&#61;==========[ System Information ]===============
Hostname                  : Fire.local.com
Domains                   : example.net
DNS Servers               : 8.8.8.8
Management port           : 8305
IPv4 Default route
  Gateway                 : 10.10.100.1

&#61;&#61;&#61;&#61;&#61;=================[ eth0 ]======================
State                     : Enabled
Channels                  : Management &amp; Events
Mode                      :
MDI/MDIX                  : Auto/MDIX
MTU                       : 1500
MAC Address               : D8:B1:90:B7:28:17
&#45;&#45;&#45;&#45;&#45;-----------------[ IPv4 ]----------------------
Configuration             : Manual
Address                   : 10.10.100.2
Netmask                   : 255.255.255.0
Broadcast                 : 10.10.100.255
&#45;&#45;&#45;&#45;&#45;-----------------[ IPv6 ]----------------------
Configuration             : Disabled

&#61;&#61;&#61;&#61;&#61;==========[ Proxy Information ]================
State                     : Disabled
Authentication            : Disabled

FW-ASA# sh module

Mod Card Type Model Serial No.
—- ——————————————– —————— ———–
0 ASA 5506-X with FirePOWER services, WiFi, 8G ASA5506W JAD192300ZI
sfr FirePOWER Services Software Module ASA5506W JAD192300ZI
wlan WLAN AP N/A N/A

Mod MAC Address Range Hw Version Fw Version Sw Version
—- ——————————— ———— ———— —————
0 d8b1.90b7.2818 to d8b1.90b7.2821 1.0 1.1.1 9.4(1)
sfr d8b1.90b7.2817 to d8b1.90b7.2817 N/A N/A 5.4.1-211
wlan none N/A N/A

Mod SSM Application Name Status SSM Application Version
—- —————————— —————- ————————–
sfr ASA FirePOWER Up 5.4.1-211

Mod Status Data Plane Status Compatibility
—- —————— ——————— ————-
0 Up Sys Not Applicable
sfr Up Up
wlan Up Up
more config

FW-ASA# ping 10.10.100.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.100.2, timeout is 2 seconds:
No route to host 10.10.100.2

Success rate is 0 percent (0/1)

FW-ASA# sh int ip bri
Interface IP-Address OK? Method Status Protocol
GigabitEthernet1/1 unassigned YES DHCP down down
GigabitEthernet1/2 10.10.100.1 YES CONFIG down down
GigabitEthernet1/3 unassigned YES unset administratively down down
GigabitEthernet1/4 unassigned YES unset administratively down down
GigabitEthernet1/5 unassigned YES unset administratively down down
GigabitEthernet1/6 unassigned YES unset administratively down down
GigabitEthernet1/7 unassigned YES unset administratively down down
GigabitEthernet1/8 unassigned YES unset administratively down down
GigabitEthernet1/9 172.16.254.1 YES CONFIG up up
Internal-Control1/1 127.0.1.1 YES unset up up
Internal-Data1/1 unassigned YES unset up down
Internal-Data1/2 unassigned YES unset up up
Internal-Data1/3 unassigned YES unset up up
Management1/1 unassigned YES unset down down

it on the same subnet as inside. as you can see i have 10.10.100.1 inside and firepower 10.10.100.2

ReneMolenaar · January 28, 2016, 4:02pm

Hi Oskar,

Check this:

Management1/1 unassigned YES unset down down

This interface should be up/up. Make sure you got a cable attached to this interface, connect it to the switch and put it in the same VLAN as your inside interface.

Rene

norman · February 1, 2016, 1:11pm

Okay !

It isn’t connected to a switch … i dont have any.

norman · February 4, 2016, 9:01pm

hi i got a switch cisco 2960-c so iam going to test it during this weekend

norman · February 6, 2016, 7:24pm

Hi I am getting the Firepower up but then i get this message

ReneMolenaar · February 9, 2016, 4:15pm

Hi Oskar,

I had the same issue…are you using Windows 10?

Once I switched back to windows 7 + latest version of ASDM this problem would go away.

Rene

norman · February 9, 2016, 4:32pm

Hi !

yes i am using Win 10 …

I will check my version of ASDM

/oskar