topic Re: Software FirePower management 0/0 in Network Security

Software FirePower management 0/0

h.dam — Fri, 21 Feb 2020 15:19:00 GMT

Hello,

I am going to implement a pair of FW cluster in Active/passive mode with software Firepower module.
Here's what I suggest:
- SFR module managed by ASDM
- SFR management using interface management0/0
- FW management using inside interface G0/0
they are connected to two different ports on a management L2 switch in the same vlan.

Since I use etherchannel (2 ports) for each zone, I don't have enough ports for management.

So my question is:
Could I use the management 0/0 for both SFR module and FW?
How can I configure in this case?
Any impact on the traffic flow going thru this port?

Another case: if I use VM Management center for SFR, should I also use management 0/0 for Firepower?

Thanks a lot.

Re: Software FirePower management 0/0

Marvin Rhoads — Sat, 10 Feb 2018 16:01:17 GMT

You can manage both the Firepower module and the ASA via interface m0/0. They will each have their own IP address on the same subnet. There's no functional impact on either device.

Re: Software FirePower management 0/0

h.dam — Sat, 10 Feb 2018 17:46:30 GMT

Hello,

Thanks for your reply, this is what I want to do.

Could you show me how to connect the FW management interface and the SFR module ?

Re: Software FirePower management 0/0

Marvin Rhoads — Sun, 11 Feb 2018 10:32:33 GMT

They simply connect to your existing infrastructure via a switchport in a VLAN that's associated with the subnet from which you have configured their IP addresses.

Re: Software FirePower management 0/0

h.dam — Mon, 12 Feb 2018 10:56:03 GMT

Hello,

I have connected the management 0/0 on a switch containing ADM VLAN.

SFR module is configured using the same management 0/0 interface as default gw.

Now I cannot ssh the FW address, but only SFR module. As far as I know (maybe I am wrong) this is normal since one cannot use the same management interface for two devices.

Even I can use ASDM to manage the FW but I also use CLI to run on it. This solution is not what I expected.

Any one has some suggestions?

Re: Software FirePower management 0/0

Marvin Rhoads — Tue, 13 Feb 2018 02:39:49 GMT

You can use one physical interface to manage both the ASA and the Firepower (sfr) module. Each must have an address in the same subnet and the interface must connect to a switchport in access mode (or you can plug your laptop directly into it). Furthermore, the ASA must allow management access (http and ssh) on the management interface.

Re: Software FirePower management 0/0

h.dam — Tue, 13 Feb 2018 14:40:03 GMT

Hello,

Here's what I have done:

- interface management 0/0 connected to a switch with the port configured "switchport access vlan"

- FW and SFR are on the same subnet

- http and ssh are configured

- reboot ASA

After these actions, the following works:

- ASDM

- ssh to SFR (from a pc in the same subnet)

But ssh to ASA didn't work with message "server unexpectedly closed network connection".

I am working on it. I should missed something.

Re: Software FirePower management 0/0

Marvin Rhoads — Tue, 13 Feb 2018 14:49:08 GMT

The "server unexpectedly closed" message usually indicates a protocol error like no common crypto algorithm (usually shows up in the log of your terminal program) or also something like no rsa key on the ASA (can verify with "show crypto key mypubkey rsa" or (re)generate one with "crypto key generate rsa mod 2048" command from config mode).

Re: Software FirePower management 0/0

h.dam — Tue, 13 Feb 2018 15:07:13 GMT

Hello,

Thanks for your quick answer. I am going in this direction.

I also got this message when I run ASDM:

"The certificate used to identify the website is not trusted."

Re: Software FirePower management 0/0

Marvin Rhoads — Tue, 13 Feb 2018 15:11:05 GMT

The certificate error is because you are using a default self-signed certificate. ASDM uses Java and its SSL/TLS libraries and certificates. Unless the certificate comes from a trusted 3rd party certificate authority (CA) or had been explicitly imported and trusted into your client PC's local certificate store you will get that message.

Re: Software FirePower management 0/0

h.dam — Tue, 13 Feb 2018 15:18:18 GMT

Hello Marvins,

Here's my ssh configuration:

crypto ca trustpool policy

ssh stricthostkeycheck

ssh x.x.x.x ADM

ssh version 2

ssh timeout 15

ssh key-exchange group dh-group1-sha1

Is it correct?

Re: Software FirePower management 0/0

Marvin Rhoads — Tue, 13 Feb 2018 15:38:17 GMT

Assuming the "ssh" command is followed by the address or subnet and mask of where your manage the ASA from that's fine.

Did you check the "show crypto..." command I mentioned?

Re: Software FirePower management 0/0

h.dam — Tue, 13 Feb 2018 20:44:49 GMT

After regenerate the rsa key, ssh to asa works well. Thanks very much.

One last question, just for my curiosity, why did ssh to SFR work before? Does it really need a rsa key?

Thanks again.

Re: Software FirePower management 0/0

Marvin Rhoads — Tue, 13 Feb 2018 21:54:10 GMT

You're welcome - thanks for rating.

The ASA needs you to explicitly generate an RSA key before using ssh to it the first time. Without knowng the provenance of your ASA I can't say why it might not have had one.

The sfr module setup pre-generates one on it.