topic Re: Firesight Management Center in Network Security

Firesight Management Center

Rockyy — Fri, 21 Feb 2020 15:40:13 GMT

Hello,

I have an existing ASA5506-x in my network and recently I've installed FMC to manage my firewall. The problem is under NAT no security zones are appearing in FMC.

Cisco Adaptive Security Appliance Software Version 9.8(1)
Firepower Extensible Operating System Version 2.2(1.47)
Device Manager Version 7.8(1)

> show summary
-------------------[ firepower ]--------------------
Model : ASA5506 (72) Version 6.2.0 (Build 362)
Rules update version : 2017-09-13-001-vrt
VDB version : 297
----------------------------------------------------

------------------[ policy i ]-------------------
Access Control Policy : NUMINA DEFAULT INTERNET

--------------------[ outside ]---------------------
Physical Interface : GigabitEthernet1/1
Type : ASA
Security Zone : Untrusted
Status : Enabled
Load Balancing Mode : N/A
---------------------[ inside ]---------------------
Physical Interface : GigabitEthernet1/2
Type : ASA
Security Zone : Trusted
Status : Enabled
Load Balancing Mode : N/A
---------------------[ cplane ]---------------------
IPv4 Address : 127.0.2.1
----------------------[ eth0 ]----------------------
Physical Interface : eth0
Type : Management
Status : Enabled
MDI/MDIX : Auto
MTU : 1500
MAC Address : 70:69:5A:4F:0A:9A
IPv4 Address : 192.168.100.5
--------------------[ tun1 ]----------------------
IPv6 Address : fdcc::bd:0:ffff:a9fe:1/64
---------------------[ tunl0 ]----------------------
----------------------------------------------------

---------------[ snort version info ]---------------
Snort Version : 2.9.12 GRE (Build 136)
libpcap Version : 1.1.1
PCRE Version : 7.4 2007-09-21
ZLIB Version : 1.2.5
----------------------------------------------------

Attached is the screenshot.

Re: Firesight Management Center

michoudi — Thu, 26 Apr 2018 21:58:44 GMT

The FMC isn't going to pull the existing security zones from the ASA. You need to create the security zones in the FMC under Objects>Object Management>Interface.

Re: Firesight Management Center

yogdhanu — Fri, 27 Apr 2018 05:34:19 GMT

Hi Rocky,

I assume you are using FTD software on ASA and managing it via FMC. You would need to create the zones under device>settings based on interface or define zones under Object and then map them with interfaces.

Hope that helps,

yogesh

Re: Firesight Management Center

Rockyy — Sat, 28 Apr 2018 01:38:47 GMT

Correct, I'm using FTD softwareo n ASA and managing it via FMC. I did the basic configurations on ASA firewall i.e. NAT, inside, outside interfaces. Write an access-list to send traffic to SFR, class-map, policy and it is sending traffic to SFR.

I have created zones via FMC under Objects -> Interfaces -> Add -> Security Zone. After that I have created new policy for NAT save deploy and come back under NAT but no security zones are appearing over there.

Please advise if I'm missing something and why it's just not showing it?

Re: Firesight Management Center

Rockyy — Sun, 29 Apr 2018 02:06:35 GMT

I guess I have done enough struggle with it, I'm not sure what I'm doing is wrong but it's not appearing there at all.

Basically, I guess I was confused with FTD vs ASA with FirePower.

Please correct me if I'm wrong, I have ASA 5506-X which comes FirePower

While run show module it appears SFR there, so if it's an SFR I can manage Routing, NAT, VPN through ASA and Firepower Services Software will do - AVC, URL Filtering, NGIPS, and AMP.

Is that correct?