Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
756
Views
0
Helpful
6
Replies

setting up firepower module, question about interfaces

faghouri83
Level 1
Level 1

‎11-30-2017 04:28 AM - edited ‎02-21-2020 06:52 AM

Hi all

 

I'm in the process of upgrading the firepower software on a Cisco 5525-X. I have updated the boot firmware to 6.2.2. Once I get into the module using the module sfr command i then enter setup to configure the ip address for the firepower module. 

 

My question is, what physical interface on the firewall is this ip address binded to? does the firepower ip address have to be in the same subnet as the inside interface ip?  Once i can get the firepower talking to filezilla server, i can then upgrade the rest. 

 

Thanks

 

 

Labels:
0 Helpful
6 Replies 6

mikael.lahtela
Level 4
Level 4

‎11-30-2017 04:52 AM

Hi,

The firepower ip address configured at setup is bound to Management 1/1.
Don't think they need to be in the same subnet as inside, but it makes things easier.
You will only access the Firepower module through the Management port, asa configuration must be access from inside or an extra oob management port.
https://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/5500X/5500x_quick_start.html

br, Micke
0 Helpful

faghouri83
Level 1
Level 1
In response to mikael.lahtela

‎11-30-2017 06:01 AM

Thanks for the answer. I shall give it a go. 

0 Helpful

johnlloyd_13
Level 9
Level 9

‎12-01-2017 07:02 PM

hi,

the FP module logical eth0 interface is binded to the ASA chassis management0/0 interface.

both the FP module interface and ASA management interface can be on the same subnet (for IP design ease) BUT the management functions are separate. meaning, you SSH/ASDM to ASA management0/0 IP while you use the FP module IP for FMC device registration.

 

here's a useful link for the ASA FP module upgrade process.

http://ccnpsecuritywannabe.blogspot.com/2017/09/cisco-asa-firepower-module-upgrade.html

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to johnlloyd_13

‎12-02-2017 07:20 AM - edited ‎12-02-2017 06:32 PM

@johnlloyd_13 note that the question was about the 5585-X. Those are a bit different in that they use a hardware module. As Micke noted, connectivity is via interface management 1/1 - e.g. the interface on the Firepower SSP module in slot 1.

 

(corrected information below - Thanks John)

0 Helpful

johnlloyd_13
Level 9
Level 9
In response to Marvin Rhoads

‎12-02-2017 05:57 PM - edited ‎12-02-2017 05:58 PM

hi marvin,


OP said it was for a 5525-X. look closely further above :)

"I'm in the process of upgrading the firepower software on a Cisco 5525-X."

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to johnlloyd_13

‎12-02-2017 06:31 PM

Oh - sorry about that John. You are right. Time to get my glasses checked. :)

 

On the ASA 5525-X the Firepower module indeed uses interface Management 0/0. That applies to the 5512-X, 5515-X, 5525-X, 5545-X and 5555-X.

 

https://www.cisco.com/c/en/us/td/docs/security/asa/hw/maintenance/5500xguide/5500xhw/asa_overview.html#58700

 

On the 5506-X, 5508-X and 5516-X they number the sole management interface "Management 1/1". 

 

The 5585-X has two management interfaces - Management 0/0 on the base ASA and Management 1/0 on the SSP. The latter is used for the Firepower SSP.

 

https://www.cisco.com/c/en/us/td/docs/security/asa/hw/maintenance/5500xguide/5500xhw/asa_overview.html#58700

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card