
ASA 5525-X Interface shutdown

dandi-cisco
Level 1

I have a problem with a Cisco ASA 5525-X. I can connect only via the console port.

From the CLI, I see all interfaces are shut down.

But I am unable to set the command no shutdown.

Please help me find the command to enable the interfaces and set IP addresses on them.

The CLI here is very different from the CLI on a switch/router.

 

Below is the detail:

> show tech-support
-------------------[ firepower ]--------------------
Model : Cisco ASA5525-X Threat Defense (75) Version 6.2.3 (Build 83)
UUID : f2479d86-967e-11ea-ac50-8080b9c7af0f
Rules update version : 2017-09-13-001-vrt
VDB version : 290
----------------------------------------------------

Cisco Adaptive Security Appliance Software Version 9.9(2)
Firepower Extensible Operating System Version 2.3(1.84)

Compiled on Sun 25-Mar-18 17:49 PDT by builders
System image file is "disk0:/os.img"
Config file at boot was "startup-config"

firepower up 2 days 0 hours

Hardware: ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz, 1 CPU (4 cores)
ASA: 4224 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 8192MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB

------------------ show running-config ------------------

: Saved

:
: Serial Number: FCH2412779D
: Hardware: ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz, 1 CPU (4 cores)
:
NGFW Version 6.2.3
!
hostname firepower
enable password <removed> pbkdf2
strong-encryption-disable
names

!
interface GigabitEthernet0/0
nameif outside
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address dhcp setroute
ipv6 address autoconfig
ipv6 enable
!
interface GigabitEthernet0/1
nameif inside
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address

 

 

12 Replies

Hi @dandi-cisco 

You are running the FTD image. To configure the interfaces you'll need to log in to the web GUI; you cannot do it from the CLI.

 

If you have an FMC, you'd log in to that to configure the settings of the ASA and deploy. If you don't have an FMC, you'll be using local management with FDM. So open a web browser, connect to the IP address, log in and make the relevant changes.

 

Once you get connected you should also consider upgrading the device, as 6.2.3 is very old. The latest recommended version supported by your hardware is 6.6.5.

 

HTH

Thanks for the reply.

The problem is I am unable to access it via browser.

Is there any config so I can access it via browser?

 

@dandi-cisco 

Is the device already configured?

 

You can run the command "show network"; this will tell you the IP address of the management interface. Connect your laptop to the management interface, configure your NIC in the same network and then connect to the IP address.

 

Here is the FDM config guide

https://www.cisco.com/c/en/us/td/docs/security/firepower/610/fdm/fptd-fdm-config-guide-610/fptd-fdm-get-started.html

 

Hi Rob,

 

I followed your guide, but I still can't access it via browser.

=========================

In laptop:

Ethernet adapter Ethernet 2:

Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::8c51:554e:aa44:3a54%38
IPv4 Address. . . . . . . . . . . : 192.168.1.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1

=================

In ASA5525-X

>
> show network
===============[ System Information ]===============
Hostname : firepower
DNS Servers : 208.67.222.222
208.67.220.220
Management port : 8305
IPv4 Default route
Gateway : 192.168.1.1

======================[ br1 ]=======================
State : Enabled
Channels : Management & Events
Mode : Non-Autonegotiation
MDI/MDIX : Auto/MDIX
MTU : 1500
MAC Address : 3C:57:31:B3:B3:7D
----------------------[ IPv4 ]----------------------
Configuration : Manual
Address : 192.168.1.46
Netmask : 255.255.255.0
Broadcast : 192.168.1.255
----------------------[ IPv6 ]----------------------
Configuration : Disabled

===============[ Proxy Information

Most likely it has been configured for FMC management. Please check with the command "show managers".

If that shows there is registration to a managing DC (Defense Center - old name for FMC), then you will either have to use it or else change to local management ("configure manager local"). The latter will delete any Firepower configuration on the device beyond the basic bootstrap information you showed already. Once local management is configured you can use FDM (the on-box GUI).

Hi Marvin,

Here is the result:

> show managers
Managed locally.

>

From here, how can I access FDM?

It should be accessible via the management interface IP address using https:

https://192.168.1.46

... in your case

Hi Marvin,

I am still unable to access it via browser.

Is there any CLI command to troubleshoot this issue?

Is your earlier CLI output taken from an SSH session or via the console port?

I'm asking so as to confirm that the appliance is accessible via its IP address on the physical management interface.

If it's a new/repurposed device it may be easier to just reimage it on the current recommended version (6.6.5) and go from there vs. struggle with this non-working 6.2.3 installation. Here's the procedure for doing that:

https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/reimage/asa-ftd-reimage.html#task_lzh_2zn_rgb

Hi Marvin,

It was taken via the console port.

So, is it better to upgrade to the recommended version than to stay stuck on this version?

Are you able to connect to the appliance via SSH? Your PC should be plugged into the management interface (or via a switch with the appliance management interface and your PC in the same VLAN).

Regarding the version - yes, version 6.6.5 is the current recommended release.

And you tried accessing the web interface on port 8305? If so, and that still didn't work, then I'd have to agree with the later post and just end up reimaging.
