ASA 5555-X Management Interface

Ciscouser20188
Level 1

Would it be possible to configure the management interface on the 5555-x with an IP address and also set the interface IP as the default gateway of the Firepower?

 

I am out of available interfaces on the 5555-x. Some Cisco docs say it's possible, but I want to ask if anyone has actually configured something like this.

 

Thank you

 

 

Accepted Solution

Ok, now I understand. No, you can't assign an IP on the 5555-X MGMT interface if you are using the SFR module. This is listed by Cisco. See this doc.

https://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/sfr/firepower-qsg.html

Quoted:

ASA 5506-X (9.6 and Earlier) through ASA 5555-X (Software Module) in Routed Mode

These models run the ASA FirePOWER module as a software module, and the ASA
FirePOWER module shares the Management 0/0 or Management 1/1 interface
(depending on your model) with the ASA.

All management traffic to and from the ASA FirePOWER module must enter and
exit the Management interface. The ASA FirePOWER module also needs Internet
access. Management traffic cannot pass through the ASA over the backplane;
therefore you need to physically cable the management interface to an ASA
interface to reach the Internet.

If you do not configure a name and IP address in the ASA configuration for
Management, then the interface belongs exclusively to the module. In this
case, the Management interface is not a regular ASA interface, and you can:

1. Configure the ASA FirePOWER IP address to be on the same network as a regular ASA data interface.

2. Specify the data interface as the ASA FirePOWER gateway.

3. Directly connect the Management interface to the data interface (using a Layer 2 switch).

See the following typical cabling setup to allow ASA FirePOWER access to
the Internet through the ASA inside interface:

[Figure: typical cabling setup, ASA FirePOWER module to the Internet through the ASA inside interface]



For the ASA 5506-X on 9.6 and earlier, the ASA 5508-X, and the ASA 5516-X,
the default configuration enables the above network deployment; the only
change you need to make is to set the module IP address to be on the same
network as the ASA inside interface and to configure the module gateway IP
address.

For other models, you must remove the ASA-configured name and IP address
for Management 0/0 or 1/1, and then configure the other interfaces as
indicated above.

Note: For
ASA 9.7 and later, you can avoid using an external switch if you have extra
interfaces that you can assign to an inside bridge group. Be sure to set
all bridge group interfaces to the same security level, allow same security
communication, and configure NAT for each bridge group member. See the ASA
interfaces configuration guide chapter for more information.

Note: If you
want to deploy a separate router on the inside network, then you can route
between management and inside. In this case, you can manage both the ASA
and ASA FirePOWER module on the Management interface with the appropriate
configuration changes, including configuring the ASA name and IP address
for the Management interface (on the same network as the ASA FirePOWER
module address).

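The supported layout the quoted guide describes, applied to the addresses from this thread, as an added example that is not part of the original post or of Cisco's documentation. Assumed: the inside data interface is GigabitEthernet0/6 with a /24 mask (the thread gives no mask), the Internet-facing interface is named "outside", and Management0/0 is cabled to the Gi0/6 segment through a Layer 2 switch.

```cisco
! Added example (not from the thread or the Cisco guide). ASA 5555-X with the
! SFR software module. The ASA keeps 172.16.109.202 on a DATA interface, the
! module gets 172.16.109.203 on the same subnet, and the module's gateway is
! that data interface, not the Management interface. The /24 mask and the
! "outside" interface name are assumptions.
!
! 1. Leave Management0/0 without nameif/IP so it belongs exclusively to the
!    module (this is what the guide means by "remove the ASA-configured name
!    and IP address for Management 0/0").
interface Management0/0
 management-only
 no nameif
 no ip address
 no shutdown
!
! 2. The data interface the module will use as its gateway. Physically,
!    Management0/0 is patched into this interface's segment via an L2 switch.
interface GigabitEthernet0/6
 nameif inside
 security-level 100
 ip address 172.16.109.202 255.255.255.0
 no shutdown
!
! 3. The module also needs Internet access (rule updates); give it the same
!    PAT the inside hosts get.
object network sfr-module
 host 172.16.109.203
 nat (inside,outside) dynamic interface
!
! 4. On the module's own CLI (opened from the ASA with "session sfr console"),
!    set the module address on the inside subnet with the ASA inside interface
!    as its gateway:
!
!    > configure network ipv4 manual 172.16.109.203 255.255.255.0 172.16.109.202
!
! 5. Verify from the ASA that the module is up and reachable over the
!    external cabling:
!    show module sfr details
!    ping inside 172.16.109.203
```

Management of the ASA itself then happens on the inside data interface (172.16.109.202), which is what the second Note in the guide relaxes only when a separate inside router exists.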

4 Replies

Yes, it's possible. I am assuming you are referring to the FP module, which uses the MGMT interface along with the ASA.

Thank you very much, Mohammed, for the email.

Here is more detail.

I have a 5550 and want to migrate to a 5555-x. The 5550 has 8 interfaces configured with IP addresses, and the 5555-x also has 8 interfaces.

The MGMT on the 5550 is currently not in use.

I'm in the process of migrating the config, and at this time I'm managing the 5555-x using 172.16.109.202.

If I migrate the config from the 5550 to the 5555-x, I won't be able to manage the 5555-x using 172.16.109.202.

My question is this:

Is it possible to configure the MGMT interface on the 5555-x with 172.16.109.202 and Firepower with 172.16.109.203, and configure the Firepower default gateway to use 172.16.109.202, which is the IP of the MGMT interface?

I did some research; some say it should work, others say it won't, that the MGMT is reserved for the Firepower and should not be configured with an IP address on the ASA.

Thank you very much


Current Firewall 5550

Interface            IP-Address       OK? Method Status                Protocol
GigabitEthernet0/0   106.20.10.24     YES CONFIG up                    up
GigabitEthernet0/1   139.79.24.10     YES CONFIG up                    up
GigabitEthernet0/2   10.50.19.2       YES CONFIG up                    up
GigabitEthernet0/3   10.1.2.100       YES CONFIG up                    up
Internal-Data0/0     unassigned       YES unset  up                    up
Management0/0        unassigned       YES unset  administratively down up
GigabitEthernet1/0   10.250.216.21    YES unset  up                    up
GigabitEthernet1/1   162.50.117.26    YES CONFIG up                    up
GigabitEthernet1/2   10.202.116.40    YES CONFIG up                    up
GigabitEthernet1/3   10.205.118.90    YES CONFIG up                    up
Internal-Data1/0     unassigned       YES unset  up                    up


New Firewall 5555-x

Interface            IP-Address       OK? Method Status                Protocol
GigabitEthernet0/0   unassigned       YES unset  administratively down down
GigabitEthernet0/1   unassigned       YES unset  administratively down down
GigabitEthernet0/2   unassigned       YES unset  administratively down down
GigabitEthernet0/3   unassigned       YES unset  administratively down down
GigabitEthernet0/4   unassigned       YES unset  administratively down down
GigabitEthernet0/5   unassigned       YES unset  administratively down down
GigabitEthernet0/6   172.16.109.202   YES manual up                    up
GigabitEthernet0/7   10.250.2.1       YES unset  up                    up
Internal-Control0/0  127.0.1.1        YES unset  up                    up
Internal-Data0/0     unassigned       YES unset  up                    down
Internal-Data0/1     unassigned       YES unset  up                    up
Internal-Data0/2     unassigned       YES unset  up                    up
Internal-Data0/3     169.254.1.1      YES unset  up                    up
Management0/0        unassigned       YES unset  down                  down



Thank you very much. All good.