hi marvin,

thanks! i have a lab 5525-x with FP and did a point-to-point to FTP PC and MGMT interface.

it does work if MGMT and FP are on different subnets.

another question, so it means now we need to patch the ASA MGMT port to a switch and configure the VLAN to which it will reach the FMC?

hi marvin,

it was awkward when i saw the MGMT and FP IPs are on different subnets.

i was able to install the .pkg file directly from my FTP PC to ASA MGMT port.

i'll put the MGMT and FP IPs to be on same subnet so it wont' be confusing when another tech takes a look.

the previous admin (vendor/contractor) left the MGMT IP on192.168.1.1/24

i'll do the correct IP setup on my next FW projects.

hi marvin,

another questions pop up, can i re-configure or run again the wizard to setup the SFR module? i initially want to use IPs for my lab and run the wizard and assign production IPs once the ASA+FP is ready for deployment. 

is this different from the 'setup' command?

asasfr-boot> setup

http://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118644-configure-firepower-00.html

ciscoasa# session sfr
Opening command session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.
Sourcefire ASA5555 v5.3.1 (build 152)
Sourcefire3D login:

Running "setup" from the boot image prepares the unit for the full package. Once the package loads, you will then have to re-enter most of that in the first time autorun script as it is essentially a fresh OS at that point.

After you have a module fully configured and want to go back later and change addresses etc. you use the "configure network..." commands from the clish (that's the lightweight command line interface shell that runs on top of the Linux bash shell that you would see in expert mode).

Note that if you change the DNS value for the sfr module you need to restart the nscd daemon from expert mode (or else wait up to 24 hours for the cached entries to expire).

Pete Long has a good example in his blog posting here:

https://www.petenetlive.com/KB/Article/0001173

thanks marvin!

i just got the SFR upgraded to 6.0.

i'll play with it first.

these upgrade steps are unpractical unlike CP and PA FWs.

will cisco fix or eliminate the SSD upgrade on the newer FP21xx/41xx?

MY-ASA# show module sfr details
Getting details from the Service Module, please wait...

Card Type:          FirePOWER Services Software Module
Model:              ASA5525
Hardware version:   N/A
Serial Number:      FCH1834Jxxx
Firmware version:   N/A
Software version:   6.0.0-1005
MAC Address Range:  fc5b.39aa.5162 to fc5b.39aa.xxx
App. name:          ASA FirePOWER
App. Status:        Up
App. Status Desc:   Normal Operation
App. version:       6.0.0-1005
Data Plane Status:  Up
Console session:    Ready
Status:             Up
DC addr:            No DC Configured                                            
Mgmt IP addr:       192.168.45.45                                               
Mgmt Network mask:  255.255.255.0                                               
Mgmt Gateway:       0.0.0.0                                                     
Mgmt web ports:     443                                                         
Mgmt TLS enabled:   true   

You're welcome.

On a new deployment, you are best off going all the way to the current release - 6.2.0 image with 6.2.0.2 patch would be the current one on that platform. Note if you are planning to use FMC, it must be at or above the managed device version.

FirePOWER appliances (2100, 4100 and 9300 series) don't run ASA with FirePOWER services. You can run an ASA image (logical device they call it) on the 4100 and 9300 series but there's no service module support.

FirePOWER Threat Defense (FTD) is the new unified image that runs on all three and you upgrade it in one operation - either from FirePOWER Device Manager (local web UI management) or FirePOWER Management Center.

Hi Marvin,

i have an issue with my ASA Mgmt Interface ,  i have tow ASA 5516-x configured as cluster and both ASA have SFR module so after configure SFR module i was not able to reach the mgmt ip of both ASA from outside mgmt subnet , why do you think happened ?