07-20-2015 02:21 PM - last edited on 03-25-2019 05:56 PM by ciscomoderator
Need some assistance with the new ASA-5506X for my home network. For some reason, I can no longer access the FirePOWER module via the ASDM. ASDM starts to load and stops at 17% (Initializing FirePOWER communication). Here is the error:
Cannot connect to the ASA FirePOWER module. Check that it is correctly configured and on the network. It is also possible that the management address is being translated by NAT. Please verify the IP address/Hostname and port.
This unit has been challenging to say the least for a non-security guy to get going. Very little documentation on the 5506X is out there. Here is what I'm trying to follow:
http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/5506X/5506x-quick-start.html
I have a 3560GC connected to interface Gig1/2; right now it's a very simple config using VLAN1 & the IP address of 192.168.1.254. I wanted to get the basic configuration working before I tried to introduce any complexity.
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
!
boot system disk0:/asa932-2-lfbff-k8.SPA
ftp mode passive
object network INSIDE_HOST
subnet 192.168.1.0 255.255.255.0
pager lines 60
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network INSIDE_HOST
nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
!
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_Launcher_Access_TrustPoint_0
telnet timeout 5
no ssh stricthostkeycheck
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd dns 8.8.8.8 8.8.4.4
!
dhcpd address 192.168.1.50-192.168.1.150 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside vpnlb-ip
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 outside
bmoney-asa5506# show inter manag 1/1
Interface Management1/1 "", is down, line protocol is down
Hardware is en_vtun rev00, BW 1000 Mbps, DLY 10 usec
Auto-Duplex, Auto-Speed
Input flow control is unsupported, output flow control is off
Available but not configured via nameif
MAC address 78ba.f988.ad62, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
0 packets output, 0 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 2 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
input queue (blocks free curr/low): hardware (0/0)
output queue (blocks free curr/low): hardware (0/0)
!
bmoney-asa5506# show module
Mod Card Type Model Serial No.
---- -------------------------------------------- ------------------ -----------
1 ASA 5506-X with FirePOWER services, 8GE, AC, ASA5506 <removed>
sfr FirePOWER Services Software Module ASA5506 <removed>
Mod MAC Address Range Hw Version Fw Version Sw Version
---- --------------------------------- ------------ ------------ ---------------
1 78ba.f988.ad62 to 78ba.f988.ad6b 1.0 1.1.1 9.3(2)2
sfr 78ba.f988.ad61 to 78ba.f988.ad61 N/A N/A 5.4.1-211
Mod SSM Application Name Status SSM Application Version
---- ------------------------------ ---------------- --------------------------
sfr ASA FirePOWER Up 5.4.1-211
Mod Status Data Plane Status Compatibility
---- ------------------ --------------------- -------------
1 Up Sys Not Applicable
sfr Up Up
bmoney-asa5506# session sfr
Opening command session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.
(none) login: <removed>
Password:
Last login: Wed Jul 15 19:33:29 UTC 2015 on pts/0
Copyright 2004-2015, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.
Cisco Linux OS v5.4.1 (build 12)
Cisco ASA5506 v5.4.1 (build 211)
>
>
> show network
===============[ System Information ]===============
Hostname : (none)
Domains : example.net
Management port : 8305
IPv4 Default route
Gateway : 192.168.1.1
======================[ eth0 ]======================
State : Enabled
Channels : Management & Events
Mode :
MDI/MDIX : Auto/MDIX
MTU : 1500
MAC Address : 78:BA:F9:88:AD:61
----------------------[ IPv4 ]----------------------
Configuration : Manual
Address : 192.168.1.2
Netmask : 255.255.255.0
Broadcast : 192.168.1.255
----------------------[ IPv6 ]----------------------
Configuration : Disabled
===============[ Proxy Information ]================
State : Disabled
Authentication : Disabled
>
Could really use some help
07-20-2015 02:50 PM
Gary,
Your interface m1/1 also needs to be connected to the internal switch on the same vlan as your gi1/2.
The FirePOWER module can only use the physical management port for its IP communications directly to the rest of the network. Otherwise you can only access it via the internal dataplane as you do when you session to the module from ASA cli (or redirect the traffic via the service-policy for inspection).
07-20-2015 05:05 PM
Thanks Marvin, I left out that it is also connected to the same switch on the same VLAN (I only have one VLAN for now); however, something is up with that port. I kept wondering why the m1/1 interface was down/down... I moved to a different port & all is working now...:o)...
Now onto some additional advanced settings. I was originally thinking I would make the ASA the default gateway for each VLAN. My thinking was to mark/map Guest traffic to a lower security level. I wanted to get the basics working before moving on.
Found the thread about the 5506 not being a switch & not supporting VLANs, but I'm going to try subinterfaces to see what I can get working...:o).. Bridge groups could also be an option, just have to play around with it.
07-20-2015 07:41 PM
Subinterfaces should be fine for what you describe.
Bridge groups would mean moving to transparent mode.
07-22-2015 03:46 PM
Hello Dear Friends,
I am installing and configuring a new ASA 5506X. I have a little issue: I cannot connect to the sfr module if I connect from a different subnet. I can ping, I can access the ASA via ASDM, but cannot access the SFR.
If I am in the same subnet, I connect successfully.
When I try to connect to the ASA using the ASDM, in the ASA logging I see the attached log.
Any help will be appreciated.
Thanks in advance.
Sergio Garrido
07-22-2015 08:24 PM
Sergio,
The sfr module has its own routing table and needs to have a default gateway set that tells it how to reach the external devices it communicates with.
The information you have given us doesn't tell us enough to be able to give a good suggestion as to what might be wrong.
If you could provide a diagram with the ASA interfaces, sfr address and its gateway as well as your client PC location, it would help.
07-24-2015 07:11 AM
07-24-2015 08:54 AM
I agree with Gary's post.
Since you have an inside router, you would be better setting its interface address in the 172.16.1.0/29 subnet as the gateway for your sfr module.
07-24-2015 09:18 AM
Ok, I will make this change this afternoon. I will let you know the results briefly.
Thanks for your time and help.
Sergio
07-29-2015 02:31 PM
Hi Gary and Marvin,
I fixed my issue following your suggestion.
Thank you very much.
07-24-2015 08:30 AM
As per the Quick Start guide:
Note: If you want to deploy a separate router on the inside network, then you can route between management and inside. In this case you can manage both the ASA and ASA Firepower module on the Management 1/1 with the appropriate configuration
Have you created that route?
07-24-2015 08:58 AM
Hi Gary,
Thanks for your reply.
I have a EIGRP process between the outside router, ASA and Inside Router.
The routing configuration between those three device works fine, only I have issues to manage the sfr module from other subnet through the ASDM.
Attached is the diagram showing the topology and the issue.
Best regards,
Sergio Garrido
02-03-2017 03:13 AM
It is working. Thanks.
08-06-2015 02:51 AM
Hi Gary,
I have this problem too, but for me, everything is reachable to each other, like the DC, ASA and SFR. I observe in your "show network" output that it specifies the management port is 8305. When I do "show network" it states the below:
===============[ System Information ]===============
Hostname : Sourcefire3D
Domains : example.net
DNS Servers : 8.8.8.8
Management port : 443
The management port is not 8305 but 443. I also paste here the logs from the DC.
Aug 06 2015 04:19:48 192 SF-IMS[10338]: [16033] sftunneld:sf_ssl [WARN] Unable to connect to peer '192.168.1.102'
Aug 06 2015 04:19:48 192 SF-IMS[10338]: [16033] sftunneld:sf_ssl [INFO] No IPv4 connection to 192.168.1.102
Aug 06 2015 04:19:48 192 SF-IMS[10338]: [16033] sftunneld:sf_ssl [ERROR] Unable to connect to port 8305 (IPv4): Connection timed out
I used Windows 7 and installed ESXi. Inbound and outbound ports on 8305 are open already.
11-13-2015 05:08 PM
I use Firefox in Linux. I could only see the status tab in ASDM. I fired up a Windows VM and IE showed the tabs. I would like to see Firefox work since IE is not available on Linux.
It looks like ASDM uses port 443. Defense Center uses port 8305.
I would like to have a Protect license over a Control license but that's me. 5 DMZs is a massive improvement over the 5505. The professionally built SF solution with a reasonable home license subscription price would save me time building the in-line open source solution. This is one of the few things I've seen that can catch the latest malware.
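As an added example (not from the thread, not Cisco code), here is a small Python checker that applies the points the answers above boil down to: the module's gateway must sit on its own subnet (Marvin's reply to Sergio), a module on a subnet other than inside needs an inside router (the quick start note Gary quoted), and Defense Center peers on 8305 while ASDM uses 443. The function names, the constructed `show network` sample and the port constants are assumptions drawn from the thread.

```python
import ipaddress
import re
import socket

# Constructed sample modelled on the module's `show network` output in the
# thread (IPv4 section only; values illustrative, not from a real device).
SAMPLE_SHOW_NETWORK = """\
===============[ System Information ]===============
Management port : 8305
Gateway : 192.168.1.1
----------------------[ IPv4 ]----------------------
Configuration : Manual
Address : 192.168.1.2
Netmask : 255.255.255.0
"""

ASDM_PORT = 443  # ASDM reaches the module on 443 (per the thread)
DC_PORT = 8305   # Defense Center peering uses 8305 (per the thread)

def parse_show_network(text):
    """Extract address, netmask, gateway and management port into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*(Management port|Gateway|Address|Netmask)\s*:\s*(\S+)", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def diagnose(module, asa_inside_ip, asa_inside_mask):
    """Return findings for the misconfigurations the thread's answers point at."""
    findings = []
    mod_net = ipaddress.IPv4Interface(f"{module['Address']}/{module['Netmask']}").network
    asa_net = ipaddress.IPv4Interface(f"{asa_inside_ip}/{asa_inside_mask}").network
    if ipaddress.IPv4Address(module["Gateway"]) not in mod_net:
        findings.append("gateway is not on the module's own subnet")
    if mod_net != asa_net:
        findings.append("module and ASA inside are on different subnets: "
                        "an inside router must route between Management1/1 and inside")
    if module.get("Management port") != str(DC_PORT):
        findings.append(f"management port is {module.get('Management port')}, "
                        f"Defense Center expects {DC_PORT}")
    return findings

def probe_tcp(host, port=ASDM_PORT, timeout=3.0):
    """Live check (needs network access): True if a TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False
```

Run `diagnose(parse_show_network(<pasted output>), "<inside ip>", "<inside mask>")` against your own module; an empty list means the three checks pass, and `probe_tcp` then confirms whether the ASDM port actually answers from your workstation.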