Can't enter enable mode + how to add a helper address on Cisco ASA5516-X Threat Defense (75) Version 6.2.3.3

amralrazzaz
Level 5

Dear all,

I need your help with the points below. This is an issue I've spent a couple of hours on but can't resolve, so I need some help from your great and valued information:

1- I can't enter enable or exec mode (before I could, but maybe after I changed the admin password from the Firepower GUI (FMC) I think some privileges disappeared for this user).

So is there any way to get enable mode, or to create a new user with full privileges?

2- As I'm not able to enter enable mode to configure an IP helper address on the ASA FTD: I'm able to access it via the web normally, but I don't know how to add the DHCP servers or the DHCP relay agent.

So what are the steps to add the helper address (on ASA it's called the DHCP relay agent)? Where should I add it?

I already have 2 DHCP servers and I don't know how to add them via FMC (the Firepower GUI), so I can get the DHCP parameters from the main data center rather than from the local DHCP service.

 

note:

> show version
-------------------[ CampinaFTD ]-------------------
Model : Cisco ASA5516-X Threat Defense (75) Version 6.2.3.3 (Build 76)
UUID : 992fa59e-0135-11e8-a180-9f33b9f2f505
Rules update version : 2019-02-07-001-vrt
VDB version : 308
----------------------------------------------------

Also, this is what I have access to (the options allowed to me), and there is no enable mode:

 

>
aaa-server Specify a AAA server
app-agent Configure appagent features
asdm Disconnect a specific ASDM session
asp Configure ASP parameters
blocks Set block diagnostic parameters
capture Capture inbound and outbound packets on one or more interfaces
capture-traffic Display traffic or save to specified file
cd Change current directory
clear Reset functions
cluster Cluster exec mode commands
configure Change to Configuration mode
copy Copy from one file to another
cpu general CPU stats collection tools
crashinfo Crash information
crypto Execute crypto Commands
debug Debugging functions (see also 'undebug')
delete Delete a file
dir List files on a filesystem
dns Update FQDN IP addresses
downgrade Downgrade the file system and reboot
eject Eject a device
eotool Change to Enterprise Object Tool Mode
erase Erase a filesystem
exit Exit this CLI session
expert Invoke a shell
failover Perform failover operation in Exec mode
file Change to File Mode
format Format a filesystem
fsck Filesystem check
help Interactive help for commands
history Display the current session's command line history
kill Terminate a telnet session
ldapsearch Test LDAP configuration
logging Configure flash file name to save logging buffer
logout Logout of the current CLI session
memory Memory tools
mkdir Create new directory
more Display the contents of a file
no Negate a command or set its defaults
nslookup Look up an IP address or host name with the DNS servers
packet-tracer trace packets in F1 data path
perfmon Change or view performance monitoring options
pigtail Tail log files for debugging (pigtail)
ping Test connectivity from specified interface to an IP address
pmtool Change to PMTool Mode
pwd Display current working directory
reboot Reboot the sensor
redundant-interface Redundant interface
rename Rename a file
rmdir Remove existing directory
sftunnel-status Show sftunnel status
show Show running system information
shun Manages the filtering of packets from undesired hosts
shutdown Shutdown the sensor
system Change to System Mode
tail-logs Tails the logs selected by the user
test Test subsystems, memory, interfaces, and configurations
traceroute Find route to remote network
undebug Disable debugging functions (see also 'debug')
verify Verify a file
vpn-sessiondb Configure the VPN Session Manager
webvpn-cache Remove cached object
write Write running configuration to memory, network, or terminal

>

amr alrazzaz
11 Replies

Marvin Rhoads
Hall of Fame

When you run Firepower Threat Defense (FTD) almost all configuration commands are done from the manager GUI. (Firepower Management Center (FMC), the local manager Firepower Device Manager (FDM) or cloud-based manager Cisco Defense Orchestrator (CDO)).

Instructions for configuring DHCP relay using FMC can be found here:

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200475-Configure-DHCP-Server-Relay-on-FTD-Using.html

I don't think DHCP relay configuration for FDM- and CDO-managed FTD appliances is supported as of the current Firepower 6.6.

Is there any way to get back enable mode?

I tried to create a new user from the CLI with config privilege, but it's the same thing: I can't go to enable.

By the way, how do I go to enable mode?

Why am I not able to see the enable option?

amr alrazzaz

There is no enable mode in the FTD CLI shell. If you drop to the diagnostic CLI there is an enable mode, but it still doesn't allow you to make configuration changes.

Config changes must be made in the GUI except for a VERY small number of things you can do in the cli.
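To show what dropping to the diagnostic CLI looks like in practice, here is an added session transcript; it is not from the original thread. The `firepower>` prompt is the FTD default hostname and is assumed, and lines beginning with `!` are annotations rather than commands. It reaches the ASA-style enable prompt from the `>` shell listed in the question and uses it only to inspect the DHCP relay and DHCP server configuration:

```text
> system support diagnostic-cli
Attaching to Diagnostic CLI ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.

firepower> enable
Password:
! Press Enter: the diagnostic CLI enable password is empty by default on FTD.
firepower# show running-config dhcprelay
! No output here means no relay is configured on the box.
firepower# show dhcprelay state
firepower# show dhcprelay statistics
firepower# show running-config dhcpd
! The local DHCP server (the part FDM does expose) lives under "dhcpd".
! Ctrl+a then d detaches and returns to the FTD shell.
>
```

Use the enable prompt for `show` and troubleshooting commands only; as the reply above says, the diagnostic CLI does not let you change the configuration, which must come from the manager (FDM or FMC).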

So from what you are saying there is no enable mode or config mode to configure the FW. What is the purpose of the CLI, then, if it isn't able to configure anything? Just show?!

So I now have 2 helper addresses and I need to configure them. How?

Note: my network contains a core switch 3850, and the local DHCP is configured on it, but the gateways are on the FW. So is there any option to configure the helper on the switch if I'm not allowed to do it on the FW?

amr alrazzaz

The CLI shell can be used for show commands, some diagnostic/troubleshooting commands and a (very) limited number of configuration commands.

99% of all FTD configuration must be done through the GUI (not mentioning API for purposes of this discussion).

I already provided the link to the FMC configuration guide section on configuring the DHCP relay feature. Did you read that?

Yes, definitely I went through the link, and when I try to apply it on the FW I don't find DHCP relay.

There is only DHCP server and configure DHCP option... They mentioned the image version should be 6.0 and above, and I'm running 6.2.3.

So that's why I'm asking.

I can connect to the firewall via SSH and Telnet, but there is no enable mode, so I can't configure it, and that's why I'm asking.

Also, I mentioned that I have a core switch; maybe I have the chance to configure the helper address on it if the ASA will not support me on this?

amr alrazzaz

Can you share a screen shot of your device management page, DHCP tab and show me what it looks like?

I don't have a FMC 6.2.3 to verify but I did check FTD devices on version 6.3, 6.4 and 6.6 FMCs and see the option for DHCP relay on all of them.

Thanks, and please check the attached pics. With appreciation.

amr alrazzaz

You're using the local Firepower Device Manager - FDM.

As I mentioned in my 29 July reply, DHCP relay configuration for FDM- and CDO-managed FTD appliances is not supported as of the current Firepower 6.6. (The same shortcoming applies to the upcoming 6.7 as well.)

You need to use an external Firepower Management Center (FMC) to be able to configure the more advanced features.

May I ask how I can use an external FMC?

And where do I get it?

Or can I upgrade my image to 6.6?

Thanks for your great support.

amr alrazzaz

FMC is a separate product that requires you purchase and install it on a VMware ESXi server.

No version of FDM-managed FTD currently supports DHCP helper without having FMC to configure the feature.
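On the core-switch question raised twice above and not answered in the thread: a Catalyst 3850 running IOS XE can relay DHCP for a VLAN as long as it has an SVI in that VLAN, even when the clients' default gateway is the firewall interface, because the relay only has to receive the client broadcast and stamp its own SVI address into giaddr. The following is an added example and not part of the thread; VLAN 10, the SVI address 192.168.10.2/24, the pool name VLAN10 and the data-center server addresses 10.0.0.10 and 10.0.0.11 are constructed placeholders to be replaced with your own values:

```text
! --- on the 3850 (IOS XE), in configure terminal ---
! 1) Stop the switch answering from its own scope for this VLAN, otherwise the
!    local server wins the race. Keep "service dhcp" enabled: it drives the
!    relay as well as the local server. Get the real pool name from
!    "show ip dhcp pool".
no ip dhcp pool VLAN10
!
! 2) Relay client broadcasts from the SVI to both data-center servers.
!    The SVI needs an address in the client subnet; it becomes giaddr.
interface Vlan10
 ip address 192.168.10.2 255.255.255.0
 ip helper-address 10.0.0.10
 ip helper-address 10.0.0.11
end
!
! --- verify ---
show ip interface Vlan10 | include Helper
show ip dhcp server statistics
debug ip dhcp server packet
undebug all
```

Three things to check before blaming the switch: the servers need a scope for 192.168.10.0/24 whose router option still hands out the firewall's inside address, since the gateway does not move; if the data center sits behind the FTD, the relayed unicast (UDP/67 from 192.168.10.2 to 10.0.0.10 and 10.0.0.11) and the replies back to the SVI must be allowed by the firewall's access policy; and `ip helper-address` forwards other UDP broadcasts by default as well (time 37, TACACS 49, DNS 53, BOOTP 67/68, TFTP 69, NetBIOS 137/138), so add `no ip forward-protocol udp <port>` for the ones you do not want crossing into the data center.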
