Firepower 1010 Getting Started

BrianTG
Level 1

Hi everyone, I just received a new FPR-1010 unit, and it seems many of the out-of-the-box instructions no longer work to get it up and running, in more ways than one. I have a few questions regarding it, because if I can't get it up and running, well I can't even register it for the required support/license plan and such.

First, it's not very clear to me yet - does this unit support DH group 24? From what I am gathering it seems that I will need to flash certain versions of ASA on the device to be able to use this, is that correct?

Second, to access the ASA interface, the instructions in the box say to browse to https://192.168.1.1/admin. I'm successfully able to reach the page, but the only thing it outputs is plain text, appearing to be in a query result format, stating {message unauthorized status_code 401}. Any advice on this for how to get it working?

Thanks!

7 Replies

Hi,

What software are you running on the FPR1010, FTD or ASA?

If running ASA, then the first version of ASA the FPR1010 supports is 9.13, and the release notes confirm DH group 24 is deprecated: https://www.cisco.com/c/en/us/td/docs/security/asa/asa913/release/notes/asarn913.html

IKEv2: The following subcommands are deprecated:
crypto ikev2 policy priority
integrity md5
prf md5
group 2
group 5
group 24

...so you wouldn't be able to use DH group 24 if running ASA, why do you need DH group 24? Select another such as 19, 20 or 21.

Connect to the console port of the device to confirm whether you are running FTD or ASA, try connecting to https://ip-address.

HTH
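As an added illustration of the advice above (this is not configuration from the thread or from Cisco's documentation), here is what an ASA 9.13+ IKEv2 site-to-site proposal looks like when the deprecated DH group 24 is replaced by groups 20/21 while keeping the other algorithms the far end asks for (IKEv2, AES-256, SHA-512). The policy number, proposal and ACL names, subnets, and the peer address 203.0.113.10 are constructed placeholders, not values from the post.

```cisco
! Added example, not from the original thread. Names, subnets and the
! peer address are illustrative; replace them with your own values.
!
! What the peer currently expects, and what ASA 9.13 lists as a
! deprecated subcommand under "crypto ikev2 policy":
!   crypto ikev2 policy 10
!    group 24
!
! IKEv2 (phase 1) policy: AES-256, SHA-512 integrity and PRF, and the
! elliptic-curve groups the peer said it also accepts. Listing 21 and
! 20 lets the stronger group win if both sides offer it.
crypto ikev2 policy 10
 encryption aes-256
 integrity sha512
 group 21 20
 prf sha512
 lifetime seconds 86400
!
! IPsec (phase 2) proposal with the same cipher/hash strength.
crypto ikev2 ipsec-proposal AES256-SHA512
 protocol esp encryption aes-256
 protocol esp integrity sha-512
!
! Enable IKEv2 on the interface that faces the peer.
crypto ikev2 enable outside
!
! Interesting traffic (constructed subnets) and the crypto map entry.
! PFS is pinned to group 21 so phase 2 rekeys never fall back to a
! weaker group either.
access-list VPN-TO-PEER extended permit ip 192.168.10.0 255.255.255.0 10.50.0.0 255.255.255.0
crypto map outside_map 10 match address VPN-TO-PEER
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set ikev2 ipsec-proposal AES256-SHA512
crypto map outside_map 10 set pfs group21
crypto map outside_map interface outside
!
! Pre-shared-key authentication for the peer (key redacted).
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
```

After applying it, `show run crypto ikev2` confirms no `group 24` survives in the policy, and once the tunnel negotiates, `show crypto ikev2 sa detail` shows the DH group the two sides actually agreed on, which is the quickest way to prove to the far end that 20 or 21 was used rather than 24.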

Unfortunately I have no choice with group 24, as it's a requirement on the other end and they aren't willing to change it.

Honestly I'm not sure what version of ASA is on the unit as I can't even log in per the instructions that came in the box.

Would I be able to downgrade to a version of ASA that supports it?

I am able to reach the FTD page and log in fine, but that's not what I'm looking to use, and the instructions state that FTD is located at 192.168.1.1 and ASA at 192.168.1.1/admin

Ok, so your FPR1010 has FTD installed; you would need to re-image to use ASA (they don't run FTD and ASA at the same time). Regardless, the FPR1010 only supports ASA 9.13 or above, and DH group 24 was deprecated in 9.13. You cannot run an older version than 9.13 on your hardware.

You should convince your peer to change to a supported DH group; DH group 24 was deprecated by Cisco for a reason.

You could run FTD version 6.5, which I believe still supports DH group 24; however, this will be deprecated in later versions, so don't upgrade. Alternatively, find an older appliance that can run older ASA code and run the insecure DH group.

http://theglens.net/diffie-hellman-groups/

https://tools.ietf.org/html/rfc8247#section-2.4

HTH

Ok thanks for clearing that up Rob. Those out-of-the-box instructions just listed both interfaces as though they were both immediately available for use.

I would like to convince them to change the DH group, but unfortunately we're a tiny business attempting to connect with a mega corporation so they won't budge much! Their tech support told me last week that groups 20 and 21 are also acceptable (24 is what they currently have configured), but I saw neither of these either as an option in the FTD interface that came preinstalled.

Is there anything I would lose going with FTD instead of ASA? The requirements of the other end, in a nutshell, are IKEv2, AES256, SHA512, DH group 24 (can also do 20 or 21).

You don't lose anything by running FTD over ASA. FTD is the latest NGFW; if you are licensed, you get more features than you do running ASA. Here is the re-image guide, if you decide you wish to run ASA instead of FTD.

https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/reimage/asa-ftd-reimage.html#task_vhy_5kc_sgb

FTD and ASA can run DH group 20/21 and the other algorithms fine.

Strange, the only DH options I saw in the FTD interface were something like 5 and 10 (I don't remember clearly except that there were only two options and the numbers were much lower than 20). If I license the unit it will unlock other DH groups?

I definitely plan on licensing it, it would just be nice to know for sure that the unit is capable of what I need before dumping more money into it.

Anyway, I thank you for your attention to my questions; it's really appreciated! I couldn't get Cisco support on the phone, and networking is not my forte; I'm a solo software developer who had everything IT tossed on my shoulders not long ago.

Yes, I'm sure, I don't believe there is even a DH group 10. I think you might be looking in the wrong place, provide a screenshot if you still need assistance.