Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1862
Views
0
Helpful
4
Replies

Firepower 4110 with ASA

dm2020
Level 1
Level 1

‎12-12-2019 10:06 AM - edited ‎02-21-2020 09:45 AM

Hi All,

 

I'm looking to configure a pair of Cisco Firepower 4110 appliances that are running ASA software. I have read through the below configuration guide and it states that when configuring the logical ASA device, a management interface needs to be configured for the ASA itself which is different to the chassis (FXOS) interface.

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/fp4100/firepower-4100-gsg/asa_deploy.html

 

Is this management interface the same management interface that you have on a standard ASA appliance? If so, even though you have to specify one during the setup of the logical ASA, does it have to be used to actually manage the ASA or can you use the standard in-band interfaces (such as inside) to access the ASA ASDM and CLI?

 

Thanks, 

Labels:
0 Helpful
4 Replies 4

Marvin Rhoads
Hall of Fame
Hall of Fame

‎12-12-2019 06:41 PM

You can use the in-band (data plane) interfaces of your ASA logical device so long as you have allowed it with the "ssh..." and "http.." commands just like on a traditional ASA.

0 Helpful

dm2020
Level 1
Level 1
In response to Marvin Rhoads

‎12-13-2019 12:51 AM

Hi Marvin,

 

Thats great, thanks for confirming that. I'm used to traditional ASA and I've never used its management interface before as its not in a separate routing table and and has always conflicted with my production networks. I'm assuming that this is no different and has the same restrictions? I know that the chassis management interface is in a different routing table and can now be used for true out-of-band management of the appliance which is nice.

 

Thanks

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to dm2020

‎12-13-2019 02:43 AM

Actually ASA management interfaces have had their own separate routing table since ASA Release 9.5(1):

https://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/general/asa-95-general-config/route-overview.html#reference_F02E984EE51F49F5B979DE3ED9239EEE

So both the chassis management (via FX-OS) and ASA logical device management (via designated ASA management interface) can be in an out-of band or otherwise logically separated management network.

0 Helpful

CSOSTSupportSupport6291
Level 1
Level 1
In response to Marvin Rhoads

‎11-05-2020 10:05 AM

Is there any way to setup the Firepower with an ASA image without having to "burn" an external interface?  Seems a waste to use a 10GB interface for just being able to access the ASA from the FXOS console.  Once it is setup can I reconfigure the interface in the ASA so I can add sub-interfaces.  I noticed when I used "connect module 1 telnet" that it was using an internal IP address and not the management IP address.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card