
firepower configuration missing on 5506

yangsonggui
Level 1

The FirePower configuration button is not visible in ASDM. 

Log in to ASDM, use the setup wizard, and configure the FirePOWER address: 10.55.5.201/255.255.0.0/10.55.5.241

The laptop is connected to the switch and configured with the IP address 10.55.5.202. Pinging 10.55.5.201 works, and ASDM login with the management IP (10.55.5.201) is OK, but I cannot find the FirePOWER configuration button.

The firewall mode is transparent.

ASA Version 9.6(1)
!
firewall transparent
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names

!
interface GigabitEthernet1/1
nameif outside
bridge-group 1
security-level 100
!
interface GigabitEthernet1/2
nameif inside
bridge-group 1
security-level 100
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
!
interface Management1/1
management-only
nameif management
security-level 100
ip address 10.55.5.201 255.255.0.0
!
interface BVI1
ip address 192.168.1.205 255.255.255.0
!
ftp mode passive
access-list inside-to-outside extended permit ip any any
access-list outside_access_in extended permit ip host 192.168.1.189 192.168.1.0 255.255.255.0
access-list outside_mpc extended permit ip host 192.168.1.189 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group outside_access_in in interface outside
access-group inside-to-outside out interface outside
route management 0.0.0.0 0.0.0.0 10.55.5.241 1
route outside 0.0.0.0 0.0.0.0 192.168.1.175 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.0.0.0 255.0.0.0 management
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet 10.0.0.0 255.0.0.0 management
telnet timeout 5
ssh stricthostkeycheck
ssh 10.0.0.0 255.0.0.0 management
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
dynamic-access-policy-record DfltAccessPolicy

username cisco123 password 3USUcOPFUiMCO4Jk encrypted privilege 15


!
class-map inspection_default
match default-inspection-traffic
class-map outside-class
match access-list outside_mpc
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
policy-map outside-policy
class outside-class
inspect netbios
!
service-policy global_policy global
service-policy outside-policy interface outside
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:525fd9bed6e62a005c45cf4d64ddd39c
: end
ciscoasa#

ciscoasa# show module

Mod Card Type Model Serial No.
---- -------------------------------------------- ------------------ -----------
1 ASA 5506-X with SW, 8GE Data, 1GE Mgmt, AC ASA5506 JADxxxxxxx

sfr FirePOWER Services Software Module ASA5506 JADxxxxxxx

Mod MAC Address Range Hw Version Fw Version Sw Version
---- --------------------------------- ------------ ------------ ---------------
1 002a.104b.57e6 to 002a.104b.57ef 1.1 1.1.8 9.6(1)
sfr 002a.104b.57e5 to 002a.104b.57e5 N/A N/A 5.4.1-211

Mod SSM Application Name Status SSM Application Version
---- ------------------------------ ---------------- --------------------------
sfr ASA FirePOWER Up 5.4.1-211

Mod Status Data Plane Status Compatibility
---- ------------------ --------------------- -------------
1 Up Sys Not Applicable
sfr Up Up

ciscoasa#

ciscoasa# show ver

Cisco Adaptive Security Appliance Software Version 9.6(1)
Device Manager Version 7.6(1)

Compiled on Fri 18-Mar-16 14:04 PDT by builders
System image file is "disk0:/asa961-lfbff-k8.SPA"
Config file at boot was "startup-config"

ciscoasa up 5 hours 8 mins

Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
Internal ATA Compact Flash, 8192MB
BIOS Flash M25P64 @ 0xfed01000, 16384KB

Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
Number of accelerators: 1

1: Ext: GigabitEthernet1/1 : address is 002a.104b.57e7, irq 255
2: Ext: GigabitEthernet1/2 : address is 002a.104b.57e8, irq 255
3: Ext: GigabitEthernet1/3 : address is 002a.104b.57e9, irq 255
4: Ext: GigabitEthernet1/4 : address is 002a.104b.57ea, irq 255
5: Ext: GigabitEthernet1/5 : address is 002a.104b.57eb, irq 255
6: Ext: GigabitEthernet1/6 : address is 002a.104b.57ec, irq 255
7: Ext: GigabitEthernet1/7 : address is 002a.104b.57ed, irq 255
8: Ext: GigabitEthernet1/8 : address is 002a.104b.57ee, irq 255
9: Int: Internal-Data1/1 : address is 002a.104b.57e6, irq 255
10: Int: Internal-Data1/2 : address is 0000.0001.0002, irq 0
11: Int: Internal-Control1/1 : address is 0000.0001.0001, irq 0
12: Int: Internal-Data1/3 : address is 0000.0001.0003, irq 0
13: Ext: Management1/1 : address is 002a.104b.57e6, irq 0

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 30 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Standby perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Carrier : Disabled perpetual
AnyConnect Premium Peers : 4 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 50 perpetual
Total VPN Peers : 50 perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
Shared License : Disabled perpetual
Total UC Proxy Sessions : 160 perpetual
Botnet Traffic Filter : Disabled perpetual
Cluster : Disabled perpetual

This platform has an ASA 5506 Security Plus license.

Serial Number: JADxxxxxxx
Running Permanent Activation Key: 
Configuration register is 0x1
Image type : Release
Key Version : A
Configuration last modified by cisco at 00:50:54.329 UTC Mon Aug 29 2016
ciscoasa#
ciscoasa#

6 Replies

Marvin Rhoads
Hall of Fame

Have you sessioned into the sfr module and accepted the EULA?

Not yet. Is it a necessary step?

Do you think the sfr IP address is correct in my case? Should it be 192.168.1.xxx or 10.55.5.xxx? And what is the gateway IP address?

You shouldn't have to accept the EULA to reach the module.

Re-reading your post, did you set BOTH the ASA management and FirePOWER module address to 10.55.5.201? They need to be different addresses in that /16. Think of the FirePOWER module like a VM on the same ESXi host as the ASA software. Each has its own distinct IP configuration and address.

The FirePOWER module gateway should be the core switch at 10.255.5.202.

Thanks so much!

As I understand it now, I should log in to ASDM, use the setup wizard, change the FirePOWER module IP address to 10.55.5.202/16 and set the correct gateway address, then log out of ASDM and log in again; the FirePOWER module configuration button should then be found in ASDM, right?

Well, close - you said your core switch is .202 and the ASA management interface is .201.

The FirePOWER module needs to be a third unique address in that /16 subnet.

When you launch ASDM, it pulls up information from the FirePOWER module (the same as you could do from the CLI with "show module sfr detail") and uses that information to populate the FirePOWER module Home, Configuration and Monitoring sections within ASDM.

Okay, totally understood. Actually, .202 isn't the gateway address. I know we need a unique address for the FirePOWER module. Thanks for clarifying!

I will try troubleshooting next week, maybe (due to the new schedule). I will let you know the latest update. Much appreciated!
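
The address rule from the replies above (the FirePOWER module needs its own address in the same subnet as the ASA management interface) can be checked before re-running the setup wizard. This is an added example, not part of the thread or any Cisco tool: the function names are hypothetical, the config excerpt is the Management1/1 stanza as posted, and 10.55.5.203 and 192.168.1.206 are constructed test addresses.

```python
import ipaddress
import re

# Constructed sample: the management and BVI stanzas as posted in the thread.
ASA_CONFIG = """\
interface Management1/1
 management-only
 nameif management
 security-level 100
 ip address 10.55.5.201 255.255.0.0
!
interface BVI1
 ip address 192.168.1.205 255.255.255.0
!
"""

def asa_mgmt_interface(config, name="Management1/1"):
    """Return the address/mask configured under the named interface stanza."""
    in_stanza = False
    for line in config.splitlines():
        if line.startswith("interface "):
            in_stanza = line.split()[1] == name
        m = re.match(r"\s*ip address ([\d.]+) ([\d.]+)", line)
        if in_stanza and m:
            return ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    raise ValueError(f"no static ip address found under interface {name}")

def check_sfr_plan(config, sfr_ip, sfr_gateway):
    """List problems with a proposed FirePOWER module address and gateway."""
    mgmt = asa_mgmt_interface(config)
    net = mgmt.network
    sfr = ipaddress.ip_address(sfr_ip)
    gw = ipaddress.ip_address(sfr_gateway)
    problems = []
    if sfr == mgmt.ip:
        problems.append(f"module address {sfr} duplicates the ASA management address")
    if sfr not in net:
        problems.append(f"module address {sfr} is outside {net}")
    elif sfr in (net.network_address, net.broadcast_address):
        problems.append(f"module address {sfr} is not a usable host in {net}")
    if gw not in net:
        problems.append(f"gateway {gw} is outside {net}")
    if gw == sfr:
        problems.append(f"gateway {gw} is the module's own address")
    return problems

if __name__ == "__main__":
    # The plan from the original post: module set to the ASA's own address.
    for p in check_sfr_plan(ASA_CONFIG, "10.55.5.201", "10.55.5.241"):
        print("PROBLEM:", p)
```
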
