Firepower connection issue on ASA5508X

Rawit2015
Level 1

Hi to all of you :)

I am having an issue on my firewall, but since I am quite new to ASA I cannot find the cause.

I have found some similar issues regarding this, but they don't help me fix my problem:

I have set the management port IP (in ASA IOS) and the Firepower module to the same IP range with different IP addresses. The result: I was able to connect and get the Firepower module.

Following this website: Link ASA with Firemodule and Fix Error in ASA/Firemodule, but no luck.

Here is the "pruned" configuration of my ASA:

ASA Version 9.6(1)
!
hostname ASA
enable password OfCHMfd1XRg0CosZ encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
ip local pool SandersVPN_DHCP 10.16.16.2-10.16.16.22 mask 255.255.255.0
ip local pool SandersFB_VPN_DHCP 172.16.16.2-172.16.16.22 mask 255.255.255.0

!
interface GigabitEthernet1/1
description Primary line to ISP
nameif outsideMain
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.248
!
interface GigabitEthernet1/2
description Failback 4G link
nameif outsideFailback
security-level 0
ip address 192.168.8.100 255.255.255.0
!
interface GigabitEthernet1/3
nameif administration
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/4
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4.1
vlan 4
nameif administrationW
security-level 100
ip address 192.168.4.1 255.255.255.0
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
description TestOutsideConnection
nameif TestConnection
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.248
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outsideMain
dns domain-lookup outsideFailback
dns domain-lookup administration
dns domain-lookup administrationW
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network NETWORK_OBJ_10.16.16.0_27
subnet 10.16.16.0 255.255.255.224
object network NETWORK_OBJ_172.16.16.0_27
subnet 172.16.16.0 255.255.255.224
object network AdministrationObj
subnet 192.168.1.0 255.255.255.0
object network AdministrationWObj
subnet 192.168.4.0 255.255.255.0
object network GuestWiFiObj
subnet 192.168.10.0 255.255.254.0
object network AdministrationFailbackObj
subnet 192.168.1.0 255.255.255.0
object network AdministrationW_FailbackObj
subnet 192.168.4.0 255.255.255.0
object network GuestWiFi_FailbackObj
subnet 192.168.10.0 255.255.254.0
object network MainGatewayIP
host xxx.xxx.xxx.xxx
description Gateway IP
object network 4G_FailbackGateway
host 192.168.8.1
description 4G Failback link
object network AdminWifiNetwork
host 192.168.4.1
description Access to Administration WiFi
object network OutSideMainLink
subnet xxx.xxx.xxx.xxx 255.255.255.248
description MainLink
object network FailbackLink
subnet 192.168.8.0 255.255.255.0
description FailbackLink
object network TestConnectionNAT
subnet 192.168.1.0 255.255.255.0
description test connection NAT
object network TestConnectionNAT_W
subnet 192.168.4.0 255.255.255.0
description Test connection NAT_W
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object icmp echo
service-object icmp echo-reply
service-object icmp time-exceeded
service-object icmp traceroute
service-object icmp unreachable
object-group service DM_INLINE_SERVICE_2
service-object icmp
service-object icmp echo
service-object icmp echo-reply
service-object icmp time-exceeded
service-object icmp traceroute
service-object icmp unreachable
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list sfr_policy extended permit ip any any
access-list sfr_redirect extended permit ip any any
access-list administrationICMP extended permit icmp interface administration interface administrationW echo-reply log
access-list administrationICMP extended permit ip any any
access-list outsideFailback_access_in extended permit icmp any any echo-reply
access-list outsideFailback_access_in extended permit icmp any 192.168.1.0 255.255.255.0 echo-reply
access-list outsideMain_access_in extended permit icmp any interface administration echo-reply
access-list outsideMain_access_in extended permit icmp any interface administrationW echo-reply
access-list administrationW_access_in extended permit object-group TCPUDP any4 any4 eq domain
access-list administrationW_access_in extended permit object-group DM_INLINE_SERVICE_1 any4 any4
access-list administrationW_access_in extended permit ip any4 any
access-list ICMP-ADM extended permit object-group TCPUDP any4 any4 eq domain
access-list ICMP-ADM extended permit object-group DM_INLINE_SERVICE_2 any4 any4
access-list ICMP-ADM extended permit ip any4 any4
access-list ICMP-ADM extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list Split_Tunnel_List standard permit 192.168.1.0 255.255.255.0
access-list SFR extended permit ip any any
pager lines 24
logging enable
logging monitor debugging
logging asdm informational
no logging message 106023
mtu outsideMain 1500
mtu outsideFailback 1500
mtu administration 1500
mtu administrationW 1500
mtu TestConnection 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp permit any administration
icmp permit any administrationW
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (administration,outsideMain) source static any any destination static NETWORK_OBJ_10.16.16.0_27 NETWORK_OBJ_10.16.16.0_27 no-proxy-arp route-lookup
nat (administration,outsideFailback) source static any any destination static NETWORK_OBJ_172.16.16.0_27 NETWORK_OBJ_172.16.16.0_27 no-proxy-arp route-lookup
!
object network AdministrationObj
nat (administration,outsideMain) dynamic interface dns
object network AdministrationWObj
nat (administrationW,outsideMain) dynamic interface dns
object network AdministrationFailbackObj
nat (administration,outsideFailback) dynamic interface dns
object network AdministrationW_FailbackObj
nat (administrationW,outsideFailback) dynamic interface dns
object network TestConnectionNAT
nat (administration,TestConnection) dynamic interface dns
object network TestConnectionNAT_W
nat (administrationW,TestConnection) dynamic interface dns
access-group ICMP-ADM in interface administration
access-group administrationW_access_in in interface administrationW
route TestConnection 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1 track 1
route outsideMain 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 10
route outsideFailback 0.0.0.0 0.0.0.0 192.168.8.1 254
route administration 192.168.100.0 255.255.255.0 192.168.100.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 administration
http 192.168.4.0 255.255.255.0 administrationW
http 192.168.100.0 255.255.255.0 administration
no snmp-server location
no snmp-server contact
sla monitor 123
type echo protocol ipIcmpEcho 8.8.8.8 interface TestConnection
sla monitor schedule 123 life forever start-time now
service sw-reset-button
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outsideMain_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outsideMain_map interface outsideMain
crypto map outsideFailback_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outsideFailback_map interface outsideFailback
crypto map administration_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map administration_map interface administration
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
enrollment self
fqdn none
subject-name CN=192.168.2.1,CN=ASA
keypair ASDM_LAUNCHER
crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_1
enrollment self
fqdn none
subject-name CN=192.168.1.1,CN=ASA
keypair ASDM_LAUNCHER
crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_2
enrollment self
fqdn none
subject-name CN=192.168.2.1,CN=ASA
keypair ASDM_LAUNCHER
crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_3
enrollment self
fqdn none
subject-name CN=192.168.2.1,CN=ASA
keypair ASDM_LAUNCHER

and SFR config:

===============[ System Information ]===============
Hostname : ASA
DNS Servers : 8.8.8.8
8.8.4.4
208.67.222.222
208.67.220.220
Management port : 8305
IPv4 Default route
Gateway : 192.168.100.1

======================[ eth0 ]======================
State : Enabled
Channels : Management & Events
Mode :
MDI/MDIX : Auto/MDIX
MTU : 1500
MAC Address : CC:16:7E:87:22:84
----------------------[ IPv4 ]----------------------
Configuration : Manual
Address : 192.168.100.2
Netmask : 255.255.255.0
Broadcast : 192.168.100.255

IPv4 Static route
Destination : 192.168.1.0
Gateway : 192.168.100.1
Netmask : 255.255.255.0

----------------------[ IPv6 ]----------------------
Configuration : Disabled

===============[ Proxy Information ]================
State : Disabled
Authentication : Disabled

I have changed so much lately in the config that I probably cannot see the issue: "cannot see the tree from the forest" :)

How can I enable communication between ASA and Firepower module?

Thank you in advance 


Marvin Rhoads
Hall of Fame

I take it you are trying to manage the FirePOWER module via ASDM - is that correct?

If so, please share the output of "show module sfr detail".

Hi Marvin,

Thank you for a quick response. That is correct.

From my perspective, there is no point in running the Firepower module via the web service since I can have it all in one place, and that is ASDM.

Here is the output that you requested:

Card Type: FirePOWER Services Software Module
Model: ASA5508
Hardware version: N/A
Serial Number: XXXXXXXXX
Firmware version: N/A
Software version: 5.4.1-211
MAC Address Range: cc16.7e87.2284 to cc16.7e87.2284
App. name: ASA FirePOWER
App. Status: Up
App. Status Desc: Normal Operation
App. version: 5.4.1-211
Data Plane Status: Up
Console session: Ready
Status: Up
DC addr: No DC Configured
Mgmt IP addr: 192.168.100.2
Mgmt Network mask: 255.255.255.0
Mgmt Gateway: 192.168.100.1
Mgmt web ports: 443
Mgmt TLS enabled: true

I have changed something in the configuration, so I am posting the newest config:

ASA Version 9.6(1)
!
hostname ASA
enable password OfCHMfd1XRg0CosZ encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
ip local pool SandersVPN_DHCP 10.16.16.2-10.16.16.22 mask 255.255.255.0
ip local pool SandersFB_VPN_DHCP 172.16.16.2-172.16.16.22 mask 255.255.255.0

!
interface GigabitEthernet1/1
description Primary line to ISP
nameif outsideMain
security-level 0
ip address xxx.xxx.xxx.18 255.255.255.248
!
interface GigabitEthernet1/2
description Failback 4G link
nameif outsideFailback
security-level 0
ip address 192.168.8.100 255.255.255.0
!
interface GigabitEthernet1/3
nameif administration
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/4
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4.1
vlan 4
nameif administrationW
security-level 100
ip address 192.168.4.1 255.255.255.0
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
description TestOutsideConnection
nameif TestConnection
security-level 0
ip address xxx.xxx.xxx.218 255.255.255.248
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outsideMain
dns domain-lookup outsideFailback
dns domain-lookup administration
dns domain-lookup administrationW
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network NETWORK_OBJ_10.16.16.0_27
subnet 10.16.16.0 255.255.255.224
object network NETWORK_OBJ_172.16.16.0_27
subnet 172.16.16.0 255.255.255.224
object network AdministrationObj
subnet 192.168.1.0 255.255.255.0
object network AdministrationWObj
subnet 192.168.4.0 255.255.255.0
object network GuestWiFiObj
subnet 192.168.10.0 255.255.254.0
object network AdministrationFailbackObj
subnet 192.168.1.0 255.255.255.0
object network AdministrationW_FailbackObj
subnet 192.168.4.0 255.255.255.0
object network GuestWiFi_FailbackObj
subnet 192.168.10.0 255.255.254.0
object network MainGatewayIP
host xxx.xxx.xxx.17
description Gateway IP
object network 4G_FailbackGateway
host 192.168.8.1
description 4G Failback link
object network AdminWifiNetwork
host 192.168.4.1
description Access to Administration WiFi
object network OutSideMainLink
subnet xxx.xxx.xxx.16 255.255.255.248
description MainLink
object network FailbackLink
subnet 192.168.8.0 255.255.255.0
description FailbackLink
object network TestConnectionNAT
subnet 192.168.1.0 255.255.255.0
description test connection NAT
object network TestConnectionNAT_W
subnet 192.168.4.0 255.255.255.0
description Test connection NAT_W
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object icmp echo
service-object icmp echo-reply
service-object icmp time-exceeded
service-object icmp traceroute
service-object icmp unreachable
object-group service DM_INLINE_SERVICE_2
service-object icmp
service-object icmp echo
service-object icmp echo-reply
service-object icmp time-exceeded
service-object icmp traceroute
service-object icmp unreachable
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list sfr_policy extended permit ip any any
access-list sfr_redirect extended permit ip any any
access-list administrationICMP extended permit icmp interface administration interface administrationW echo-reply log
access-list administrationICMP extended permit ip any any
access-list outsideFailback_access_in extended permit icmp any any echo-reply
access-list outsideFailback_access_in extended permit icmp any 192.168.1.0 255.255.255.0 echo-reply
access-list outsideMain_access_in extended permit icmp any interface administration echo-reply
access-list outsideMain_access_in extended permit icmp any interface administrationW echo-reply
access-list administrationW_access_in extended permit object-group TCPUDP any4 any4 eq domain
access-list administrationW_access_in extended permit object-group DM_INLINE_SERVICE_1 any4 any4
access-list administrationW_access_in extended permit ip any4 any
access-list ICMP-ADM extended permit object-group TCPUDP any4 any4 eq domain
access-list ICMP-ADM extended permit object-group DM_INLINE_SERVICE_2 any4 any4
access-list ICMP-ADM extended permit ip any4 any4
access-list ICMP-ADM extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list Split_Tunnel_List standard permit 192.168.1.0 255.255.255.0
access-list SFR extended permit ip any any
pager lines 24
logging enable
logging monitor debugging
logging asdm informational
no logging message 106023
mtu outsideMain 1500
mtu outsideFailback 1500
mtu administration 1500
mtu administrationW 1500
mtu TestConnection 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp permit any administration
icmp permit any administrationW
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (administration,outsideMain) source static any any destination static NETWORK_OBJ_10.16.16.0_27 NETWORK_OBJ_10.16.16.0_27 no-proxy-arp route-lookup
nat (administration,outsideFailback) source static any any destination static NETWORK_OBJ_172.16.16.0_27 NETWORK_OBJ_172.16.16.0_27 no-proxy-arp route-lookup
!
object network AdministrationObj
nat (administration,outsideMain) dynamic interface dns
object network AdministrationWObj
nat (administrationW,outsideMain) dynamic interface dns
object network AdministrationFailbackObj
nat (administration,outsideFailback) dynamic interface dns
object network AdministrationW_FailbackObj
nat (administrationW,outsideFailback) dynamic interface dns
object network TestConnectionNAT
nat (administration,TestConnection) dynamic interface dns
object network TestConnectionNAT_W
nat (administrationW,TestConnection) dynamic interface dns
access-group ICMP-ADM in interface administration
access-group administrationW_access_in in interface administrationW
route TestConnection 0.0.0.0 0.0.0.0 xxx.xxx.xxx.217 1 track 1
route outsideMain 0.0.0.0 0.0.0.0 xxx.xxx.xxx.17 10
route outsideFailback 0.0.0.0 0.0.0.0 192.168.8.1 254
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 administration
http 192.168.4.0 255.255.255.0 administrationW
no snmp-server location
no snmp-server contact
sla monitor 123
type echo protocol ipIcmpEcho 8.8.8.8 interface TestConnection
sla monitor schedule 123 life forever start-time now
service sw-reset-button
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outsideMain_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outsideMain_map interface outsideMain
crypto map outsideFailback_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outsideFailback_map interface outsideFailback
crypto map administration_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map administration_map interface administration
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
enrollment self
fqdn none
subject-name CN=192.168.2.1,CN=ASA
keypair ASDM_LAUNCHER
crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_1
enrollment self
fqdn none
subject-name CN=192.168.1.1,CN=ASA
keypair ASDM_LAUNCHER
crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_2
enrollment self
fqdn none
subject-name CN=192.168.2.1,CN=ASA
keypair ASDM_LAUNCHER
crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_3
enrollment self
fqdn none
subject-name CN=192.168.2.1,CN=ASA
keypair ASDM_LAUNCHER
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
certificate c237a157
308202d2 308201ba a0030201 020204c2 37a15730 0d06092a 864886f7 0d010105
2dc52822 2eeb5786 20a1501a 7773d35c e652203e 4a35a93f f9d5608e 2fce8683
ed8f6158 5ef66923 fde27750 30079459 6c62a503 cc6b630f f0688977 1a11a05a
b2a97b88 58cb8fe5 bccc23da f0bc88c3 57864600 7df648ef 29c6039f f057b891
e7d96647 86cda131 3cd9f917 642a3c49 5a14f9fd 480b
quit
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_1
certificate ad4ea157
308202d2 308201ba a0030201 020204ad 4ea15730 0d06092a 864886f7 0d010105
649bbb84 bec1ce02 9786ca6c 28853c8f 2612008c c4685609 61d3fef4 37c65619
fdc26c74 e03a4138 d87274ac f38f65ff 11b4a431 4bc9edf8 cd737d2b 50bca3ff
6b9ed4be 94a7fb56 de090512 529dbc38 f9a5b7f0 8fc6
quit
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_2
certificate f87bb257
308202d2 308201ba a0030201 020204f8 7bb25730 0d06092a 864886f7 0d010105
03b3cf80 adce66ae 47c4cd38 06bc99f9 1d4aa0b9 bd20767b 60aaa23d 90bfb854
2a0c1aec 20c886cd d694f1ca 8eadf488 cf0159d0 3ce4c7c2 222d0f90 d1f74302
8afed8ee 07d20667 43205b08 940a8f7f 86ee0f1d f4cd
quit
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_3
certificate ae39db57
308202d2 308201ba a0030201 020204ae 39db5730 0d06092a 864886f7 0d010105
66b80ffd 7bc5184f ea6c2d81 4d3dd060 b27b4f83 afad9c79 19ca6b94 57905770
8ea59c83 b822780b bd100f43 9a0496cb fc21a997 49a0c94f 9162607e 85eae1c0
706207ff 83a475d2 4aa7fdfa 1444aab2 51e85e59 a232
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outsideMain client-services port 443
crypto ikev2 enable outsideFailback client-services port 443
crypto ikev2 remote-access trustpoint ASDM_Launcher_Access_TrustPoint_1
!
track 1 rtr 123 reachability
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.1.0 255.255.255.0 administration
ssh 192.168.4.0 255.255.255.0 administrationW
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd dns 8.8.8.8
!
dhcpd address 192.168.1.2-192.168.1.251 administration
dhcpd dns 8.8.8.8 8.8.4.4 interface administration
dhcpd enable administration
!
dhcpd address 192.168.4.2-192.168.4.247 administrationW
dhcpd dns 8.8.8.8 8.8.4.4 interface administrationW
dhcpd enable administrationW
!
ssl trust-point ASDM_Launcher_Access_TrustPoint_1 outsideMain
ssl trust-point ASDM_Launcher_Access_TrustPoint_1 outsideFailback
ssl trust-point ASDM_Launcher_Access_TrustPoint_1 administration
ssl trust-point ASDM_Launcher_Access_TrustPoint_1 administrationW
ssl trust-point ASDM_Launcher_Access_TrustPoint_1 administration vpnlb-ip
webvpn
enable outsideMain
enable outsideFailback
anyconnect image disk0:/anyconnect-win-4.3.01095-k9.pkg 1
anyconnect profiles FailbackVPN_Access_client_profile disk0:/FailbackVPN_Access_client_profile.xml
anyconnect profiles MainVPN_Access_client_profile disk0:/MainVPN_Access_client_profile.xml
anyconnect profiles SandersFailbackVPN_client_profile disk0:/SandersFailbackVPN_client_profile.xml
anyconnect profiles SandersMainVPN_client_profile disk0:/SandersMainVPN_client_profile.xml
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy GroupPolicy_MainVPN_Access internal
group-policy GroupPolicy_MainVPN_Access attributes
wins-server none
dns-server value 8.8.8.8
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
default-domain none
webvpn
anyconnect profiles value MainVPN_Access_client_profile type user
group-policy GroupPolicy_FailbackVPN_Access internal
group-policy GroupPolicy_FailbackVPN_Access attributes
wins-server none
dns-server value 8.8.8.8
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
default-domain none
webvpn
anyconnect profiles value FailbackVPN_Access_client_profile type user
dynamic-access-policy-record DfltAccessPolicy
username admin password ULntHxAPASxzoMC/ encrypted privilege 15
username administrator password ULntHxAPASxzoMC/ encrypted privilege 15
tunnel-group MainVPN_Access type remote-access
tunnel-group MainVPN_Access general-attributes
address-pool SandersVPN_DHCP
default-group-policy GroupPolicy_MainVPN_Access
tunnel-group MainVPN_Access webvpn-attributes
group-alias MainVPN_Access enable
tunnel-group FailbackVPN_Access type remote-access
tunnel-group FailbackVPN_Access general-attributes
address-pool SandersFB_VPN_DHCP
default-group-policy GroupPolicy_FailbackVPN_Access
tunnel-group FailbackVPN_Access webvpn-attributes
group-alias FailbackVPN_Access enable
!
class-map SFR
match access-list SFR
class-map sfr
match access-list sfr_redirect
class-map inspection_default
match default-inspection-traffic
class-map sfr_policy
match access-list sfr_policy
class-map DefaultInspectionTraffic
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class sfr
sfr fail-open
class inspection_default
inspect icmp
class SFR
sfr fail-open
policy-map global-policy
description SFR rule for ASDM to Firepower module communication
class DefaultInspectionTraffic
inspect dns
inspect ftp
inspect http
inspect icmp
inspect icmp error
inspect ipsec-pass-thru
inspect netbios
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
!
service-policy global-policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
password encryption aes
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
: end

I simply cannot ping that SFR module, and I cannot understand why. Judging by all the comments from other guys/girls, following that tutorial they managed to get the Firepower module working in ASDM... What is different in my config?

Is there any additional access-list or security policy that I need to apply?

Best regards

You have "route administration 192.168.100.0 255.255.255.0 192.168.100.1 1". That gateway is not on the administration interface's subnet, so it is not valid.

The administration subnet needs to be able to reach the sfr module subnet. We generally put them on the same subnet so routing is not an issue. However if they are on different ones, they must have valid routing in place so they can communicate.

Please see the diagrams under Step 3 here:

http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/5508X/5508x-quick-start.html

Hi Marvin,

Yes, I am aware that it might be a routing issue, and I also tried to set the SFR network to 192.168.1.250/24 with gw 192.168.1.1, but without luck. Every time I try to ping that IP (192.168.1.250) I get no reply from the ASA...

I don't believe that it is a routing issue; it must be something else... I will modify the config and post the result.

If you change the sfr network to be in the same subnet as your administration interface, then make sure to change the VLAN that the attached switchport is assigned to.

How can I do that?

Again, I am a bit new to this.

The VLAN assignment is on the switch. If it is a Cisco switch, it would be something like:

conf t
interface <interface number>
switchport access vlan <vlan id>
end

OK, I am totally confused now. You mentioned VLANs: how do I find which VLAN is needed for the SFR module to work? I have Gi1/3, which is on the default VLAN (VLAN 1), and Gi1/4, which has a subinterface set as VLAN 4, but that is for a totally different thing (admin/guest WiFi). The whole network is designed like that... How can I tell which VLAN is needed for the SFR module to function?

Best regards

Please look at the figure in the Quick Start Guide that I linked earlier.

The ASA needs to be able to reach the SFR. That can happen if:

1. The physical interfaces are assigned to the same subnet and connected to a switch whose ports are in the same VLAN. This is what's shown in the quick start guide and is the simplest setup.

2. The physical interfaces are assigned to different subnets, the switchports are in the VLANs corresponding to those subnets, and routing is set up to allow communication between them.

In the latter case (which you have) the VLAN assignment is dictated by the switching and routing setup in your network.

Thanks Marvin. I will try tomorrow when I come to office.

Best regards.

Here is the newest config of the SFR:

> show network
===============[ System Information ]===============
Hostname : SandersASA
DNS Servers : 8.8.8.8
8.8.4.4
208.67.222.222
208.67.220.220
Management port : 8305
IPv4 Default route
Gateway : 192.168.1.1

======================[ eth0 ]======================
State : Enabled
Channels : Management & Events
Mode :
MDI/MDIX : Auto/MDIX
MTU : 1500
MAC Address : CC:16:7E:87:22:84
----------------------[ IPv4 ]----------------------
Configuration : Manual
Address : 192.168.1.250
Netmask : 255.255.255.0
Broadcast : 192.168.1.255
----------------------[ IPv6 ]----------------------
Configuration : Disabled

===============[ Proxy Information ]================
State : Disabled
Authentication : Disabled

SFR config:

Getting details from the Service Module, please wait...

Card Type: FirePOWER Services Software Module
Model: ASA5508
Hardware version: N/A
Serial Number: JAD20240A15
Firmware version: N/A
Software version: 5.4.1-211
MAC Address Range: cc16.7e87.2284 to cc16.7e87.2284
App. name: ASA FirePOWER
App. Status: Up
App. Status Desc: Normal Operation
App. version: 5.4.1-211
Data Plane Status: Up
Console session: Ready
Status: Up
DC addr: No DC Configured
Mgmt IP addr: 192.168.1.250
Mgmt Network mask: 255.255.255.0
Mgmt Gateway: 192.168.1.1
Mgmt web ports: 443
Mgmt TLS enabled: true

PING:

ping 192.168.1.250
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.250, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

I simply don't have a clue why it is not forwarding the traffic to the SFR, especially when I have defined the access-list policy.

"access-list SFR extended permit ip any any"

"policy-map global_policy
class sfr
sfr fail-open
class inspection_default
inspect icmp
class SFR
sfr fail-open
policy-map global-policy
description SFR rule for ASDM to Firepower module communication"

Rawit2015
Level 1

Hi Marvin,

Thank you very much. Not sure why the ASA is working like that, but I have made the config as per the link you sent, with a minor difference. There is a part of the text saying that I should have set Management 1/1 to the same subnet, but the ASA is rejecting that possibility:

ERROR: Failed to apply IP address to interface Management1/1, as the network overlaps with interface GigabitEthernet1/3. Two interfaces cannot be in the same subnet.

What I did is:

- Instead of setting the management port to an IP address in the 192.168.1.0/24 range (as on Gi1/3), I set it to no nameif, no security-level, no ip address, and went directly to the session sfr console and changed:

configure > network > ipv4 > manual > ip address netmask gw interface (eth0) to the same IP network (same subnet as Gi1/3). I plugged the cable from the switch to the management port, and now I can ping and get the Firepower module.

Thank you for the reference and best regards :)
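The thread turns on two configuration rules: the accepted answer's point that a static route's next hop has to sit inside the subnet of the interface the route is bound to, and the final post's two constraints on the SFR management network (its gateway must be on the SFR's own subnet and be an address the ASA owns, and the ASA will not let two interfaces share a subnet). The following is an added example, my own code rather than anything from the thread or from Cisco, that checks all three mechanically. The ASA and `show network` snippets are constructed from the lines posted above, trimmed to what the checks need; the function names are mine.

```python
"""Added example (not the thread's or Cisco's code): checks for the three
config mistakes this thread turns on, run on snippets built from the posts."""
import ipaddress
import re

# Constructed from the posted config: the inside interfaces and the bad static route.
ASA_CONFIG = """\
interface GigabitEthernet1/3
 nameif administration
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/4.1
 vlan 4
 nameif administrationW
 ip address 192.168.4.1 255.255.255.0
!
route administration 192.168.100.0 255.255.255.0 192.168.100.1 1
"""
# Constructed: the Management1/1 address the ASA rejected as overlapping Gi1/3.
MGMT_SAME_SUBNET = """\
interface Management1/1
 nameif management
 ip address 192.168.1.254 255.255.255.0
"""
# Constructed from the first (broken) and the final (working) SFR "show network".
SFR_NETWORK_BROKEN = """\
IPv4 Default route
  Gateway : 192.168.100.1
MAC Address : CC:16:7E:87:22:84
Address : 192.168.100.2
Netmask : 255.255.255.0
"""
SFR_NETWORK_FIXED = """\
IPv4 Default route
  Gateway : 192.168.1.1
MAC Address : CC:16:7E:87:22:84
Address : 192.168.1.250
Netmask : 255.255.255.0
"""


def parse_interfaces(config):
    """Map each nameif to its ip_interface (address plus mask)."""
    interfaces, nameif = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None                      # a new interface block starts
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            parts = line.split()               # ip address <addr> <mask> [standby ...]
            interfaces[nameif] = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}")
    return interfaces


def check_routes(config):
    """One message per static route whose next hop is outside its interface's subnet."""
    interfaces = parse_interfaces(config)
    problems = []
    for m in re.finditer(r"^route (\S+) (\S+) (\S+) (\S+)", config, re.M):
        nameif, net, mask, gw = m.groups()
        iface = interfaces.get(nameif)
        if iface is None:
            problems.append(f"route via unknown interface {nameif}")
        elif ipaddress.ip_address(gw) not in iface.network:
            problems.append(f"gateway {gw} for {net} {mask} is not on {nameif} ({iface.network})")
    return problems


def parse_sfr_network(text):
    """Pull Address, Netmask and the default-route Gateway out of 'show network'.
    Anchoring at line start keeps 'MAC Address' from matching 'Address'."""
    def grab(label):
        m = re.search(rf"^\s*{label}\s*:\s*(\S+)", text, re.M)
        return m.group(1) if m else None
    return {"address": grab("Address"), "netmask": grab("Netmask"), "gateway": grab("Gateway")}


def check_sfr_management(config, sfr_text):
    """The SFR gateway must be on the SFR subnet and be an address an ASA interface owns."""
    interfaces = parse_interfaces(config)
    f = parse_sfr_network(sfr_text)
    sfr = ipaddress.ip_interface(f"{f['address']}/{f['netmask']}")
    gw = ipaddress.ip_address(f["gateway"])
    problems = []
    if gw not in sfr.network:
        problems.append(f"SFR gateway {gw} is not on the SFR subnet {sfr.network}")
    if not any(i.ip == gw for i in interfaces.values()):
        problems.append(f"no ASA interface owns SFR gateway {gw}")
    return problems


def overlapping_interfaces(config):
    """Pairs of nameifs whose subnets overlap; the ASA refuses such a config."""
    items = list(parse_interfaces(config).items())
    return [(a, b) for i, (a, ia) in enumerate(items)
            for b, ib in items[i + 1:] if ia.network.overlaps(ib.network)]


if __name__ == "__main__":
    print("routes:", check_routes(ASA_CONFIG))
    print("sfr broken:", check_sfr_management(ASA_CONFIG, SFR_NETWORK_BROKEN))
    print("sfr fixed:", check_sfr_management(ASA_CONFIG, SFR_NETWORK_FIXED) or "ok")
    print("overlaps:", overlapping_interfaces(ASA_CONFIG + MGMT_SAME_SUBNET))
```

Run against the posted config it reports exactly the accepted answer's finding (the 192.168.100.1 next hop is not on 192.168.1.0/24), flags the original SFR gateway as an address no ASA interface owns, passes the final 192.168.1.250/24 with gateway 192.168.1.1 layout, and reproduces the overlap the ASA complained about when Management1/1 was put on the Gi1/3 subnet.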
