Firewall ASA FTD firepower SecLvl 0 all interfaces

Fotiosmark
Level 1

Hello,

I have a very weird problem with a Firepower device. I just got it out of the box, went through the management interface configuration, and the web UI got stuck loading for 10 minutes, so I refreshed. :)

After that it will not let me go through https://192.168.45.45 or the inside interface gi1/2 1.1.

I went through a console cable and I saw that it got the below configuration.


interface GigabitEthernet1/2
 nameif inside
 cts manual
  propagate sgt preserve-untag
  policy static sgt disabled trusted
 security-level 0
 ip address 192.168.1.1 255.255.255.0

interface Management1/1
 management-only
 nameif diagnostic
 cts manual
  propagate sgt preserve-untag
  policy static sgt disabled trusted
 security-level 0
 no ip address

Now correct me if I am wrong, but since it has security level 0, it will never let me in through the web.

I tried looking for commands to change the interface through the CLI, but I couldn't find any!

Model                     : Cisco ASA5516-X Threat Defense (75) Version 6.2.0 (Build 363)

Please help! What's wrong with it, and why did it set the interfaces to security level 0?


Rahul Govindan
VIP Alumni

The ASA looks to be running the Firepower Threat Defense OS.

Model                     : Cisco ASA5516-X Threat Defense (75) Version 6.2.0 (Build 363)

FTD no longer uses security levels; it uses zones to create access policies between. Also, there is no CLI configuration on the FTD; this has to be configured using the on-box Firepower Device Manager (FDM) or the centralized Firepower Management Center (FMC).

This is a quick start guide to set up FTD using the FDM.

https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/5506X/ftd-fmc-5506x-qsg.html

If you want to get to the ASA image, use the guide below:

https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/reimage/asa-ftd-reimage.html


Yes... it has locked me out. It won't load the start page, not from the management interface, not from the inside interface. The security levels are 0 for some reason.

It looks like somehow your unit got an improper or partial configuration on it.

To get back to factory default, try the following from your console connection:

> configure manager delete
> configure firewall transparent
> configure firewall routed

Yes, it was my actual PC that just had an issue. It worked. Anyhow, now I am trying to register the FTD to the FMC. I turned the management IP to be on the same network as the outside to register the device, and then turned it back to what it was to start with.
Now when I am trying to configure the manager I get the below....

The management IP address is currently using the data interfaces as the gateway. This is not supported when you manage the device remotely with Firepower Management Center. You must first use the "configure network ipv4 manual" or "configure network ipv6 manual" commands to configure an explicit gateway on the management network, then come back and run "configure manager add" command again.

My Priv. Net IP 192.168.99.0 / 24
Management IP : 192.168.45.45
Show Network
show network
===============[ System Information ]===============
Hostname : ******
DNS Servers : ******
8.8.8.8
Management port : 8305

======================[ br1 ]=======================
State : Enabled
Channels : Management & Events
Mode : Non-Autonegotiation
MDI/MDIX : Auto/MDIX
MTU : 1500
MAC Address : 00:5D:73:F8:30:E0
----------------------[ IPv4 ]----------------------
Configuration : Manual
Address : 192.168.45.45
Netmask : 255.255.255.0
Broadcast : 192.168.45.255
----------------------[ IPv6 ]----------------------
Configuration : Disabled

===============[ Proxy Information ]================
State : Disabled
Authentication : Disabled

I have the outside interface connected to a switch, which can get to the outside network, and the management interface connected to a laptop. I also have a CLI console cable.

Any suggestions/thoughts?
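The error quoted above is the condition to check before running `configure manager add`: the management interface (br1) must have its own explicit gateway on the management subnet, not the data interfaces. The Python script below is an added example, not code from this thread or from Cisco. It parses a constructed `show network` paste (modelled on the one above, with a `Gateway : data-interfaces` line added on the assumption that this is what FTD prints when the data interfaces are the gateway), flags the unsupported case, and produces the two FTD console commands that fix it. The gateway 192.168.45.1, the FMC address 192.168.99.10 and the registration key cisco123 are hypothetical placeholders.

```python
"""Pre-flight check for FTD management-gateway placement before `configure manager add`.

Parses `show network` text from an FTD console session and decides whether the
management interface (br1) has an explicit gateway on its own subnet, or is
using the data interfaces as its gateway, which FMC registration rejects.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the `show network` paste in the thread.
# ASSUMPTION: FTD prints "Gateway : data-interfaces" when the management IP was
# set with `configure network ipv4 manual <ip> <mask> data-interfaces`; the
# paste in the thread has no Gateway line at all, so that line is added here.
SHOW_NETWORK_DATA_GW = """\
===============[ System Information ]===============
Hostname : ftd-lab
DNS Servers : 8.8.8.8
Management port : 8305

======================[ br1 ]=======================
State : Enabled
Channels : Management & Events
Mode : Non-Autonegotiation
MDI/MDIX : Auto/MDIX
MTU : 1500
MAC Address : 00:5D:73:F8:30:E0
----------------------[ IPv4 ]----------------------
Configuration : Manual
Address : 192.168.45.45
Netmask : 255.255.255.0
Gateway : data-interfaces
Broadcast : 192.168.45.255
----------------------[ IPv6 ]----------------------
Configuration : Disabled

===============[ Proxy Information ]================
State : Disabled
Authentication : Disabled
"""


@dataclass
class MgmtIPv4:
    address: str
    netmask: str
    gateway: Optional[str]  # None (no line), "data-interfaces", or an IPv4 address

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.IPv4Interface(f"{self.address}/{self.netmask}").network


def parse_show_network(text: str, iface: str = "br1") -> MgmtIPv4:
    """Pull the IPv4 fields of the named interface out of `show network` output."""
    # Section headers use '=' rules ("[ br1 ]"); sub-blocks use '-' rules ("[ IPv4 ]").
    sect = re.search(rf"=+\[ {re.escape(iface)} \]=+\n(.*?)(?=\n=+\[|\Z)", text, re.S)
    if not sect:
        raise ValueError(f"interface {iface} not found in show network output")
    ipv4 = re.search(r"-+\[ IPv4 \]-+\n(.*?)(?=\n-+\[|\Z)", sect.group(1), re.S)
    if not ipv4:
        raise ValueError(f"no IPv4 block for {iface}")
    fields = {}
    for line in ipv4.group(1).splitlines():
        if " : " in line:
            key, value = line.split(" : ", 1)
            fields[key.strip()] = value.strip()
    return MgmtIPv4(fields["Address"], fields["Netmask"], fields.get("Gateway"))


def gateway_problem(m: MgmtIPv4) -> Optional[str]:
    """Explain why `configure manager add` would be refused, or return None if it is fine."""
    if m.gateway is None or m.gateway.lower() == "data-interfaces":
        return "management gateway is the data interfaces; FMC-managed devices need an explicit gateway"
    gw = ipaddress.IPv4Address(m.gateway)
    if gw not in m.network:
        return f"gateway {gw} is outside the management subnet {m.network}"
    return None


def remediation(m: MgmtIPv4, gateway: str, fmc: str, regkey: str) -> List[str]:
    """FTD console commands, in order, to fix the gateway and then register with FMC.

    `gateway`, `fmc` and `regkey` are caller-supplied (hypothetical values in the usage
    below); the registration key must match the one entered on the FMC for this device.
    """
    gw = ipaddress.IPv4Address(gateway)
    if gw not in m.network or str(gw) == m.address:
        raise ValueError(f"{gateway} is not a usable gateway on {m.network}")
    return [
        f"configure network ipv4 manual {m.address} {m.netmask} {gateway}",
        f"configure manager add {fmc} {regkey}",
    ]


if __name__ == "__main__":
    mgmt = parse_show_network(SHOW_NETWORK_DATA_GW)
    problem = gateway_problem(mgmt)
    print("problem:", problem)
    if problem:
        # Hypothetical addresses: a router at .1 on the management LAN, an FMC at 192.168.99.10
        for cmd in remediation(mgmt, "192.168.45.1", "192.168.99.10", "cisco123"):
            print(">", cmd)
```

To use it on a real device, save the console output of `show network` to a file and pass its contents to `parse_show_network` instead of the constructed sample. The gateway you supply has to actually route from the management subnet to the FMC; an explicit gateway on an isolated management LAN satisfies the CLI check but the registration will still time out if the FMC cannot be reached through it, which is the same point made below about a remotely located FMC.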

If your FMC is remotely located on the outside network, then it is difficult to set up management with a gateway on the inside data interface.

For instance, how would your outside interface know its address?

You have to either put the management interface on the outside network, or else pre-deploy the appliance at the site where your FMC is and then send it to the remote location with all the addressing, routing and any NAT etc. already having been pushed to it.

Hi Marvin,

I am new to the whole Firepower with Manager configs. Not much CLI support.
What I was thinking is to pre-deploy the ASA5516 FTD as transparent behind the actual edge routers (4 of them) and create BVIs to connect to the rest of the network.

Regarding the FMC (correct me if I am wrong), I was thinking to deploy it locally, where I will manage the FTD, and do port forwarding from my router to the customer's network and build a VPN tunnel between my router and where I will connect the management interface. I don't know if that design will work with FTD; I did these kinds of port forwardings for other services that I would like to manage remotely.

Now, since the whole licensing was changed by Cisco and it took me 3 days to figure out Smart Licensing, I am back to trying to design.

FTD: 4 interfaces connected to 4 different edge routers and 4 to the main switch, configured as port channels. (Can it do load balancing towards the routers, and does it support port channels and load balancing based on MAC address?)
Also I am really confused with the licenses. There is a license ESA-LIC (for email security) which I am not really sure if that's a different service (built like a different VM) or a service where I somehow put it on the FMC and voila, I have a new option for emails...
Thanks Marvin, you've been a great help!

I'm not sure about your specific detailed design. That's probably a bit more than is best handled in a simple support forum thread.

Generally speaking, FTD does support port-channel interfaces.

Email Security Appliance (ESA) licenses are completely separate from anything FTD- and FMC-related. There's generally no direct interaction between ESA and FTD.

I know :) I will share my results with you! It sounds interesting and I am wondering if I can pass the management traffic through the public net :)

I would assume from what I am reading on the Cisco site that it does support port-channels.
https://www.cisco.com/c/en/us/td/docs/security/firepower/610/configuration/guide/fpmc-config-guide-v61/interfaces_for_firepower_threat_defense.html#ID-2077-00000046

Configure an EtherChannel
This section describes how to create an EtherChannel port-channel interface, assign interfaces to the EtherChannel, and customize the EtherChannel.

So I assume I can make the FTD transparent, connect 4 interfaces to the inside switch all in the same BVI and add them as port channels.