Solved: Re: How to add ASA5506-X to FMC? - Page 2

SlawekDejneka69032 · ‎03-19-2021

Hi,

I'm trying to create a lab with 2x 5506-X FWs and add them to the FMC. However initial configuration after FW reset doesn't allow me to choose 'Managed locally?' and set in to 'NO'. Therefore i can't use command 'Configure manager add xxx' - this command is not listed there.

What I'm doing wrongly? Please advise how to add FW to FMC?

Thanks in advance.

Marvin Rhoads · ‎03-28-2021

Since gi1/2 is on one subnet gi1/3 is on a different one the traffic from one to the other needs to go through the firewall. for that you need the command "same-security-traffic permit inter-interface".

SlawekDejneka69032 · ‎03-28-2021

Hi,

Thanks for this, but I think something is still missing as I'm still
getting 'no route to host' error. I think ASA misses default GW. Here again
when I type:
conf t
route outside 0.0.0.0 0.0.0.0 192.168.1.253

Error: invalid input detected and is pointing on >0.0.0.0

BTW. I forgot assign IP address to G1/2 and M1/1 - so I've set up:
G1/2 - 192.168.10.249/24 - here I had to choose new subnet as I had error
that 192.168.1.249 overlaps with G1/3 (which has 192.168.1.246)
M1/1 - no ip address

So, your command probably works fine, but I must set up a route - I think.

SlawekDejneka69032 · ‎03-29-2021

Guys,

Please advise, as regardless what network I'm configuring on any interface (i.e. G1/2), the common error is that network overlaps with interface M1/1. Two interfaces cannot be in the same subnet.

Shall I bridge them somehow?

Marvin Rhoads · ‎03-30-2021

Don't assign any address to M1/1. Assign the sfr module an address in 192.168.1.0 network.

You wouldn't assign the default route on the outside interface using an address from the subnet associated with Gi1/3 which is an internal network.

SlawekDejneka69032 · ‎04-03-2021

Thanks very much. Now I can ping FirePower IP address. I tried to add it to the FMC (6.2.3), but it says that SW ver. I have on FW is lower than 6.1.0 and this is not supported. So I must upgrade it I think to 6.2.3 or close to it.

Marvin Rhoads · ‎04-03-2021

Yes - FMC 6.2.3 can manage devices from 6.1.0 through 6.2.3.

Reference this guide:

https://www.cisco.com/c/en/us/td/docs/security/firepower/compatibility/firepower-compatibility.html#reference_A0CAB7C28A2B440F8F901D316D6684F4

If it's a new Firepower service module, it is by far easier to simply reimage it to the newer version rather than upgrade.

SlawekDejneka69032 · ‎04-03-2021

That will be a challenge as I have never done it before... Do you know maybe any link with some more details how to do it? I'm searching Internet now. My current version is 5.4.1 - pretty old...

Marvin Rhoads · ‎04-03-2021

Follow this procedure:

https://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118644-configure-firepower-00.html#anc7

Use the 6.2.3 img and pkg files found here:

https://software.cisco.com/download/home/286283326/type/286277393/release/6.2.3

Then patch the FMC and Firepower service module to the latest 6.2.3 patch (6.2.3.16). You can go to a newer version on your FMC but the ASA 5506 is limited to 6.2.3.x.

SlawekDejneka69032 · ‎04-03-2021

Perfect thanks Marvin