Solved: How to add ASA5506-X to FMC?

SlawekDejneka69032 · ‎03-19-2021

Hi,

I'm trying to create a lab with 2x 5506-X FWs and add them to the FMC. However initial configuration after FW reset doesn't allow me to choose 'Managed locally?' and set in to 'NO'. Therefore i can't use command 'Configure manager add xxx' - this command is not listed there.

What I'm doing wrongly? Please advise how to add FW to FMC?

Thanks in advance.

Marvin Rhoads · ‎03-30-2021

Don't assign any address to M1/1. Assign the sfr module an address in 192.168.1.0 network.

You wouldn't assign the default route on the outside interface using an address from the subnet associated with Gi1/3 which is an internal network.

View solution in original post

Rob Ingram · ‎03-19-2021

Hi @SlawekDejneka69032

Run the command "show manager" to determine what is currently the manager local/central.

Use the command "configure manager add <fmc ip> <reg key>" to define the FMC.

Marvin Rhoads · ‎03-19-2021

Try "configure manager delete" first and then "configure manager add" with the parameters for your FMC appended.

SlawekDejneka69032 · ‎03-19-2021

Thanks guys, but there's no such command available. I tried type it in full assuming it will work, but it says there's no such command. It behaves like standard ASA.

When I'm trying to run 'show manager' it shows typical error when you type wrong command.

What might be wrong?

Rob Ingram · ‎03-19-2021

Are you running the ASA image not FTD? In which case the command will never work.

Please provide a screenshot of the CLI errors you get might help us quicker.

SlawekDejneka69032 · ‎03-23-2021

Apologies for late response. Here is a screen shot.

I think that ASA is running on its default OS image it came with. What software shall I have installed on it?

Thanks in advance.

Marvin Rhoads · ‎03-23-2021

You are showing ASA software image. That has no interaction with or management by an FMC.

The ASA 5506 also has a Firepower service module. That is like a VM that runs along side the ASA software. It is that module which is managed by FMC (or ASDM).

Please share the output of "show module sfr detail" taken from the ASA cli.

Also please see this guide:

https://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/sfr/firepower-qsg.html

SlawekDejneka69032 · ‎03-23-2021

Many thanks - i didn't know that. Thanks for a link.

Here's the output:

ciscoasa# configure manager add
^
ERROR: % Invalid input detected at '^' marker.
ciscoasa#
ciscoasa# show module sfr detail
Getting details from the Service Module, please wait...

Card Type: FirePOWER Services Software Module
Model: ASA5506
Hardware version: N/A
Serial Number: xxxxxxx
Firmware version: N/A
Software version: 5.4.1-211
MAC Address Range: 7069.5a22.3567 to 7069.5a22.3567
App. name: ASA FirePOWER
App. Status: Up
App. Status Desc: Normal Operation
App. version: 5.4.1-211
Data Plane Status: Up
Console session: Ready
Status: Up
DC addr: No DC Configured
Mgmt IP addr: 192.168.45.45
Mgmt Network mask: 255.255.255.0
Mgmt Gateway: 0.0.0.0
Mgmt web ports: 443
Mgmt TLS enabled: true
ciscoasa#

Marvin Rhoads · ‎03-24-2021

OK, that appears to be the old factory-default image version 5.4. Do you have a license for the ASA 5506-X Firepower service module?

If so, you would be best to download and reimage the module with the latest version available for that platform - 6.2.3.x was the last available version for that model of ASA.

SlawekDejneka69032 · ‎03-25-2021

I need to have a look as this is kit which belongs to my company. I suppose I should have a license, or in the worst scenario I could order it. It should not more than £300 per year, I think.

In the meantime I'll have thorough reading of the link above.

I'll come back with more questions soon

johnlloyd_13 · ‎03-26-2021

hi,

see helpful links below in upgrading 5506 FP module and adding device in FMC.

the OS code used are a bit outdated but the concept is still the same.

https://wannabecybersecurity.blogspot.com/2018/11/cisco-asa-5506w-x-firepower-module_9.html

https://wannabecybersecurity.blogspot.com/2019/04/configuring-devices-in-cisco-fmc.html

SlawekDejneka69032 · ‎03-28-2021

Great thanks! I'm working on this today. Wish me luck Guys

SlawekDejneka69032 · ‎03-28-2021

Can you help me please how to set up ASA FirePower ip address? I have directly connected M1/1 to G1/2 as per instruction.

Correct me if I'm wrong:

- Mgmt 1/1 - no ip address

- G 1/2 - ip address 192.168.45.100 - sample IP

- sfr module - suggested IP was 192.168.45.45/24 - I've accepted defaults

My LAB doesn't have any internal router, so G1/1 should be connected to the external RTR as default GW.

FMC should be connected to the internal interface on FW and should be in a subnet 192.168.45.0/24 (i.e. 192.168.45.100/24) and the next step is in sfr module:

configure manager add 192.168.45.100 abcdef

Marvin Rhoads · ‎03-28-2021

That's correct so far.

Next add the Firepower service module as a device in FMC and then associates licenses and an Access Control Policy with it.

SlawekDejneka69032 · ‎03-28-2021

I can't add device to FMC as I think I have some issue with connectivity.

SFR module has ip address: 192.168.1.245/24.

G 1/3 has: 192.168.1.246/24

FMC: 192.168.1.250/24 - this is running as VM on a hosting server which has 192.168.1.253/24

Mgtm 1/1 - no ip address and is directly connected to G1/2

When I'm trying to ping 1.245 or 1.246 from ASA, I'm getting error 'No route to host'.

From SFR module I also can't ping 1.253 nor 1.250 (FMC).

From FMC I can't either ping 1.245 nor 1.246.

What I'm doing wrong? I'm sure connection between two boxes fails (switch level 2).