08-09-2016 06:52 AM - edited 02-21-2020 05:53 AM
Guys, I have procured some 5508-X devices with FirePOWER. To manage all these devices I have procured CSM and FMC.
So can I configure a single private IP on the management interface and use both CSM and FMC?
If yes, how can I proceed further, and if no, please let me know the alternate solution.
08-09-2016 06:08 PM
Hello Rajesh, each component (ASA and FirePOWER) will have their individual and unique IP addresses for management. Thus, the ASA's management IP will be referenced in CSM while FirePOWER's management IP address will be referenced in FMC.
I hope this helps!
Thank you for rating helpful posts!
08-10-2016 03:38 AM
Hi, thanks for your info. My question is: we can assign an IP address to Management1/1 for CSM, and can we assign an IP address for the FirePOWER service to manage it from FMC? Also, could you please confirm whether we can use both IPs in the same network or whether we need to use different networks?
08-10-2016 09:00 AM
My answers below:
- Yes, the IP address that you assign to the management interface on the ASA can be used for CSM.
- The FirePOWER module gets its own IP address during the setup process. That IP address has to be on the same subnet as your regular ASA data interface.
- The ASA uses a completely separate VRF table for traffic related to its management interface. No other traffic would be allowed on that VRF.
- Here is a link to the ASA with FirePOWER Quick Start Guide that explains a lot of this in detail:
http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/sfr/firepower-qsg.html
I hope this helps!
Thank you for rating helpful posts!
08-10-2016 09:03 AM
Like my friend Neno says. :)
The separate management "VRF" is there as of ASA 9.5(1) or later.
08-10-2016 09:01 AM
Are you working with @abushayeed1? He is asking a very similar question, which I answered:
https://supportforums.cisco.com/discussion/13093471/cisco-asa-5508-x-firepower-implementation-doubts
If you use the management interface for both, then the ASA and FirePOWER modules must use the same subnet. If you manage the ASA via another interface, it can use a different network. Cisco's recommendation is to use the management interface for both and thus both addresses are on the same network.
08-10-2016 02:05 PM
Thank you for the endorsement sir!
08-10-2016 08:50 PM
Thank you, Marvin and Neno, for your help and support. Yes, abushayeed1 and I are working together on our setup.
08-17-2016 09:56 PM
Thanks for your information, it is very useful to me.