03-03-2018 05:34 AM - edited 02-21-2020 07:28 AM
I have migrated my ASA 5506x from SFC to AS with FTD.
I have a working FMC and it can see the new ASA with FTD.
I can ping the FTD.
The FMC can update rules on the FTD.
The FMC sees and shows the ASA with FTD.
I have TMC license on the FTD.
I can SSL into the ASA FTD and access both the ASA side and the FTD side with CLI.
I have Nazmul Rajib's FTD book from Cisco Press.
I CAN'T access the FTD GUI.
Please advise how I can get access.
03-03-2018 09:25 AM
If you manage FTD with a Firepower Management Center, you don't have a local GUI on the BOX. It's only one or the other, local GUI or FMC.
03-03-2018 10:38 AM
The book and my SE say that.
I see nowhere in FMC where I can config the device like the old ASDM (deprecated Java app) with similar detailed config.
As well, the CLI is MUCH different than the older ASA/SFR combo.
So how does one do the config?
I also have a TAC case, as the conversion FMC VM is VERY BUGGY and TAC has to hand convert your old ASA/SFR CLI.
03-05-2018 05:13 AM
Your SE is incorrect and you may be misreading the book.
What Karsten said is correct - enabling a remote manager (FMC) on an ASA with FTD disables the local Firepower Device Manager. All configuration (except for a few bootstrapping things like configuring the IP address and remote manager) is done via FMC.
If you were running a Firepower appliance (2100, 4100 or 9300 series) you would have the Firepower Chassis Manager GUI but you would still configure Firepower services via FMC.
05-22-2019 06:52 AM
Okay, so if I understand correctly, if you have an FMC that you can access you won't be able to access the actual module GUI (DC IP). I can get to the webpage but when I attempt to log in all I get is "Unable to authorize access. If problem persists please contact your systems administrator." I know we aren't using RADIUS (ISE) with this device and as near as I can tell (show users) there aren't any other users configured outside of the admin that are enabled. I understand authorization profiles as I set up ISE and it's authenticating in other physical areas on devices I set up. This is not one of those devices and it's not tied to anything else. I can log in to the ASA no problem and not the FMC with no issues (using admin). I assumed the FMC and the module had the same creds....
05-22-2019 07:30 AM
"DC IP" refers to Defense Center (old name for Firepower Management Center) IP address. We see that in ASDM when the Firepower module in the ASA is managed by FMC.
Once a Firepower service module is FMC-managed there is no local GUI (e.g. ASDM) access.
The same applies for a Firepower 2110 running FTD - both Firepower Chassis Manager (FCM) and Firepower Device Manager (FDM) GUIs are no longer available when the device is FMC-managed.
In any case, the CLI credentials for a module or FTD device and the managing FMC are completely separate. Both have a built-in admin user, but the local password is created separately on each and there's no credential synchronization.
05-22-2019 08:23 AM
05-22-2019 07:54 PM
On the module console, what does "show managers" tell you?
05-23-2019 06:51 AM
05-23-2019 08:05 AM
That output indicates that the device is registered to a Firepower Management Center (FMC).
You can thus only view and modify policies from the FMC indicated in the IP address of the output.