Upgrade from 5505 to Firepower 2100

Tippey
Level 1

Hi,

Just a query on this.

We are upgrading from a 5505 to a Firepower 2100 with the ASA platform on it.

Basically I have migrated as much of the config as I can, with a few minor amendments which wouldn't take in the new setup.

We swapped over to the new kit and the connections didn't work; it was to do with the VLANs not getting through (only 2 VLANs on the device).

We made a bridge group which encompassed our inside interfaces and assigned the internal VLAN, which allowed us to communicate, which was great; however our outside connection was not contactable.

All routes were the same and compared.

This is the first time I have had to deal with the new Firepower devices, so any help/advice would be appreciated.

Below is an excerpt of the interfaces on the old device:

 

interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
description Internal LAN
nameif inside
security-level 100
ip address 172.x.x.x 255.255.255.0
!
interface Vlan2
description Link to Internet
nameif outside
security-level 0
ip address 10.x.x.x 255.255.255.0

On the new one I had to add sub-interfaces for the VLANs, but this didn't work until we removed them and made a bridge group for the internal with the interfaces required for this.

 

6 Replies

Marvin Rhoads
Hall of Fame

A Firepower 2100 with ASA image would normally be used with routed interfaces assigned to physical ports - not with VLANs as you had on the 5505. So you would assign Ethernet 1/1 and 1/2 to match the addresses of VLAN 1 and 2 and name them inside and outside respectively.

You didn't say if you are using the switch ports on the 5505 for host computers. That would make a difference as well.

Hi

What I had done was add Ethernet1/1.1 with the VLAN information which matched the others.

When this happened there were no connections at all.

Ethernet 1 is internal with VLAN 1

2 is outside with VLAN 2

and 3 had our core DMZ (VLAN 1 also) attached; these are the only ports being used on the device.

So 0/0 is now equal to 1/1

0/1 is 1/2

0/2 is 1/3

Marvin Rhoads
Hall of Fame

If you added Ethernet 1/1.1 then it would tag all traffic for VLAN 1 and require the adjacent switch interface be a trunk port vs. an access port.

I don't understand how VLAN1 is both your internal network and your DMZ.

Hi,

It's not a true DMZ, it's just called a DMZ in our systems; all it does is pass the VLANs from the router to the customer network.

We got the internal network working so we know how that works now,

but the external for outside traffic is the issue now.

For the external connection can you ping:

  1. your default gateway?
  2. an Internet address from the ASA itself? If that doesn't work then check your default route  ("show route", "show run route").

If that works then we can focus on traffic through the firewall.
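As an added example (not config from any reply in this thread): the two 5505 VLAN interfaces from the original post mapped onto routed physical ports on a Firepower 2100 running the ASA image, as Marvin describes, with the sub-interface variant he warns about shown alongside it and the checks he lists at the end. The masked addresses (172.x.x.x, 10.x.x.x) are kept from the post and will not parse as-is; the gateway 10.x.x.1, the port mapping Ethernet1/1 = inside / Ethernet1/2 = outside, and the test address 8.8.8.8 are assumptions for illustration.

```cisco
! Routed ports: frames leave untagged, so the adjacent switch ports can stay
! access ports, the same way the 5505 switchports were attached.
interface Ethernet1/1
 description Internal LAN (was Vlan1 on the 5505)
 nameif inside
 security-level 100
 ip address 172.x.x.x 255.255.255.0
 no shutdown
!
interface Ethernet1/2
 description Link to Internet (was Vlan2 on the 5505)
 nameif outside
 security-level 0
 ip address 10.x.x.x 255.255.255.0
 no shutdown
!
! The sub-interface form, shown commented out for contrast only. It sends
! 802.1Q-tagged frames for VLAN 1, so the switch port facing Ethernet1/1 must
! be a trunk carrying VLAN 1; against an access port the link comes up but
! nothing gets through. Check too that VLAN 1 is not the trunk's untagged
! native VLAN on the switch side, or tagged VLAN 1 frames will not match it.
! interface Ethernet1/1
!  no shutdown
! interface Ethernet1/1.1
!  vlan 1
!  nameif inside
!  security-level 100
!  ip address 172.x.x.x 255.255.255.0
!
! Default route toward the ISP gateway (gateway address assumed).
route outside 0.0.0.0 0.0.0.0 10.x.x.1 1
!
! Checks from the ASA itself, in the order suggested above:
! ping outside 10.x.x.1       - is the default gateway reachable?
! ping outside 8.8.8.8        - is anything beyond it reachable?
! show route                  - if not, is the default route installed?
! show run route              - and is it configured on the right interface?
```

If both pings succeed from the ASA but hosts behind it still cannot reach the Internet, the problem is with traffic through the box (NAT or access policy) rather than with the interface or routing configuration above.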

The route for external and others are exactly the same as they were before.

Obviously the equipment is not plugged in currently.

The only details changed were having to have the VLANs on the sub-interfaces,

but when that didn't work we had to create a bridge interface to get the internal traffic working.