zsmithtek
Level 1

I have not found any documentation to install/configure the sourcefire/firePOWER module on the 5500-X NGFW so I have decided to create my own.  I hope you find this helpful.

 

*I have not figured all of this out - but this is a good starting point.  As I get more information i'll update this post.*

 

 

Configure firepower / sourcefire module on Cisco ASA 5500-X NGFW w/ SSD

 

I. Download the required image and package file.

a. http://software.cisco.com/download/release.html?mdfid=286271174&flowid=70726&softwareid=286277393&release=5.3.1&relind=AVAILABLE&rellifecycle=&reltype=latest

b. At the time of this release, 5.3.1 was the latest build.

II. Once downloaded, transfer asasfr-5500x-boot-5.3.1-152.img to the flash partition of the ASA.

a. I used CoreFTP Server to set up an FTP server on my laptop, connected to the management interface on the ASA.

  1. copy ftp://user:pass@Laptop-IP/asasfr-5500x-boot-5.3.1-152.img flash:

III. Configure the sourcefire module / remove active modules if applicable.

a. Issue the ‘show module’ command on the ASA.

b. If the IPS or CXSC module is present you will need to shut it down and uninstall it.

c. From the ASA enable prompt:

  1. sw-module module (ips/cxsc) shutdown
  2. sw-module module (ips/cxsc) uninstall
  3. reload

d. Now set the ASA sourcefire boot image location to the file you recently uploaded to flash:

  1. sw-module module sfr recover configure image disk0:/asasfr-5500x-boot-5.3.1-152.img

e. Wait approximately 5 minutes for the image to boot up.  For me on the 5515-X it took about five minutes to connect to the console and then another 2 or 3 to allow me to log in.

f. Log in to the sfr console.  From the ASA enable prompt enter:

  1. session sfr console

    a. If the image hasn’t fully booted you’ll receive the error message:

       ERROR: Failed opening console session with module sfr. Module is in "Recover" state.
       Please try again later.

  2. User: admin | Pass: Admin123

  3. At this point run the ‘ command to configure an IP on the sourcefire management interface (uses the MGT0/0 physical interface).  I just took the defaults.  The IP on the MGT interface defaults to 192.168.8.8/24.

  4. Assign a static IP to the laptop in the subnet configured above.  I used 192.168.8.10/24 for my laptop.

  5. Install the .pkg file from FTP.  Only http, https and ftp are allowed methods of installation.

  6. Issue the command: system install ftp://user:pass@192.168.8.10/asasfr-sys-5.3.1-152.pkg

  7. You will eventually be prompted to reboot the sourcefire module.  The above command took me about 15 minutes to complete.  Once it reboots, press ENTER a few times and you should be back at the ASA enable prompt.  Only the sourcefire image reboots, not the ASA itself.

  8. Give it about 5 minutes and connect back to the console ‘

  9. NOTE: the username and password have changed automatically.

    a. User: admin | Pass: Sourcefire

  10. Once you log in you’ll have to SPACE through the EULA and accept.  You’ll be prompted to reconfigure the IP information. I took the defaults, which are 192.168.45.45/24 for the MGT interface.  Once this is done you’ll want to configure the ASA to send traffic through the module.

IV. Connect back to the ASA via ASDM management.

a. Click ‘Configuration – Firewall – Service Policy Rules’

b. Right-click to ‘Add Service Policy Rule…’

  i. I selected ‘Global’ (click next)

  ii. I named the class ‘sfr-global-class’

  iii. Select ‘Any Traffic’ (click next)

  iv. The only tab I configured was ‘ASA FirePOWER Inspection’

    1. Check ‘Enable ASA FirePOWER for this traffic flow’

    2. Check ‘Permit’

    3. Check ‘monitor only’

      a. I assume there are policies to configure, because NOT checking monitor-only blocked all traffic for me (haven’t gotten that far yet).

    4. Click ‘Finish’ to create the policy.  Apply changes and save to flash.

 

At this point, connect back to the ASA via CLI and connect to the sourcefire console with ‘session sfr console’.  The command ‘show traffic-statistics’ should prove you have traffic going through the module.  I haven’t gotten the GUI management figured out yet, but this should be enough to get the module installed so you can mess around with it.
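The two checks a practitioner would want after section III (‘show module’) and section IV (the monitor-only service policy), as an added Python example that is not part of the original post or of any Cisco tool. It parses a captured ‘show module’ and the CLI form of the service policy, and reports whether the sfr module is Up with its data plane Up, and whether the ‘sfr’ action is fail-open or fail-close and monitor-only. Both captures are constructed samples: the ‘show module’ text mirrors the layout walter baziuk posts in the comments (serials and MACs are placeholders), and the config text is the CLI equivalent of the ASDM rule built in section IV. The ‘fail-open’/‘fail-close’ keyword is what decides whether the ASA keeps forwarding traffic while the module is down or rebooting; ‘monitor-only’ means the module never drops anything, which is why it was needed here before any access-control policy existed.

```python
"""Post-install checks for an ASA FirePOWER (sfr) module.
Added example, not part of the original post or of any Cisco tool. Parses
text captured from the ASA CLI; both captures below are constructed
samples whose serials and MACs are placeholders."""
import re

# Constructed `show module` capture: a 5515-X with a booted sfr module.
SHOW_MODULE = """\
Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
1    0000.0000.0001 to 0000.0000.0006  1.0          2.1(9)8      9.2(1)
sfr  0000.0000.0000 to 0000.0000.0000  N/A          N/A          5.3.1-152

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
sfr  ASA FirePOWER                  Up               5.3.1-152

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
1    Up Sys             Not Applicable
sfr  Up                 Up
"""

# Constructed CLI equivalent of the ASDM service-policy rule from section IV:
# a global class matching any traffic, redirected to the sfr module.
RUNNING_CONFIG = """\
class-map sfr-global-class
 match any
!
policy-map global_policy
 class sfr-global-class
  sfr fail-open monitor-only
!
service-policy global_policy global
"""


def _cells(line, spans):
    """Slice one table line into cells at the dashed-underline spans;
    the last column runs to the end of the line."""
    last = len(spans) - 1
    return [line[s:(e if i < last else None)].strip()
            for i, (s, e) in enumerate(spans)]


def parse_show_module(text):
    """Merge every table of `show module` into {mod: {column: value}}.
    Column boundaries come from the dashed underline, so multi-word cells
    ('ASA FirePOWER', 'Not Applicable') survive. A column name that recurs
    across tables (Status) keeps the value from the later table."""
    modules = {}
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        lines = block.splitlines()
        if len(lines) < 2 or not re.fullmatch(r"[- ]+", lines[1]):
            continue
        spans = [(m.start(), m.end()) for m in re.finditer(r"-+", lines[1])]
        names = _cells(lines[0], spans)
        for row in lines[2:]:
            values = _cells(row, spans)
            modules.setdefault(values[0], {}).update(zip(names[1:], values[1:]))
    return modules


def sfr_health(show_module_text, expected_version=None):
    """Return (ok, findings) for the sfr module of a `show module` capture."""
    sfr = parse_show_module(show_module_text).get("sfr")
    if sfr is None:
        return False, ["no 'sfr' row: boot image not loaded or recover still running"]
    findings = []
    if sfr.get("Status") != "Up":
        findings.append(f"module status is {sfr.get('Status')!r}, not 'Up'")
    if sfr.get("Data Plane Status") != "Up":
        findings.append("data plane is not 'Up': the ASA cannot hand traffic to the module")
    if expected_version and sfr.get("Sw Version") != expected_version:
        findings.append(f"software {sfr.get('Sw Version')!r} != expected {expected_version!r}")
    return not findings, findings


def sfr_redirect_rules(config):
    """List each `sfr` action under a policy-map class: fail-open/fail-close,
    whether monitor-only is set, and where the policy-map is applied
    ('global', 'interface <name>', or None if no service-policy uses it)."""
    applied = dict(re.findall(r"^service-policy (\S+) (global|interface \S+)\s*$",
                              config, re.M))
    rules, policy, cls = [], None, None
    for line in config.splitlines():
        if not line.startswith(" "):  # an unindented command starts a new context
            m = re.match(r"policy-map (?:type \S+ )?(\S+)\s*$", line)
            policy, cls = (m.group(1) if m else None), None
            continue
        body = line.strip()
        m = re.match(r"class (\S+)$", body)
        if m:
            cls = m.group(1)
            continue
        m = re.match(r"sfr (fail-open|fail-close)( monitor-only)?$", body)
        if m and policy and cls:
            rules.append({"policy_map": policy, "class": cls,
                          "fail_action": m.group(1),
                          "monitor_only": m.group(2) is not None,
                          "applied": applied.get(policy)})
    return rules


if __name__ == "__main__":
    ok, findings = sfr_health(SHOW_MODULE, expected_version="5.3.1-152")
    print("sfr module:", "healthy" if ok else "; ".join(findings))
    for r in sfr_redirect_rules(RUNNING_CONFIG):
        mode = "monitor-only (never blocks)" if r["monitor_only"] else "inline (can block)"
        print(f"{r['policy_map']} / {r['class']}: {r['fail_action']}, {mode}, "
              f"applied: {r['applied'] or 'NOWHERE (no service-policy references it)'}")
```

To use it on a real box, paste your own ‘show module’ and the policy-map section of ‘show running-config’ into the two constants (or read them from files); a module still in the ‘Recover’ state, or a policy-map with an ‘sfr’ action that no ‘service-policy’ line applies, both show up as findings rather than passing silently.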

24 Comments
walter baziuk
Level 5

Hello

The latest FireSIGHT Virtual Defense Center for VMware Package Installer works and it runs on ESX 5.5
FireSIGHT Virtual Defense Center for VMware Package Installer
Cisco_Firepower_Management_Center_VMware-6.0.0-1005.tar.gz
EVEN THOUGH the untar file type is wrong and there is only one file and not 8 as expected. WEIRD!!

Now I have to logon as admin and NONE of the passwords as documented are accepted

I tried these passwords
Sourcefire
sourcefire
Cisco
cisco
root
password
Password
Admin
Admin
<blank>

Anyone know the correct password to use from the console to start the config?

Attached is the latest document I could find. It is different from the v5 install document:
http://www.cisco.com/c/en/us/td/docs/security/firepower/60/quick_start/management_center_virtual/FMCv-quick.pdf

Cheers

walter

walter baziuk
Level 5

This is what my 5506-X looks like:

sh module

Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
1    ASA 5506-X with FirePOWER services, 8GE, AC, ASA5506            xxx
sfr  FirePOWER Services Software Module           ASA5506            xxx

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
1    84b2.6117.f565 to 84b2.6117.f56e  1.0          1.1.1        9.5(1)
sfr  84b2.6117.f564 to 84b2.6117.f564  N/A          N/A          5.4.1-211

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
sfr  ASA FirePOWER                  Up               5.4.1-211

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
1    Up Sys             Not Applicable
sfr  Up                 Up

zsmithtek
Level 1

try combos with admin123 as username.  I think 123 is in there somewhere now.  Not sure if login is admin123/Sourcefire or admin/Sourcefire123 ...try something like that.  I think admin123 is in there though...

walter baziuk
Level 5

Hello:

More issues with the new ASA, and I found a priority 1 BUG with the ASA BIOS F/W. Some screenshots are attached to show what I see.

This is what I did and what I found out:

1. With the firepower module on the ASA. The ASA ASDM sees the firepower module. The ASA ASDM sees three firepower tabs (in the device dashboard). As well, it sees the config access to the firepower module, as the firepower menu (bottom left tab in config mode) appears. The ASA and ASDM operate as expected with the Nov 18 released ASDM s/w.
2. With the Sourcefire VM managing the firepower module on the ASA. The ASA ASDM loses two firepower tabs (but still sees the firepower status tab). As well, the ASA ASDM loses all config access to the firepower module, as the firepower menu (bottom left tab in config mode) no longer appears. The ASDM still sees the config tab and can make changes to the ASA itself via the ASDM.
3. I logged into the Sourcefire VM. I removed the linkage between it and the ASA firepower module. The VM keeps running and no longer sees any firepower module or ASA, as expected.
4. I now exit the ASA ASDM and log in again. The ASA ASDM comes up and now the ASDM complains it can’t see the ASA. That is strange, as the logs start appearing, the ASA status field updates and all the graphs are operating as expected. However, the config field is now greyed out. As in step 2, there is only one firepower tab.
5. I log into the firepower module CLI console. It seems to be running. I reload the firepower module; it goes for a restart.
6. After 5 mins the firepower is back up (i.e. I can log into it); the ASA ASDM screen is the same as in step 4, no changes.
7. I exit the ASA ASDM. I log into the ASA CLI console. Save the config and reload the ASA.
8. After 30 minutes the ASA is still not up. I see a green light inside, but none of the external status lights are on. Is the ASA dead? I pull the power cord, wait for 1 minute and reinsert it.
9. After 30 minutes the ASA is still not up. I see a green light inside, but none of the external status lights are on. Is the ASA really dead? No. I recall doing something the last time I had an issue. At this time I have three cables on the ASA: WAN, LAN and MGMT. I pulled the LAN cable. Now the ASA only sees two links. As soon as the cable is pulled, BAM, the ASA external LEDs start to complete the reboot. I plug the LAN cable back in and the reboot continues to progress. Three minutes later, the ASA is up and running and processing traffic.
10. I log into the ASA ASDM. The ASA ASDM comes up and now the ASDM again complains it can’t see the ASA. Now there is no firepower tab at all! I can’t even ping the firepower module.
11. Two minutes later, the firepower module pings start to respond. I log into the firepower module CLI console. It seems to be running. I check the uptime. It seems that the module takes a few minutes longer to reboot than the ASA. Thus if you log into the ASDM too soon, you will not see the firepower module, only the ASA.
12. The ASA ASDM still complains it can’t see the ASA. That is strange, as the logs start appearing, the ASA status field updates and all the graphs are operating as expected. However, the config field is now greyed out. As in step 2, there is only one firepower tab.
13. As above, I can no longer control the ASA or the firepower module from ASDM.

A. This is a MAJOR ASA bug: if three or more interfaces are attached, the ASA will fail a restart OR a power up. The restart freezes until there are only two interfaces. This CANNOT be any user CLI config issue, as the boot sequence has not even loaded any configs yet. This is likely an ASA BIOS issue. I can produce a tech config file later tonight if needed.


B. The firepower module takes too long to boot. The ASA is up and running before the firepower module finishes. In a real world situation, a production environment would lose all firepower features even though the ASA is up and running traffic. THIS IS A SECURITY BUG.


C. The ASDM is still buggy and now loses “some communication with the ASA” even though other features seem to still work. The config tab is affected and thus we lose access to the firepower config also. I will try an older ASDM to see if the latest has another bug.

yet_firepower_reponds_from_gui_and_cli.png

asa_did_not_get_a_response.png

config_button_grey_out.png

fp-only_status_tabs_seen.png

no_fp_tab_seen.png

rhddlschlrkd1
Level 1

Maybe admin / Admin123 or root / Admin123

try it plz

fawadasad1
Level 1

Hi - Were you able to resolve the issues you mentioned in your post? If yes, can you please share how you resolved them? - Thanks

vladsokalsky
Level 1

Thank You !

informationt
Level 1

I am also having a similar issue with a new deployment.  Can't administer through the web interface anymore, and socket errors when I try to administer FirePOWER through ASDM.  50% of the time it doesn't launch without errors, and I only see the FirePOWER Status tab, nothing else.

Frustrating doesn't begin to explain.

Kyle Stewart
Level 1

Regarding your comment about the ASA coming up and allowing traffic before the firepower module comes up: this can be addressed. Saying it is a security bug is a bit much, since it is a configurable setting (see attachment).
