Firepower 2100 series platform can run either FTD or ASA software.
When Firepower 2100 series platform running ASA, has two software, FXOS and ASA. Both have its own management IP address and share same physical Interface Management 1/1.
Both ASA and FXOS has its own authentication, same with SNMP, Syslog and tech-support logs.
Toggle between FXOS & ASA prompt:
From FXOS prompt, you can use "connect asa" to go to ASA prompt, "exit" to come back to FXOS.
From ASA prompt, you can use "connectfxos" to go to FXOS prompt, "exit" to come back to ASA.
When using Console, you'll login to fxos prmpt.
ssh/telnet to ASA Management IP to access ASA.
ssh to fxos management IP to access FXOS.
ASA & FXOS Management:
In order to manage ASA, you have ASDM or CLI (SSH, Telnet). To manager FXOS, we have CLI and FCM-Firepower Chassis Manager - Browser base GUI tool.
FXOS useful configurations:-
The Default IP address for FXOS IP address for FP2100 running ASA is 192.168.45.45.
Verify & Configuring Management IP address for FXOS:-
To Verify FXOS IP address
firepower-2110# scope fabric-interconnect a
firepower-2110 /fabric-interconnect #show detail
Product Name: Cisco FPR 2110
Vendor: Cisco Systems, Inc.
Serial (SN): JMX202820M4
OOB IP Addr: 192.168.45.45
OOB Netmask: 255.255.255.0
OOB Gateway: 192.168.45.1
OOB Gateway Use DataPort: No
OOB Boot Proto: Static
OOB IPv6 Address: ::
OOB IPv6 Gateway: ::
OOB IPv6 Gateway Use DataPort: No
IPv6 Boot Proto: Static
DHCPD Admin State: DHCP Server Enabled
Changing FXOS management IP address:
firepower# scope fabric-interconnect a
firepower /fabric-interconnect # set out-of-band static ip 10.106.143.40 netmask 255.255.255.0 gw 10.106.143.1
firepower /fabric-interconnect* #commit-buffer (Commit buffer to save config)
some time you may get below error:
" Error: Update failed: [Management ipv4 address (IP 10.106.143.40 / net mask 255.255.255.0 ) is not in the same network of current DHCP server IP range 192.168.45.5 - 192.168.45.10. Either disable DHCP server first or config with a different ipv4 address.] "
If you get above error, you need to either disable DHCP or change DHCP range in the same subnet as new Management IP address.
Disabling DHCP Server:
firepower# scope system
firepower /system* #scope services
firepower /system* # disable dhcp-server
firepower /system* # enable dhcp-server 10.106.143.10 10.106.143.20 (To enable DHCP server on FXOS)
Configuring NTP ortimezone on ASA running on FP2100 is restricted. Clock,timezone,ntp need to be configured on FXOS, which will besync to ASA.
firepower# scope system
firepower/system* #scope services
firepower/system/services *# set clockoct6 2017 17 12 00
has anyone set this up before? I did pretty basic setup 2x4150 per data center and 2x7702 per data center (HSRP, etc). Similar setups with 9300 worked just fine (few differences)We did best practises with site ips, MAC filters, etc and everything works bu...
Hi everyone,A couple of days ago ISE 2.7 was uploaded to the Cisco site.Oddly enough there wasn't an open beta on the Customer Connection page, so no release notes are available there. Any chance we can read what's new in this version here, or alternative...
I'm working on a deployment where we need to redirect wireless guests to a web portal for authentication. We're using CWA - the radius server sends a url-redirect to the NAD ( Meraki AP ) , as well as the url-redirect acl that is meant to specify t...
Hey all, I'm working on a lab in PT and I'm wondering if someone could help me with the syntax for these two commands I need to put on my ASA:Put commands on ASA to allow for ASDM access from inside networkConfigure dynamic PAT using outside interface so ...