Firepower 2100 series platform can run either FTD or ASA software.
When Firepower 2100 series platform running ASA, has two software, FXOS and ASA. Both have its own management IP address and share same physical Interface Management 1/1.
Both ASA and FXOS has its own authentication, same with SNMP, Syslog and tech-support logs.
Toggle between FXOS & ASA prompt:
From FXOS prompt, you can use "connect asa" to go to ASA prompt, "exit" to come back to FXOS.
From ASA prompt, you can use "connectfxos" to go to FXOS prompt, "exit" to come back to ASA.
When using Console, you'll login to fxos prmpt.
ssh/telnet to ASA Management IP to access ASA.
ssh to fxos management IP to access FXOS.
ASA & FXOS Management:
In order to manage ASA, you have ASDM or CLI (SSH, Telnet). To manager FXOS, we have CLI and FCM-Firepower Chassis Manager - Browser base GUI tool.
FXOS useful configurations:-
The Default IP address for FXOS IP address for FP2100 running ASA is 192.168.45.45.
Verify & Configuring Management IP address for FXOS:-
To Verify FXOS IP address
firepower-2110# scope fabric-interconnect a
firepower-2110 /fabric-interconnect #show detail
Product Name: Cisco FPR 2110
Vendor: Cisco Systems, Inc.
Serial (SN): JMX202820M4
OOB IP Addr: 192.168.45.45
OOB Netmask: 255.255.255.0
OOB Gateway: 192.168.45.1
OOB Gateway Use DataPort: No
OOB Boot Proto: Static
OOB IPv6 Address: ::
OOB IPv6 Gateway: ::
OOB IPv6 Gateway Use DataPort: No
IPv6 Boot Proto: Static
DHCPD Admin State: DHCP Server Enabled
Changing FXOS management IP address:
firepower# scope fabric-interconnect a
firepower /fabric-interconnect # set out-of-band static ip 10.106.143.40 netmask 255.255.255.0 gw 10.106.143.1
firepower /fabric-interconnect* #commit-buffer (Commit buffer to save config)
some time you may get below error:
" Error: Update failed: [Management ipv4 address (IP 10.106.143.40 / net mask 255.255.255.0 ) is not in the same network of current DHCP server IP range 192.168.45.5 - 192.168.45.10. Either disable DHCP server first or config with a different ipv4 address.] "
If you get above error, you need to either disable DHCP or change DHCP range in the same subnet as new Management IP address.
Disabling DHCP Server:
firepower# scope system
firepower /system* #scope services
firepower /system* # disable dhcp-server
firepower /system* # enable dhcp-server 10.106.143.10 10.106.143.20 (To enable DHCP server on FXOS)
Configuring NTP ortimezone on ASA running on FP2100 is restricted. Clock,timezone,ntp need to be configured on FXOS, which will besync to ASA.
firepower# scope system
firepower/system* #scope services
firepower/system/services *# set clockoct6 2017 17 12 00
Hi Everybody,Maybe this subject was already discussed and a solution exist, but a could find it in any discussion.I setup a site to site VPN between 2 sites ( HQ_ASA <--- VPN ---> Site_ASA). the inside subnet for each site is nated before reaching t...
Hi community!Faced the issue with connecting into Standby node of FO ASA cluster. The problem description:- when I try to connect via SSH to the Standby node I always getting the message "Remote side unexpectedly closed network connection";- when I c...
Hello I have an issue where I am upgrading ASA5585-X Active/Standby pairs from 9.1.7 to 9.8.4(26). Several pairs have been upgraded, and in each case, the Standby device is reloaded first. However, when it reboots, it boots back into a Cold Standby s...
Good afternoon,I have a Cisco ASA 5506 on a Spectrum Ubee cable modem. We have a block of 7 static IP addresses. We are using 4 of the addresses. One is the primary IP of the router which allows client internet access via dynamic NAT, as well ...
Hi,I haveone ISE (PAN+MNT )Node in DC andanother ISE (PAN+MNT) node in DR .And I have one AD domain in DC and another AD domain in DR. And I have two node groups deployment for branch sites with each group contain two PSNs.What I would like to know i...