02-09-2015 02:28 PM - edited 03-10-2019 06:19 AM
Hello,
Today I have been trying to configure the ASA firepower module's IP address, but unfortunately I have not succeeded. The firewall is at a branch location and does not have any other router on the LAN network. So I have shut down the management interface and configured the firepower management IP on the Server network. But unfortunately I cannot ping the gateway IP address, which is basically the one of the interface of the firewall. It is a 5525x series firewall, so it doesn't have any dedicated interface for the firepower management. So it would be nice to know where I made the mistake. I did a reload and recovery of the module and I see the status is still the recovery state. So my question is whether there is any problem with the module itself?
Module status
sh module
Mod Card Type Model Serial No.
---- -------------------------------------------- ------------------ -----------
0 ASA 5525-X with SW, 8 GE Data, 1 GE Mgmt, AC
ips Unknown N/A
cxsc Unknown N/A
sfr Unknown N/A
Mod MAC Address Range Hw Version Fw Version Sw Version
---- --------------------------------- ------------ ------------ ---------------
0 f 1.0 2.1(9)8 9.2(3)
ips N/A N/A
cxsc N/A N/A
sfr N/A N/A
Mod SSM Application Name Status SSM Application Version
---- ------------------------------ ---------------- --------------------------
ips Unknown No Image Present Not Applicable
cxsc Unknown No Image Present Not Applicable
Mod Status Data Plane Status Compatibility
---- ------------------ --------------------- -------------
0 Up Sys Not Applicable
ips Unresponsive Not Applicable
cxsc Unresponsive Not Applicable
sfr Recover Not Applicable
Firewall Interface Config
#Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 10.101.106.115 YES CONFIG up up
GigabitEthernet0/1 10.106.106.115 YES CONFIG up up
GigabitEthernet0/2 10.103.254.254 YES CONFIG up up
GigabitEthernet0/3 10.0.210.254 YES CONFIG up up
GigabitEthernet0/4 10.100.254.254 YES CONFIG up up
GigabitEthernet0/5 10.107.253.115 YES CONFIG up up
#interface GigabitEthernet0/1
speed 1000
duplex full
nameif server
security-level 70
ip address 10.106.106.115 255.255.0.0
Firepower Management config
Hostname: SFR1
Management Interface Configuration
IPv4 Configuration: static
IP Address: 10.106.251.253
Netmask: 255.255.0.0
Gateway: 10.106.106.115
IPv6 Configuration: Stateless autoconfiguration
DNS Configuration:
Domain: XXX.local
Search:
XXX.local
DNS Server:
10.101.251.2
10.201.251.2
Any assistance will be greatly appreciated.
Thanks
Saimun
02-09-2015 10:24 PM
Saimun,
Even though there is not a physical Firepower services module management port, it uses the Management0/0 port for connecting to the SFR module. If you'd like it on the same VLAN as your server VLAN on the ASA, plug the Management0/0 port into a switch that shares the server VLAN network and give the SFR module an IP address on the same subnet.
Make sure you remove the nameif statement from under the Management0/0 interface. Here's an example:
interface Management0/0
management-only
no nameif
security-level 100
no ip address
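The two conditions raised in this thread (Management0/0 shut down, and a nameif left on it), plus a subnet check on the module's gateway, can be linted before touching the module. This is an added example, not part of the reply above; the function names are hypothetical and the sample config is constructed from the values in the question, with the Management0/0 stanza assumed.

```python
import ipaddress
import re

# Constructed sample built from the first poster's values. The Management0/0
# stanza (shutdown, nameif management) is an assumption based on the question.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 nameif server
 security-level 70
 ip address 10.106.106.115 255.255.0.0
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 no ip address
"""

def parse_interfaces(config):
    """Map interface name -> list of stripped sub-commands under it."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or any other top-level line ends the stanza
    return interfaces

def check_sfr_mgmt(config, sfr_ip, sfr_mask, sfr_gw):
    """Return findings that would keep the SFR module unreachable."""
    findings = []
    mgmt = parse_interfaces(config).get("Management0/0")
    if mgmt is None:
        return ["Management0/0 stanza not found"]
    if "shutdown" in mgmt:  # exact match, so "no shutdown" does not trigger
        findings.append("Management0/0 is shut down; the SFR module uses this port")
    if any(c.startswith("nameif ") for c in mgmt):
        findings.append("nameif is set on Management0/0; remove it")
    net = ipaddress.ip_network(f"{sfr_ip}/{sfr_mask}", strict=False)
    if ipaddress.ip_address(sfr_gw) not in net:
        findings.append(f"gateway {sfr_gw} is outside SFR subnet {net}")
    return findings

if __name__ == "__main__":
    for f in check_sfr_mgmt(SAMPLE_CONFIG, "10.106.251.253",
                            "255.255.0.0", "10.106.106.115"):
        print("FINDING:", f)
```

With the question's addressing the subnet check passes, so the only findings are the shut-down port and the nameif, which matches the fix given in the reply.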
02-10-2015 01:25 AM
Thanks a lot, mate. It is working. But now I have another issue uploading the sfr module package. Anyway, I am creating another new discussion about it.
08-05-2015 03:18 AM
I have exactly the same issue. The sfr module is always in recover stage. The ASA's internal IP address is not able to reach the IP address of the SFR module. Though both IP addresses are in the same subnet, I am unable to ping them.
interface BVI1
ip address 192.168.1.242 255.255.255.0
ciscoasa(config)# sh int IP br
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 unassigned YES unset up up
GigabitEthernet0/1 192.168.1.242 YES unset up up
GigabitEthernet0/2 unassigned YES unset administratively down down
GigabitEthernet0/3 unassigned YES unset administratively down down
GigabitEthernet0/4 unassigned YES unset administratively down down
GigabitEthernet0/5 unassigned YES unset administratively down down
Internal-Control0/0 127.0.1.1 YES unset up up
Internal-Data0/0 unassigned YES unset up up
Internal-Data0/1 unassigned YES unset down down
Internal-Data0/2 unassigned YES unset up up
Management0/0 unassigned YES unset up up
BVI1 192.168.1.242 YES CONFIG up up
The firewall is in transparent mode, the access-lists any any are configured.
!
interface GigabitEthernet0/0
no nameif
bridge-group 1
no security-level
interface GigabitEthernet0/1
nameif outside1
bridge-group 1
security-level 0
Please tell me if the connections I have made have a mistake. I am connecting my laptop to the outside1 interface; the management and interface g0/0 are connected to the switch in the same vlan.
08-05-2015 01:05 PM
Have you run through the initial SFR module setup? If you've done that successfully (assuming you have since you refer to having an IP address configured on it), then you need to run through the "system install" routine to move from the boot image to the system image on the sfr module.