Monday, January 1, 2018

Configuring Cisco ASA FirePOWER Module via ASDM

I'm currently studying the new CCNP Security SENSS 300-206 exam to re-certify my CCNP Security. The study materials I'm using are the SENSS Student Guide Volumes 1 and 2, Cisco Next-Generation Security Solutions All-in-one Cisco ASA FirePOWER Services, NGIPS, and AMP by Omar Santos, SENSS CBT Nuggets videos by Keith Barker, a Cisco ASA 8.4 virtual lab in GNS3, an ASA 5506X with FirePOWER Module and the Cisco FMC demo in dCloud (Cisco Connection Online or CCO login required).


The ASA 5506-X Management 1/1 interface must be connected to a switch in order to manage the ASA (and the FirePOWER module) via ASDM. The ASA FirePOWER module needs its own IP address in order to be detected by ASDM, and it can share the same subnet as the Management 1/1 IP address. SSH and ASDM access on the ASA Management 1/1 interface are independent of the ASA FirePOWER module.

You can log in to the ASA FirePOWER module using the session sfr console command from privileged EXEC mode, with the default username admin and password Admin123.


ciscoasa# session sfr console
Opening console session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.

firepower login: admin
Password: Admin123
Last login: Tue Dec 19 01:50:22 UTC 2017 on ttyS1

Copyright 2004-2017, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.

Cisco Fire Linux OS v6.2.0 (build 42)
Cisco ASA5506H v6.2.0 (build 362)




You can verify the ASA FirePOWER module software version using the show version command. The ASA 5506-X FirePOWER module comes pre-installed with the latest version (6.2.0 as of this writing).

> show version
-------------------[ firepower ]--------------------
Model                     : ASA5506H (72) Version 6.2.0 (Build 362)
UUID                      : eb919100-a201-11e7-ba3a-acd556562abc
Rules update version      : 2016-03-28-001-vrt
VDB version               : 271
----------------------------------------------------


You can verify the ASA FirePOWER module IP address using the show ifconfig command; the logical eth0 interface has a default IP address of 192.168.45.45/24.

> show ifconfig
cplane    Link encap:Ethernet  HWaddr 00:00:00:02:00:01 
          inet addr:127.0.2.1  Bcast:127.0.255.255  Mask:255.255.0.0
          inet6 addr: fe80::200:ff:fe02:1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7383290 errors:0 dropped:3673355 overruns:0 frame:0
          TX packets:1855097 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:465477809 (443.9 Mb)  TX bytes:170663745 (162.7 Mb)

eth0      Link encap:Ethernet  HWaddr 50:0F:80:80:AB:CD
          inet addr:192.168.45.45  Bcast:192.168.45.255  Mask:255.255.255.0 
          inet6 addr: fe80::520f:80ff:fe80:addc/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:528 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:85907 (838 Kb)  TX bytes:426 (426.0 b)

lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.255.255.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:225446 errors:0 dropped:0 overruns:0 frame:
          TX packets:225446 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:28145463 (26.8 Mb)  TX bytes:28145463 (26.8 Mb)

tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 
          inet addr:169.254.0.1  P-t-P:169.254.0.1  Mask:255.255.0.0
          inet6 addr: fdcc::bd:0:ffff:a9fe:1/64 Scope:Global
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)


You can configure the ASA FirePOWER module IP address when you initially log in via the session sfr console privileged EXEC command and accept the EULA. You can use the configure network ipv4 manual <IP ADDRESS> <SUBNET MASK> <DEFAULT GATEWAY> command to change the default network settings.

> configure network ipv4 manual 172.27.5.18 255.255.255.224 172.27.5.19
Setting IPv4 network configuration.
Network settings changed.


> show ifconfig
cplane    Link encap:Ethernet  HWaddr 00:00:00:02:00:01 
          inet addr:127.0.2.1  Bcast:127.0.255.255  Mask:255.255.0.0
          inet6 addr: fe80::200:ff:fe02:1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7393835 errors:0 dropped:3678566 overruns:0 frame:0
          TX packets:1857932 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:466143182 (444.5 Mb)  TX bytes:170923927 (163.0 Mb)

eth0      Link encap:Ethernet  HWaddr 50:0F:80:80:AB:CD
          inet addr:172.27.5.18  Bcast:172.27.5.19  Mask:255.255.255.224
          inet6 addr: fe80::520f:80ff:fe80:addc/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:24632 errors:0 dropped:0 overruns:0 frame:0
          TX packets:41879 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2238878 (2.1 Mb)  TX bytes:48324650 (46.0 Mb)

lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.255.255.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
        RX packets:236554 errors:0 dropped:0 overruns:0 frame:0
          TX packets:236554 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:30401602 (28.9 Mb)  TX bytes:30401602 (28.9 Mb)

tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 
          inet addr:169.254.0.1  P-t-P:169.254.0.1  Mask:255.255.0.0
          inet6 addr: fdcc::bd:0:ffff:a9fe:1/64 Scope:Global
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)


You're also now able to SSH directly to the FirePOWER module IP address.

$ ssh -l admin 172.27.5.18
Password:
Last login: Fri Dec 22 07:05:29 2017 from 10.111.0.14

Copyright 2004-2017, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.

Cisco Fire Linux OS v6.2.0 (build 42)
Cisco ASA5506H v6.2.0 (build 362)

>


To test connectivity with ping, type expert to drop into the Linux shell (as the admin user, gaining root via sudo) and then use the sudo ping <DESTINATION IP> command.

> expert
admin@firepower:~$ sudo ping 172.27.5.19      // DEFAULT GATEWAY/UPSTREAM ROUTER
PING 172.27.5.19 (172.27.5.19) 56(84) bytes of data.
64 bytes from 172.27.5.19: icmp_req=1 ttl=255 time=0.963 ms
64 bytes from 172.27.5.19: icmp_req=2 ttl=255 time=0.445 ms
64 bytes from 172.27.5.19: icmp_req=3 ttl=255 time=0.342 ms
64 bytes from 172.27.5.19: icmp_req=4 ttl=255 time=0.384 ms
64 bytes from 172.27.5.19: icmp_req=5 ttl=255 time=0.352 ms
64 bytes from 172.27.5.19: icmp_req=6 ttl=255 time=0.404 ms
^C
--- 172.27.5.19 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5005ms
rtt min/avg/max/mdev = 0.342/0.481/0.963/0.219 ms


admin@firepower:~$ sudo ping 172.20.7.10      // ASDM PC
PING 172.20.7.10 (172.20.7.10) 56(84) bytes of data.
64 bytes from 172.20.7.10: icmp_req=1 ttl=123 time=88.2 ms
64 bytes from 172.20.7.10: icmp_req=2 ttl=123 time=147 ms
64 bytes from 172.20.7.10: icmp_req=3 ttl=123 time=127 ms
64 bytes from 172.20.7.10: icmp_req=4 ttl=123 time=95.1 ms
64 bytes from 172.20.7.10: icmp_req=5 ttl=123 time=107 ms
64 bytes from 172.20.7.10: icmp_req=6 ttl=123 time=94.4 ms
^C
--- 172.20.7.10 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5004ms
rtt min/avg/max/mdev = 88.262/110.068/147.233/20.959 ms


The ASA 5506-X had ASDM 7.8(1) installed, and I'm using a Windows 7 machine with Java 1.8.0_131 installed. You can check the Java version on your local machine or via ASDM by going to Help > About Cisco ASDM.


Once the ASA FirePOWER module IP address has been configured, you can access and manage it locally via ASDM. Three additional ASA FirePOWER tabs will appear in ASDM: ASA FirePOWER Dashboard, ASA FirePOWER Reporting and ASA FirePOWER Status.




You'll need to redirect IP traffic to the ASA FirePOWER module in order to apply its policies, by going to Configuration > Firewall > Service Policy Rules > Add.


Choose the default Global > click Next.


Type a name for the new traffic class > click Any Traffic > click Next. You can alternatively match specific IP addresses or subnets using an ACL instead of all IP traffic.



Go to the ASA FirePOWER Inspection tab > tick Enable ASA FirePOWER for this traffic flow > choose Permit traffic. This is the fail-open option: traffic will still flow through the ASA even if the FirePOWER module fails. Click Finish > then Apply.
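For reference, this is the ASA running configuration that the ASDM wizard steps above produce. It is an added example written for this post, not configuration taken from the original page; the class-map name SFR_CLASS, the ACL name SFR_ACL and the 172.20.7.0/24 subnet are assumed.

```cisco
! CLI equivalent of Configuration > Firewall > Service Policy Rules > Add.
! Added example; SFR_CLASS and SFR_ACL are assumed names, not from the post.
!
! Option A: "Any Traffic" in the wizard - match every flow on the global policy
class-map SFR_CLASS
 match any
!
! Option B: only selected hosts or subnets, via an ACL
! (172.20.7.0/24 is a constructed sample subnet)
! access-list SFR_ACL extended permit ip 172.20.7.0 255.255.255.0 any
! class-map SFR_CLASS
!  match access-list SFR_ACL
!
! global_policy and its global service-policy already exist on a default ASA
policy-map global_policy
 class SFR_CLASS
! "Permit traffic" in the wizard = fail-open: matched traffic keeps flowing
! through the ASA if the module fails or is reloading
  sfr fail-open
! "Close traffic" in the wizard = fail-close: matched traffic is dropped
! while the module is down. Use the line below instead of fail-open.
!  sfr fail-close
service-policy global_policy global
!
! Verification from the ASA privileged EXEC prompt:
! show module sfr details
! show service-policy sfr
```

Fail-open keeps the network up but leaves redirected flows uninspected while the module is down, so the choice between fail-open and fail-close is a risk decision, not just a convenience setting.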


You can configure local policies on the ASA FirePOWER module via ASDM without a policy update or push from the Firepower Management Center (FMC). Go to Configuration > ASA FirePOWER Configuration > Policies > Access Control Policy.



Change the default Access Control: Trust All Traffic to Intrusion Prevention: Balanced Security and Connectivity.
 


You'll need to create some rules: click OK on the pop-up message, click Store ASA FirePOWER Changes > click Add Rule.