hit counter script
Cisco Firepower 2100 Series Getting Started Manual
  1. Manuals
  2. Brands
  3. Cisco Manuals
  4. Firewall
  5. Firepower 2100 Series
  6. Getting started manual

Cisco Firepower 2100 Series Getting Started Manual

Hide thumbs Also See for Firepower 2100 Series:
Table of Contents

Advertisement

Quick Links

Cisco Firepower 2100 Getting Started Guide
First Published: 2019-09-25
Last Modified: 2019-09-25
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883

Advertisement

Table of Contents
loading

Related Manuals for Cisco Firepower 2100 Series

Summary of Contents for Cisco Firepower 2100 Series

  • Page 1 Cisco Firepower 2100 Getting Started Guide First Published: 2019-09-25 Last Modified: 2019-09-25 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883...

  • Page 3: Table Of Contents

    FTD allows, use the Firepower Management Center (FMC) instead. Note The Firepower 2100 Series hardware can run either FTD software or ASA software. Switching between FTD and ASA requires you to reimage the device. See Reimage the Cisco ASA or Firepower Threat Defense Device.

  • Page 4: End-To-End Procedure

    See the following tasks to deploy FTD with FDM on your chassis. Pre-Configuration Review the Network Deployment and Default Configuration, on page Pre-Configuration Cable the Device, on page Pre-Configuration Power on the Device, on page Cisco Firepower 2100 Getting Started Guide...

  • Page 5: Review The Network Deployment And Default Configuration

    Review the Network Deployment and Default Configuration The following figure shows the default network deployment for Firepower Threat Defense using Firepower Device Manager on a Firepower 2100 series appliance using the default configuration. Note If cannot use the default IP address (for example, you are adding your device to an existing network), then you can connect to the console port and perform initial setup at the CLI, including setting the Management IP address, gateway, and other basic networking settings.
  • Page 6 (to-the-device and from-the-device), such as syslog or SNMP. The Diagnostic interface is not typically used. See the FDM configuration guide for more information. • DNS server for management • OpenDNS: 208.67.222.222, 208.67.220.220, or servers you specify during setup Cisco Firepower 2100 Getting Started Guide...

  • Page 7: Cable The Device

    Firepower Threat Defense Deployment with FDM Cable the Device • NTP—Cisco NTP servers: 0.sourcefire.pool.ntp.org, 1.sourcefire.pool.ntp.org, 2.sourcefire.pool.ntp.org, or servers you specify during setup • Default routes • Data interfaces—Obtained from outside DHCP, or a gateway IP address you specify during setup •...

  • Page 8: Power On The Device

    Check the PWR LED on the front of the device; if it is solid green, the device is powered on. Step 4 Check the SYS LED on the front of the device; after it is solid green, the system has passed power-on diagnostics. Cisco Firepower 2100 Getting Started Guide...

  • Page 9: (Optional) Change Management Network Settings At The Cli

    DHCP server on Management will be disabled if you change the IP address. • Manage the device locally?—Enter yes to use FDM. A no answer means you will use FMC instead. Example: You must accept the EULA to continue. Press <ENTER> to display the EULA: Cisco Firepower 2100 Getting Started Guide...

  • Page 10: Log Into Fdm

    Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.192 Enter the IPv4 default gateway for the management interface [data-interfaces]: 10.10.10.1 Enter a fully qualified hostname for this system [firepower]: ftd-1.cisco.com Enter a comma-separated list of DNS servers or 'none' [208.67.222.222,208.67.220.220]: Enter a comma-separated list of search domains or 'none' []: If your networking information has changed, you will need to reconnect.

  • Page 11: Complete The Initial Configuration

    Time Zone—Select the time zone for the system. b) NTP Time Server—Select whether to use the default NTP servers or to manually enter the addresses of your NTP servers. You can add multiple servers to provide backups. Cisco Firepower 2100 Getting Started Guide...

  • Page 12: Configure Licensing

    Configure the Device in Firepower Device Manager, on page Configure Licensing The FTD uses Cisco Smart Software Licensing, which lets you purchase and manage a pool of licenses centrally. When you register the chassis, the License Authority issues an ID certificate for communication between the chassis and the License Authority.
  • Page 13 Make sure your Smart Licensing account contains the available licenses you need. When you bought your device from Cisco or a reseller, your licenses should have been linked to your Smart Software License account. However, if you need to add licenses yourself, use the Find Products and Solutions...
  • Page 14 On the Create Registration Token dialog box enter the following settings, and then click Create Token: • Description • Expire After—Cisco recommends 30 days. • Allow export-controlled functionaility on the products registered with this token—Enables the export-compliance flag if you are in a country that allows for strong encryption.
  • Page 15 In FDM, click Device, and then in the Smart License summary, click View Configuration. You see the Smart License page. Step 4 Click Register Device. Then follow the instructions on the Smart License Registration dialog box to paste in your token.: Cisco Firepower 2100 Getting Started Guide...
  • Page 16 You return to the Smart License page. While the device registers, you see the following message: After the device successfully registers and you refresh the page, you see the following: Step 6 Click the Enable/Disable control for each optional license as desired. Cisco Firepower 2100 Getting Started Guide...
  • Page 17 Firepower Threat Defense Deployment with FDM Configure Licensing • Enable—Registers the license with your Cisco Smart Software Manager account and enables the controlled features. You can now configure and deploy policies controlled by the license. • Disable—Unregisters the license with your Cisco Smart Software Manager account and disables the controlled features.

  • Page 18: Configure The Device In Firepower Device Manager

    You cannot put the interfaces in zones when configuring them, so you must always edit the zone objects after creating new interfaces or changing the purpose of existing interfaces. The following example shows how to create a new dmz-zone for the dmz interface. Cisco Firepower 2100 Getting Started Guide...
  • Page 19 The routes you define on this page are for the data interfaces only. They do not impact the Note management interface. Set the management gateway on Device > System Settings > Management Interface. Cisco Firepower 2100 Getting Started Guide...
  • Page 20 IP addresses or URLs. By blacklisting known bad sites, you do not need to account for them in your access control policy. Cisco provides regularly updated feeds of known bad addresses and URLs so that the Security Intelligence blacklist updates dynamically. Using feeds, you do not need to edit the policy to add or remove items in the blacklist.

  • Page 21: Access The Ftd And Fxos Cli

    Use the command-line interface (CLI) to set up the system and do basic system troubleshooting. You cannot configure policies through a CLI session. You can access the CLI by connecting to the console port. You can also access the FXOS CLI from the FTD CLI for troubleshooting purposes. Cisco Firepower 2100 Getting Started Guide...
  • Page 22 After logging in, for information on the commands available in the CLI, enter help or ?. For usage information, see the Cisco Firepower Threat Defense Command Reference. Step 4 To exit the FTD CLI, enter the exit or logout command. Example: > exit firepower# Cisco Firepower 2100 Getting Started Guide...

  • Page 23: Power Off The Device

    To continue configuring your FTD device, see the documents available for your software version at Navigating the Cisco Firepower Documentation. For information related to using FDM, see Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager. Cisco Firepower 2100 Getting Started Guide...
  • Page 24 Firepower Threat Defense Deployment with FDM What's Next? Cisco Firepower 2100 Getting Started Guide...
  • Page 25 FDM web-based device setup wizard to configure the basic features of the software that are most commonly used for small network deployments. Note The Cisco Firepower 2100 hardware can run either FTD software or ASA software. Switching between FTD and ASA requires you to reimage the device. See Reimage the Cisco ASA or Firepower Threat Defense Device.

  • Page 26: Before You Start

    The Firepower device and the FMC both have the same default management IP address: 192.168.45.45. This guide assumes that you will set different IP addresses for your devices during initial setup. End-to-End Procedure See the following tasks to deploy the FTD with FMC on your chassis. Cisco Firepower 2100 Getting Started Guide...
  • Page 27 Review the Network Deployment, on page Pre-Configuration Cable the Device, on page Pre-Configuration Power on the Device, on page FTD CLI Complete the Initial Configuration, on page Firepower Log Into the Firepower Management Center, on page Management Center Cisco Firepower 2100 Getting Started Guide...

  • Page 28: Review The Network Deployment

    The following figure shows a possible network deployment for the Firepower 2100 where the FMC and management computer connect to the management network. The management network has a path to the internet for licensing and updates. Cisco Firepower 2100 Getting Started Guide...
  • Page 29 FMC by connecting Management 1/1 to an inside interface through a Layer 2 switch, and by connecting the FMC and management computer to the switch. (This direct connection is allowed because the management interface is separate from the other interfaces on the FTD.) Cisco Firepower 2100 Getting Started Guide...

  • Page 30: Cable The Device

    IP addresses for your devices during initial setup. Note Other topologies can be used, and your deployment will vary depending on your basic logical network connectivity, ports, addressing, and configuration requirements. Procedure Step 1 Cable for a separate management network: Cisco Firepower 2100 Getting Started Guide...
  • Page 31 Connect the inside interface (for example, Ethernet 1/2) to your inside router. d) Connect the outside interface (for example, Ethernet 1/1) to your outside router. e) Connect other networks to the remaining interfaces. Step 2 Cable for an edge deployment: Cisco Firepower 2100 Getting Started Guide...

  • Page 32: Power On The Device

    (UPS)). Loss of power without first shutting down can cause serious file system damage. There are many processes running in the background all the time, and losing power does not allow the graceful shutdown of your system. Cisco Firepower 2100 Getting Started Guide...

  • Page 33: Complete The Initial Configuration

    Defaults or previously entered values appear in brackets. To accept previously entered values, press Enter. See the following guidelines: • Enter the IPv4 default gateway for the management interface—The data-interfaces setting applies only to Firepower Device Manager management; you should set a gateway IP address for Management Cisco Firepower 2100 Getting Started Guide...
  • Page 34 Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.192 Enter the IPv4 default gateway for the management interface [data-interfaces]: 10.10.10.1 Enter a fully qualified hostname for this system [firepower]: ftd-1.cisco.com Enter a comma-separated list of DNS servers or 'none' [208.67.222.222,208.67.220.220]: Enter a comma-separated list of search domains or 'none' []: If your networking information has changed, you will need to reconnect.
  • Page 35 The NAT ID must be unique among all NAT IDs used to register managed appliances to establish trust for the initial communication and to look up the correct registration key. Cisco Firepower 2100 Getting Started Guide...

  • Page 36: Log Into The Firepower Management Center

    Obtain Licenses for the Firepower Management Center All licenses are supplied to the FTD by the FMC. You can optionally purchase the following feature licenses: • Threat—Security Intelligence and Cisco Firepower Next-Generation IPS • Malware—Advanced Malware Protection for Networks (AMP) •...
  • Page 37 Make sure your Smart Licensing account contains the available licenses you need. When you bought your device from Cisco or a reseller, your licenses should have been linked to your Smart Software License account. However, if you need to add licenses yourself, use the Find Products and Solutions...

  • Page 38: Register The Firepower Threat Defense With The Firepower Management Center

    • FTD management IP address and/or NAT ID • FMC registration key Procedure Step 1 In FMC, choose Devices > Device Management. Step 2 From the Add drop-down list, choose Add Device, and enter the following parameters. Cisco Firepower 2100 Getting Started Guide...
  • Page 39 • Smart Licensing—Assign the Smart Licenses you need for the features you want to deploy: Malware (if you intend to use AMP malware inspection), Threat (if you intend to use intrusion prevention), and URL (if you intend to implement category-based URL filtering). Cisco Firepower 2100 Getting Started Guide...

  • Page 40: Configure A Basic Security Policy

    • Access control—Allow traffic from inside to outside. To configure a basic security policy, complete the following tasks. Configure Interfaces, on page Configure the DHCP Server, on page Add the Default Route, on page Configure NAT, on page Cisco Firepower 2100 Getting Started Guide...
  • Page 41 Choose Devices > Device Management, and click the edit icon ( ) for the device. Step 2 Click Interfaces. Step 3 Click the edit icon ( ) for the interface that you want to use for inside. The General tab appears. Cisco Firepower 2100 Getting Started Guide...
  • Page 42 QoS policies. e) Click the IPv4 and/or IPv6 tab. • IPv4—Choose Use Static IP from the drop-down list, and enter an IP address and subnet mask in slash notation. For example, enter 192.168.1.1/24 Cisco Firepower 2100 Getting Started Guide...
  • Page 43 • Obtain default route using DHCP—Obtains the default route from the DHCP server. • DHCP route metric—Assigns an administrative distance to the learned route, between 1 and 255. The default administrative distance for the learned routes is 1. Cisco Firepower 2100 Getting Started Guide...
  • Page 44 The range of IP addresses must be on the same subnet as the selected interface and cannot include the IP address of the interface itself. • Enable DHCP Server—Enable the DHCP server on the selected interface. Step 4 Click OK. Step 5 Click Save. Cisco Firepower 2100 Getting Started Guide...
  • Page 45 IP address or a Networks/Hosts object. • Metric—Enter the number of hops to the destination network. Valid values range from 1 to 255; the default value is 1. Step 3 Click OK. Cisco Firepower 2100 Getting Started Guide...
  • Page 46 Port Address Translation (PAT). Procedure Step 1 Choose Devices > NAT, and click New Policy > Threat Defense NAT. Step 2 Name the policy, select the device(s) that you want to use the policy, and click Save. Cisco Firepower 2100 Getting Started Guide...
  • Page 47 • Type—Choose Dynamic. Step 5 On the Interface Objects page, add the outside zone from the Available Interface Objects area to the Destination Interface Objects area. Step 6 On the Translation page, configure the following options: Cisco Firepower 2100 Getting Started Guide...
  • Page 48 If you have other zones, be sure to add rules allowing traffic to the appropriate networks. See the FMC configuration guide to configure more advanced security settings and rules. Cisco Firepower 2100 Getting Started Guide...
  • Page 49 The rule is added to the Rules table. Step 4 Click Save. Deploy the Configuration Deploy the configuration changes to the FTD; none of your changes are active on the device until you deploy them. Cisco Firepower 2100 Getting Started Guide...

  • Page 50: Access The Ftd And Fxos Cli

    You can alternatively SSH to the Management interface of the FTD device. You can later connect to the address on a data interface if you open the interface for SSH connections. SSH access to data interfaces is disabled by default. This procedure describes console port access. Cisco Firepower 2100 Getting Started Guide...
  • Page 51 > exit firepower# This returns you to the FXOS CLI prompt. For information on the commands available in the FXOS Note CLI, enter ?. For usage information, see the Cisco Firepower FXOS Command Reference. Cisco Firepower 2100 Getting Started Guide...
  • Page 52 What's Next? To continue configuring your FTD, see the documents available for your software version at Navigating the Cisco Firepower Documentation. For information related to using FMC, see the Firepower Management Center Configuration Guide. Cisco Firepower 2100 Getting Started Guide...
  • Page 53 Note The Firepower 2100 hardware can run either ASA software or FTD software. Switching between ASA and FTD requires you to reimage the device. See Reimage the Cisco ASA or Firepower Threat Defense Device. Note Privacy Collection Statement—The Firepower 2100 does not require or actively collect personally-identifiable information.
  • Page 54 You can manage the ASA using one of the following managers: • ASDM (Covered in this guide)—A single device manager included on the device. • CLI • Cisco Security Manager—A multi-device manager on a separate server. You can also access the FXOS CLI for troubleshooting purposes. Unsupported Features The following ASA features are not supported on the Firepower 2100: •...
  • Page 55 Make sure you change the interface IDs to match the new hardware IDs. For example, the ASA 5525-X includes Management 0/0, and GigabitEthernet 0/0 through 0/5. The Firepower 1120 includes Management 1/1 and Ethernet 1/1 through 1/8. Cisco Firepower 2100 Getting Started Guide...
  • Page 56 FXOS). The new image will load when you reload the ASA. End-to-End Procedure See the following tasks to deploy and configure the ASA on your chassis. Pre-Configuration Review the Network Deployment and Default Configuration, on page Cisco Firepower 2100 Getting Started Guide...

  • Page 57: Review The Network Deployment And Default Configuration

    59: Configure feature licenses. ASDM Configure the ASA, on page Review the Network Deployment and Default Configuration The following figure shows the default network deployment for the Firepower 2100 using the default configuration in ASA Appliance mode. Cisco Firepower 2100 Getting Started Guide...
  • Page 58 192.168.1.1 255.255.255.0 no shutdown object network obj_any subnet 0.0.0.0 0.0.0.0 nat (any,outside) dynamic interface http server enable http 0.0.0.0 0.0.0.0 management http 192.168.1.0 255.255.255.0 management dhcpd auto_config outside dhcpd address 192.168.1.20-192.168.1.254 inside dhcpd enable inside Cisco Firepower 2100 Getting Started Guide...

  • Page 59: Cable The Device

    Firepower 2100 Appliance Mode Default Configuration, on page 56). You can later configure ASA management access from other interfaces; see the ASA general operations configuration guide. Step 2 Connect the outside network to the Ethernet1/1 interface (labeled WAN). Cisco Firepower 2100 Getting Started Guide...

  • Page 60: Power On The Device

    Authority and also use ASDM immediately. You can also use SSH and SCP if you later configure SSH access on the ASA. Other features that require strong encryption (such as VPN) must have the Strong Encryption license enabled, which requires you to first register to the License Authority. Cisco Firepower 2100 Getting Started Guide...

  • Page 61: Configure Licensing

    • https://management_ip—Management interface IP address assigned from DHCP. The Cisco ASDM web page appears. You may see browser security warnings because the ASA does not have a certificate installed; you can safely ignore these warnings and visit the web page.
  • Page 62 Make sure your Smart Licensing account contains the available licenses you need, including at a minimum the Standard license. When you bought your device from Cisco or a reseller, your licenses should have been linked to your Smart Software License account. However, if you need to add licenses yourself, use the Find Products and Solutions...
  • Page 63 Click Inventory. b) On the General tab, click New Token. c) On the Create Registration Token dialog box enter the following settings, and then click Create Token: Cisco Firepower 2100 Getting Started Guide...
  • Page 64 ASA Deployment in Appliance Mode Configure Licensing • Description • Expire After—Cisco recommends 30 days. • Allow export-controlled functionaility on the products registered with this token—Enables the export-compliance flag. The token is added to your inventory. d) Click the arrow icon to the right of the token to open the Token dialog box so you can copy the token ID to your clipboard.
  • Page 65 (3DES/AES) license if your account allows. ASDM refreshes the page when the license status is updated. You can also choose Monitoring > Properties > Smart License to check the license status, particularly if the registration fails. Step 7 Set the following parameters: Cisco Firepower 2100 Getting Started Guide...

  • Page 66: Configure The Asa

    Using ASDM, you can use wizards to configure basic and advanced features. You can also manually configure features not included in wizards. Procedure Step 1 Choose Wizards > Startup Wizard, and click the Modify existing configuration radio button. Cisco Firepower 2100 Getting Started Guide...
  • Page 67 • And more... Step 3 (Optional) From the Wizards menu, run other wizards. Step 4 To continue configuring your ASA, see the documents available for your software version at Navigating the Cisco ASA Series Documentation. Cisco Firepower 2100 Getting Started Guide...

  • Page 68: Access The Asa And Fxos Cli

    All non-configuration commands are available in privileged EXEC mode. You can also enter configuration mode from privileged EXEC mode. To exit privileged EXEC mode, enter the disable, exit, or quit command. Step 3 Access global configuration mode. configure terminal Example: ciscoasa# configure terminal ciscoasa(config)# Cisco Firepower 2100 Getting Started Guide...

  • Page 69: What's Next

    Type help or '?' for a list of available commands. ciscoasa# What's Next? • To continue configuring your ASA, see the documents available for your software version at Navigating the Cisco ASA Series Documentation. • For troubleshooting, see the FXOS troubleshooting guide. Cisco Firepower 2100 Getting Started Guide...
  • Page 70 ASA Deployment in Appliance Mode What's Next? Cisco Firepower 2100 Getting Started Guide...
  • Page 71 Note The Firepower 2100 hardware can run either ASA software or FTD software. Switching between ASA and FTD requires you to reimage the device. See Reimage the Cisco ASA or Firepower Threat Defense Device. Note Privacy Collection Statement—The Firepower 2100 does not require or actively collect personally-identifiable information.
  • Page 72 • ASDM—A single device manager included on the device. This guide describes how to manage the ASA using ASDM. • CLI • Cisco Security Manager—A multi-device manager on a separate server. Appliance mode lets you configure all settings in the ASA. Only advanced troubleshooting commands are available from the FXOS CLI.
  • Page 73 Note that when you connect to the ASA console from FXOS (connect asa), then ASA AAA configuration for console access applies (aaa authentication serial console). End-to-End Procedure See the following tasks to deploy and configure the ASA on your chassis. Cisco Firepower 2100 Getting Started Guide...
  • Page 74 ASA Deployment in Platform Mode End-to-End Procedure Cisco Firepower 2100 Getting Started Guide...

  • Page 75: Review The Network Deployment And Default Configuration

    ASA Platform mode. Note If you cannot use the default IP address for ASDM access, you can set the IP address at the ASA CLI. See (Optional) Change the IP Address, on page Cisco Firepower 2100 Getting Started Guide...
  • Page 76 • management—Management 1/1 (management), IP address 192.168.45.1 • ASDM access—Management hosts allowed. • NAT—Interface PAT for all traffic from inside to outside. • FXOS management traffic initiation—The FXOS chassis can initiate management traffic on the ASA outside interface. Cisco Firepower 2100 Getting Started Guide...
  • Page 77 • Firepower Chassis Manager and SSH access—From the management network only. • Default Username—admin, with the default password Admin123 • DHCP server—Client IP address range 192.168.45.10-192.168.45.12 • NTP server—Cisco NTP servers: 0.sourcefire.pool.ntp.org, 1.sourcefire.pool.ntp.org, 2.sourcefire.pool.ntp.org • DNS Servers—OpenDNS: 208.67.222.222, 208.67.220.220 • Ethernet 1/1 and Ethernet 1/2—Enabled...

  • Page 78: Cable The Device

    Be sure to install any necessary USB serial drivers for your operating system. Step 3 Connect the outside network to the Ethernet1/1 interface (labeled WAN). For Smart Software Licensing, the ASA needs internet access so that it can access the License Authority. Cisco Firepower 2100 Getting Started Guide...

  • Page 79: Power On The Device

    Platform mode, and optionally how to change it back to Appliance mode. When you change the mode, the configuration is cleared and you need to reload the system. The default configuration is applied upon reload. Cisco Firepower 2100 Getting Started Guide...
  • Page 80 To exit privileged mode, enter the disable, exit, or quit command. Step 3 Access global configuration mode. configure terminal Example: ciscoasa# configure terminal ciscoasa(config)# Step 4 Set the mode to Platform mode. no fxos mode appliance write memory reload Cisco Firepower 2100 Getting Started Guide...
  • Page 81 WARNING: This command will take effect after the running-config is saved and the system has been rebooted. Command accepted. ciscoasa(config)# write memory Building configuration... Cryptochecksum: c0532471 648dc7c2 4f2b4175 1f162684 23736 bytes copied in 1.520 secs (23736 bytes/sec) [OK] ciscoasa(config)# reload Proceed with reload? [confirm] Cisco Firepower 2100 Getting Started Guide...

  • Page 82: (Optional) Change The Ip Address

    (Optional) Change the FXOS Management IP Addresses or Gateway, on page Procedure Step 1 On your management computer connected to the Management 1/1 interface, launch the Firepower Chassis Manager by going to the following URL. https://192.168.45.45 Cisco Firepower 2100 Getting Started Guide...

  • Page 83: (Optional)Enableadditionalinterfacesinthefirepowerchassis Manager

    The Management 1/1 interface shows as MGMT in this table. Step 3 (Optional) Add an EtherChannel. Note EtherChannel member ports are visible on the ASA, but you can only configure EtherChannels and port membership in FXOS. Cisco Firepower 2100 Getting Started Guide...
  • Page 84 Ctrl key. To select a range of interfaces, select the first interface in the range, and then, while holding down the Shift key, click to select the last interface in the range. h) Click OK. Cisco Firepower 2100 Getting Started Guide...

  • Page 85: Log Into Asdm

    • management_ip—Identifies the IP address or host name of the ASA management interface (192.168.45.1). The Cisco ASDM web page appears. You may see browser security warnings because the ASA does not have a certificate installed; you can safely ignore these warnings and visit the web page.
  • Page 86 Make sure your Smart Licensing account contains the available licenses you need, including at a minimum the Standard license. When you bought your device from Cisco or a reseller, your licenses should have been linked to your Smart Software License account. However, if you need to add licenses yourself, use the Find Products and Solutions...
  • Page 87 Click Inventory. b) On the General tab, click New Token. c) On the Create Registration Token dialog box enter the following settings, and then click Create Token: • Description Cisco Firepower 2100 Getting Started Guide...
  • Page 88 ASA Deployment in Platform Mode Configure Licensing • Expire After—Cisco recommends 30 days. • Allow export-controlled functionaility on the products registered with this token—Enables the export-compliance flag. The token is added to your inventory. d) Click the arrow icon to the right of the token to open the Token dialog box so you can copy the token ID to your clipboard.
  • Page 89 (3DES/AES) license if your account allows. ASDM refreshes the page when the license status is updated. You can also choose Monitoring > Properties > Smart License to check the license status, particularly if the registration fails. Step 7 Set the following parameters: Cisco Firepower 2100 Getting Started Guide...

  • Page 90: Configure The Asa

    Using ASDM, you can use wizards to configure basic and advanced features. You can also manually configure features not included in wizards. Procedure Step 1 Choose Wizards > Startup Wizard, and click the Modify existing configuration radio button. Cisco Firepower 2100 Getting Started Guide...
  • Page 91 • And more... Step 3 (Optional) From the Wizards menu, run other wizards. Step 4 To continue configuring your ASA, see the documents available for your software version at Navigating the Cisco ASA Series Documentation. Cisco Firepower 2100 Getting Started Guide...

  • Page 92: (Optional) Configure Management Access For Fxos On Data Interfaces

    Choose HTTPS, SNMP, or SSH from the navigation pane. b) Click Add, and set the Interface where you want to allow management, set the IP Address allowed to connect, and then click OK. Cisco Firepower 2100 Getting Started Guide...

  • Page 93: Access The Asa And Fxos Cli

    Be sure to install any necessary USB serial drivers for your operating system. Use the following serial settings: • 9600 baud • 8 data bits • No parity Cisco Firepower 2100 Getting Started Guide...
  • Page 94 ASA data interface IP address on port 3022 (the default port). Step 2 Connect to the ASA CLI. connect asa To return to the FXOS CLI, enter Ctrl+a, d. Example: firepower-2110# connect asa Attaching to Diagnostic CLI ... Press 'Ctrl+a then d' to detach. Cisco Firepower 2100 Getting Started Guide...

  • Page 95: (Optional) Change The Fxos Management Ip Addresses Or Gateway

    Password: Admin123 Last login: Sat Jan 23 16:20:16 UTC 2017 on pts/1 Successful login attempts for user 'admin' : 4 Cisco Firepower Extensible Operating System (FX-OS) Software […] firepower-2110# firepower-2110# exit Remote card closed command session. Press any key to continue.
  • Page 96 To keep the currently-set gateway, omit the gw keyword. Similarly, to keep the existing management IP address while changing the gateway, omit the ip and netmask keywords. Cisco Firepower 2100 Getting Started Guide...
  • Page 97 64 ipv6-gw 2001:DB8::1 firepower-2110 /fabric-interconnect/ipv6-config* # Step 5 Delete and add new access lists for HTTPS, SSH, and SNMP to allow management connections from the new network. a) Set the scope for system/services. scope system Cisco Firepower 2100 Getting Started Guide...
  • Page 98 /system/services/ip-block* # exit firepower-2110 /system/services* # a) Delete the old access lists. For IPv4: delete ip-block ip_address prefix [http | snmp | ssh] For IPv6: delete ipv6-block ipv6_address prefix [https | snmp | ssh] Cisco Firepower 2100 Getting Started Guide...
  • Page 99 Type help or '?' for a list of available commands. ciscoasa> enable Password: The enable password is not set. Please set it now. Enter Password: ****** Repeat Password: ****** ciscoasa# configure terminal ciscoasa(config)# b) Change the Management 1/1 IP address. interface management1/1 Cisco Firepower 2100 Getting Started Guide...
  • Page 100 /fabric-interconnect # scope ipv6-config firepower-2110 /fabric-interconnect/ipv6-config # show ipv6-if Management IPv6 Interface: IPv6 Address Prefix IPv6 Gateway ----------------------------------- ---------- ------------ 2001:DB8::2 2001:DB8::1 firepower-2110 /fabric-interconnect/ipv6-config # set out-of-band static ipv6 2001:DB8::2 ipv6-prefix 64 ipv6-gw 2001:DB8::1 Cisco Firepower 2100 Getting Started Guide...

  • Page 101: What's Next

    New/Modified commands: fxos mode appliance, show fxos mode Prompt to set admin 9.13(1) You are not prompted to set the admin password when you first log in to Firepower Chassis password Manager. Formerly, the default password was Admin123. Cisco Firepower 2100 Getting Started Guide...
  • Page 102 ASA Deployment in Platform Mode History for the Firepower 2100 in Platform Mode Cisco Firepower 2100 Getting Started Guide...
  • Page 103 © 2019 Cisco Systems, Inc. All rights reserved.

This manual is also suitable for:

Firepower 2110Firepower 2120Firepower 2130Firepower 2140Firepower 2100

Table of Contents

Save PDF