Cisco Firepower 2100 Getting Started Manual

Cisco Firepower 2100 Getting Started Guide
First Published: 2019-09-25
Last Modified: 2021-05-26
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883


Summary of Contents for Cisco Firepower 2100

  • Page 3 You may want to use the ASA if you do not need the advanced capabilities of the FTD, or if you need an ASA-only feature that is not yet available on the FTD. Cisco provides ASA-to-FTD migration tools to help you convert your ASA to an FTD if you start with ASA and later reimage to FTD.
  • Page 4 To get started with FMC on the Management network, see Firepower Threat Defense Deployment with FMC. To get started with FMC on a remote network, see Firepower Threat Defense Deployment with a Remote FMC.
  • Page 5 CLI or ASDM. CSM does not support managing FTDs. CSM is not covered in this guide. For more information, see the CSM user guide.
  • Page 6 The ASA REST API lets you automate ASA configuration. However, the API does not include all ASA features, and is no longer being enhanced. The ASA REST API is not covered in this guide. For more information, see the REST API guide.
  • Page 7: Table Of Contents

    Device. The Firepower 2100 runs an underlying operating system called the Firepower eXtensible Operating System (FXOS). The Firepower 2100 does not support the FXOS Firepower Chassis Manager; only a limited CLI is supported for troubleshooting purposes. See the FXOS troubleshooting guide for more information.
  • Page 8: End-To-End Procedure

    See the following tasks to deploy FTD with FDM on your chassis.
    • Pre-Configuration: Review the Network Deployment and Default Configuration
    • Pre-Configuration: Cable the Device
    • Pre-Configuration: Power on the Device
  • Page 9: Review The Network Deployment And Default Configuration

    • If you add the FTD to an existing inside network, you will need to change the inside IP address to be on the existing network. The following figure shows the default network deployment for FTD using FDM with the default configuration.
  • Page 10
    • outside—Ethernet 1/1, IP address from IPv4 DHCP and IPv6 autoconfiguration
    • inside→outside traffic flow
    • management—Management 1/1 (management)
      • (6.6 and later) IP address from DHCP
      • (6.5 and earlier) IP address 192.168.45.45
  • Page 11
    • DNS server for management—OpenDNS: (IPv4) 208.67.222.222, 208.67.220.220; (IPv6) 2620:119:35::35, or servers you specify during setup. DNS servers obtained from DHCP are never used.
    • NTP—Cisco NTP servers: 0.sourcefire.pool.ntp.org, 1.sourcefire.pool.ntp.org, 2.sourcefire.pool.ntp.org, or servers you specify during setup
    • Default routes...
  • Page 12: Cable The Device

    For 6.7 and earlier, the Ethernet 1/2 inside IP address is 192.168.1.1. For 6.5 and earlier, the Management 1/1 default IP address is 192.168.45.45. Manage the Firepower 2100 on either Management 1/1 or Ethernet 1/2. The default configuration also configures Ethernet 1/1 as outside.
  • Page 13: Power On The Device

    OFF position. The front panel PWR LED flashes momentarily and turns off. Do not remove the power until the PWR LED is completely off. See the FXOS Configuration Guide for more information on using the shutdown commands.
  • Page 14: (Optional) Change Management Network Settings At The CLI

    Hello admin. You must change your password. Enter new password: ******** Confirm new password: ******** Your password was updated successfully. [...] firepower# Step 2 Connect to the FTD CLI. connect ftd Example: firepower# connect ftd >
  • Page 15 Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.192 Enter the IPv4 default gateway for the management interface [data-interfaces]: 10.10.10.1 Enter a fully qualified hostname for this system [firepower]: ftd-1.cisco.com Enter a comma-separated list of DNS servers or 'none' [208.67.222.222,208.67.220.220]: Enter a comma-separated list of search domains or 'none' []: If your networking information has changed, you will need to reconnect.
  • Page 16: Log Into FDM

    • An access rule trusting all inside to outside traffic.
    • An interface NAT rule that translates all inside to outside traffic to unique ports on the IP address of the outside interface.
    • A DHCP server running on the inside interface.
  • Page 17 90-day evaluation license and set up smart licensing later. To register the device now, click the link to log into your Smart Software Manager account, and see Configure Licensing.
  • Page 18: Configure Licensing

    Make sure your Smart Licensing account contains the available licenses you need. When you bought your device from Cisco or a reseller, your licenses should have been linked to your Smart Software License account. However, if you need to add licenses yourself, use the Find Products and Solutions...
  • Page 19 • RA VPN—See the Cisco AnyConnect Ordering Guide. Step 2 In the Smart Software Manager, request and copy a registration token for the virtual account to which you want to add this device. a) Click Inventory.
  • Page 20 Click the arrow icon to the right of the token to open the Token dialog box so you can copy the token ID to your clipboard. Keep this token ready for later in the procedure when you need to register the FTD.
  • Page 21 In the FDM, click Device, and then in the Smart License summary, click View Configuration. You see the Smart License page. Step 4 Click Register Device. Then follow the instructions on the Smart License Registration dialog box to paste in your token:
  • Page 22 You return to the Smart License page. While the device registers, you see the following message: After the device successfully registers and you refresh the page, you see the following: Step 6 Click the Enable/Disable control for each optional license as desired.
  • Page 23 Firepower Threat Defense Deployment with FDM, Configure Licensing
    • Enable—Registers the license with your Cisco Smart Software Manager account and enables the controlled features. You can now configure and deploy policies controlled by the license.
    • Disable—Unregisters the license with your Cisco Smart Software Manager account and disables the controlled features.
  • Page 24: Configure The Firewall In Firepower Device Manager

    You cannot put the interfaces in zones when configuring them, so you must always edit the zone objects after creating new interfaces or changing the purpose of existing interfaces. The following example shows how to create a new dmz-zone for the dmz interface.
  • Page 25 Note: The routes you define on this page are for the data interfaces only. They do not impact the management interface. Set the management gateway on Device > System Settings > Management Interface.
  • Page 26 IP addresses or URLs. By blacklisting known bad sites, you do not need to account for them in your access control policy. Cisco provides regularly updated feeds of known bad addresses and URLs so that the Security Intelligence blacklist updates dynamically. Using feeds, you do not need to edit the policy to add or remove items in the blacklist.
  • Page 27: Access The FTD And FXOS CLI

    Use the command-line interface (CLI) to set up the system and do basic system troubleshooting. You cannot configure policies through a CLI session. You can access the CLI by connecting to the console port. You can also access the FXOS CLI for troubleshooting purposes.
  • Page 28 Step 1 To log into the CLI, connect your management computer to the console port. The Firepower 2100 ships with a DB-9 to RJ-45 serial cable, so you will need a third party serial-to-USB cable to make the connection. Be sure to install any necessary USB serial drivers for your operating system.
  • Page 29: Power Off The Firewall Using FDM

    To continue configuring your FTD, see the documents available for your software version at Navigating the Cisco Firepower Documentation. For information related to using FDM, see Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager.
  • Page 32: Before You Start

    What's Next?, on page 61. Before You Start: Deploy and perform initial configuration of the FMC. See the FMC getting started guide. End-to-End Procedure: See the following tasks to deploy the FTD with FMC on your chassis.
  • Page 33: Review The Network Deployment

    Both the FMC and FTD require internet access from management for licensing and updates. The following figure shows a possible network deployment for the Firepower 2100 where the FMC and management computer connect to the management network. The management network has a path to the internet for licensing and updates.
  • Page 34 FMC and FTD management. In the following diagram, the Firepower 2100 acts as the internet gateway for the management interface and the FMC by connecting Management 1/1 to an inside interface through a Layer 2 switch, and by connecting the FMC and management computer to the switch.
  • Page 35: Cable The Device

    Figure 11: Edge Network Deployment. Cable the Device: To cable one of the above scenarios on the Firepower 2100, see the following steps. Note: Other topologies can be used, and your deployment will vary depending on your basic logical network connectivity, ports, addressing, and configuration requirements.
  • Page 36 Connect the inside interface (for example, Ethernet 1/2) to your inside router. d) Connect the outside interface (for example, Ethernet 1/1) to your outside router. e) Connect other networks to the remaining interfaces. Step 2 Cable for an edge deployment:
  • Page 37: Power On The Device

    Before you begin: It's important that you provide reliable power for your device (for example, using an uninterruptible power supply (UPS)). Loss of power without first shutting down can cause serious file system damage. There are...
  • Page 38: Complete The FTD Initial Configuration

    Before you begin: • Deploy and perform initial configuration of the FMC. See the FMC getting started guide. You will need to know the FMC IP address or hostname before you set up the FTD.
  • Page 39 Use OpenDNS to reload the appropriate IP addresses into the fields. Firewall Hostname—The hostname for the system's management address. b) Configure the Time Setting (NTP) and click Next. 1. Time Zone—Select the time zone for the system.
  • Page 40 FDM. Other FDM configuration will not be retained when you register the device to FMC. Step 5 Choose Device > System Settings > Management Center, and click Proceed to set up FMC management. Step 6 Configure the FMC Details.
  • Page 41 No if the FMC is behind NAT or does not have a public IP address or hostname. At least one of the devices, either the FMC or the FTD, must have a reachable IP address to establish the two-way, SSL-encrypted communication channel between the two devices.
  • Page 42 If you want to cancel the switch to FMC, click Cancel Registration. Otherwise, do not close the FDM browser window until after the Saving FMC Registration Settings step. If you do, the process will be paused, and will only resume when you reconnect to FDM.
  • Page 43: Complete The FTD Initial Configuration Using The CLI

    Note: If the password was already changed, and you do not know it, you must reimage the device to reset the password to the default. See the FXOS troubleshooting guide for the reimage procedure. Example:
  • Page 44 • Configure firewall mode?—We recommend that you set the firewall mode at initial configuration. Changing the firewall mode after initial setup erases your running configuration. Example: You must accept the EULA to continue. Press <ENTER> to display the EULA:
  • Page 45 Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.192 Enter the IPv4 default gateway for the management interface [data-interfaces]: 10.10.10.1 Enter a fully qualified hostname for this system [firepower]: ftd-1.cisco.com Enter a comma-separated list of DNS servers or 'none' [208.67.222.222,208.67.220.220]: Enter a comma-separated list of search domains or 'none' []: If your networking information has changed, you will need to reconnect.
  • Page 46: Log Into The Firepower Management Center

    For information on supported browsers, refer to the release notes for the version you are using (see https://www.cisco.com/go/firepower-notes). Procedure: Step 1 Using a supported browser, enter the following URL: https://fmc_ip_address Step 2 Enter your username and password.
  • Page 47: Obtain Licenses For The FMC

  • Page 48: Register The FTD With The FMC

    • Gather the following information that you set in the FTD initial configuration: • The FTD management IP address or hostname, and NAT ID • The FMC registration key Procedure Step 1 In the FMC, choose Devices > Device Management.
  • Page 49 • Access Control Policy—Choose an initial policy. Unless you already have a customized policy you know you need to use, choose Create new policy, and choose Block all traffic. You can change this later to allow traffic; see Allow Traffic from Inside to Outside.
  • Page 50 • Registration key, NAT ID, and FMC IP address—Make sure you are using the same registration key, and if used, NAT ID, on both devices. You can set the registration key and NAT ID on the FTD using the configure manager add command. For more troubleshooting information, see https://cisco.com/go/fmc-reg-error.
  • Page 51 A typical edge-routing situation is to obtain the outside interface address through DHCP from your ISP, while you define static addresses on the inside interfaces. The following example configures a routed mode inside interface with a static address and a routed mode outside interface using DHCP.
  • Page 52 Check the Enabled check box. c) Leave the Mode set to None. d) From the Security Zone drop-down list, choose an existing inside security zone or add a new one by clicking New.
  • Page 53 For example, enter 192.168.1.1/24. • IPv6—Check the Autoconfiguration check box for stateless autoconfiguration. f) Click OK. Step 4 Click the Edit ( ) for the interface that you want to use for outside. The General tab appears.
  • Page 54 Enable the DHCP server if you want clients to use DHCP to obtain IP addresses from the FTD. Procedure Step 1 Choose Devices > Device Management, and click the Edit ( ) for the device. Step 2 Choose DHCP > DHCP Server.
  • Page 55 IPv4 Routes or IPv6 Routes table on the Devices > Device Management > Routing > Static Route page. Procedure Step 1 Choose Devices > Device Management, and click the Edit ( ) for the device. Step 2 Choose Routing > Static Route, click Add Route, and set the following:
  • Page 56 • Metric—Enter the number of hops to the destination network. Valid values range from 1 to 255; the default value is 1. Step 3 Click OK. The route is added to the static route table.
  • Page 57 The policy is added to the FMC. You still have to add rules to the policy. Step 3 Click Add Rule. The Add NAT Rule dialog box appears. Step 4 Configure the basic rule options: • NAT Rule—Choose Auto NAT Rule.
  • Page 58 On the Interface Objects page, add the outside zone from the Available Interface Objects area to the Destination Interface Objects area. Step 6 On the Translation page, configure the following options: • Original Source—Click Add ( ) to add a network object for all IPv4 traffic (0.0.0.0/0).
  • Page 59 Step 1 Choose Policy > Access Policy > Access Policy, and click the Edit ( ) for the access control policy assigned to the FTD. Step 2 Click Add Rule, and set the following parameters:
  • Page 60 Select the device in the Deploy Policies dialog box, then click Deploy. Step 3 Ensure that the deployment succeeds. Click the icon to the right of the Deploy button in the menu bar to see status for deployments.
  • Page 62 Observe the Power LED and Status LED to verify that the chassis is powered off (they appear unlit). Step 7 After the chassis has successfully powered off, you can then unplug the power to physically remove power from the chassis if necessary.
  • Page 63 What's Next? To continue configuring your FTD, see the documents available for your software version at Navigating the Cisco Firepower Documentation. For information related to using FMC, see the Firepower Management Center Configuration Guide.
  • Page 65 FTD to the remote branch office. • The branch office administrator cables and powers on the FTD. • The central administrator completes configuration of the FTD using the FMC. About FMC Management
  • Page 67 Either the FTD or FMC needs a public IP address or hostname to allow the inbound management connection; you need to know this IP address for initial setup. You can also optionally configure Dynamic DNS (DDNS) for the outside interface to accommodate changing DHCP IP assignments.
  • Page 68 Figure 19: Before You Start: Deploy and perform initial configuration of the FMC. See the FMC getting started guide. End-to-End Procedure: See the following tasks to deploy the FTD with FMC on your chassis.
  • Page 69
    • Central Administrator Pre-Configuration Using the CLI (Central administrator)
    • Central Administrator Pre-Configuration Using FDM, on page 68 (Central administrator)
    • Physical Setup: Cable the Firewall (Branch administrator)
    • Physical Setup: Power on the Device, on page 80 (Branch administrator)
  • Page 71 DNS servers for name resolution. The default is the OpenDNS public DNS servers. If you edit the fields and want to return to the default, click Use OpenDNS to reload the appropriate IP addresses into the fields. Firewall Hostname—The hostname for the system's management address.
  • Page 72 FDM. Other FDM configuration will not be retained when you register the device to FMC. Step 7 Choose Device > System Settings > Management Center, and click Proceed to set up FMC management. Step 8 Configure the FMC Details.
  • Page 73 For Do you know the FMC hostname or IP address, click Yes if you can reach the FMC using an IP address or hostname, or No if the FMC is behind NAT or does not have a public IP address or hostname.
  • Page 74 FMC. See Configure the Firewall in Firepower Device Manager, on page 22 for more information about configuring static routes in FDM.
  • Page 75 If you configure DDNS before you add the FTD to the FMC, the FTD automatically adds certificates for all of the major CAs from the Cisco Trusted Root CA bundle so that the FTD can validate the DDNS server certificate for the HTTPS connection. The FTD supports any DDNS server that uses the DynDNS Remote API specification (https://help.dyn.com/remote-access-api/).
  • Page 76 Note: If the password was already changed, and you do not know it, then you must reimage the device to reset the password to the default. See the FXOS troubleshooting guide for the reimage procedure.
  • Page 77 You will not be able to reconnect yet from a remote network due to the default route change (through the data interfaces). Console connections are not affected.
  • Page 78 Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.192 Enter the IPv4 default gateway for the management interface [data-interfaces]: Enter a fully qualified hostname for this system [firepower]: ftd-1.cisco.com Enter a comma-separated list of DNS servers or 'none' [208.67.222.222,208.67.220.220]: Enter a comma-separated list of search domains or 'none' []: If your networking information has changed, you will need to reconnect.
  • Page 79 • If you configure a DDNS server update URL, the FTD automatically adds certificates for all of the major CAs from the Cisco Trusted Root CA bundle so that the FTD can validate the DDNS server certificate for the HTTPS connection. The FTD supports any DDNS server that uses the DynDNS Remote API specification (https://help.dyn.com/remote-access-api/).
  • Page 80 The NAT ID must not exceed 37 characters. Valid characters include alphanumerical characters (A–Z, a–z, 0–9) and the hyphen (-). This ID cannot be used for any other devices registering to the FMC.
  • Page 81 Cable the Firewall: The FMC and your management computer reside at a remote headquarters, and can reach the FTD over the internet. To cable the Firepower 2100, see the following steps. Figure 24: Cabling a Remote Management Deployment
  • Page 82 Check the PWR LED on the front of the device; if it is solid green, the device is powered on. Step 4 Check the SYS LED on the front of the device; after it is solid green, the system has passed power-on diagnostics.
  • Page 83 All licenses are supplied to the FTD by the FMC. You can optionally purchase the following feature licenses:
    • Threat—Security Intelligence and Next-Generation IPS
    • Malware—Malware
    • URL—URL Filtering
    • RA VPN—AnyConnect Plus, AnyConnect Apex, or AnyConnect VPN Only
    For a more detailed overview on Cisco Licensing, go to cisco.com/go/licensingguide
  • Page 85 • The FTD management IP address or hostname, and NAT ID • The FMC registration key Procedure Step 1 In the FMC, choose Devices > Device Management. Step 2 From the Add drop-down list, choose Add Device.
  • Page 87 • Registration key, NAT ID, and FMC IP address—Make sure you are using the same registration key, and if used, NAT ID, on both devices. You can set the registration key and NAT ID on the FTD using the configure manager add command. For more troubleshooting information, see https://cisco.com/go/fmc-reg-error.
  • Page 91 Choose Devices > Device Management, and click the Edit ( ) for the device. Step 2 Choose DHCP > DHCP Server. Step 3 On the Server page, click Add, and configure the following options:
  • Page 97 You can only SSH to a reachable interface; if your SSH host is located on the outside interface, you can only initiate a management connection directly to the outside interface. The device allows a maximum of 5 concurrent SSH connections.
  • Page 98 Click OK. Step 4 Click Save. You can now go to Deploy > Deployment and deploy the policy to assigned devices. The changes are not active until you deploy them.
  • Page 101 Heartbeat Send Time: Mon Jun 15 09:02:08 2020 UTC Heartbeat Received Time: Mon Jun 15 09:02:16 2020 UTC View the FTD network information At the FTD CLI, view the Management and FMC access data interface network settings: show network Cisco Firepower 2100 Getting Started Guide...
  • Page 102 At the FTD CLI, check that the FMC registration was completed. Note that this command will not show the current status of the management connection. show managers > show managers Type : Manager Host : 10.89.5.35 Registration : Completed > Cisco Firepower 2100 Getting Started Guide...
  • Page 103 5 minute input rate 0 pkts/sec, 0 bytes/sec 5 minute output rate 0 pkts/sec, 0 bytes/sec 5 minute drop rate, 0 pkts/sec Control Point Interface States: Interface number is 14 Interface config status is active Interface state is active Cisco Firepower 2100 Getting Started Guide...
  • Page 104 FMC's Devices > Device Management > Device > Management > FMC Access Details > CLI Output page. show running-config sftunnel > show running-config sftunnel sftunnel interface outside sftunnel port 8305 show running-config ip-client Cisco Firepower 2100 Getting Started Guide...
  • Page 105 If you use a data interface on the FTD for FMC management, and you deploy a configuration change from the FMC that affects the network connectivity, you can roll back the configuration on the FTD to the last-deployed configuration so you can restore management connectivity. You can then adjust the configuration Cisco Firepower 2100 Getting Started Guide...
  • Page 106 Rolling back complete configuration on the FTD. This will take time... Policy rollback was successful on the FTD. Configuration has been reverted back to transaction id: Following is the rollback summary: ... >
  • Page 107 What's Next? To continue configuring your FTD, see the documents available for your software version at Navigating the Cisco Firepower Documentation. For information related to using FMC, see the Firepower Management Center Configuration Guide.
  • Page 108 Firepower Threat Defense Deployment with a Remote FMC What's Next?
  • Page 109 Device. The Firepower 2100 runs an underlying operating system called the Firepower eXtensible Operating System (FXOS). The Firepower 2100 does not support the FXOS Firepower Chassis Manager; only a limited CLI is supported for troubleshooting purposes. See the FXOS troubleshooting guide for more information.
  • Page 110 Branch Office Tasks (Branch Office Employee): Cable the Device, on page 110; Power On the Device, on page 111. Cisco Defense Orchestrator (CDO Admin): Log Into CDO with Cisco Secure Sign-On, on page 115.
  • Page 111 Note This procedure assumes you are working with a new firewall running FTD Version 6.7 or later. Procedure Step 1 Unpack the chassis and chassis components.
  • Page 112 Communicate with the CDO administrator to develop an onboarding timeline. Cable the Device This topic describes how to connect the Firepower 2100 to your network so that it can be managed remotely by a CDO administrator. • If you received a Firepower firewall at your branch office and your job is to plug it in to your network, watch this video.
  • Page 113 Step 2 Press the power switch on the back of the device. Step 3 Check the PWR LED on the front of the device; if it is solid green, the device is powered on.
  • Page 114 If there is a problem, the SYS LED flashes amber and green, and the device did not reach the Cisco Cloud. If this happens, make sure that your network cable is connected to the Ethernet 1/1 interface and to your WAN modem.
  • Page 115 Create a New Cisco Secure Sign-On Account After you establish your Cisco Secure Sign-On credentials, you can log into CDO from your Cisco Secure Sign-On dashboard. From the Cisco Secure Sign-On dashboard, you can also log into any other supported Cisco products.
  • Page 116 Firepower Threat Defense Deployment with CDO and Low-Touch Provisioning Create a New Cisco Secure Sign-On Account Figure 28: Cisco SSO Sign Up c) Fill in the fields of the Create Account dialog and click Register. Figure 29: Create Account Enter the email address that you plan to use to log in to CDO and add an Organization name to represent your company.
  • Page 117 Choose a security image. d) Click Create My Account. You now see the Cisco Security Sign-On dashboard with the CDO app tiles. You may also see other app tiles. You can drag the tiles around on the dashboard to order them as you like, create tabs to group tiles, and rename tabs.
  • Page 118 Cisco Defense Orchestrator (CDO) uses Cisco Secure Sign-On as its identity provider and Duo Security for multi-factor authentication (MFA). • To log into CDO, you must first create your account in Cisco Secure Sign-On and configure MFA using Duo; see Create a New Cisco Secure Sign-On Account, on page 140.
  • Page 119 Before you begin Low-touch provisioning (LTP) is a feature that allows a new factory-shipped Firepower 2100 series device to be provisioned and configured automatically, eliminating many of the manual tasks involved with onboarding the device to CDO.
  • Page 120 • Apply Smart License: Select this option if your device is not smart licensed already. You have to generate a token using the Cisco Smart Software Manager and copy in this field. • Device Already Licensed: Select this option if your device has already been licensed.
  • Page 121 Make sure your Smart Licensing account contains the available licenses you need. When you bought your device from Cisco or a reseller, your licenses should have been linked to your Smart Software License account. However, if you need to add licenses yourself, use the Find Products and Solutions...
  • Page 122 Click Inventory. b) On the General tab, click New Token. c) On the Create Registration Token dialog box enter the following settings, and then click Create Token: • Description
  • Page 123 You return to the Manage Licenses page. While the device registers, you see the following message: Step 6 After applying the smart license successfully to the FTD device, the device status shows Connected, Sufficient License. Click the Enable/Disable slider control for each optional license as desired.
  • Page 124 Firepower Threat Defense Deployment with CDO and Low-Touch Provisioning Configure Licensing • Enable—Registers the license with your Cisco Smart Software Manager account and enables the controlled features. You can now configure and deploy policies controlled by the license. • Disable—Unregisters the license with your Cisco Smart Software Manager account and disables the controlled features.
  • Page 125 After onboarding the firewall to CDO, you can manage the firewall with CDO. To manage the FTD with CDO: 1. Browse to https://sign-on.security.cisco.com. 2. Log in as the user you created in Create a New Cisco Secure Sign-On Account, on page 140. 3. Review Managing FTD with Cisco Defense Orchestrator for links to common management tasks.
  • Page 126 Firepower Threat Defense Deployment with CDO and Low-Touch Provisioning Manage the Device with CDO
  • Page 127 Device. The Firepower 2100 runs an underlying operating system called the Firepower eXtensible Operating System (FXOS). The Firepower 2100 does not support the FXOS Firepower Chassis Manager; only a limited CLI is supported for troubleshooting purposes. See the FXOS troubleshooting guide for more information.
  • Page 128: End-to-End Procedure

    Access the FTD and FXOS CLI, on page 160 • Power Off the Firewall Using FDM, on page 161 • What's Next, on page 161 End-to-End Procedure See the following tasks to deploy FTD with CDO on your chassis.
  • Page 129 Firepower Threat Defense Deployment with CDO End-to-End Procedure Pre-Configuration Review the Network Deployment and Default Configuration, on page 129. Pre-Configuration Cable the Device, on page 134.
  • Page 130: How Cisco Defense Orchestrator Works With Firepower Threat Defense

    Firepower Threat Defense Deployment with CDO How Cisco Defense Orchestrator Works with Firepower Threat Defense Pre-Configuration Power on the Device, on page 135. FTD CLI (Optional) Change Management Network Settings at the CLI, on page 136. Firepower Device Log Into FDM, on page 138.
  • Page 131: Review the Network Deployment and Default Configuration

    FTD performs all routing and NAT for your inside networks. If you need to configure PPPoE for the outside interface to connect to your ISP, you can do so after you complete initial setup in FDM.
  • Page 132 Figure 35: Suggested Network Deployment (Cloud SDC / On-Premises SDC; network, credentials, onboarding) Note For 6.7 and earlier, the Ethernet 1/2 inside IP address is 192.168.1.1. For 6.5 and earlier, the Management 1/1 default IP address is 192.168.45.45.
  • Page 133 IP address to be on a new network. • If you add the FTD to an existing inside network, you will need to change the inside IP address to be on the existing network.
  • Page 134 • outside—Ethernet 1/1, IP address from IPv4 DHCP and IPv6 autoconfiguration • inside→outside traffic flow • management—Management 1/1 (management) • (6.6 and later) IP address from DHCP • (6.5 and earlier) IP address 192.168.45.45
  • Page 135 • DNS server for management—OpenDNS: (IPv4) 208.67.222.222, 208.67.220.220; (IPv6) 2620:119:35::35, or servers you specify during setup. DNS servers obtained from DHCP are never used. • NTP—Cisco NTP servers: 0.sourcefire.pool.ntp.org, 1.sourcefire.pool.ntp.org, 2.sourcefire.pool.ntp.org, or servers you specify during setup • Default routes •...
  • Page 136: Cable the Device

    For 6.7 and earlier, the Ethernet 1/2 inside IP address is 192.168.1.1. For 6.5 and earlier, the Management 1/1 default IP address is 192.168.45.45. Manage the Firepower 2100 on either Management 1/1 or Ethernet 1/2. The default configuration also configures Ethernet1/1 as outside.
  • Page 137: Power On the Device

    Check the PWR LED on the front of the device; if it is solid green, the device is powered on. Step 4 Check the SYS LED on the front of the device; after it is solid green, the system has passed power-on diagnostics.
  • Page 138: (Optional) Change Management Network Settings at the CLI

    Password: Admin123 Successful login attempts for user 'admin' : 1 [...] Hello admin. You must change your password. Enter new password: ******** Confirm new password: ******** Your password was updated successfully. [...]
  • Page 139 Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.192 Enter the IPv4 default gateway for the management interface [data-interfaces]: 10.10.10.1 Enter a fully qualified hostname for this system [firepower]: ftd-1.cisco.com Enter a comma-separated list of DNS servers or 'none' [208.67.222.222,208.67.220.220]:...
  • Page 140: Log Into FDM

    CLI setup, then enter that address. Step 2 Log in with the username admin, and the default password Admin123. What to do next • Run through the FDM setup wizard; see Complete the Initial Configuration, on page 139.
  • Page 141: Complete the Initial Configuration

    DNS servers for name resolution. The default is the OpenDNS public DNS servers. If you edit the fields and want to return to the default, click Use OpenDNS to reload the appropriate IP addresses into the fields. Firewall Hostname—The hostname for the system's management address.
  • Page 142: Log Into CDO

    The first factor is a username and password, and the second is a one-time password (OTP), which is generated on demand from Duo Security. After you establish your Cisco Secure Sign-On credentials, you can log into CDO from your Cisco Secure Sign-On dashboard. From the Cisco Secure Sign-On dashboard, you can also log into any other supported Cisco products.
  • Page 143 • Use a current version of Firefox or Chrome. Procedure Step 1 Sign Up for a New Cisco Secure Sign-On Account. a) Browse to https://sign-on.security.cisco.com. b) At the bottom of the Sign In screen, click Sign up. Figure 37: Cisco SSO Sign Up c) Fill in the fields of the Create Account dialog and click Register.
  • Page 144 Enter the email address that you plan to use to log in to CDO and add an Organization name to represent your company. d) After you click Register, Cisco sends you a verification email to the address you registered with. Open the email and click Activate Account.
  • Page 145 Firepower Threat Defense Deployment with CDO Log Into CDO with Cisco Secure Sign-On You now see the Cisco Security Sign-On dashboard with the CDO app tiles. You may also see other app tiles. You can drag the tiles around on the dashboard to order them as you like, create tabs to group tiles, and rename tabs.
  • Page 146: Onboard the FTD to CDO

    CDO using this method. Note If you have a SecureX or Cisco Threat Response (CTR) account, you will need to merge your CDO account and SecureX/CTR account in order for your devices to be registered with SecureX. Until your accounts are merged, you cannot see your device’s events in SecureX or benefit from other SecureX features.
  • Page 147 • Your device can use either a 90-day evaluation license or it can be smart-licensed. You will not need to unregister licenses installed on the device from the Cisco Smart Software Manager. • Make sure DNS is configured properly on your FTD device.
  • Page 148 You can skip copying the registration key and click Next to complete the placeholder entry for the device and later, register the device. This option is useful when you're attempting to create the device first and later register it, or if you're a Cisco partner installing a Proof of Value (POV) device in a customer network.
  • Page 149 Firepower Threat Defense Deployment with CDO Onboard an FTD with a Registration Key (Version 6.4 or 6.5) j) (6.6) Refresh the Cloud Services page. If the device successfully registered with the Cisco cloud, on the Cisco Defense Orchestrator tile, click Enable.
  • Page 150 You can skip copying the registration key and click Next to complete the placeholder entry for the device and later, register the device. This option is useful when you're attempting to create the device first and later register it, or if you're a Cisco partner installing a Proof of Value (POV) device in a customer network.
  • Page 151 Under System Settings, click Cloud Services. b) Click Get Started in the Cisco Defense Orchestrator group. c) In the Region field, choose the Cisco cloud region to which your tenant is assigned: • Choose US if you log in to defenseorchestrator.com.
  • Page 152 Disabling this option does not affect any previously scheduled updates you may have configured Note through FDM. Step 6 In the Credentials area, enter the username as admin and enter the password that you set during initial setup. Then click Next.
  • Page 153: Configure the Device in CDO

    The following example configures an interface to be used as a “demilitarized zone” (DMZ), where you place publicly-accessible assets such as your web server. Click Save when you are finished. Figure 44: Edit Interface Step 5 If you configured new interfaces, choose Management > Objects.
  • Page 154 DHCP server on the inside2 interface with the address pool 192.168.45.46-192.168.45.254. Figure 46: DHCP Server Step 7 Choose Management > Routing, then click the Add icon to configure a default route.
  • Page 155 • SSL Decryption—If you want to inspect encrypted connections (such as HTTPS) for intrusions, malware, and so forth, you must decrypt the connections. Use the SSL decryption policy to determine which connections need to be decrypted. The system re-encrypts the connection after inspecting it.
  • Page 156 IP addresses or URLs. By blacklisting known bad sites, you do not need to account for them in your access control policy. Cisco provides regularly updated feeds of known bad addresses and URLs so that the Security Intelligence blacklist updates dynamically. Using feeds, you do not need to edit the policy to add or remove items in the blacklist.
  • Page 157 Make sure your Smart Licensing account contains the available licenses you need. When you bought your device from Cisco or a reseller, your licenses should have been linked to your Smart Software License account. However, if you need to add licenses yourself, use the Find Products and Solutions...
  • Page 158 In the Smart Software Manager, request and copy a registration token for the virtual account to which you want to add this device. a) Click Inventory. b) On the General tab, click New Token.
  • Page 159 Click the arrow icon to the right of the token to open the Token dialog box so you can copy the token ID to your clipboard. Keep this token ready for later in the procedure when you need to register the FTD.
  • Page 160 You return to the Manage Licenses page. While the device registers, you see the following message: Step 6 After applying the smart license successfully to the FTD device, the device status shows Connected, Sufficient License. Click the Enable/Disable slider control for each optional license as desired.
  • Page 161 Firepower Threat Defense Deployment with CDO Configure Licensing • Enable—Registers the license with your Cisco Smart Software Manager account and enables the controlled features. You can now configure and deploy policies controlled by the license. • Disable—Unregisters the license with your Cisco Smart Software Manager account and disables the controlled features.
  • Page 162 Step 1 To log into the CLI, connect your management computer to the console port. The Firepower 2100 ships with a DB-9 to RJ-45 serial cable, so you will need a third party serial-to-USB cable to make the connection. Be sure to install any necessary USB serial drivers for your operating system.
  • Page 163 After the chassis has successfully powered off, you can then unplug the power to physically remove power from the chassis if necessary. What's Next To continue configuring your FTD using CDO, see the CDO Configuration Guides. For additional information related to using CDO, see the Cisco Defense Orchestrator home page.
  • Page 164 Firepower Threat Defense Deployment with CDO What's Next
  • Page 165 PART ASA Deployment with ASDM • ASA Appliance Mode Deployment with ASDM, on page 165 • ASA Platform Mode Deployment with ASDM and Firepower Chassis Manager, on page 185...
  • Page 167 You can then configure your security policy in the ASA operating system using ASDM or the ASA CLI. This chapter describes how to deploy the Firepower 2100 in your network in ASA Appliance mode. By default, the Firepower 2100 runs in Appliance mode; to use Platform mode, see...
  • Page 168: About the ASA

    • GTP/GPRS Migrating an ASA 5500-X Configuration You can copy and paste an ASA 5500-X configuration into the Firepower 2100 in Appliance Mode. However, you will need to modify your configuration. Also note some behavioral differences between the platforms. 1. To copy the configuration, enter the more system:running-config command on the ASA 5500-X.
  • Page 169 ASA Deployment with ASDM Migrating an ASA 5500-X Configuration 2. Edit the configuration as necessary (see below). 3. Connect to the console port of the Firepower 2100 in Appliance Mode, and enter global configuration mode: ciscoasa> enable Password: The enable password is not set. Please set it now.
  • Page 170: End-to-End Procedure

    boot system commands: The ASA 5500-X allows up to four boot system commands. The Firepower 2100 in Appliance Mode only allows a single boot system command, so you should remove all but one command before you paste.
  • Page 171 Review the Network Deployment and Default Configuration, on page 170. Pre-Configuration Cable the Device, on page 172. Pre-Configuration Power on the Device, on page 173. ASA CLI (Optional) Change the IP Address, on page 174. ASDM Log Into ASDM, on page 175.
  • Page 172: Review the Network Deployment and Default Configuration

    181. Review the Network Deployment and Default Configuration The following figure shows the default network deployment for the Firepower 2100 using the default configuration in ASA Appliance mode. If you connect the outside interface directly to a cable modem or DSL modem, we recommend that you put the modem into bridge mode so the ASA performs all routing and NAT for your inside networks.
  • Page 173 For pre-9.13(1) versions, Platform mode was the default and only option. If you upgrade from Platform mode, Platform mode is maintained. The default factory configuration for the Firepower 2100 in Appliance mode configures the following: • inside→outside traffic flow—Ethernet 1/1 (outside), Ethernet 1/2 (inside) •...
  • Page 174: Cable the Device

    0.0.0.0 0.0.0.0 management http 192.168.1.0 255.255.255.0 management dhcpd auto_config outside dhcpd address 192.168.1.20-192.168.1.254 inside dhcpd enable inside dns domain-lookup outside dns server-group DefaultDNS name-server 208.67.222.222 outside name-server 208.67.220.220 outside Cable the Device
  • Page 175: Power On the Device

    ASA Deployment with ASDM Power on the Device Manage the Firepower 2100 on either Management 1/1 or Ethernet 1/2. The default configuration also configures Ethernet1/1 as outside. Procedure Step 1 Connect your management computer to either of the following interfaces: •
  • Page 176: (Optional) Change the IP Address

    This command does not clear the currently-set mode, Appliance or Platform, for the Firepower 2100. Example: ciscoasa(config)# configure factory-default 10.1.1.151 255.255.255.0 Based on the management IP address and mask, the DHCP address pool size is reduced to 103 from the platform limit 256
  • Page 177 ASA, connect to a management-only interface, or connect to an interface not configured for a strong encryption feature. Before you begin • See the ASDM release notes on Cisco.com for the requirements to run ASDM.
  • Page 178 HTTP request to HTTPS. The Cisco ASDM web page appears. You may see browser security warnings because the ASA does not have a certificate installed; you can safely ignore these warnings and visit the web page.
  • Page 179 Make sure your Smart Licensing account contains the available licenses you need, including at a minimum the Standard license. When you bought your device from Cisco or a reseller, your licenses should have been linked to your Smart Software Manager account. However, if you need to add licenses yourself, use the Find Products and...
  • Page 180 Click Inventory. b) On the General tab, click New Token. c) On the Create Registration Token dialog box enter the following settings, and then click Create Token: • Description
  • Page 181 Keep this token ready for later in the procedure when you need to register the ASA. Figure 53: View Token Figure 54: Copy Token Step 3 In ASDM, choose Configuration > Device Management > Licensing > Smart Licensing. Step 4 Click Register.
  • Page 182 Encryption (3DES/AES) license if your account allows. ASDM refreshes the page when the license status is updated. You can also choose Monitoring > Properties > Smart License to check the license status, particularly if the registration fails. Step 7 Set the following parameters:
  • Page 183 Using ASDM, you can use wizards to configure basic and advanced features. You can also manually configure features not included in wizards. Procedure Step 1 Choose Wizards > Startup Wizard, and click the Modify existing configuration radio button.
  • Page 184 • And more... Step 3 (Optional) From the Wizards menu, run other wizards. Step 4 To continue configuring your ASA, see the documents available for your software version at Navigating the Cisco ASA Series Documentation.
  • Page 185 Procedure Step 1 Connect your management computer to the console port. The Firepower 2100 ships with a DB-9 to RJ-45 serial cable, so you will need a third party serial-to-USB cable to make the connection. Be sure to install any necessary USB serial drivers for your operating system.
  • Page 186 Type help or '?' for a list of available commands. ciscoasa# What's Next? • To continue configuring your ASA, see the documents available for your software version at Navigating the Cisco ASA Series Documentation. • For troubleshooting, see the FXOS troubleshooting guide.
  • Page 187 This chapter describes how to deploy the Firepower 2100 in your network in ASA Platform mode. By default, the Firepower 2100 runs in Appliance mode, so this chapter tells you how to set the mode to Platform mode. This chapter does not cover the following deployments, for which you should refer to the...
  • Page 188: About the ASA

    The ASA provides advanced stateful firewall and VPN concentrator functionality in one device. The Firepower 2100 is a single-application appliance for the ASA. You can run the ASA in either Platform mode or Appliance mode (the default). The Firepower 2100 runs an underlying operating system called the Firepower eXtensible Operating System (FXOS).
  • Page 189 You can also allow FXOS management from ASA data interfaces; configure SSH, HTTPS, and SNMP access. This feature is useful for remote management. Unsupported Features Unsupported ASA Features The following ASA features are not supported on the Firepower 2100: • Integrated Routing and Bridging • Redundant interfaces • Clustering •...
  • Page 190: End-to-End Procedure

    Note that when you connect to the ASA console from FXOS (connect asa), then ASA AAA configuration for console access applies (aaa authentication serial console). End-to-End Procedure See the following tasks to deploy and configure the ASA on your chassis.
  • Page 191 ASA Deployment with ASDM End-to-End Procedure
  • Page 192: Review the Network Deployment and Default Configuration

    SNMP (HTTPS and SSH are enabled by default). Review the Network Deployment and Default Configuration The following figure shows the default network deployment for the Firepower 2100 using the default configuration in ASA Platform mode.
  • Page 193 • If you add the ASA to an existing inside network, you will need to change the inside IP address to be on the existing network. Figure 55: Firepower 2100 in Your Network Firepower 2100 Platform Mode Default Configuration You can set the Firepower 2100 to run in Platform mode; Appliance mode is the default.
  • Page 194 For pre-9.13(1) versions, Platform mode was the default and only option. If you upgrade from Platform mode, this mode is maintained. ASA Configuration The default factory configuration for the ASA on the Firepower 2100 configures the following: • inside→outside traffic flow—Ethernet 1/1 (outside), Ethernet 1/2 (inside) • outside IP address from DHCP, inside IP address—192.168.1.1 •...
  • Page 195: Cable the Device

    • Ethernet 1/1 and Ethernet 1/2—Enabled Cable the Device Manage the Firepower 2100 on the Management 1/1 interface. You can use the same management computer for FXOS and ASA. The default configuration also configures Ethernet1/1 as outside.
  • Page 196: Power On the Device

    Connect your management computer to the console port. You need to access the ASA CLI to change from Appliance mode to Platform mode. The Firepower 2100 ships with a DB-9 to RJ-45 serial cable, so you will need a third party serial-to-USB cable to make the connection.
  • Page 197: Enable Platform Mode

    Enable Platform Mode The Firepower 2100 runs in Appliance mode by default. This procedure tells you how to change the mode to Platform mode, and optionally how to change it back to Appliance mode.
  • Page 198 23736 bytes copied in 1.520 secs (23736 bytes/sec) [OK] ciscoasa(config)# reload Proceed with reload? [confirm] Step 5 After restart, view the current mode to confirm the change. show fxos mode Example: ciscoasa(config)# show fxos mode
  • Page 199: (Optional) Change the FXOS and ASA Management IP Addresses or Gateway

    (Optional) Change the FXOS and ASA Management IP Addresses or Gateway You can change the FXOS management IP address on the Firepower 2100 chassis from the FXOS CLI. The default address is 192.168.45.45. You can also change the default gateway for FXOS management traffic. The default gateway is set to 0.0.0.0, which sends FXOS traffic over the backplane to be routed through the ASA data interfaces.
  • Page 200 To keep the currently-set gateway, omit the gw keyword. Similarly, to keep the existing management IP address while changing the gateway, omit the ip and netmask keywords.
  • Page 201 64 ipv6-gw 2001:DB8::1 firepower-2110 /fabric-interconnect/ipv6-config* # Step 5 Delete and add new access lists for HTTPS, SSH, and SNMP to allow management connections from the new network. a) Set the scope for system/services. scope system
  • Page 202 /system/services/ip-block* # exit firepower-2110 /system/services* # a) Delete the old access lists. For IPv4: delete ip-block ip_address prefix [http | snmp | ssh] For IPv6: delete ipv6-block ipv6_address prefix [https | snmp | ssh]
  • Page 203 Type help or '?' for a list of available commands. ciscoasa> enable Password: The enable password is not set. Please set it now. Enter Password: ****** Repeat Password: ****** ciscoasa# configure terminal ciscoasa(config)# b) Change the Management 1/1 IP address.
  • Page 204 The following example configures an IPv6 management interface and gateway: firepower-2110# scope fabric-interconnect a firepower-2110 /fabric-interconnect # scope ipv6-config firepower-2110 /fabric-interconnect/ipv6-config # show ipv6-if Management IPv6 Interface: IPv6 Address Prefix IPv6 Gateway 2001:DB8::2 2001:DB8::1
  • Page 205: (Optional) Log Into the Firepower Chassis Manager

    EtherChannel), then the ASA configuration retains the original commands so that you can make any necessary adjustments; removing an interface from the configuration can have wide effects. You can manually remove the old interface configuration in the ASA OS.
  • Page 206 203. • The Firepower 2100 supports EtherChannels in Link Aggregation Control Protocol (LACP) Active or On mode. By default, the LACP mode is set to Active; you can change the mode to On at the CLI. We suggest setting the connecting switch ports to Active mode for the best compatibility.
  • Page 207 Ctrl key. To select a range of interfaces, select the first interface in the range, and then, while holding down the Shift key, click to select the last interface in the range. h) Click OK.
  • Page 208: Log Into ASDM

    • management_ip—Identifies the IP address or host name of the ASA management interface (192.168.45.1). The Cisco ASDM web page appears. You may see browser security warnings because the ASA does not have a certificate installed; you can safely ignore these warnings and visit the web page.
  • Page 209 Make sure your Smart Licensing account contains the available licenses you need, including at a minimum the Standard license. When you bought your device from Cisco or a reseller, your licenses should have been linked to your Smart Software Manager account. However, if you need to add licenses yourself, use the Find Products and...
  • Page 210 Click Inventory. b) On the General tab, click New Token. c) On the Create Registration Token dialog box, enter the following settings, and then click Create Token:
  • Page 211 Keep this token ready for later in the procedure when you need to register the ASA.
    Figure 57: View Token
    Figure 58: Copy Token
    Step 3 In ASDM, choose Configuration > Device Management > Licensing > Smart Licensing.
    Step 4 Click Register.
  • Page 212 Encryption (3DES/AES) license if your account allows. ASDM refreshes the page when the license status is updated. You can also choose Monitoring > Properties > Smart License to check the license status, particularly if the registration fails.
    Step 7 Set the following parameters:
  • Page 213: Configure The Asa

    Using ASDM, you can use wizards to configure basic and advanced features. You can also manually configure features not included in wizards.
    Procedure
    Step 1 Choose Wizards > Startup Wizard, and click the Modify existing configuration radio button.
  • Page 214 • And more...
    Step 3 (Optional) From the Wizards menu, run other wizards.
    Step 4 To continue configuring your ASA, see the documents available for your software version at Navigating the Cisco ASA Series Documentation.
  • Page 215: (Optional) Configure Management Access For Fxos On Data Interfaces

    If you want to manage FXOS on the Firepower 2100 from a data interface, then you can configure SSH, HTTPS, and SNMP access. This feature is useful if you want to manage the device remotely, but you want to keep Management 1/1, which is the native way to access FXOS, on an isolated network.
  • Page 216: Access The Asa And Fxos Cli

    SSH.
    Connect to the Console Port to Access FXOS and ASA CLI
    The Firepower 2100 console port connects you to the FXOS CLI. From the FXOS CLI, you can then connect to the ASA console, and back again. You can only have one console connection at a time. When you connect to the ASA console from the FXOS console, this connection is a persistent console connection, not like a Telnet or SSH connection.
  • Page 217 ASA data interface IP address on port 3022 (the default port).
    Step 2 Connect to the ASA CLI.
    connect asa
    To return to the FXOS CLI, enter Ctrl+a, d.
    Example:
    firepower-2110# connect asa
    Attaching to Diagnostic CLI ... Press 'Ctrl+a then d' to detach.
  • Page 218: What's Next

    • To configure FXOS chassis settings, see the FXOS configuration guide.
    • For troubleshooting, see the FXOS troubleshooting guide.
    History for the Firepower 2100 in Platform Mode
    Feature Name: The default mode changed to Appliance mode
    Version: 9.13(1)
    Feature Information: With the introduction of Appliance mode, the default mode was changed to Appliance mode. In earlier releases, the only mode available was Platform mode.
  • Page 219 ASA Deployment with ASDM: History for the Firepower 2100 in Platform Mode
    Feature Name: Prompt to set admin password
    Version: 9.13(1)
    Feature Information: You are not prompted to set the admin password when you first log in to Firepower Chassis Manager.
  • Page 221 © 2021 Cisco Systems, Inc. All rights reserved.