
ConfigBytes: ASA 5506x w/ FirePOWER Services

#ConfigBytes

Getting Started with the ASA5506x & FirePOWER Services


Official Quick Start Guide:

http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/5506X/5506x-quick-start.html

FirePOWER User Guide:

http://www.cisco.com/c/en/us/td/docs/security/firesight/541/firepower-module-user-guide/asa-firepower-module-user-guide-v541.html

FirePOWER Services for ASA Data Sheet:

http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/datasheet-c78-733916.html


TL;DR Key Points

  • Since the ASA5506x doesn’t have built-in switch capabilities (yet), you will need an L2 switch to connect the management interface used by the FirePOWER services module and your inside ASA interface for management. If you have an L3 switch, the FirePOWER management interface can be on a different subnet from your inside ASA interface.
  • Download the ASDM 7.4(3) image, ASA 9.4(1)3 and the latest FirePOWER/Sourcefire sensor patch (5.4.1.2 at this time). Place these files on the ASA flash, upgrade, and point to the new ASDM file.
  • Create a username/password with privilege 15 for ASDM access: “username Wu-Tang password KillaBeesOnTheSwarm privilege 15”
  • I highly recommend using the ASA Startup Wizard; this is much easier than a console session (“session sfr console”) to the FirePOWER services module for setup of management.
  • Default username/password for the Sourcefire module is admin/Sourcefire
  • Upgrade FirePOWER through ASDM or FireSight. Remember you can use ASDM or FireSight to manage the FirePOWER services.
  • Install your FirePOWER licenses
  • Don’t forget to configure a service policy on the ASA to redirect traffic to the FirePOWER module.

(Topology diagram)

Final Config

5506xFPS(config)# sh run
: Saved
: Serial Number: <removed>
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.4(1)3
!
hostname 5506xFPS
domain-name cisco.lab
enable password <removed>
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet1/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
description Inside_2
nameif inside2
security-level 100
ip address 10.100.220.1 255.255.255.0
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
boot system disk0:/asa941-3-lfbff-k8.SPA
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name cisco.lab
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
pager lines 24
logging enable
logging buffer-size 8192
logging asdm-buffer-size 250
logging console emergencies
logging asdm alerts
mtu outside 1500
mtu inside2 1500
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/asdm-743.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
nat (inside2,outside) after-auto source dynamic any interface
route inside2 10.0.0.0 255.0.0.0 10.100.220.2 1
route inside2 172.16.0.0 255.240.0.0 10.100.220.2 1
route inside2 192.168.0.0 255.255.0.0 10.100.220.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
http server enable
http 10.100.220.0 255.255.255.0 inside2
no snmp-server location
no snmp-server contact
sysopt noproxyarp outside
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
enrollment self
fqdn none
subject-name CN=10.100.220.1,CN=5506xFPS
keypair ASDM_LAUNCHER
crl configure
crypto ca trustpoint ASDM_TrustPoint0
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
<removed>
quit
telnet timeout 5
ssh scopy enable
ssh stricthostkeycheck
ssh pubkey-chain
server 10.100.220.153
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 10.100.220.10-10.100.220.199 inside2
dhcpd dns 216.144.187.199 8.8.8.8 interface inside2
dhcpd lease 28800 interface inside2
dhcpd enable inside2
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 129.6.15.30 source outside prefer
dynamic-access-policy-record DfltAccessPolicy
username asa password encrypted privilege 15
username admin password encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
class-map global-class-SF
match any
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
description Global+SF
class global-class-SF
sfr fail-close
class inspection_default
inspect dns preset_dns_map
inspect esmtp
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 8
subscribe-to-alert-group configuration periodic monthly 8
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:8c074bd2be57c9a8df6e364e77b07ae7
: end
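As an added example (not the post’s own code and not a Cisco tool), here is a small Python audit that reads an indentation-stripped "sh run" like the one above and confirms two of the key points: that a service-policy actually redirects traffic to the FirePOWER module (and whether it is fail-close or fail-open), and that SSH is pinned to version 2 and not using the legacy dh-group1-sha1 key-exchange group that appears in this config. The SAMPLE_CONFIG excerpt is constructed from the lines above; the function names are mine and assume the paste has lost its indentation, so the parser keys on line prefixes only.

```python
"""Audit an ASA running-config for FirePOWER (sfr) redirect and SSH hygiene.

Added example for this post; not Cisco tooling and not the author's code.
Assumes an indentation-less 'sh run' paste: blocks are detected by line
prefixes, never by leading whitespace.
"""
import re

# Constructed excerpt of the post's final config (indentation stripped,
# exactly as a blog paste tends to arrive). Enough lines for every check.
SAMPLE_CONFIG = """\
ASA Version 9.4(1)3
!
hostname 5506xFPS
!
ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
!
class-map inspection_default
match default-inspection-traffic
class-map global-class-SF
match any
!
policy-map global_policy
description Global+SF
class global-class-SF
sfr fail-close
class inspection_default
inspect dns preset_dns_map
inspect ftp
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
!
service-policy global_policy global
"""

# Any of these prefixes starts a new top-level block and ends a policy-map.
BLOCK_STARTERS = ("policy-map", "class-map", "service-policy", "interface", "!")

# Key-exchange groups a practitioner should flag on a 9.4-era ASA.
LEGACY_KEX = {"dh-group1-sha1"}


def parse_policy_maps(config_text):
    """Return {policy_map: {class_name: [action lines]}} for Layer 3/4
    policy maps. 'policy-map type inspect ...' maps are skipped."""
    policy_maps = {}
    current_pm = None
    current_class = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("policy-map "):
            parts = line.split()
            if parts[1] == "type":          # type-inspect map: not a redirect point
                current_pm = None
            else:
                current_pm = parts[1]
                policy_maps[current_pm] = {}
            current_class = None
            continue
        if line.startswith(BLOCK_STARTERS):  # some other top-level block begins
            current_pm = None
            current_class = None
            continue
        if current_pm is None:
            continue
        if line.startswith("class "):
            current_class = line.split()[1]
            policy_maps[current_pm][current_class] = []
        elif current_class is not None:      # 'description' before any class is ignored
            policy_maps[current_pm][current_class].append(line)
    return policy_maps


def parse_service_policies(config_text):
    """Return {policy_map: scope} from 'service-policy X global' or
    'service-policy X interface Y' lines. A policy-map that is defined but
    never applied redirects nothing."""
    scopes = {}
    for raw in config_text.splitlines():
        m = re.match(r"service-policy\s+(\S+)\s+(global|interface\s+\S+)$", raw.strip())
        if m:
            scopes[m.group(1)] = m.group(2)
    return scopes


def check_sfr_redirect(config_text):
    """Key point 8 above: is traffic actually sent to the FirePOWER module?
    Returns redirected/policy_map/class_name/mode/scope; mode is
    'fail-close' or 'fail-open' (ASA syntax: sfr {fail-close|fail-open} [monitor-only])."""
    result = {"redirected": False, "policy_map": None, "class_name": None,
              "mode": None, "scope": None}
    scopes = parse_service_policies(config_text)
    for pm_name, classes in parse_policy_maps(config_text).items():
        for class_name, actions in classes.items():
            for action in actions:
                m = re.match(r"sfr\s+(fail-close|fail-open)(\s+monitor-only)?$", action)
                if m and pm_name in scopes:   # defined AND applied
                    result.update(redirected=True, policy_map=pm_name,
                                  class_name=class_name, mode=m.group(1),
                                  scope=scopes[pm_name])
                    return result
    return result


def check_ssh(config_text):
    """Return a list of findings about the ASA's SSH server settings."""
    lines = [raw.strip() for raw in config_text.splitlines()]
    findings = []
    if "ssh version 2" not in lines:
        findings.append("SSH not pinned to version 2")
    if "ssh stricthostkeycheck" not in lines:
        findings.append("ssh stricthostkeycheck not enabled")
    for line in lines:
        m = re.match(r"ssh key-exchange group (\S+)$", line)
        if m and m.group(1) in LEGACY_KEX:
            findings.append(f"legacy SSH key-exchange group {m.group(1)}; "
                            "prefer dh-group14-sha1")
    return findings


if __name__ == "__main__":
    print(check_sfr_redirect(SAMPLE_CONFIG))
    for finding in check_ssh(SAMPLE_CONFIG):
        print("finding:", finding)
```

Run against the excerpt it reports the redirect via class global-class-SF in global_policy, applied globally with fail-close (so traffic is dropped if the module goes down, which is the stricter choice for a lab but worth knowing before the module reboots for an upgrade), and one SSH finding for the dh-group1-sha1 key-exchange group.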

Video Example of URL Filtering with FirePOWER

Hope this latest #ConfigBytes was helpful!

The Journey to CCIE #2 Starts Now

Game On Old Friend

It’s hard to believe that it’s been almost 2 years since I passed the R/S lab and my digits (40755) were assigned. I remember the numbers had just passed 40k and I was so hoping to get 40007.

This way I could be 007. <GRIN>

Now I’m ready for the next challenge. My motivation for CCIE DC was simple. First I wanted to challenge myself yet again. Second, I feel strongly that a deep understanding of UCS & virtualization helps me stay relevant when it comes to private cloud conversations which all the cool kids are doing. Finally, I suck at storage. If storage was a weakness to me, it would be like green kryptonite to Clark.

All that said, I also miss the behind the wheel configuration and troubleshooting. I’m a pre-sales SE and spend most of my time these days in design sessions, product updates, and evangelizing new solutions. What better way to get serious hands-on than a CCIE lab?

Right before Christmas 2014, I took the CCIE DC written and failed it by 1-2 questions. I was so upset about carrying that disappointment through the holidays. Jan 8th was my date of redemption and I passed with a 953/1000.

I purchased workbooks from INE and leveraged their All Access Pass program, and I have about 1/2 the lab gear in one of our Cisco offices. Just don’t have enough juice. <FACEPALM>

I’m also going to leverage VIRL and UCS Emulator for my studies.

Now it’s time to lock down and get this lab banged out in November. T-Minus 4 months… #TickTock


CCIE Data Center Lab Exam v1.0

Lab Equipment and Software Versions

Passing the lab exam requires a depth of understanding difficult to obtain without hands-on experience. Early in your preparation you should arrange access to equipment similar to that used on the exam, and listed below.

The lab exam tests any feature that can be configured on the equipment and the NXOS versions indicated below. Occasionally, you may see more recent NXOS versions installed in the lab, but you will not be tested on the new features of a release unless indicated below.

  • Cisco Catalyst Switch 3750
  • Cisco 2511 Terminal Server
  • MDS 9222i
  • Nexus7009
    • (1) Sup
    • (1) 32 Port 10Gb (F1 Module)
    • (1) 32 Port 10Gb (M1 Module)
  • Nexus5548
  • Nexus2232
  • Nexus 1000v
  • UCS C200 Series Server
    • vic card for c-series
  • UCS-6248 Fabric Interconnects
  • UCS-5108 Blade Chassis
    • B-200 Series Blades
    • Palo mezzanine card
    • Emulex mezzanine card
  • Cisco Application Control Engine Appliance – ACE4710
  • Dual attached JBODs

Software Versions

  • NXOS v6.x on Nexus 7000 Switches
  • NXOS v5.x on Nexus 5000 Switches
  • NXOS v4.x on Nexus 1000v
  • NXOS v5.x on MDS 9222i Switches
  • UCS Software release 2.x Fabric Interconnect
  • Software Release A5(1.0) for ACE 4710
  • Cisco Data Center Manager software v5.x

ACE!? Really!??!?!?

#CCIEDC