KB ID 0001172
Problem
Routing traffic back from the ASA: in most cases you will have a static route (or routes) tied to the inside interface of the firewall, or dynamic routing if your network is a little more complex. But your FirePOWER module is essentially a small Linux box sat inside the firewall; it has its own network connection and maintains its own routing table.
You may have already noticed that if your FirePOWER module is down or unreachable you will see an error like this;
Cannot connect to the ASA FirePOWER module
This means you can talk to the inside interface but not the FirePOWER module. If it’s misconfigured see the following article;
ASA 5505-X / 5508-X Setup FirePOWER Services (for ASDM)
But what if you’re on a different network segment, and the ASA can talk to you but the SFR module can’t?
Solution
Adding a Static Route to the SFR Module
To put a static route on the SFR module you have to connect to it directly. Connect the firewall and then open a session with the module.
[box]
Petes-ASA(config)# session sfr
Opening command session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.

Cisco ASA5506 v5.4.1 (build 211)
Sourcefire3D login: admin
Password: {your-password}

Copyright 2004-2015, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.

>
[/box]
You need to find what the SFR has called its management interface; usually it’s eth0, but let’s check;
[box]
> show interfaces
--------------------[ outside ]---------------------
Physical Interface : GigabitEthernet1/1
Type : ASA
Security Zone : None
Status : Enabled
Load Balancing Mode : N/A
---------------------[ inside ]---------------------
Physical Interface : GigabitEthernet1/2
Type : ASA
Security Zone : None
Status : Enabled
Load Balancing Mode : N/A
----------------------[ DMZ ]-----------------------
Physical Interface : GigabitEthernet1/3
Type : ASA
Security Zone : None
Status : Enabled
Load Balancing Mode : N/A
---------------------[ cplane ]---------------------
IPv4 Address : 127.0.2.1
----------------------[ eth0 ]----------------------
Physical Interface : eth0
Type : Management
Status : Enabled
MDI/MDIX : Auto
MTU : 1500
MAC Address : 00:F2:AA:66:94:3F
IPv4 Address : 10.0.0.253
----------------------[ tun1 ]----------------------
IPv6 Address : fdcc::bd:0:ffff:a9fe:1/64
---------------------[ tunl0 ]----------------------
----------------------------------------------------
[/box]
Now you can add your static route(s); the arguments are the interface, destination network, netmask, then the gateway.
[box]
> configure network static-routes ipv4 add eth0 192.168.100.0 255.255.255.0 10.0.0.1
Configuration updated successfully
[/box]
To delete a static route, the syntax is;
[box]
configure network static-routes ipv4 delete interface destination netmask gateway
[/box]
Add a Static Route to the FirePOWER Management Console
To do the same on an FMC appliance, go to System > Configuration > Management Interface > IPv4 Routes > Add.
To do the same from the command line on the appliance, use the following commands;
[box]
sudo su
cd /etc/sysconfig/network-devices
touch ifcfg-static-routes
echo 'eth0 ipv4 192.168.10.0 255.255.255.0 192.168.1.1' >> /etc/sysconfig/network-devices/ifcfg-static-routes
/etc/rc.d/init.d/routes restart
[/box]
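A malformed entry in ifcfg-static-routes (a stray smart quote from a copy-paste, a host address where a network address is expected) can leave the routes script failing on restart, so it is worth checking the file before you restart it. The following is an added example, not Cisco's code or part of the original article: a small Python checker for the five-field line format shown above (interface, family, destination, netmask, gateway), run over a constructed sample file.

```python
import ipaddress

# Constructed sample of an ifcfg-static-routes file (not copied from a real appliance).
# Line format as shown in the article: <interface> <family> <destination> <netmask> <gateway>
# Line 4 has host bits set in the destination; line 5 ends with a pasted smart quote.
SAMPLE_ROUTES = """\
eth0 ipv4 192.168.10.0 255.255.255.0 192.168.1.1
eth0 ipv4 192.168.100.0 255.255.255.0 10.0.0.1
eth1 ipv4 10.20.30.0 255.255.255.224 10.20.30.33
eth0 ipv4 172.16.5.7 255.255.255.0 192.168.1.1
eth0 ipv4 192.168.20.0 255.255.255.0 192.168.1.1\u2019
"""

def parse_route_line(line: str):
    """Parse one line; return (route dict, None) on success or (None, error text)."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None, None  # blank or comment line: nothing to validate
    # Any quote character means a copy-paste accident (the echo quotes, or smart quotes).
    if any(ch in stripped for ch in "'\"\u2018\u2019"):
        return None, "stray quote character in line"
    fields = stripped.split()
    if len(fields) != 5:
        return None, f"expected 5 fields, found {len(fields)}"
    iface, family, dest, mask, gw = fields
    if family != "ipv4":
        return None, f"unsupported address family {family!r}"
    try:
        # strict=True rejects a destination that is a host address rather than a network.
        network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=True)
        gateway = ipaddress.IPv4Address(gw)
    except ValueError as exc:
        return None, f"bad address or mask: {exc}"
    if gateway in network:
        return None, "gateway lies inside the destination network (route would loop)"
    return {"iface": iface, "network": network, "gateway": gateway}, None

def validate_routes(text: str):
    """Return (valid routes, [(line number, error), ...]) for a whole file's contents."""
    routes, errors = [], []
    for number, line in enumerate(text.splitlines(), start=1):
        route, err = parse_route_line(line)
        if err:
            errors.append((number, err))
        elif route:
            routes.append(route)
    return routes, errors

if __name__ == "__main__":
    ok, bad = validate_routes(SAMPLE_ROUTES)
    for r in ok:
        print(f"OK   {r['iface']} {r['network']} via {r['gateway']}")
    for n, e in bad:
        print(f"LINE {n}: {e}")
```

On a live FMC you would read the file from /etc/sysconfig/network-devices/ifcfg-static-routes instead of the constructed sample and only run the routes restart when the error list is empty.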
Related Articles, References, Credits, or External Links
NA
Nice one!
Thanks, this saved my Bacon, Cisco said it could not be done
Nvm found out, used
Had an FMC error where the system could not read its own static route file because of newly added static routes from the GUI. Could not make any FMC config changes in the GUI. This is the error I started receiving:
Error 500: Internal Server Error
The server encountered an internal error or misconfiguration.
Please contact technical support and inform them of the time the error occurred, and anything you might have done that may have caused the error.
When doing the restart for routes I would get [FAILED]
root@FMC:/etc/sysconfig/network-devices# /etc/rc.d/init.d/routes restart
Deleting route for eth0 -4 X.X.X.X/255.0.0.0 via X.X.X.X [ OK ]
Deleting route for eth1 -4 X.X.X.X/255.255.255.224 via X.X.X.X [FAILED]
Setting route for eth0 -4 X.X.X.X/255.0.0.0 via X.X.X.X [ OK ]
Setting route for eth1 -4 X.X.X.X/255.255.255.224 via X.X.X.X [FAILED]
After doing
> /etc/sysconfig/network-devices-ifcfg-static-routes
then re-adding the static routes per this article I was able to fix my issue. Thank you!!