Cisco Firepower Services – Change IP and DNS Addresses

KB ID 0001173 

Problem

If you change your internal LAN addresses its easy to re-ip the firewall but what about the FirePOWER module? If you manage your SFR from the ASDM it will tell you what the IP is, but it won’t let you change it?

ASA 5508 Firepower Port

Change Firepower IP Address

 

Solution

Change the FirePOWER Module IP Address

Log into the firewall, then open a session with the SFR module. find the physical address of the module (usually eth0, but check).

Petes-ASA# session sfr
Opening command session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.


GRAINGER-SFR login: admin
Password:{your password}
Last login: Thu Apr  7 08:11:00 UTC 2016 on pts/0

Copyright 2004-2015, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.

Cisco Linux OS v5.4.1 (build 12)
Cisco ASA5506 v5.4.1 (build 211)

> show interfaces
--------------------[ outside ]---------------------
Physical Interface        : GigabitEthernet1/1
Type                      : ASA
Security Zone             : None
Status                    : Enabled
Load Balancing Mode       : N/A
---------------------[ inside ]---------------------
Physical Interface        : GigabitEthernet1/2
Type                      : ASA
Security Zone             : None
Status                    : Enabled
Load Balancing Mode       : N/A
---------------------[ cplane ]---------------------
IPv4 Address              : 127.0.2.1
----------------------[ eth0 ]----------------------
Physical Interface        : eth0
Type                      : Management
Status                    : Enabled
MDI/MDIX                  : Auto
MTU                       : 1500
MAC Address               : 00:C8:8B:C1:0E:0C
IPv4 Address              : 192.168.1.100
---------------------[ tunl0 ]----------------------
----------------------------------------------------
>

To change the IP you need to supply the IP address, subnet mask, default gateway, and physical interface like so;

> configure network ipv4 manual 192.168.1.99 255.255.255.0 192.168.1.1 eth0
Setting IPv4 network configuration.
Network settings changed.

You can check its worked with a ‘show interfaces command’.

> show interfaces
--------------------[ outside ]---------------------
Physical Interface        : GigabitEthernet1/1
Type                      : ASA
Security Zone             : None
Status                    : Enabled
Load Balancing Mode       : N/A
---------------------[ inside ]---------------------
Physical Interface        : GigabitEthernet1/2
Type                      : ASA
Security Zone             : None
Status                    : Enabled
Load Balancing Mode       : N/A
---------------------[ cplane ]---------------------
IPv4 Address              : 127.0.2.1
----------------------[ eth0 ]----------------------
Physical Interface        : eth0
Type                      : Management
Status                    : Enabled
MDI/MDIX                  : Auto
MTU                       : 1500
MAC Address               : 00:C8:8B:C1:0E:0C
IPv4 Address              : 192.168.1.99
---------------------[ tunl0 ]----------------------
----------------------------------------------------

>

Or you can use the ‘show interfaces {interface-name}‘ command.

> show interfaces eth0
----------------------[ eth0 ]----------------------
Physical Interface        : eth0
Type                      : Management
Status                    : Enabled
MDI/MDIX                  : Auto
MTU                       : 1500
MAC Address               : 00:C8:8B:C1:0E:0C
IPv4 Address              : 192.168.1.99
IPv4 Broadcast            : 192.168.1.255
RX Packets                : 261
RX Errors                 : 0
RX Drops                  : 0
RX Overruns               : 0
RX Frame                  : 0
TX Packets                : 214
TX Errors                 : 0
TX Drops                  : 0
TX Overruns               : 0
TX Carrier                : 0
Collisions                : 0
----------------------------------------------------


Change the FirePOWER Module IP Address

This is a little more convoluted, there is a command to do this, Note: You can enter multiple servers separated by commas.

> configure network dns servers 8.8.8.8,8.8.4.4

But you also need to restart the nscd daemon in the underlying linux, to do that you need to get into ‘expert mode’.

> expert

admin@PETES-SFR:~$ sudo /etc/rc.d/init.d/nscd restart

Password:{Enter Your Password}

Stopping nscd…                                                     [  OK  ]

Starting nscd…                                                       [  OK  ]

admin@PETES-SFR:~$

Related Articles, References, Credits, or External Links

Cisco FirePOWER – Adding a Static Route

Author: PeteLong

Share This Post On

11 Comments

  1. Hi ! Is there a way to show the current DNS servers used ?

    Post a Reply
    • Yes 🙂

      session sfr

      expert

      vi /etc/resolv.conf

      Post a Reply
      • Thx a lot ! 🙂
        Do you know what IP address is used by default ?
        (I’ve already changed it so i can not check anymore).

        It’s a little weird that this parameters can not be changed using ASDM…

        Post a Reply
  2. Is there a document that details what can be done in expert mode, or how the sfr product works? Like where is the configuration file stored?

    Post a Reply
    • Hi Evan, not that I’ve seen, I’m surmising Cisco are keeping those cards close to their chest?

      Pete

      Post a Reply
  3. Hello, do you have to make any changes on the firepower management server after you change the IP addresses on the SFR modules? Or will the new IP address of the SFR module automatically get updated on the management server?

    Post a Reply
    • Yes you need to re-register!

      Pete

      Post a Reply
  4. From the FMC VM linux interface, I had to enter the following to configure the mgmt interface:

    sudo /usr/local/sf/bin/configure-network

    Post a Reply
  5. Didnt know you could get into the linux running underneath SFR. Cool.

    Post a Reply
  6. Hi guys,

    I have a job coming up for a customer where we need to change the IP address of both the FMC (Virtual machine), and the 2 managed SFR modules (ASA 5512 with firepower services (EOL, I know!))

    Please can you advise what is the best order of operations to achieve this? I was thinking along the following lines;

    1. Re IP the FMC. I believe this can be done from FMC GUI, right?

    2. On the SFR consoles (via ASA console), delete, and then re-add the manager on new IP address.
    *** Do we need to be aware of anything specific at this stage, do we need to re-apply access policy, or anything like that? ***

    3. Re-IP the SFR modules as per process explained in this thread.

    4. On the SFR consoles (via ASA console), delete, and then re-add the manager on new IP address.
    *** Do we need to be aware of anything specific at this stage, do we need to re-apply access
    policy, or anything like that? ***

    Would the above process work, or is there anything you would do differently? Also, I’ll be changing the DNS settings, but not sure I have the expert mode password, guessing a reboot of the ASA would suffice instead of clearing a process?

    Thanks in advance folks.

    Post a Reply

Submit a Comment

Your email address will not be published. Required fields are marked *