KB ID 0001173
Problem
If you change your internal LAN addresses it's easy to re-IP the firewall, but what about the FirePOWER module? If you manage your SFR from the ASDM it will tell you what the IP is, but it won't let you change it.
Solution
Change the FirePOWER Module IP Address
Log into the firewall, then open a session with the SFR module. Find the name of the module's management interface (usually eth0, but check).
Petes-ASA# session sfr
Opening command session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.
GRAINGER-SFR login: admin
Password:{your password}
Last login: Thu Apr 7 08:11:00 UTC 2016 on pts/0
Copyright 2004-2015, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.
Cisco Linux OS v5.4.1 (build 12)
Cisco ASA5506 v5.4.1 (build 211)
> show interfaces
--------------------[ outside ]---------------------
Physical Interface : GigabitEthernet1/1
Type : ASA
Security Zone : None
Status : Enabled
Load Balancing Mode : N/A
---------------------[ inside ]---------------------
Physical Interface : GigabitEthernet1/2
Type : ASA
Security Zone : None
Status : Enabled
Load Balancing Mode : N/A
---------------------[ cplane ]---------------------
IPv4 Address : 127.0.2.1
----------------------[ eth0 ]----------------------
Physical Interface : eth0
Type : Management
Status : Enabled
MDI/MDIX : Auto
MTU : 1500
MAC Address : 00:C8:8B:C1:0E:0C
IPv4 Address : 192.168.1.100
---------------------[ tunl0 ]----------------------
----------------------------------------------------
>
To change the IP you need to supply the new IP address, subnet mask, default gateway and the management interface name, like so:
> configure network ipv4 manual 192.168.1.99 255.255.255.0 192.168.1.1 eth0
Setting IPv4 network configuration.
Network settings changed.
You can check it's worked with a 'show interfaces' command.
> show interfaces
--------------------[ outside ]---------------------
Physical Interface : GigabitEthernet1/1
Type : ASA
Security Zone : None
Status : Enabled
Load Balancing Mode : N/A
---------------------[ inside ]---------------------
Physical Interface : GigabitEthernet1/2
Type : ASA
Security Zone : None
Status : Enabled
Load Balancing Mode : N/A
---------------------[ cplane ]---------------------
IPv4 Address : 127.0.2.1
----------------------[ eth0 ]----------------------
Physical Interface : eth0
Type : Management
Status : Enabled
MDI/MDIX : Auto
MTU : 1500
MAC Address : 00:C8:8B:C1:0E:0C
IPv4 Address : 192.168.1.99
---------------------[ tunl0 ]----------------------
----------------------------------------------------
>
Or you can use the 'show interfaces {interface-name}' command to look at just the management interface.
> show interfaces eth0
----------------------[ eth0 ]----------------------
Physical Interface : eth0
Type : Management
Status : Enabled
MDI/MDIX : Auto
MTU : 1500
MAC Address : 00:C8:8B:C1:0E:0C
IPv4 Address : 192.168.1.99
IPv4 Broadcast : 192.168.1.255
RX Packets : 261
RX Errors : 0
RX Drops : 0
RX Overruns : 0
RX Frame : 0
TX Packets : 214
TX Errors : 0
TX Drops : 0
TX Overruns : 0
TX Carrier : 0
Collisions : 0
----------------------------------------------------
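A wrong mask or a gateway outside the new subnet leaves the module unreachable from the FMC until you go back in through the ASA console, so it is worth checking the three values before typing the command. The following POSIX shell helpers are an added example, not part of the article or of Cisco's tooling: sfr_ipv4_cmd validates the address, mask and gateway and prints the exact 'configure network ipv4 manual' line, and sfr_iface_ipv4 pulls the IPv4 Address of a named section (eth0, not the cplane one listed first) out of captured 'show interfaces' output. The function names and the abridged SAMPLE output are my own constructions; run it on your admin workstation, not inside the module shell.

```shell
# Added example (not from the article): pre-flight check for the values handed
# to 'configure network ipv4 manual <ip> <mask> <gw> <iface>', plus a parser
# for captured 'show interfaces' output. POSIX sh, run on the admin host.

# 0 if $1 is a dotted quad with octets 0-255 and no leading zeros, else 1.
valid_ipv4() {
  old=$IFS; IFS=.; set -- $1; IFS=$old
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in 0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;; *) return 1;; esac
    [ "$o" -le 255 ] || return 1
  done
}

# Dotted quad -> 32-bit integer (192.168.1.99 -> 3232235875).
ip2int() {
  old=$IFS; IFS=.; set -- $1; IFS=$old
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Print the SFR command for ip mask gateway [iface]; return 1 if the values
# would leave the module unreachable (gateway outside the subnet, etc.).
sfr_ipv4_cmd() {
  ip=$1; mask=$2; gw=$3; iface=${4:-eth0}
  for a in "$ip" "$mask" "$gw"; do
    valid_ipv4 "$a" || { echo "bad address: $a" >&2; return 1; }
  done
  ipn=$(ip2int "$ip"); mn=$(ip2int "$mask"); gwn=$(ip2int "$gw")
  inv=$(( ~mn & 4294967295 ))            # host bits of the mask
  [ $(( inv & (inv + 1) )) -eq 0 ] || { echo "non-contiguous mask: $mask" >&2; return 1; }
  [ $(( ipn & mn )) -eq $(( gwn & mn )) ] || { echo "$gw is not in $ip/$mask" >&2; return 1; }
  net=$(( ipn & mn )); bcast=$(( net | inv ))
  [ "$ipn" -ne "$gwn" ] && [ "$ipn" -ne "$net" ] && [ "$ipn" -ne "$bcast" ] ||
    { echo "$ip is the gateway, network or broadcast address" >&2; return 1; }
  echo "configure network ipv4 manual $ip $mask $gw $iface"
}

# Read 'show interfaces' output on stdin and print the IPv4 Address of the
# named section (e.g. eth0), skipping cplane's 127.0.2.1 that comes first.
sfr_iface_ipv4() {
  awk -v want="[ $1 ]" '
    /^-+\[ .* \]-+$/ { insec = (index($0, want) > 0); next }
    insec && /IPv4 Address/ { sub(/.*IPv4 Address[ \t]*:[ \t]*/, ""); print $1; exit }'
}

# Constructed, abridged sample of the module's output for the post-check.
SAMPLE='---------------------[ cplane ]---------------------
IPv4 Address : 127.0.2.1
----------------------[ eth0 ]----------------------
IPv4 Address : 192.168.1.99'
```

Paste a real 'show interfaces' capture into sfr_iface_ipv4 eth0 and compare the result with the address you configured before re-registering the module with the FMC.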
Change the FirePOWER Module DNS Servers
This is a little more convoluted. There is a command to set the servers (note: you can enter multiple servers separated by commas):
> configure network dns servers 8.8.8.8,8.8.4.4
But you also need to restart the nscd daemon in the underlying Linux so the new servers are picked up; to do that you need to get into 'expert mode'.
> expert
admin@PETES-SFR:~$ sudo /etc/rc.d/init.d/nscd restart
Password:{Enter Your Password}
Stopping nscd… [ OK ]
Starting nscd… [ OK ]
admin@PETES-SFR:~$
Related Articles, References, Credits, or External Links
Cisco FirePOWER – Adding a Static Route
14/04/2016
Hi ! Is there a way to show the current DNS servers used ?
14/04/2016
Yes 🙂
session sfr
expert
vi /etc/resolv.conf
15/04/2016
Thx a lot ! 🙂
Do you know what IP address is used by default ?
(I've already changed it so I can not check anymore).
It's a little weird that these parameters can not be changed using ASDM...
16/04/2016
By default it has none; you enter the DNS settings as part of the initial setup from the CLI.
See http://www.petenetlive.com/KB/Article/0001107
Pete
18/04/2016
Is there a document that details what can be done in expert mode, or how the sfr product works? Like where is the configuration file stored?
18/04/2016
Hi Evan, not that I’ve seen, I’m surmising Cisco are keeping those cards close to their chest?
Pete
21/06/2017
Hello, do you have to make any changes on the firepower management server after you change the IP addresses on the SFR modules? Or will the new IP address of the SFR module automatically get updated on the management server?
27/06/2017
Yes you need to re-register!
Pete
25/01/2019
From the FMC VM linux interface, I had to enter the following to configure the mgmt interface:
sudo /usr/local/sf/bin/configure-network
03/04/2019
Didn't know you could get into the Linux running underneath SFR. Cool.
15/10/2019
Hi guys,
I have a job coming up for a customer where we need to change the IP address of both the FMC (Virtual machine), and the 2 managed SFR modules (ASA 5512 with firepower services (EOL, I know!))
Please can you advise what is the best order of operations to achieve this? I was thinking along the following lines;
1. Re-IP the FMC. I believe this can be done from the FMC GUI, right?
2. On the SFR consoles (via ASA console), delete, and then re-add the manager on new IP address.
*** Do we need to be aware of anything specific at this stage, do we need to re-apply access policy, or anything like that? ***
3. Re-IP the SFR modules as per process explained in this thread.
4. On the SFR consoles (via ASA console), delete, and then re-add the manager on new IP address.
*** Do we need to be aware of anything specific at this stage, do we need to re-apply access policy, or anything like that? ***
Would the above process work, or is there anything you would do differently? Also, I'll be changing the DNS settings, but I'm not sure I have the expert mode password; guessing a reboot of the ASA would suffice instead of restarting the process?
Thanks in advance folks.