Cisco Firepower Services – Change IP and DNS Addresses

KB ID 0001173 

Problem

If you change your internal LAN addresses it's easy to re-IP the firewall, but what about the FirePOWER module? If you manage your SFR from the ASDM it will tell you what the IP is, but it won't let you change it.

Solution

Change the FirePOWER Module IP Address

Log into the firewall, then open a session with the SFR module. Find the name of the module's physical management interface (usually eth0, but check).

[box]

Petes-ASA# session sfr
Opening command session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.


GRAINGER-SFR login: admin
Password:{your password}
Last login: Thu Apr  7 08:11:00 UTC 2016 on pts/0

Copyright 2004-2015, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.

Cisco Linux OS v5.4.1 (build 12)
Cisco ASA5506 v5.4.1 (build 211)

> show interfaces
--------------------[ outside ]---------------------
Physical Interface        : GigabitEthernet1/1
Type                      : ASA
Security Zone             : None
Status                    : Enabled
Load Balancing Mode       : N/A
---------------------[ inside ]---------------------
Physical Interface        : GigabitEthernet1/2
Type                      : ASA
Security Zone             : None
Status                    : Enabled
Load Balancing Mode       : N/A
---------------------[ cplane ]---------------------
IPv4 Address              : 127.0.2.1
----------------------[ eth0 ]----------------------
Physical Interface        : eth0
Type                      : Management
Status                    : Enabled
MDI/MDIX                  : Auto
MTU                       : 1500
MAC Address               : 00:C8:8B:C1:0E:0C
IPv4 Address              : 192.168.1.100
---------------------[ tunl0 ]----------------------
----------------------------------------------------
>

[/box]

To change the IP you need to supply the IP address, subnet mask, default gateway, and physical interface, like so:

[box]

> configure network ipv4 manual 192.168.1.99 255.255.255.0 192.168.1.1 eth0
Setting IPv4 network configuration.
Network settings changed.

[/box]

You can check it's worked with a 'show interfaces' command.

[box]

> show interfaces
--------------------[ outside ]---------------------
Physical Interface        : GigabitEthernet1/1
Type                      : ASA
Security Zone             : None
Status                    : Enabled
Load Balancing Mode       : N/A
---------------------[ inside ]---------------------
Physical Interface        : GigabitEthernet1/2
Type                      : ASA
Security Zone             : None
Status                    : Enabled
Load Balancing Mode       : N/A
---------------------[ cplane ]---------------------
IPv4 Address              : 127.0.2.1
----------------------[ eth0 ]----------------------
Physical Interface        : eth0
Type                      : Management
Status                    : Enabled
MDI/MDIX                  : Auto
MTU                       : 1500
MAC Address               : 00:C8:8B:C1:0E:0C
IPv4 Address              : 192.168.1.99
---------------------[ tunl0 ]----------------------
----------------------------------------------------

>

[/box]

Or you can use the 'show interfaces {interface-name}' command.

[box]

> show interfaces eth0
----------------------[ eth0 ]----------------------
Physical Interface        : eth0
Type                      : Management
Status                    : Enabled
MDI/MDIX                  : Auto
MTU                       : 1500
MAC Address               : 00:C8:8B:C1:0E:0C
IPv4 Address              : 192.168.1.99
IPv4 Broadcast            : 192.168.1.255
RX Packets                : 261
RX Errors                 : 0
RX Drops                  : 0
RX Overruns               : 0
RX Frame                  : 0
TX Packets                : 214
TX Errors                 : 0
TX Drops                  : 0
TX Overruns               : 0
TX Carrier                : 0
Collisions                : 0
----------------------------------------------------


[/box]

Change the FirePOWER Module DNS Addresses

This is a little more convoluted. There is a command to set the DNS servers (Note: you can enter multiple servers separated by commas).

[box]

> configure network dns servers 8.8.8.8,8.8.4.4

[/box]

But you also need to restart the nscd daemon (the name service cache) in the underlying Linux, and to do that you need to get into 'expert mode'.

[box]

> expert
admin@PETES-SFR:~$ sudo /etc/rc.d/init.d/nscd restart
Password:{Enter Your Password}
Stopping nscd…                                                     [  OK  ]
Starting nscd…                                                       [  OK  ]
admin@PETES-SFR:~$

[/box]

Related Articles, References, Credits, or External Links

Cisco FirePOWER – Adding a Static Route

What’s My Network Address and What’s my Broadcast Address?

KB ID 0000215 

Problem

The network address is the IP address that is the lowest number in your network range, and the broadcast address is the highest.

To find out what yours are, use the form below.

Solution

Find your IP address and Subnet Mask then enter it below.
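A worked version of the network/broadcast calculation, which also doubles as a pre-flight check on the IP, mask and gateway values you hand to the FirePOWER module's 'configure network ipv4 manual' command earlier on this page. This is an added Python example, not code from either KB article; the sample values are the ones used in the article (192.168.1.99, 255.255.255.0, 192.168.1.1).

```python
import ipaddress
from typing import List, Tuple


def subnet_info(ip: str, mask: str) -> Tuple[str, str]:
    """Return (network address, broadcast address) for an IPv4 host and dotted mask.

    The network address is the lowest address in the range, the broadcast the highest.
    """
    net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    return str(net.network_address), str(net.broadcast_address)


def check_mgmt_config(ip: str, mask: str, gateway: str) -> List[str]:
    """Sanity-check the values for 'configure network ipv4 manual <ip> <mask> <gw> <iface>'.

    Returns a list of problems; an empty list means the three values are consistent.
    A gateway outside the subnet, or a host set to the network/broadcast address,
    leaves the module's management interface unreachable after the change.
    """
    problems: List[str] = []
    try:
        net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
        host = ipaddress.IPv4Address(ip)
        gw = ipaddress.IPv4Address(gateway)
    except ValueError as exc:  # malformed address or non-contiguous mask
        return [f"invalid input: {exc}"]

    if net.prefixlen < 31 and host in (net.network_address, net.broadcast_address):
        problems.append(f"host {ip} is the network or broadcast address of {net}")
    if gw not in net:
        problems.append(f"gateway {gateway} is not inside {net}")
    elif gw == host:
        problems.append("gateway is the same as the host address")
    elif net.prefixlen < 31 and gw in (net.network_address, net.broadcast_address):
        problems.append(f"gateway {gateway} is the network or broadcast address of {net}")
    return problems


if __name__ == "__main__":
    # Values from the article's SFR example (constructed sample input).
    print(subnet_info("192.168.1.99", "255.255.255.0"))
    print(check_mgmt_config("192.168.1.99", "255.255.255.0", "192.168.1.1") or "config OK")
    # A gateway on another subnet is the classic way to lock yourself out.
    print(check_mgmt_config("192.168.1.99", "255.255.255.0", "10.0.0.1"))
```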


Related Articles, References, Credits, or External Links

NA

AnyConnect – Using a Windows DHCP Server to Lease IP Addresses to the Remote Clients

KB ID 0001050

Problem

I did an AnyConnect design for a client recently, and they asked 'Instead of using the firewall to lease the DHCP addresses to our remote clients, can we use our Windows DHCP Server?' In the past I've used Windows DHCP servers for IPSEC VPN clients, but more recently I've tended to just use the firewall. The client had some valid reasons for wanting to do so, and given the complexity of their network, before I said yes, I wanted to make sure we could give them what they wanted, and have a separate DHCP scope just for the remote clients.

Solution

Set Up a New Windows AnyConnect DHCP Scope

1. Server Manager > Tools > DHCP > Expand Server-name > IPv4 > Right Click > New Scope > Name it and follow the instructions.

2. Set up a network with enough addresses to cover all your remote clients.

3. You do not need to specify a router/default gateway, but I set up DNS settings (even though you still set these options on the firewall).

Once the new scope is up, activated and running you need to configure the firewall.

Changing AnyConnect to Use your Windows DHCP Server.

Here I already have the ASA doing DHCP from a local IP pool, so I’m going to remove that pool, and change over to the DHCP server.

1. To use a Windows server for DHCP you need to put an entry in the 'Tunnel-Group' for your AnyConnect connection. If you only have one DHCP scope that's all you need to do, but because I want to use a different scope I also need to put an entry in the AnyConnect 'Group-Policy' as well. (That's the group policy on the Cisco firewall, I'm NOT talking about Windows Group Policies!)

Below, with a 'show run tun' command, I can see the firewall pool I'm using and the name of my group-policy.

2. First remove the pool from the tunnel group.

[box]

Petes-ASA# configure terminal
Petes-ASA(config)# tunnel-group {group_name} general-attributes
Petes-ASA(config-tunnel-general)# no address-pool {pool_name}

[/box]

3. Then, while still in the general-attributes section, specify the IP address of your DHCP server. Then you need to edit the group-policy to specify the network address of the DHCP scope you want to use (if you only have one scope skip this step, but if you have more than one scope the ASA will take an address from the first scope it gets to if you don't specify one!)

[box]

Petes-ASA(config-tunnel-general)# dhcp-server {server_IP_address}
Petes-ASA(config-tunnel-general)# group-policy {policy_name} attributes
Petes-ASA(config-group-policy)# dhcp-network-scope {DHCP_Scopenetwork_address}

[/box]

4. Finally, I don't need it any more, so I'll delete the IP pool I was using before.

5. Let's make sure my remote clients can still connect.

6. I could simply look in the management console to see the lease, but let’s be a bit geeky and use PowerShell.

Related Articles, References, Credits, or External Links

AnyConnect Client Fails To Get IP From Windows DHCP Server