Cisco Firepower 1010 (FTD) Initial Setup

KB ID 0001678

 

If you’re here you’ve either purchased a new Cisco Firepower device running FTD (FirePower Threat Defence) or have re-imaged your Firepower device from ASA to FTD code.

On its factory defaults, the unit will have the following settings.

  • Inside IP address (VLAN 1) 192.168.1.1 (on all interfaces from 2 to 8).
  • Outside IP Address set to DHCP in interface 1.
  • Management IP address 192.168.45.1 on the Management Interface.
  • DHCP Scopes on both the inside and management interfaces (192.168.1.x and 192.168.45.x respectively).

  1. Power Connector.
  2. 8 x Gigabit Ethernet ports: Normally GigabitEthernet 1/1 will be for the WAN, GigabitEthernet 1/2 though 1/8 will be for the LAN (with 1/7 and 1/8 being PoE).
  3. Management Port.
  4. Console Port (RJ45).
  5. Console Port (Mini USB).
  6. USB Port (useful for upgrades, and backups).
  7. Kensington Lock: Seriously? I’ve not seen one of these since about 2005, does anyone still use them?
  8. Reset Button: Depress for 3 seconds reverts the firewall to its factory settings, (and preserves the config apparently).
  9. Status Lights, (another reason not to put things on top of it!) Though you will notice there’s some on the back also. Note: When all lights are solid the firewall is operational, when the centre light is blinking, it’s still booting).

FirePower 1010 Setup

I will be deploying this as a stand alone FTD firewall, that will be managed locally on the device itself via FDM (Firepower Device Manager) and not via an FMC (Firepower Management Center) appliance.

Smart Licensing: If you’re not already familiar with Cisco Smart Licensing, I’ve covered it in more depth here. Set yourself up a free Smart License Account, and generate a token, copy it to the clipboard, (we will need it in a minute).

Connect to the firewall via a LAN port on https://192.168.1.1, or via the Management port on https://192.168.45.1 (unless you have ran though the FTD setup at command line, and have already changed the management IP).

Default usernames, (you will be asked to change them) are;

  • Username: admin
  • Password: Admin 123

Scroll down.

Here I’m accepting the default Outside/Public Interface settings of DHCP enabled, with IPv6 disabled, if yours has a static IP, or you want to user IPv6 then change the settings accordingly > Next.

I’ll accept the defaults here, be advised those NTP servers may take a little while to ‘go-green’ (you will see what I mean later) > Next.

I’m going to do this manually in a minute, so we can skip this > Next.

Note: The unit will have a default policy of let everything out (sourced from inside), and nothing in (sourced from outside) we will leave that as it is, as a decent start point.

Stanalone device > Configure Interfaces.

Note: Below I’m going to REMOVE the DHCP Scope, then change the ‘inside’ IP address (to avoid errors). Then later I will add the new DHCP scope back in again.

VLANs > Vlan1 > Edit. > DHCP section > Edit > Remove.

You can now set the inside IP address accordingly. (Don’t panic you wont lose connectivity yet!) > OK.

Now you need to Save/Commit the changes, and Deploy them. Now you will lose connectivity, if you have changed the inside IP address, so manually give yourself an IP address on the new network, and reconnect to the firewall.

Note: Update: Pleas ensure tha management is allowed in VLAN1 before proceeding (System Settings -> Management Access -> Data Interfaces.)

Cisco Firepower Setup DHCP

Create a new DHCP Scope: Should you require the firewall to be a DHCP server, log back in to the new internal IP address > System Settings > DHCP Server.

Create DHCP Server > Enable DHCP Server > Enter the new scope > OK.

Remember to commit the changes, and deploy them again!

Cisco Firepower FTD Licensing

Thankfully this is MUCH easier than doing the same thing while running ASA Code (on the same hardware!) > Smart Licence > View Configuration.

Register Device.

Paste in your token, (from above) > Set your location > Register Device. Go and have a coffee, it will look like it’s broken/not worked for a few minutes.

After a while you should see this;

There will be some outstanding changes to save and deploy also, now the unit is registered.

Back in the Cisco Smart Licence portal, it should look a bit like this;

Once fully complete and operational, all connected interfaces should have all the options ‘go-green’. For me the NTP servers took a while!

Note: Obviously the interfaces in orange are not in use!

 

Related Articles, References, Credits, or External Links

NA

Connecting to and Configuring Cisco Routers with ‘Cisco Configuration Professional’

KB ID 0000512 

Problem

It’s not often I work on Cisco routers, but as I tend to do most of the Cisco ASA Firewalls, I’m the unofficial “Cisco Guy”. Which is fine until someone wants a router or some complex switching, then I need to do some heavy duty frowning.

Last time I put in a Cisco router it was a baby Cisco 800 series (an 877W) so I assumed the 1921 ISR router I had to put in would be the same. Before I used the Cisco SDM console that’s now either depreciated or not used, and a quick look in the flash memory of the router told me there was nothing in there apart from the IOS.

Now for all your web based router needs, you use the “Cisco Configuration Professional” software, it comes in two flavours:

1. Express – this installs on the router itself and is a cut down version.

2. PC Version – the full suite of tools installs on a Windows PC (that has Java installed) Note: is does NOT need anything else installing on the router.

To download the software you will need a valid Cisco CCO login and a valid support contract (or SmartNet) for your router. (download link).

Solution

1. Using the console cable provided with your router connect a PC/Laptop to the router and access using Hyperterminal or PuTTy, (See here for details).

2. Connect an ethernet port to your LAN, we are going to configure it to get an IP from DHCP (assuming you have DHCP of course if not give is a static IP address).

3. While connected via console cable, go to enable mode, set the ether net port you connected to DHCP, then configure Telnet and SSH login, and finally allow HTTP access.

Note: If you get an error message like “IP address may not be configured on L2 Links” then assign the IP address to the VLAN (usually, but not always VLAN 1).This is seen on smaller 800 series routers, to resolve also make sure the Ethernet port is NOT shutdown like this;

[box]

interface FastEthernet0
! <<<<<<<Note: Make sure the Ethernet ports you will use are NOT in a shutdown state!
interface FastEthernet1
shutdown
!
interface FastEthernet2
shutdown
!
interface FastEthernet3
shutdown
!
interface Vlan1
ip address 192168.1..1 255.255.255.0 <<<Or use DHCP as appropriate

[/box]

4. So all being well, this is what you should see if you issue a “show run” command.

5. Lets make sure it got an IP address with “show ip interface”.

6. Install CCP on you PC and launch it > Select “Manage Devices” > Enter the IP, username and password you set earlier > OK.

7. If discovery fails make sure you’re cabled correctly and select “Discover”.

8. It connects over https so it’s normal to see this, just click yes.

9. You can now configure the router as required.

10. If you have the Security/Firewall IOS you can also manage that from here.

 

Related Articles, References, Credits, or External Links

Original Article Written 26/09/11