Cisco Firepower系列订购时可以选择FTD或者ASA镜像,由于笔者公司一直用的ASA镜像,为了方便运维和管理,仍然选择了ASA镜像。本文将介绍如何安装、设置和使用基于ASA镜像的Firepower 2100。

Cisco的Firepower本身并不是一个产品,而是一套产品或者组件。在此之前,我们有必要了解一下如下术语:

  • FXOS:Cisco Firepower eXtensible Operating System是用于网络和安全解决方案的下一代系统平台。 是运行在Firepower 2000、4000和9000系列上的底层系统,在 FXOS 之上再运行 ASA 或 FTD 软件。我们可以这样理解:FXOS是“虚拟化管理程序”,ASA和FTD是运行在FXOS之上的“虚拟机”。它提供2种管理方式:
    - CLI:命令行,用于配置、监控和排障。
    - FCM:FXOS Chassis Manager - 基于Web的网页管理端,可以可视化配置和监控。

  • FTD:Firepower Threat Defense是运行在FXOS上的提供NGFW功能的“虚拟机”。一般通过中央控制器(FMC)管理 ,思科正在拼命推动 FTD 成为 ASA 的继任者。它有2种管理模式:
    - FMC:Firepower Management Center - FTD的中央控制器,对所有 FTD 实施集中部署管理。
    - FDM:Firepower Device Manager - 基于Web的用于管理FTD网页管理端,功能有限,比如创建本地账号都无法实现。

  • ASA:Adaptive Security Appliance是我们都知道和喜爱的旧版思科防火墙软件,思科希望我们尽快忘记并迁移到FTD平台。我们仍然可以在Firepower系列防火墙FXOS上运行ASA“虚拟机”。它有2种管理模式:
    - CLI:命令行。
    - ASDM:图形化界面软件,远程管理ASA。

使用Console连接至Firepower 2100后我们就直接进入了FXOS CLI模式,我们先要配置FXOS,然后再配置ASA。在FXOS模式下输入命令connect asa进入ASA模式,在ASA模式下输入connect fxos进入FXOS模式。默认FXOS用户名为admin,密码为Admin123。

配置FXOS

修改FXOS主机名
firepower-2110# scop system
firepower-2110 /system # set name et-fp2110
firepower-2110 /system* # commit-buffer
firepower-2110 /system # top
et-fp2110#
设置domain name
et-fp2110# scope system
et-fp2110 /system # scope service
et-fp2110 /system/services # set domain-name ex.eflytop.com
et-fp2110 /system/services* # commit-buffer
et-fp2110 /system/services # show domain-name
Domain: ex.eflytop.com
配置时间和NTP服务器

有些服务比如NTP需要再FXOS里面配置,ASA里面不再提供相关命令,从FXOS同步时间。

et-fp2110# scope system
et-fp2110 /system # scope services
et-fp2110 /system/services # set clock Aug 18 2021 05 29 30
et-fp2110 /system/services # set timezone
et-fp2110 /system/services* # enter ntp-server 10.16.16.16
et-fp2110 /system/services/ntp-server* # commit-buffer
et-fp2110 /system/services/ntp-server #  exit
et-fp2110 /system/services # show ntp-server
et-fp2110 /system/services # show clock
配置DNS
et-fp2110# scope system
et-fp2110 /system* # scope services
et-fp2110 /system/services *# create dns 8.8.8.8 0
et-fp2110 /system/services *# commit-buffer 
配置带外管理/管理接口

根据上图可以看到FXOS默认的管理接口IP为192.168.45.45,并启用了DHCP为接入管理接口的PC分配同网段的IP便于管理,现实环境中我们一般有专用的管理网段,需要修改管理接口IP、DHCP设定和允许接入网段。

  • 关闭DHCP服务:
et-fp2110# scope system
et-fp2110 /system # scope services
et-fp2110 /system/services # disable dhcp-server
  • 配置新的管理IP:
et-fp2110*# scope fabric-interconnect a
et-fp2110 /fabric-interconnect* # set out-of-band static ip 10.70.128.32 netmask 255.255.240.0 gw 10.70.128.1 
  • 配置允许访问管理口网段:
et-fp2110 /system/services # enter ip-block 10.0.0.0 8 https
et-fp2110 /system/services* # enter ip-block 10.0.0.0 8 ssh
et-fp2110 /system/services # delete ip-block 192.168.45.0 24 https
et-fp2110 /system/services* # delete ip-block 192.168.45.0 24 ssh
et-fp2110 /system/services* # commit-buffer
设置接口

先看一看目前的接口配置

et-fp2110# scope eth-uplink
et-fp2110 /eth-uplink # scope fabric a
et-fp2110 /eth-uplink/fabric # show  interface

Interface:
    Port Name      Port Type          Admin State Oper State       State Reason
    -------------- ------------------ ----------- ---------------- ------------
    Ethernet1/1    Data               Enabled     Up               Up
    Ethernet1/2    Data               Enabled     Up               Up
    Ethernet1/3    Data               Disabled    Link Down        Down
    Ethernet1/4    Data               Disabled    Link Down        Down
    Ethernet1/5    Data               Disabled    Link Down        Down
    Ethernet1/6    Data               Disabled    Link Down        Down
    Ethernet1/7    Data               Disabled    Link Down        Down

你会看到除了接口1和2外,其余接口都是disabled。必须要在FXOS里enable对应的接口,才能在ASA中正常使用,不然在ASA中no shutdown此接口但接口状态还是down的。命令如下:

et-fp2110# scope eth-uplink 
et-fp2110 /eth-uplink # scope fabric a
et-fp2110 /eth-uplink/fabric # enter interface Ethernet1/8
et-fp2110 /eth-uplink/fabric/interface # enable
et-fp2110 /eth-uplink/fabric/interface * # commit-buffer
配置FXOS管理账号
et-fp2110# scope security
et-fp2110 /security # create local-user aerynsun
et-fp2110 /security/local-user* # set password
Enter a password: 
Confirm the password: 
et-fp2110 /security/local-user* # enter role admin
et-fp2110 /security # enter local-user admin
et-fp2110 /security/local-user # set password
Enter a password:
Confirm the password:
et-fp2110 /security/local-user* # commit-buffer

配置ASA

从FXOS切换到ASA
et-fp2110# connect asa
Remote card closed command session. Press any key to continue.
Connection with fxos terminated.
Type help or '?' for a list of available commands.
ciscoasa> enable
Password: <blank>
ciscoasa# configure terminal
ciscoasa(config)# 

从ASA切换到FXOS的命令为

ciscoasa# connect fxos
配置管理口

FXOS和ASA共用管理口Management1/1,但是需要为它们配置不同IP地址。

ciscoasa(config)# interface management1/1
ciscoasa(config-if)# ip address 10.70.128.33 255.255.240.0
ciscoasa(config)# route management 0.0.0.0 0.0.0.0 10.70.128.1
其它配置

配置路由、策略、NAT、VPN等,这跟我们以前配置ASA的命令没有区别,这里不单独介绍。