LAB: Internet connectivity (3/n)

I had already started to deploy the Windows 2016 server that I’m going to use for Active Directory.
But working on a server that doesn’t have any internet access can be somewhat counterproductive, so let’s get the internet connectivity up and working.

I have a FirePower 2110 appliance, and I could manage it locally or through the FirePower Management Center (FMC).
Locally managed would be the easy way at this time, but I need the FMC as I’m planning some tests with it either way.

I happened to have “Cisco_Firepower_Management_Center_Virtual_VMware-6.2.3-83.tar.gz” on my machine, but otherwise you would get it from cisco.com

Deploying it is simply unzipping the file, going into VMware, selecting “Deploy OVF template”, selecting the “Cisco_Firepower_Management_Center_Virtual_VMware-ESXi-6.2.3-83.ovf” and “Cisco_Firepower_Management_Center_Virtual_VMware-6.2.3-83-disk1.vmdk” files, and going through the next-next-finish process.

[This process is taking its time… going to get pizza.]

So, one pizza later the installation has finished, and I can log in via the console with admin/Admin123.
Related: The FMC quick start guide.

Accordingly, I run the “sudo /usr/local/sf/bin/configure-network” command via the VMware console.
Before running the command I decided on a name (fmc.escort.is) and an IP (10.208.254.20).
I’m not doing any IPv6 this time; that will come later.

To finish up I need to go to the GUI, https://10.208.254.20, to set a password, configure the hostname, etc.

I used the IP I selected for my domain controller, 10.208.1.16, as the primary DNS server.
This is obviously not going to work, because I haven’t set up the domain controller & DNS functionality on the server yet.

With traditional/legacy licensing, you would go and get the license to paste into the licensing field, but since we’ll be using Cisco Smart Licensing (whenever I get the license that is) I just left the licensing box empty.

Now I need to get the FMC to communicate with the FTD device.
I’ve already set an IP address on the FirePower (FTD) appliance, 10.208.254.21, so I just need to SSH into it and add the FMC as its manager.

And on the FMC I’ll go to Devices -> Add -> Device

Since I haven’t created an access control policy I have to do that now as well.

Aaand this throws me an error, saying I need to register with Smart Licensing before adding FTD devices.

Now this presents an issue: the FMC doesn’t have internet access until I get this sorted out.
But I can go to System -> Licenses -> Smart Licenses and select “Evaluation Mode”, which gives us a 90-day grace period.

Now I can add the FTD and also select the malware/threat/URL features.

So to get internet working I will need to, preferably in this order:

  • Configure inside and outside interfaces and static routes.
    • On both the FTD and the C3750G
  • Configure the access control policy to allow outbound traffic
  • Configure the NAT policy to NAT outbound traffic.

Starting with devices -> fpr-2110-lab-1 -> interfaces
e1/1 got a public IP address and the outside/internet zone
e1/2 got a subinterface, e1/2.2255, with 10.208.255.254/30 and the “inside” zone
On the Routing tab, in static route, I added a default route towards the internet and 10.208.0.0/16 towards 10.208.255.253
Then I pressed save and proceeded to configure g1/0/2 on the 3750G.
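The switch side of that step is only described in prose above, so here is the C3750G configuration that matches the FTD values given (10.208.255.254/30 on e1/2.2255, 10.208.0.0/16 routed towards 10.208.255.253). This is an added example, not the config from the original post: it assumes the e1/2.2255 subinterface is tagged with VLAN 2255, that g1/0/2 is therefore a dot1q trunk, and that the switch is the L3 gateway for the rest of 10.208.0.0/16; the VLAN name and the DC VLAN (Vlan201) are made-up illustrations.

```cisco
! Added example (not from the original post): C3750G side of the FTD transit link.
! Assumption: FTD e1/2.2255 carries VLAN tag 2255, so g1/0/2 must be a trunk.
ip routing
!
vlan 2255
 name FTD-inside-transit
!
! g1/0/2 faces FTD e1/2. Only the transit VLAN is allowed on the trunk,
! so nothing else in the lab can reach the FTD inside leg untagged.
interface GigabitEthernet1/0/2
 description FTD e1/2 (inside)
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2255
 switchport mode trunk
 no shutdown
!
! SVI on the /30 transit: .254 is the FTD (from the post), .253 is the switch
! (the next hop the FTD's 10.208.0.0/16 static route points at).
interface Vlan2255
 description transit to FTD inside
 ip address 10.208.255.253 255.255.255.252
 no shutdown
!
! Assumed example of a lab VLAN routed by the switch; the DC (10.208.1.16)
! would sit here. VLAN id and gateway address are illustrative.
interface Vlan201
 description LAB servers (assumed)
 ip address 10.208.1.1 255.255.255.0
 no shutdown
!
! Default route: everything not in 10.208.0.0/16 goes to the FTD,
! mirroring the FTD's static route back towards 10.208.255.253.
ip route 0.0.0.0 0.0.0.0 10.208.255.254
!
! Verification from exec mode once the FTD deploy has finished:
!   show ip route static
!   ping 10.208.255.254
```

Until the access control policy and NAT rule described further down are deployed, the ping to 10.208.255.254 will succeed (it is the FTD's own interface) while anything beyond it is dropped; that is the same symptom the post hits after the first deploy, so it is a useful split point when troubleshooting.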

Before we “deploy” the config from FMC to FTD I’m going to go to Devices -> NAT and create a Threat Defense NAT Policy, with a single NAT rule to NAT outbound traffic.

I used the same object that I created for the static route, but I could just as well have used “any”.
Now it’s “save” and then “Deploy”.

We can monitor the deployment by clicking on our yellow error triangle (which will stay yellow until we get the network connectivity sorted).

Depending on your FMC and FTD versions, the deployment can take anywhere between 2 and 9 minutes. This one took 1:35.

I’m able to ping inside and outside addresses on the FTD, but no traffic is going through.
That’s because I skipped the access policy configuration and forgot to come back to it.
So: Policies -> Access Control -> LAB-access-policy.
I created a new rule in the default section allowing all traffic from inside to internet.
The “Logging” tab is in bold because I also enabled logging at the end of the connection.

Going into the 3750 switch I can now ping the internet, so I can continue with the Domain Controller installation.
(I need “internal” DNS up and working before I can continue with FMC/FTD stuff.)
