Cisco FTD Basic Configuration, v6.7 using Firepower Device Management (FDM)

Captions
Hello guys, my name is David and today we are going to configure Cisco FTD using the Firepower Device Manager. That's going to be local management, not the FMC, and we are going to deploy it in EVE-NG. So here's my EVE-NG and let's add the new node. That's going to be Firepower 6 and we're going to use the 6.7 version, and let's enable it.

Now for the ISP we are going to add a new cloud, which is a simulated ISP living on my firewall. It has the public IP address, but in reality it's just a LAN subnet. For this Firepower that's going to be the ISP, and it's on cloud 3. Now what's this cloud 3? Cloud 3 is the fourth interface on the EVE-NG virtual machine running on the ESXi, and that fourth interface is connected to the VLAN that goes to my firewall on one of the subnets, one of the router interfaces. Okay, so that router interface has the public IP address specific for this lab and that's going to be the simulated ISP for our Firepower, and let's connect it to GigabitEthernet 0/0.

For the management we are going to use this computer where we are connected now. This computer has two interfaces: one is the management interface, which I use right now to RDP to this Windows machine, and the second is going to the VLAN that is connected to the third interface of the EVE-NG virtual machine that comes here as cloud 2. Okay, so this cloud 2 and my computer's LAN interface are on the same broadcast domain, so I'm going to connect the management interface to manage the firewall and also I'm going to connect GigabitEthernet 0/1 for the LAN connectivity. So now imagine that there is a layer 2 switch between the firewall and my computer, and my computer is plugged into that switch, and then both the management interface and the inside interface of the firewall are also plugged into the same switch.

So we are going to wait around maybe eight minutes for this to boot, but before that let's add some of the information here. Our public address is going to be 12.34.56.0/24, and on the ISP side we have .1, and on the firewall side, let's increase this a little bit, on the firewall side we will have .11 I guess. Yeah, 11 is okay. Let's move up a little bit. Now on the inside interface we want to have this subnet, so the default subnet is 192.168.45.0/24, and the firewall will have two IP addresses within the same subnet: one is going to be the inside interface with .1, and then the management interface will have the same subnet, but because the management interface is in a separate routing table, that's not going to be a problem that they both have the same subnet. And the IP for the management interface is going to be .45, and in fact the routing table of the management interface will use that one as the gateway, as the next hop. Okay, now when we configure this firewall initially it will run the DHCP service on GigabitEthernet 0/1, which will give us the IP address here on this interface, and then we can communicate with the firewall using the data interface, not only the management interface. Let's wait, it's going to take some time to boot the firewall, and then we can log in, we can configure this firewall from the CLI to put some management IP addresses.

Okay, so our firewall is ready to be configured through the CLI, and let's put the default username, which is admin, and the default password is Admin123 with the uppercase A. And let's read the agreement, of course, completely carefully like we always do, and agree on that. Let's put the new password, which I'm not going to tell you. Question: do we want to use IPv4? Of course we want. Do we want to use IPv6? We don't. Do we want to configure the IP address manually on the management interface? Yes we do, and that's going to be the IP, that's going to be the mask, and the gateway. Now this gateway is for the management interface. Now if both these interfaces are going to be in one broadcast domain, then the management interface can use the data interface as the gateway, which is usually the case on most of, at least, small businesses.

Now the firewall hostname is going to be FTD, let's name it New York FTD, or New York firewall 01. These are the DNS servers, we don't change them. The DNS search: we are going to use these Cisco Umbrella DNS servers and we don't want to set a search domain. And we hit enter and wait a couple of minutes. Here we'll get the question if we want to manage this firewall locally or through the FMC, and we don't have the FMC right now in this lab, and this video is about configuring the firewall using Firepower Device Manager, which is local, so I'm going to hit enter and apply the default yes on the question if we want to manage this device locally.

Now once this is configured then we can go ahead and log into the IP address 192.168.45.45, which is the default IP address of the management interface. Let's run some pings to see if this IP is already reachable before we try to log in. I'm pretty sure it's already reachable, yes. And is that one also reachable? Well, not yet, at least we cannot ping it. Okay, let's go into Firepower Device Manager, and it is not ready yet to log in. That's okay, we are going to wait, it will take some time. All right, after several minutes I think we are ready. Yep, we can open the page now. Let's log in with admin and our new password which we put in the CLI, if you do remember, and this is our first initial page, so we are going to skip the wizard, if there is such a thing, and we're going to start the 90-day evaluation, that's a trial. And we're going to configure this firewall now using this Firepower Device Manager. We're going to put the outside IP address, we can change the inside IP address and the DHCP, we can put a routing table default route, change the management access from the management port to the data port, not change actually, add the data port, and things like that.

Okay, so let's go to the interfaces, and this is my interface list. As you can see, the inside interface already has the IP address but the outside interface doesn't, so let's go on the outside interface, change the type to static and then put the static IP, 12.34.56.11, and the subnet mask can be 255.255.255.0, and okay. Now after this we also want to add the static route using this specific interface, using the outside interface. For that we are going into Device Management again, and here's the routing. We click View Routing Information and we click Create Static Route under static routing, and let's name it default route. We are on the description. We want to use the outside interface, GigabitEthernet 0/0, for the default route, and we want to say that if we go to any IPv4 we want to use this gateway, and our gateway is going to be 12.34.56.1, yes, .1. Now .1 is this one here, so we are saying basically that... no, actually that's not here. Here's the one, this is the one we are using in the default route, okay, 12.34.56.1, and let's click OK.

Now we configured the outside interface, the outside IP address and the routing table. We can change the internal IP address and the DHCP if you want to, and let's change that. Go into interfaces, and here we can change it now, or we can do it from the settings. Let's deal with this and do it from the settings, and the new IP address is going to be 10.101.0.1. Yeah, this is the IP and I'm going to hit OK. Now we want to change DHCP to this subnet. Let's go into devices, here's the DHCP server, we click that and we create a new pool for the inside interface, GigabitEthernet 0/1, and then it starts from 10.101.0.50, for example, to .200, and enable this DHCP. Now we also want to enable DNS for that. Let's go to configuration and tell the DHCP that you want to also give out the DNS server information, and let's say use options, OpenDNS I mean, and here are the Cisco DNS IP addresses. Let's save it and then go under the device on DNS servers, and in DNS settings let's set up the incoming interface, that's going to be GigabitEthernet 0/1 in our case, and then apply the IP addresses, which is the Cisco Umbrella DNS server group. By default it includes the IP addresses that are coming by default with the FTD, and we chose this group and then we save. The same applies with the management interface, but we won't use the management interface as a DNS resolver, only the data interface.

Now let's see what we have in the management interface. We don't care about that. The hostname we already set up. And let's go and put the access policies to allow traffic between the computer and the cloud. Oh, by the way, let me go back. Did we change the management interface? Okay, so in the management interface, management access, we want to access this firewall using the data interface, not only the management interface, because at the end we basically want to disconnect this management port and use only the data port. So for that we go into management access, and in the data interface we create access. So we're saying that we want to access this firewall using GigabitEthernet 0/1, using HTTPS and SSH, and pretty much any network because it's a lab, we're not afraid. Okay, and let's leave it like that. Management web server: no change, and that we don't change either. Okay, go back to policies and let's create a policy.

Now in the policy we want to use the zones, if the security zone is already set up. And if you go here and check, not here actually, here on the security zones, we have inside zone and outside zone, and none of the interfaces are within these zones. So when we create the policy, if we choose the zone, let's say if we say match traffic coming from the inside zone, then this rule won't match any traffic, because the security zone object doesn't have an interface in it. This is how you choose the interface. Okay, so if we want to use zones then we want to put the interface inside that zone, and let's put GigabitEthernet 0/1 in the inside zone, and 0/0 is in the outside zone, and this is the outside zone. Now when we create the policy we can match the zones. We can say that if traffic comes from this zone then match it, and that's what we are going to do: inside zone, and the destination is going to be the outside zone. The network can be any, or we can create a specific network. Let's use any, any port, and destination any port, and okay. Now we don't want to differentiate with applications or anything else, it's just a simple basic permit any to any. So usually you don't do rules like that in production, that's not how we usually allow traffic, because it's pretty rare that you want to allow anything toward anything.

Now let's create the NAT, because remember this network is a private address and we want to translate it into the public IP address so it can be routed inside the ISP and, you know, in the public internet. So for that we need to translate this subnet into the IP of this subnet. Okay, let's do Create Rule. Now let's enable it, because we want to translate this subnet into this subnet, and we choose a name. The name is going to be internet NAT. It's going to be dynamic type because we translate the entire subnet into one IP address of this subnet, and the source interface is going to be 0/1, source address is going to be any, or, you know what, let's... did you change the subnet here? Hold on, let me go back. Not monitor, device. 10...

Okay, let's create the object and use that object. I don't like putting any anywhere, like in NAT rules. That's okay. So let's do the NAT correctly. We are on internet NAT, dynamic, and then we want the source to be 0/1, destination to be 0/0. Here with 0/0, source address: let's create one, so it's going to be something like this. I'll name it so I can recognize it, and this is the network, /24. Yep, inside subnet, or let's say user subnet, and use that object as the source object. Okay, and the destination address is going to be any, that's okay. Source port is going to be any, destination port is going to be any, for obvious reasons. And we want to translate this source address into the interface, or what we can do is create a new IP address, let's say 12.34.56.5 for example, and use that IP address as the NAT IP address, the public NAT IP address, into which our inside network will be translated. Something like this: host one IP. Okay, and let's choose that.

Okay, so now if you open the diagram you'll see that any of the IP addresses from this subnet, using any source port, going to any destination on any port, coming from the inside interface, going through the firewall, and then leaving the firewall using the outside interface, will be translated into this IP address. And the source port, destination address and destination port are going to be the same, unless ports are already being used. Let's say, you know, if the previous packet left the firewall and the source port was 1024, the next packet cannot have the same source port, so it's going to add one at the end, it's going to be 1025. Let's click OK.

Okay, so we have NAT configured, we have the access control. Let's go ahead and check: did we put the routing table? Yes we did, here's one routing table. We have IP addresses, we have DNS, DHCP. I think we have everything we need, so let me submit this and check if we missed anything. Okay, so I have a list: we did the outside IP, we did change the inside IP, inside subnet, we configured management access, we configured the default route, DHCP server, DNS server, access policies and the NAT configuration. Yeah, that's supposed to be enough, so let's wait. And, oh, by the way, now because we opened the access through the data port, what we can do here is disable the management port. Let's say here, this one, we can disconnect. This is one of the benefits of having EVE-NG Pro: you can disconnect and add cables while the nodes are up and running, and that is very, very good. And deployment is in progress. Let's go ahead and disable this port.

Now let me show the settings of this network interface card. You see, it shows default, but as an alternate configuration I have static IPs. That means if my computer won't be able to get the IP address from DHCP, then as a backup it will use this static IP. It's pretty convenient, to be honest. And then let's restart this interface to get the new IP address from the firewall, and let's hope the firewall has already pushed all the settings. Let's see if we get the IP address. Not yet, probably the firewall is still pushing. Oh, we got one. Okay, it looks like we haven't changed the DHCP pool, because you see I'm getting 192.168.45.47 even though the interface was 10.100 something, right? So we need to plug this port again. We need to fix that. Did I miss the DHCP settings? Okay, let's go back, and the DHCP server... hmm, no, we have not. And why am I getting this subnet here? That's weird. Let's go here and let's see what we have here. Hmm, that is weird. Let me renew the IP address again, maybe it's Windows acting up: ipconfig /release... oh, come on. Okay guys, hold on, ipconfig /release and /renew. Okay, now we have the new IP address, as you see, right? So it was Windows, Windows was acting up.

Let me disable this port again, so now we are connected through the data port only and we are going to use this new IP address, the inside port IP address 10.101.0.1. So https://10.101.0.1, and of course we can access the firewall through the data port now, the data interface. We put the same username and password as before, and yes. Now let's see if we can ping Google. We can. Now let's check if we can resolve the domain name google.com. We can. So if we try to go and surf the internet we should be able to. All right, so now this computer goes to the internet through this firewall. If I disable this port I will not be able to surf the internet. Let me copy this and open it here. You see, I'm not able to open this because I don't have the internet, so if I try and ping Google again from here I won't be able to, because we disconnected the cable. That's pretty much confirmation that yes, we are going to the internet through this firewall.

And this is how you configure the Cisco FTD using the Firepower Device Manager, that's a local manager, without using the centralized Firepower Management Center, that's FMC for short. This is a short one, and yeah, this is it. This is the configuration, and next time we'll probably try to add a high availability unit into this setup so we can have the failover device if the primary fails, and maybe we can add some other interfaces or VLANs, you know, for the guest access or stuff like that. But for now this is it. Thanks for watching and have a wonderful day.
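The dynamic NAT rule the video builds (user subnet on the inside interface translated to one public IP on the outside interface, source port kept unless already taken) is modelled below as an added example; it is not code from the video or from Cisco. The subnet and PAT address are the lab values from the video, and the "add one to the port" collision handling follows the speaker's simplified description rather than the real FTD port-allocation algorithm.

```python
import ipaddress
from dataclasses import dataclass

# Lab values from the video: the "user subnet" network object and the
# "host one ip" object used as the translated (PAT) address.
INSIDE_SUBNET = ipaddress.ip_network("10.101.0.0/24")
PAT_ADDRESS = ipaddress.ip_address("12.34.56.5")


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class DynamicPat:
    """Models the inside -> outside dynamic NAT rule described in the video."""

    def __init__(self):
        self.in_use = set()   # translated source ports already handed out
        self.table = {}       # original flow -> translated flow

    def translate(self, flow: Flow, ingress: str, egress: str):
        # The rule only matches traffic entering on inside and leaving on
        # outside whose source is inside the user-subnet object; anything
        # else is returned untranslated (None).
        if ingress != "inside" or egress != "outside":
            return None
        if ipaddress.ip_address(flow.src_ip) not in INSIDE_SUBNET:
            return None
        # An existing connection keeps its translation.
        if flow in self.table:
            return self.table[flow]
        # Keep the original source port when free; otherwise, as the video
        # explains, pick the next one (simplified: increment by one).
        port = flow.src_port
        while port in self.in_use:
            port += 1
            if port > 65535:
                raise RuntimeError("PAT port space exhausted")
        self.in_use.add(port)
        translated = Flow(str(PAT_ADDRESS), port, flow.dst_ip, flow.dst_port)
        self.table[flow] = translated
        return translated


if __name__ == "__main__":
    pat = DynamicPat()
    first = pat.translate(Flow("10.101.0.50", 1024, "8.8.8.8", 53), "inside", "outside")
    second = pat.translate(Flow("10.101.0.51", 1024, "8.8.8.8", 53), "inside", "outside")
    print(first, second)
```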
Info
Channel: IT Solutions Network
Views: 1,427
Keywords: cisco ftd, firepower threat defense, firepower threat defense virtual, firepower threat defense base features, firepower threat defense software, firepower threat defense configuration guide, cisco ftd nat, cisco ftd cli, cisco ftd ha, cisco ftd site to site vpn configuration, firepower threat defense cisco, cisco ftd firewall, Firepower Device Management(FDM), FDM, Firepower Device Management, version 6.7
Id: c2p5WK0Tzqk
Length: 27min 16sec (1636 seconds)
Published: Sun Sep 26 2021